How Can I prevent a specific application from being run on a specific machine using Group Policy?

I know this is possible to do and I am working on it with limited success. I believe the Group Policy I want is "Do Not Run Specified Windows Applications" - I can enable this and add the .exe I want to the list of programs not to be run.

I have tried this on my local machine by running gpedit.msc, going to User Config > Admin Templates > System, and then choosing that policy, editing it and enabling it. Doing it this way verifies that it works, as I could then not run the specified .exe (XenAppWeb.exe), so this is great.

I have created a GPO to do the same thing in GP Management on my domain controller where we centralize this, enforced it, applied it to an OU, and put one of our machines into this OU to test it. I have let it sit there for 3 days, run gpupdate /force, and when I try to run XenAppWeb.exe on this machine, it still lets me run it fine.

What can I look at to troubleshoot this?

I should note that I am trying to enact this policy on Windows XP machines (virtual machines).

Thanks, Mike


Solution 1:

One alternative would be to use Software Restriction Policies (Computer Configuration -> Windows Settings -> Security Settings) rather than the "Do Not Run Specified Windows Applications" user policy. This will also give you more flexibility around how you select the application to be blocked.

Keep in mind that any blacklisting approach can be worked around. If you want to ensure that the restriction can't be bypassed, you'll need to use Software Restriction Policies in whitelist mode, i.e., specify those applications that are allowed to run rather than those that are not.

Solution 2:

If you're setting the restriction policy in the User Configuration section of the GPO, then this will have no effect unless the user account objects are in the OU that you've applied the policy to (or unless you enable loopback processing).

Shift the settings to the Computer Configuration section of the policy, assuming you want the policy to apply regardless of who logs on to those systems.
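The following PowerShell diagnostic is an added example, not code from either answer: run on a domain controller or RSAT host with the GroupPolicy and ActiveDirectory modules, it checks the three things Solution 2 hinges on (whether the DisallowRun list sits in the GPO's User Configuration, whether loopback processing is enabled, and whether the linked OU actually contains any user objects). The GPO name and OU distinguished name are assumed placeholders.

```powershell
# Added diagnostic (not from the answers above). Requires the GroupPolicy and
# ActiveDirectory modules. $GpoName and $OuDn are assumed placeholders.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName = 'Block XenAppWeb'                      # assumed: the GPO's display name
$OuDn    = 'OU=TestMachines,DC=example,DC=local'  # assumed: OU the GPO is linked to

function Get-GpoRegistryKeyValues {
    param([string]$Name, [string]$Key)
    # Get-GPRegistryValue throws when the key is not configured in the GPO; treat that as absent.
    try { Get-GPRegistryValue -Name $Name -Key $Key -ErrorAction Stop } catch { $null }
}

# 1. "Do Not Run Specified Windows Applications" is a User Configuration setting: it
#    writes DisallowRun under HKCU, so it only lands when user policy from this GPO is processed.
$explorer = Get-GpoRegistryKeyValues -Name $GpoName -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$blocked  = Get-GpoRegistryKeyValues -Name $GpoName -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun'
$enabled  = ($explorer | Where-Object { $_.ValueName -eq 'DisallowRun' }).Value -eq 1
Write-Host ("DisallowRun enabled in User Configuration: {0}" -f $enabled)
$blocked | ForEach-Object { Write-Host ("  blocked executable: {0}" -f $_.Value) }

# 2. Loopback processing is stored as HKLM\...\System\UserPolicyMode (1 = merge, 2 = replace).
$sys  = Get-GpoRegistryKeyValues -Name $GpoName -Key 'HKLM\Software\Policies\Microsoft\Windows\System'
$mode = ($sys | Where-Object { $_.ValueName -eq 'UserPolicyMode' }).Value
$modeText = switch ($mode) { 1 { 'Merge' } 2 { 'Replace' } default { 'not configured' } }
Write-Host ("Loopback processing: {0}" -f $modeText)

# 3. Is the GPO linked to the OU, and does the OU contain any user objects? With no users
#    there and no loopback, user-scope settings never apply to logons on those computers.
$link = (Get-GPInheritance -Target $OuDn).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
Write-Host ("GPO linked to OU: {0} (Enabled={1}, Enforced={2})" -f [bool]$link, $link.Enabled, $link.Enforced)
$users     = @(Get-ADUser     -Filter * -SearchBase $OuDn -SearchScope Subtree)
$computers = @(Get-ADComputer -Filter * -SearchBase $OuDn -SearchScope Subtree)
Write-Host ("Users in OU: {0}; computers in OU: {1}" -f $users.Count, $computers.Count)
if ($users.Count -eq 0 -and $mode -notin 1, 2) {
    Write-Host "User-scope settings will not apply here: no user objects in the OU and loopback is off."
}
```

On the XP test machine itself, `gpresult /scope user /v` shows whether the GPO was applied to the logged-on user at all, which is the quickest confirmation of the same scoping problem.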