Using GPO to prohibit the execution/installation of specific applications
Posted on 2009-02-24
There are some applications that I would like to prevent certain groups of users from being able to run. The majority of our users are on XP SP2 or SP3. There is a very small minority of Vista users.
The main program I'd like to outright prevent from running is iTunes. It's a great program, but unfortunately in the hands of some users it is abused and leads to a considerable decrease in productivity (not to mention the consumption of bandwidth when users start firing up streaming radio). I know it's installed on some systems already, but I'm not sure who exactly has it. The easiest solution that I can see is to throw all of these users' computers into their own OU and drop a workstation policy on them that prohibits iTunes (and any other programs I choose) from running. Additionally I'd like to ensure that only domain administrators (not local admins or local powerusers) can install new applications on workstations in this new OU.
I know it's sort of a draconic approach but some users don't listen when you tell them, "You can't do that." I think this is the best solution to the problem.
I think I have a general idea how it's done but I'm not really certain, so I was looking for some verification here. To my knowledge, the process should look something like this:
1. Create the new GPO and assign it to the OU I'll be placing these restricted PCs in.
2. Set the new GPO to Enforced.
3. In the new GPO, go to: Computer Configuration\Windows Settings\Security Settings\Software Restrictions.
4. Select "New Software Restriction Policies."
5. Under the Software Restrictions item, ensure that Enforcement is set to: "All software files except libraries" and "All users."
This is the part where I'm not sure though. I believe I'm supposed to specify the restricted executables under the Additional Rules section of the software restriction policy, but I have a couple of questions:
1. What's the best/appropriate way to do this? Hash rule, certificate rule, path rule? How should it look?
2. Ideally I want to block iTunes regardless of where it's installed (and I want to make sure it's blocked in the event they try to get crafty and rename itunes.exe to something else). Will I be able to do this, or is the GPO method specific to the name and exact location of the file/application?
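The following PowerShell is an added example, not part of the original question or any answer to it: it models how a Software Restriction Policy path rule and hash rule each decide on a file, so the rename question can be tested offline against a constructed stand-in for itunes.exe. It changes no policy; the directory, file names and file bytes are all assumptions made up for the demo.

```powershell
# Added example, not part of the original post. Models how an SRP *path* rule
# and an SRP *hash* rule each decide on a file, so the rename question can be
# tested offline. It does not modify any policy; all paths/bytes are constructed.

function Get-SrpHashRuleData {
    # The identity an SRP hash rule stores for a file: MD5 hash, file size in
    # bytes and algorithm id 32771 (CALG_MD5, as shown in the XP hash-rule dialog).
    param([Parameter(Mandatory=$true)][string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $md5   = [System.Security.Cryptography.MD5]::Create()
    $hex   = ($md5.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
    New-Object PSObject -Property @{ Hash = $hex; Size = $bytes.Length; HashAlg = 32771 }
}

function Test-SrpPathRule {
    # A path rule matches on name/location only; wildcards and %ENV% vars allowed.
    param([string]$Rule, [string]$Path)
    $expanded = [Environment]::ExpandEnvironmentVariables($Rule)
    return ($Path -like $expanded)   # -like is case-insensitive, like SRP
}

function Test-SrpHashRule {
    # A hash rule matches on content only; the file name and folder are ignored.
    param($Rule, [string]$Path)
    $data = Get-SrpHashRuleData -Path $Path
    return (($data.Hash -eq $Rule.Hash) -and ($data.Size -eq $Rule.Size))
}

# --- Constructed demo: a stand-in "iTunes.exe" that a user then copies/renames ---
$demoDir  = Join-Path $env:TEMP 'srp-demo'
New-Item -ItemType Directory -Path $demoDir -Force | Out-Null
$original = Join-Path $demoDir 'iTunes.exe'
[System.IO.File]::WriteAllBytes($original, [byte[]](77,90,144,0,3,0,0,0))   # fake MZ header
$renamed  = Join-Path $demoDir 'notes.exe'
Copy-Item -Path $original -Destination $renamed -Force

$pathRule = Join-Path $demoDir 'iTunes.exe'         # what a path rule would name
$hashRule = Get-SrpHashRuleData -Path $original     # what a hash rule would store

New-Object PSObject -Property @{
    PathRule_Original = Test-SrpPathRule $pathRule $original
    PathRule_Renamed  = Test-SrpPathRule $pathRule $renamed
    HashRule_Original = Test-SrpHashRule $hashRule $original
    HashRule_Renamed  = Test-SrpHashRule $hashRule $renamed
} | Format-List
```

The path rule misses the renamed copy while the hash rule still matches it, because the hash rule keys on file content rather than name or folder. The trade-off is maintenance: every iTunes update changes the hash, so a hash rule has to be refreshed per version, whereas a path rule does not.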