Using GPO to prohibit the execution/installation of specific applications

Posted on 2009-02-24
Last Modified: 2012-06-20
There are some applications that I would like to prevent certain groups of users from being able to run. The majority of our users are on XP SP2 or SP3. There is a very small minority of Vista users.

The main program I'd like to outright prevent from running is iTunes. It's a great program, but unfortunately in the hands of some users it is abused and leads to a considerable decrease in productivity (not to mention the consumption of bandwidth when users start firing up streaming radio). I know it's installed on some systems already, but I'm not sure who exactly has it. The easiest solution that I can see is to throw all of these users' computers into their own OU and drop a workstation policy on them that prohibits iTunes (and any other programs I choose) from running. Additionally I'd like to ensure that only domain administrators (not local admins or local powerusers) can install new applications on workstations in this new OU.

I know it's sort of a draconian approach but some users don't listen when you tell them, "You can't do that." I think this is the best solution to the problem.

I think I have a general idea how it's done but I'm not really certain, so I was looking for some verification here. To my knowledge, the process should look something like this:

1. Create the new GPO and assign it to the OU I'll be placing these restricted PCs in.
2. Set the new GPO to Enforced.
3. In the new GPO, go to: Computer Configuration\Windows Settings\Security Settings\Software Restrictions.
4. Select "New Software Restriction Policies."
5. Under the Software Restrictions item, ensure that Enforcement is set to: "All software files except libraries" and "All users."

This is the part where I'm not sure though. I believe I'm supposed to specify the restricted executables under the Additional Rules section of the software restriction policy, but I have a couple of questions:

1. What's the best/appropriate way to do this? Hash rule, certificate rule, path rule? How should it look?
2. Ideally I want to block iTunes regardless of where it's installed (and I want to make sure it's blocked in the event they try to get crafty and rename itunes.exe to something else). Will I be able to do this, or is the GPO method specific to the name and exact location of the file/application?
Question by: elorc

    Accepted Solution

    The hash rule is the best compromise - unless you are prepared to sign the required executables, you can't use a certificate rule. Path rules are OK but can be got around by simply renaming the executables. With a hash rule it does not matter if the user renames it - it still won't run. The only problem is that you have to have a copy of the executable to create the hash in the first place - and of course if an update is released you will have to create a new hash.

    Author Comment

    Okay... at the risk of sounding like a complete moron, how do I implement the hash rule? Does the policy editor figure out the hash for me, or do I need to create it myself and import it somehow?

    Also, for the sake of being overzealous would it be helpful to use a combination of rules? Such as using both a hash rule and path rule?
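    The trade-off in the accepted solution, and the follow-up question about combining a hash rule with a path rule, can be checked with a small model of how Software Restriction Policy rules match. The code below is an added example and is not from this thread or from Microsoft; it is not the Windows enforcement engine, the byte strings standing in for the iTunes binaries are constructed, the paths are hypothetical, and SHA-256 is used only for the model (the GPMC New Hash Rule dialog computes the digest itself when you browse to the file). It mirrors the real precedence, where a matching hash rule wins over a path rule and the most specific path rule wins among path rules, and runs four cases: the known build in its default folder, the known build renamed and moved, a new build in the default folder, and a new build renamed and moved.

```python
"""
Toy model of Software Restriction Policy rule matching (hash rule vs path rule).
Added illustration only: not the Windows enforcement engine, and the "binaries"
below are constructed byte strings, not real iTunes files.
"""
import fnmatch
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Union

DISALLOWED = "Disallowed"
UNRESTRICTED = "Unrestricted"


@dataclass(frozen=True)
class PathRule:
    pattern: str    # wildcard path, e.g. r"C:\Program Files\iTunes\*"
    level: str


@dataclass(frozen=True)
class HashRule:
    digest: str     # hex digest of the file contents
    level: str


@dataclass(frozen=True)
class Exe:
    path: str       # where the user put the file
    content: bytes  # what the file actually contains


Rule = Union[PathRule, HashRule]


def file_hash(content: bytes) -> str:
    """Digest of the file bytes only; the name and folder play no part.
    SHA-256 is an assumption of this model, not what SRP on XP stores."""
    return hashlib.sha256(content).hexdigest()


def most_restrictive(levels: List[str]) -> str:
    """When several rules of the same kind match, the stricter level wins."""
    return DISALLOWED if DISALLOWED in levels else levels[0]


def evaluate(rules: List[Rule], exe: Exe, default: str = UNRESTRICTED) -> str:
    """Decide whether exe may run: hash rules beat path rules, and among
    matching path rules the most specific (longest) pattern wins."""
    digest = file_hash(exe.content)
    hash_hits = [r.level for r in rules
                 if isinstance(r, HashRule) and r.digest == digest]
    if hash_hits:
        return most_restrictive(hash_hits)

    path_hits = [r for r in rules
                 if isinstance(r, PathRule)
                 and fnmatch.fnmatchcase(exe.path.lower(), r.pattern.lower())]
    if path_hits:
        longest = max(len(r.pattern) for r in path_hits)
        return most_restrictive([r.level for r in path_hits
                                 if len(r.pattern) == longest])
    return default


# Constructed stand-ins for two builds of the blocked program.
ITUNES_V1 = b"constructed sample: iTunes build 8.0"
ITUNES_V2 = b"constructed sample: iTunes build 8.1"

# The combination discussed in the thread: a hash rule for the build you
# have a copy of, plus a path rule for the default install folder.
RULES: List[Rule] = [
    HashRule(file_hash(ITUNES_V1), DISALLOWED),
    PathRule(r"C:\Program Files\iTunes\*", DISALLOWED),
]


def scenarios(rules: List[Rule] = RULES) -> Dict[str, str]:
    """The four cases that matter for the rename / update question."""
    default_dir = r"C:\Program Files\iTunes\iTunes.exe"          # hypothetical
    hidden = r"C:\Documents and Settings\bob\My Documents\music.exe"  # hypothetical
    return {
        "known build, default folder":    evaluate(rules, Exe(default_dir, ITUNES_V1)),
        "known build, renamed and moved": evaluate(rules, Exe(hidden, ITUNES_V1)),
        "new build, default folder":      evaluate(rules, Exe(default_dir, ITUNES_V2)),
        "new build, renamed and moved":   evaluate(rules, Exe(hidden, ITUNES_V2)),
    }


if __name__ == "__main__":
    for case, verdict in scenarios().items():
        print(f"{case:32} -> {verdict}")
```

    Running it shows why the two rule types are worth combining: the hash rule catches the known build wherever it is renamed to, the path rule catches a newer build that the installer drops into the default folder, and the only case that slips through is a newer build that has also been renamed and moved, which is exactly the case the accepted solution warns needs a fresh hash rule after each update.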
