Solved

Quickly disabling access to a Windows desktop application, possibly via GPO

Posted on 2015-01-02
Last Modified: 2015-01-14
Hello,

I need to disable access to a Windows desktop application rather quickly. I was looking for input on how others do this.

How I am currently doing it is via a GPO. I am blocking the EXE from being run in its location. The problem is it takes forever for 250 PCs to get hit with this.

What i do is :

- One hour before lockout I put the PCs in the OU with the Blockout GPO applied.
- At time of lockout I reboot the PCs.

They do not all seem to get hit with it, i.e. locked out of the app.

We are on VMware View; these are virtual desktops, and we use an app called Unidesk to push out our applications / base image.

Accounting needs our accounting app inaccessible to everyone for year end / month end. However, people scream if they are not allowed into it up until the last moment.

i.e. I cannot turn off access and deny the app the night before.

The GPO I currently use eventually works; however, you need to keep the PC turned off for quite a while.

My process works fine if there is just ONE PC (mine); however, when I up this to 250 machines it's not so fast.

I was just wondering if anyone ever needs to lock out access to an app very quickly, and how THEY do it.

Thanks much!
0
Question by:ossjzb
7 Comments
 
LVL 42

Accepted Solution

by:
kevinhsieh earned 500 total points
ID: 40528863
Can you put the application on a file share? If you can, that would allow you to quickly change the share permissions to kick people out.

Whenever we need to kick people out we do it at the application/database level. :-)

Whenever I need to relatively quickly force a group of PCs to do a gpupdate I use Specops Gpupdate, which is a nifty little tool.

http://www.specopssoft.com/products/specops-gpupdate
0
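The share-permission approach from the accepted answer, as an added example that is not code from the thread or from any vendor named in it. It assumes (all placeholders) that the application's files are served from the share GPApp on server APPSRV01 and that users reach it through the AD group CORP\GP-Users; it needs the SmbShare module (Windows Server 2012 / Windows 8 or later) and admin rights on the file server.

```powershell
# Added example, not code from the original thread.
# Assumed names: file server APPSRV01, share GPApp, access group CORP\GP-Users.

$Server    = 'APPSRV01'       # assumed file server
$ShareName = 'GPApp'          # assumed share name
$UserGroup = 'CORP\GP-Users'  # assumed group that is granted access

function Lock-AppShare {
    # Add a Deny ACE rather than removing the Allow ACE: Deny wins over Allow,
    # and leaving the Allow in place means Unlock-AppShare restores exactly the
    # original grant without anyone having to remember which rights it carried.
    Block-SmbShareAccess -CimSession $Server -Name $ShareName `
        -AccountName $UserGroup -Force

    # Share permissions are evaluated when a file handle is opened, so users who
    # already have the EXE or data files open keep working until that handle
    # goes away. Closing those handles server-side ends it immediately; the
    # client application will see I/O errors, so send the warning first.
    $localPath = (Get-SmbShare -CimSession $Server -Name $ShareName).Path
    Get-SmbOpenFile -CimSession $Server |
        Where-Object { $_.Path -like "$localPath*" } |
        Close-SmbOpenFile -Force
}

function Unlock-AppShare {
    # Removes the Deny ACE; the original Allow ACE is untouched.
    Unblock-SmbShareAccess -CimSession $Server -Name $ShareName `
        -AccountName $UserGroup -Force
}

function Get-AppShareStatus {
    # Verify what the server actually enforces: a Deny row next to the Allow
    # row for the group means locked; Allow only means open.
    Get-SmbShareAccess -CimSession $Server -Name $ShareName |
        Select-Object AccountName, AccessControlType, AccessRight
}

# Usage:
# Lock-AppShare; Get-AppShareStatus     # at lockout time
# Unlock-AppShare; Get-AppShareStatus   # when accounting is done
```

The change is made in one place and applies to the next file open on every desktop, which is why it beats waiting for 250 machines to pick up a GPO. It does not stop a process that is already running with everything it needs in memory; for those, the answer's other point applies, kick them out at the application or database level.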
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 40528865
The only other way I can think of doing this is to use groups for permissions.
Setup two groups - one for accounting (who have access always) and one for those that need to be blocked out.
Then create a third group, which is used to actually set the permissions and make both of the other two groups members of that third group.

When you want to remove the access, remove the group of blocked users from the group allowing access. That should be effective pretty quickly. Then when access is to be resumed, add them back in again.

You could list individuals in the group to control access, but that would get tedious removing them each time, then adding them back in again shortly afterwards.

Simon.
0
 
LVL 42

Expert Comment

by:kevinhsieh
ID: 40529284
Simon, I don't think you can use nested groups because group membership tokens are created at login and remain throughout the lifetime of the login. Adding or removing group memberships requires a new login session to become effective.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 40529301
If you have the permission set on the application executable (for example), then I am pretty sure that is queried in real time.

Simon.
0
 
LVL 42

Expert Comment

by:kevinhsieh
ID: 40529347
You can test, but pretty sure it isn't, because NTFS checks for the SID granting access, which belongs to the group, and those are granted at login and don't change. If the permissions on the executable are changed to remove a group from having access, that works, which is why I asked if the program can be run from a share. Changing permissions in one location is doable; if you have to do it on every workstation you are back to the same problem of delays getting group policy to apply. The other option is to run a script that changes permissions on every workstation. It would probably need to query AD to get the list of computers to modify.
0
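The "script that changes permissions on every workstation, with the computer list pulled from AD" option from the comment above, as an added example that is not code from the thread. It assumes (all placeholders) that the application is installed locally at C:\Program Files\GreatPlains\Dynamics.exe, that users are members of CORP\GP-Users, that the desktops sit in OU=VDI,DC=corp,DC=example, and that WinRM is enabled on them; the ActiveDirectory module (RSAT) is needed on the admin machine.

```powershell
# Added example, not code from the original thread.
# Assumed: EXE path, group name, OU and WinRM availability are placeholders.
Import-Module ActiveDirectory

$ExePath    = 'C:\Program Files\GreatPlains\Dynamics.exe'  # assumed local install path
$UserGroup  = 'CORP\GP-Users'                              # assumed user group
$SearchBase = 'OU=VDI,DC=corp,DC=example'                  # assumed OU of the desktops

# Enumerate targets from AD instead of a hand-maintained computers.txt.
function Get-TargetComputers {
    Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase |
        Select-Object -ExpandProperty DNSHostName
}

# Runs on each workstation: add (or remove) a Deny ACE for ReadAndExecute on
# the EXE. NTFS evaluates the ACL on every file open, so the change applies to
# the next launch without waiting for Group Policy or a fresh logon.
$aclScript = {
    param([string]$Path, [string]$Account, [bool]$Lock)
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Account, 'ReadAndExecute', 'Deny')
    if ($Lock) { $acl.AddAccessRule($rule) } else { [void]$acl.RemoveAccessRule($rule) }
    Set-Acl -Path $Path -AclObject $acl

    # Report what the workstation actually has now, so the caller can verify
    # rather than assume.
    $deny = (Get-Acl -Path $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Deny' -and $_.IdentityReference -eq $Account }
    [pscustomobject]@{ Computer = $env:COMPUTERNAME; DenyPresent = [bool]$deny }
}

function Set-AppLock {
    param([Parameter(Mandatory)][bool]$Lock)
    $computers = Get-TargetComputers
    # Fan out in parallel; ThrottleLimit stops the admin box opening 250 sessions at once.
    $results = Invoke-Command -ComputerName $computers -ScriptBlock $aclScript `
        -ArgumentList $ExePath, $UserGroup, $Lock -ThrottleLimit 32 `
        -ErrorAction SilentlyContinue -ErrorVariable failed
    $results | Sort-Object Computer | Format-Table Computer, DenyPresent
    # Machines that were off or unreachable are the ones still needing attention.
    $failed | ForEach-Object { Write-Warning "Unreachable: $($_.TargetObject)" }
}

# Usage:
# Set-AppLock -Lock $true    # deny launches
# Set-AppLock -Lock $false   # restore
```

The per-machine result and the list of unreachable hosts are the point: with the GPO approach the original poster could not tell which of the 250 desktops had actually received the block. As with the share approach, a copy of the application that is already running is not affected by the new ACE; only new launches are.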
 
LVL 24

Expert Comment

by:Coralon
ID: 40529445
Is this a client-server application? If it is, one possibility might be to set up multiple firewall rules on the server: one for general access, and one limiting access to the authorized PCs. About 5 minutes before it is necessary, you can send out a message to the users warning them that in 5 minutes they will be locked out of the application; when the time arrives, you could script the rule change to the firewall with netsh.exe.

If not, your GPO method should still work, but you'll want to script it out to hit all the machines simultaneously. You can do that with either PowerShell (if the machines are current enough), or you could use psexec from Microsoft Sysinternals.

Start with a list of all the machines you want to affect: computers.txt

PowerShell:
$machines = Get-Content -Path .\computers.txt
$machines | ForEach-Object { Invoke-Command -ComputerName $_ -ScriptBlock { gpupdate.exe /force } -AsJob }

Batch (in a .cmd file the loop variable must be %%f in both places; use a single % if you type it at the prompt):
for /f %%f in (computers.txt) do psexec \\%%f -h gpupdate.exe /force


Coralon
0
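The two-rule firewall approach from the comment above, as an added example that is not code from the thread; it wraps the netsh.exe commands the comment names. It runs elevated on the application / database server and assumes (all placeholders) that clients connect to TCP 1433 (SQL Server's default port), that the accounting PCs that keep access are 10.10.5.21 and 10.10.5.22, and that the rule names are ours. The status check uses the NetSecurity cmdlets available on Windows Server 2012 and later.

```powershell
# Added example, not code from the original thread. Run elevated on the server.
# Assumed: port 1433, the two accounting IP addresses, and the rule names.

$Port           = 1433                       # assumed application/SQL port
$Authorized     = '10.10.5.21,10.10.5.22'    # assumed accounting workstations
$GeneralRule    = 'GP-Allow-Everyone'
$RestrictedRule = 'GP-Allow-Accounting'

function Initialize-AppFirewallRules {
    # Create both rules once, ahead of time. Month-end then only flips the
    # enable flag: one command each way and nothing to type under pressure.
    netsh advfirewall firewall add rule "name=$GeneralRule" dir=in action=allow `
        protocol=TCP "localport=$Port" enable=yes
    netsh advfirewall firewall add rule "name=$RestrictedRule" dir=in action=allow `
        protocol=TCP "localport=$Port" "remoteip=$Authorized" enable=no
}

function Set-AppLockout {
    param([Parameter(Mandatory)][bool]$Locked)
    $general = if ($Locked) { 'no' }  else { 'yes' }
    $limited = if ($Locked) { 'yes' } else { 'no' }
    netsh advfirewall firewall set rule "name=$GeneralRule"    new enable=$general
    netsh advfirewall firewall set rule "name=$RestrictedRule" new enable=$limited
}

function Get-AppPortAllowRules {
    # Disabling the general rule only blocks if no OTHER enabled inbound allow
    # rule covers the port (SQL Server setup, for example, may have created one).
    # List every such rule so the lockout can be verified instead of assumed:
    # while locked, only $RestrictedRule should appear.
    Get-NetFirewallPortFilter -PolicyStore ActiveStore |
        Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains "$Port" } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
        Select-Object DisplayName, Enabled, Profile
}

# Usage:
# Initialize-AppFirewallRules          # once
# Set-AppLockout -Locked $true         # at lockout time, after the 5-minute warning
# Get-AppPortAllowRules                # confirm only GP-Allow-Accounting is enabled
# Set-AppLockout -Locked $false        # when month-end is finished
```

This only changes what new connections are admitted; do not assume it drops client sessions that were already established before the flip, check with netstat on the server and, if needed, disconnect those at the application or database level as the accepted answer suggests. The 5-minute warning in the comment can be sent to each desktop with the built-in msg.exe in a loop over the same computer list.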
 

Author Closing Comment

by:ossjzb
ID: 40549407
Thank you. The app is Great Plains and runs on our SQL server. I think the problem is just the slow A/D update when I apply the GPO to 300 people at once. I will try the app; it may be exactly what I'm looking for. I greatly appreciate the help.

thank you.
0
