Solved

Group Policy Software Restriction Policy prohibits permitted applications from being launched

Posted on 2013-12-13
4
1,022 Views
Last Modified: 2013-12-18
I am testing an implementation of the Software Restriction policy in Group Policy. I have opted for the default of Restricted and then creating exceptions for permitted applications paths. I have allowed Program Files, Program Files (x86), *.lnk, and the path to our EHR program. All seems to work fine when testing. I can open Internet Explorer, MS Office, our EHR, and any other programs loaded in those paths. However, there is an "integration" in our EHR that basically just launches IE and passes the patient name in the URL to the database in the cloud so that we can pull up that patient's imagery. When the GPO is not applied, this works as expected. When the GPO is applied the application launch fails but no message is given as to why. I know the GPO is working because I have tested by trying to launch Process Explorer out of its own directory and it was blocked by policy (as expected). Is there a known issue with permitted applications launching other permitted applications but failing? Has anyone encountered this when they setup similar policy restrictions? I've even tried hashing IE and allowing it that way but there is no change in the behavior.
0
Comment
Question by:VEC-CTO
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
4 Comments
 
LVL 35

Expert Comment

by:Joseph Daly
ID: 39717671
What does the event log say when you get the failed attempt to launch. An event in the application log with details to the path/hash/exe and reason why the app was blocked should be there.
0
 

Author Comment

by:VEC-CTO
ID: 39717688
It says that "Access to C:\Program Files\Internet Explorer\iexplore.exe has been restricted by your Administrator by the default software restriction policy level."

This is weird since I have specifically allowed that path and launching IE natively works just fine.
0
 

Accepted Solution

by:
VEC-CTO earned 0 total points
ID: 39717763
OK... So, strangely, I had to create a path rule that matched the path the EHR program was passing to get to Internet Explorer and that seemed to work. Weirdness...
0
 

Author Closing Comment

by:VEC-CTO
ID: 39726214
Because I figured it out.
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article runs through the process of deploying a single EXE application selectively to a group of user.
Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

751 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question