How do you deny certain .exe files from running on a Windows 2003 Server domain's workstations

Posted on 2009-12-23
Medium Priority
Last Modified: 2012-08-14
I believe at one time I was able to set up a group policy on a Windows 2003 domain controller so that certain executables would not run on the workstations when they were logged into the domain.  For example, if someone logged onto our 2003 domain on a Windows XP workstation, and they had Yahoo Messenger installed, they would not be able to run the executable file on their workstation to run Yahoo Messenger due to the fact that I had denied it from running on our domain.  It's been a long time since I have done it and I totally forget how.  Any help would be greatly appreciated.  I don't want to have to block it through certain ports or IP addresses as I know that Yahoo, AIM etc. are always changing which ones their programs run on.
Question by:Steelin_It
LVL 11

Accepted Solution

enriquecadalso earned 500 total points
ID: 26115840
LVL 70

Assisted Solution

KCTS earned 500 total points
ID: 26115905
You can use a software restriction policy to prevent the execution of specified programs; see http://support.microsoft.com/kb/324036
LVL 19

Assisted Solution

PeteJThomas earned 500 total points
ID: 26118335
I'm sure the previously posted articles explain this, but just the basic way you would normally do it:

Create a new group policy.

Go to Computer Config > Windows Settings > Security Settings > Software Restriction Policies.

Right click, and select 'Create new policies'. Now go into "Additional Rules", right-click, and select "New path rule" - Enter the path of the executable, and select Disallowed. Enter any description that you want.

That should stop the specified executable from being run.

I would also probably advise using the 'Enforcement' setting (directly under 'Software Restriction Policies') to set it so that the policy applies to all users except local admins - Unless you specifically want absolutely no one to be able to execute these files under any circumstances... :)

Oh and lastly, as always, ensure you test this policy first before deploying to all your machines, in case there are any unforeseen side effects!! So just use a test computer in a test OU, and link the policy to the test OU first to ensure that the result you get is what you're after...
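
To confirm on the test computer that the policy from the steps above was actually applied, the script below reads the machine-level Software Restriction Policy back from the registry and lists the Disallowed path rules. It is an added example, not part of the original posts; it assumes PowerShell is installed on the workstation and that the policy was set under Computer Configuration, and the function names are hypothetical.

```powershell
# Added example: read back the Software Restriction Policy that Group Policy
# wrote to this workstation (Computer Configuration settings land under HKLM).
$root = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

function Get-SrpSummary {
    # Hypothetical helper name. Reports the default level and Enforcement scope.
    if (-not (Test-Path $root)) {
        Write-Warning 'No machine-level SRP found. Run gpupdate /force and check that the GPO is linked to this OU.'
        return
    }
    $cfg = Get-ItemProperty -Path $root
    $default = 'Other (' + $cfg.DefaultLevel + ')'
    if ($cfg.DefaultLevel -eq 0x40000) { $default = 'Unrestricted' }
    if ($cfg.DefaultLevel -eq 0)       { $default = 'Disallowed' }
    # PolicyScope 1 corresponds to "All users except local administrators".
    $scope = 'All users'
    if ($cfg.PolicyScope -eq 1) { $scope = 'All users except local administrators' }
    New-Object PSObject -Property @{ DefaultLevel = $default; Enforcement = $scope }
}

function Get-SrpDisallowedPathRule {
    # Hypothetical helper name. Level 0 = Disallowed; each path rule is a
    # GUID-named subkey whose ItemData value holds the blocked path.
    $paths = Join-Path $root '0\Paths'
    if (-not (Test-Path $paths)) { return }
    Get-ChildItem -Path $paths | ForEach-Object {
        $rule = Get-ItemProperty -Path $_.PSPath
        New-Object PSObject -Property @{
            Path        = $rule.ItemData
            Description = $rule.Description
            RuleId      = $_.PSChildName
        }
    }
}

Get-SrpSummary | Format-List
$rules = @(Get-SrpDisallowedPathRule)
if ($rules.Count -eq 0) {
    Write-Warning 'No Disallowed path rules present; the executable will still run.'
} else {
    $rules | Format-Table Path, Description, RuleId -AutoSize
}
```

A path rule matches on the file's location, so a hash rule is the SRP option that keeps applying if the file is moved or renamed.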


LVL 47

Assisted Solution

by:Donald Stewart
Donald Stewart earned 500 total points
ID: 26133813

Author Closing Comment

ID: 31669615
Sorry not to get back to everyone but I was pulled from this project.  All of your solutions were feasible.  Thanks for the input.


Question has a verified solution.
