How do you deny certain .exe files from running on a Windows 2003 Server domain's workstations

Posted on 2009-12-23
Last Modified: 2012-08-14
I believe at one time I was able to set up a group policy on a Windows 2003 domain controller so that certain executables would not run on the workstations when they were logged into the domain. For example, if someone logged onto our 2003 domain on a Windows XP workstation, and they had Yahoo Messenger installed, they would not be able to run the executable file on their workstation to run Yahoo Messenger due to the fact that I had denied it from running on our domain. It's been a long time since I have done it and I totally forget how. Any help would be greatly appreciated. I don't want to have to block it through certain ports or IP addresses as I know that Yahoo, AIM etc. are always changing which ones their programs run on.
Question by:Steelin_It
    LVL 11

    Accepted Solution

    LVL 70

    Assisted Solution

    You can use a software restriction policy to prevent the execution of specified programs see
    LVL 19

    Assisted Solution

    I'm sure the previously posted articles explain this, but just the basic way you would normally do it:

    Create a new group policy.

    Go to Computer Config > Windows Settings > Security Settings > Software Restriction Policies.

    Right click, and select 'Create new policies'. Now go into "Additional Rules", right-click, and select "New path rule" - Enter the path of the executable, and select Disallowed. Enter any description that you want.

    That should stop the specified executable from being run.

    I would also probably advise using the 'Enforcement' setting (directly under 'Software Restriction Policies') to set it so that the policy applies to all users except local admins - Unless you specifically want absolutely no one to be able to execute these files under any circumstances... :)

    Oh and lastly, as always, ensure you test this policy first before deploying to all your machines, in case there are any unforeseen side effects!! So just use a test computer in a test OU, and link the policy to the test OU first to ensure that the result you get is what you're after...
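
To confirm on the test computer that the policy described in the answer above actually arrived, the following added example (not part of the original answer) reads back the Software Restriction Policy that Group Policy writes to the registry and lists the Disallowed path rules and the Enforcement scope. The executable path in `$ExpectedPath` and the function names are assumptions made for illustration.

```powershell
# Added example: read back the Software Restriction Policy that a Computer
# Configuration GPO wrote to this machine. Run after 'gpupdate /force'.
$SrpRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Assumption: the path typed into the "New path rule" dialog (constructed sample).
$ExpectedPath = 'C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe'

function Resolve-SrpName($Map, $Value) {
    # Translate a registry DWORD into the label shown in the policy editor.
    if ($null -eq $Value) { return 'not set' }
    if ($Map.ContainsKey([int]$Value)) { return $Map[[int]$Value] }
    return "unknown ($Value)"
}

function Get-SrpEnforcement {
    param([string]$Root = $SrpRoot)
    if (-not (Test-Path $Root)) { return $null }   # no SRP reached this computer
    $p = Get-ItemProperty -Path $Root
    $levels = @{ 0 = 'Disallowed'; 262144 = 'Unrestricted' }
    $scopes = @{ 0 = 'All users'; 1 = 'All users except local administrators' }
    New-Object PSObject -Property @{
        DefaultLevel = Resolve-SrpName $levels $p.DefaultLevel
        AppliesTo    = Resolve-SrpName $scopes $p.PolicyScope
    }
}

function Get-SrpDisallowedPathRule {
    param([string]$Root = $SrpRoot)
    $paths = Join-Path $Root '0\Paths'             # security level 0 = Disallowed
    if (-not (Test-Path $paths)) { return }
    Get-ChildItem -Path $paths | ForEach-Object {  # one {GUID} subkey per rule
        $rule = Get-ItemProperty -Path $_.PSPath
        New-Object PSObject -Property @{
            RuleId      = $_.PSChildName
            Path        = $rule.ItemData
            Description = $rule.Description
        }
    }
}

$enforcement = Get-SrpEnforcement
if ($null -eq $enforcement) {
    Write-Warning 'No Software Restriction Policy found; check GPO link and OU.'
} else {
    $enforcement | Format-List DefaultLevel, AppliesTo
    $rules = @(Get-SrpDisallowedPathRule)
    $rules | Format-Table Path, Description -AutoSize
    if (-not ($rules | Where-Object { $_.Path -eq $ExpectedPath })) {
        Write-Warning "No Disallowed path rule for $ExpectedPath"
    }
}
```
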


    LVL 47

    Assisted Solution


    Author Closing Comment

    Sorry not to get back to everyone but I was pulled from this project. All of your solutions were feasible. Thanks for the input.
