Solved

Group Policy Software Restriction Policy prohibits permitted applications from being launched

Posted on 2013-12-13
4
1,005 Views
Last Modified: 2013-12-18
I am testing an implementation of the Software Restriction policy in Group Policy. I have opted for the default of Restricted and then creating exceptions for permitted applications paths. I have allowed Program Files, Program Files (x86), *.lnk, and the path to our EHR program. All seems to work fine when testing. I can open Internet Explorer, MS Office, our EHR, and any other programs loaded in those paths. However, there is an "integration" in our EHR that basically just launches IE and passes the patient name in the URL to the database in the cloud so that we can pull up that patient's imagery. When the GPO is not applied, this works as expected. When the GPO is applied the application launch fails but no message is given as to why. I know the GPO is working because I have tested by trying to launch Process Explorer out of its own directory and it was blocked by policy (as expected). Is there a known issue with permitted applications launching other permitted applications but failing? Has anyone encountered this when they setup similar policy restrictions? I've even tried hashing IE and allowing it that way but there is no change in the behavior.
0
Comment
Question by:VEC-CTO
  • 3
4 Comments
 
LVL 35

Expert Comment

by:Joseph Daly
ID: 39717671
What does the event log say when you get the failed attempt to launch. An event in the application log with details to the path/hash/exe and reason why the app was blocked should be there.
0
 

Author Comment

by:VEC-CTO
ID: 39717688
It says that "Access to C:\Program Files\Internet Explorer\iexplore.exe has been restricted by your Administrator by the default software restriction policy level."

This is weird since I have specifically allowed that path and launching IE natively works just fine.
0
 

Accepted Solution

by:
VEC-CTO earned 0 total points
ID: 39717763
OK... So, strangely, I had to create a path rule that matched the path the EHR program was passing to get to Internet Explorer and that seemed to work. Weirdness...
0
 

Author Closing Comment

by:VEC-CTO
ID: 39726214
Because I figured it out.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Ever notice how you can't use a new drive in Windows without having Windows assigning a Disk Signature?  Ever have a signature collision problem (especially with Virtual Machines?)  This article is intended to help you understand what's going on and…
Container Orchestration platforms empower organizations to scale their apps at an exceptional rate. This is the reason numerous innovation-driven companies are moving apps to an appropriated datacenter wide platform that empowers them to scale at a …
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
Windows 8 came with a dramatically different user interface known as Metro. Notably missing from that interface was a Start button and Start Menu. Microsoft responded to negative user feedback of the Metro interface, bringing back the Start button a…

910 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now