Quickly Disabling access to a Windows desktop Application. Possibly Via GPO..


I need to disable access to a windows desktop application rather quickly.  I was looking for input in regards to how others do this ?

How i am currently doing it is via a GPO.  I am blocking the EXE from being run in its location.  The problem is it takes forever for 250 pc's to get hit with this.

What i do is :

- One hour before lockout I put the PC's in the OU with the Blockout GPO applied.
- at time of lockout I reboot the pc's

They do not all seem to get hit with it.. ie locked out of the app.

We are VMware view.. these are virtual desktops.. and we use an app called Unidesk to push out our applications / base image.

Accounting needs our accounting App inaccessible to everyone for year end / month end.  However people scream if they are not allowed into it up until the last moment.

i.e. I can not turn off access and deny the app the night before.

The GPo i currently use Eventually works.. however You need to keep the pc turned off for quite a while.

MY process works fine If there is just ONE pc ( mine ).. however when I up this to 250 machines it's not so fast.

I was just wondering if anyone ever needs to lockout access to an app very quickly.. and how THEY do it.

thanks much !
Who is Participating?
kevinhsiehConnect With a Mentor Commented:
Can you put the application on a file share? If you can, that would allow you to quickly change the share permissions to kick people out.

Whenever we need to kick people out we do it at the application/database level. :-)

Whenever I need to relatively quickly force a group of PCs to do a gpupdate I use Specops Gpupdate, which is a nifty little tool.

Simon Butler (Sembee)ConsultantCommented:
The only other way I can think of doing this is to use groups for permissions.
Setup two groups - one for accounting (who have access always) and one for those that need to be blocked out.
Then create a third group, which is used to actually set the permissions and make both of the other two groups members of that third group.

When you want to remove the access, remove the group of blocked users from the group allowing access. That should be effective pretty quickly. Then when access is to be resumed, add them back in again.

You could list individuals in the group to control access, but that would get tedious removing them each time, then adding them back in again shortly afterwards.

Simon, I don't think you can use nested groups because group membership tokens are created at login, and remain throughout the lifetime of the login. Adding or removing group memberships require a new login session to become effective.
Free tool for managing users' photos in Office 365

Easily upload multiple users’ photos to Office 365. Manage them with an intuitive GUI and use handy built-in cropping and resizing options. Link photos with users based on Azure AD attributes. Free tool!

Simon Butler (Sembee)ConsultantCommented:
If you have the permission set on the application executable (for example), then I am pretty sure that is queried in real time.

You can test, but pretty sure it isn't, because NTFS checks for the SID granting access, which belongs to the group, and those are granted at login and don't change. If the permissions on the executable are changed to remove a group from having access, that works, which is why I asked if program can be run from a share. Changing permissions in 1 location is doable, if you can to do it on every workstation you are back to the same problem of delays getting group policy to apply. Other option is to run a script that changes permissions on every workstation. It would probably need to query AD to get the list of computers to modify.
Is this a client-server application?  If it is, one possibility might be to set up multiple firewall rules on the server. 1 for general access, and 1 limiting access to the authorized PC's.  About 5 minutes before it is necessary, you can send out a message to the users warning them that at 5 min, they will be locked out of the application, when the time arrives, you could script the rules change to the firewall with netsh.exe.

If not, your GPO method should still work, but you'll want to script it out to hit all the machines simultaneously.  You can do that with either powershell (if the machines are current enough), or you could use psexec from Microsoft SysInternals.

Start with a list of all the machines you want to affect: computers.txt

$machines = get-content -path .\computers.txt
$machines | foreach-object { invoke-command -computername $_ -scriptblock { gpupdate.exe /force } -asjob }

Open in new window

for /f %%f in (computers.txt) do psexec \\%f -h gpupdate.exe /force

Open in new window

ossjzbAuthor Commented:
Thank you - The app is Great Plains.. and runs on our SQL server.  I think the problem is just the Slow A/D update.. when i apply the GPO to 300 people at once.  I will try the APP .. may be exactly what im looking for.. I greatly appreciate the help.

thank you.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.