Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Group Policy Software Restriction Policy prohibits permitted applications from being launched

Posted on 2013-12-13
4
Medium Priority
?
1,034 Views
Last Modified: 2013-12-18
I am testing an implementation of the Software Restriction policy in Group Policy. I have opted for the default of Restricted and then creating exceptions for permitted applications paths. I have allowed Program Files, Program Files (x86), *.lnk, and the path to our EHR program. All seems to work fine when testing. I can open Internet Explorer, MS Office, our EHR, and any other programs loaded in those paths. However, there is an "integration" in our EHR that basically just launches IE and passes the patient name in the URL to the database in the cloud so that we can pull up that patient's imagery. When the GPO is not applied, this works as expected. When the GPO is applied the application launch fails but no message is given as to why. I know the GPO is working because I have tested by trying to launch Process Explorer out of its own directory and it was blocked by policy (as expected). Is there a known issue with permitted applications launching other permitted applications but failing? Has anyone encountered this when they setup similar policy restrictions? I've even tried hashing IE and allowing it that way but there is no change in the behavior.
0
Comment
Question by:VEC-CTO
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
4 Comments
 
LVL 35

Expert Comment

by:Joseph Daly
ID: 39717671
What does the event log say when you get the failed attempt to launch. An event in the application log with details to the path/hash/exe and reason why the app was blocked should be there.
0
 

Author Comment

by:VEC-CTO
ID: 39717688
It says that "Access to C:\Program Files\Internet Explorer\iexplore.exe has been restricted by your Administrator by the default software restriction policy level."

This is weird since I have specifically allowed that path and launching IE natively works just fine.
0
 

Accepted Solution

by:
VEC-CTO earned 0 total points
ID: 39717763
OK... So, strangely, I had to create a path rule that matched the path the EHR program was passing to get to Internet Explorer and that seemed to work. Weirdness...
0
 

Author Closing Comment

by:VEC-CTO
ID: 39726214
Because I figured it out.
0

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A hard and fast method for reducing Active Directory Administrators members.
A bad practice commonly found during an account life cycle is to set its password to an initial, insecure password. The Password Reset Tool was developed to make the password reset process easier and more secure.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
Windows 8 came with a dramatically different user interface known as Metro. Notably missing from that interface was a Start button and Start Menu. Microsoft responded to negative user feedback of the Metro interface, bringing back the Start button a…
Suggested Courses

660 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question