Solved

Group Policy Software Restriction Policy prohibits permitted applications from being launched

Posted on 2013-12-13
4
1,019 Views
Last Modified: 2013-12-18
I am testing an implementation of the Software Restriction policy in Group Policy. I have opted for the default of Restricted and then creating exceptions for permitted applications paths. I have allowed Program Files, Program Files (x86), *.lnk, and the path to our EHR program. All seems to work fine when testing. I can open Internet Explorer, MS Office, our EHR, and any other programs loaded in those paths. However, there is an "integration" in our EHR that basically just launches IE and passes the patient name in the URL to the database in the cloud so that we can pull up that patient's imagery. When the GPO is not applied, this works as expected. When the GPO is applied the application launch fails but no message is given as to why. I know the GPO is working because I have tested by trying to launch Process Explorer out of its own directory and it was blocked by policy (as expected). Is there a known issue with permitted applications launching other permitted applications but failing? Has anyone encountered this when they setup similar policy restrictions? I've even tried hashing IE and allowing it that way but there is no change in the behavior.
0
Comment
Question by:VEC-CTO
  • 3
4 Comments
 
LVL 35

Expert Comment

by:Joseph Daly
ID: 39717671
What does the event log say when you get the failed attempt to launch. An event in the application log with details to the path/hash/exe and reason why the app was blocked should be there.
0
 

Author Comment

by:VEC-CTO
ID: 39717688
It says that "Access to C:\Program Files\Internet Explorer\iexplore.exe has been restricted by your Administrator by the default software restriction policy level."

This is weird since I have specifically allowed that path and launching IE natively works just fine.
0
 

Accepted Solution

by:
VEC-CTO earned 0 total points
ID: 39717763
OK... So, strangely, I had to create a path rule that matched the path the EHR program was passing to get to Internet Explorer and that seemed to work. Weirdness...
0
 

Author Closing Comment

by:VEC-CTO
ID: 39726214
Because I figured it out.
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Is your Office 365 signature not working the way you want it to? Are signature updates taking up too much of your time? Let's run through the most common problems that an IT administrator can encounter when dealing with Office 365 email signatures.
In-place Upgrading Dirsync to Azure AD Connect
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

830 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question