Solved

Group Policy Software Restriction Policy prohibits permitted applications from being launched

Posted on 2013-12-13
4
996 Views
Last Modified: 2013-12-18
I am testing an implementation of the Software Restriction policy in Group Policy. I have opted for the default of Restricted and then creating exceptions for permitted applications paths. I have allowed Program Files, Program Files (x86), *.lnk, and the path to our EHR program. All seems to work fine when testing. I can open Internet Explorer, MS Office, our EHR, and any other programs loaded in those paths. However, there is an "integration" in our EHR that basically just launches IE and passes the patient name in the URL to the database in the cloud so that we can pull up that patient's imagery. When the GPO is not applied, this works as expected. When the GPO is applied the application launch fails but no message is given as to why. I know the GPO is working because I have tested by trying to launch Process Explorer out of its own directory and it was blocked by policy (as expected). Is there a known issue with permitted applications launching other permitted applications but failing? Has anyone encountered this when they setup similar policy restrictions? I've even tried hashing IE and allowing it that way but there is no change in the behavior.
0
Comment
Question by:VEC-CTO
  • 3
4 Comments
 
LVL 35

Expert Comment

by:Joseph Daly
Comment Utility
What does the event log say when you get the failed attempt to launch. An event in the application log with details to the path/hash/exe and reason why the app was blocked should be there.
0
 

Author Comment

by:VEC-CTO
Comment Utility
It says that "Access to C:\Program Files\Internet Explorer\iexplore.exe has been restricted by your Administrator by the default software restriction policy level."

This is weird since I have specifically allowed that path and launching IE natively works just fine.
0
 

Accepted Solution

by:
VEC-CTO earned 0 total points
Comment Utility
OK... So, strangely, I had to create a path rule that matched the path the EHR program was passing to get to Internet Explorer and that seemed to work. Weirdness...
0
 

Author Closing Comment

by:VEC-CTO
Comment Utility
Because I figured it out.
0

Featured Post

Superior storage. Superior surveillance.

WD Purple drives are built for 24/7, always-on, high-definition security systems. With support for up to 8 hard drives and 32 cameras, WD Purple drives are optimized for surveillance.

Join & Write a Comment

No security measures warrant 100% as a "silver bullet". The truth is we also cannot assume anything but a defensive and vigilance posture. Adopt no trust by default and reveal in assumption. Only assume anonymity or invisibility in the reverse. Safe…
When you upgrade from Windows 8 to 8.1 or to Windows 10 or if you are like me you are on the Insider Program you may find yourself with many 450MB recovery partitions.  With a traditional disk that may not be a problem but with relatively smaller SS…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now