Solved

Quickly disabling access to a Windows desktop application, possibly via GPO

Posted on 2015-01-02
Last Modified: 2015-01-14
Hello,

I need to disable access to a Windows desktop application rather quickly.  I was looking for input in regards to how others do this?

How I am currently doing it is via a GPO.  I am blocking the EXE from being run in its location.  The problem is it takes forever for 250 PCs to get hit with this.

What I do is:

- One hour before lockout I put the PCs in the OU with the Blockout GPO applied.
- At time of lockout I reboot the PCs.

They do not all seem to get hit with it, i.e. locked out of the app.

We are VMware View. These are virtual desktops, and we use an app called Unidesk to push out our applications / base image.

Accounting needs our accounting app inaccessible to everyone for year end / month end.  However, people scream if they are not allowed into it up until the last moment.

I.e. I cannot turn off access and deny the app the night before.

The GPO I currently use eventually works. However, you need to keep the PC turned off for quite a while.

My process works fine if there is just ONE PC (mine). However, when I up this to 250 machines it's not so fast.

I was just wondering if anyone ever needs to lock out access to an app very quickly, and how THEY do it.

Thanks much!
Question by:ossjzb
7 Comments
 
LVL 42

Accepted Solution

by:
kevinhsieh earned 500 total points
ID: 40528863
Can you put the application on a file share? If you can, that would allow you to quickly change the share permissions to kick people out.

Whenever we need to kick people out we do it at the application/database level. :-)

Whenever I need to relatively quickly force a group of PCs to do a gpupdate I use Specops Gpupdate, which is a nifty little tool.

http://www.specopssoft.com/products/specops-gpupdate
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 40528865
The only other way I can think of doing this is to use groups for permissions.
Set up two groups - one for accounting (who have access always) and one for those that need to be blocked out.
Then create a third group, which is used to actually set the permissions and make both of the other two groups members of that third group.

When you want to remove the access, remove the group of blocked users from the group allowing access. That should be effective pretty quickly. Then when access is to be resumed, add them back in again.

You could list individuals in the group to control access, but that would get tedious removing them each time, then adding them back in again shortly afterwards.

Simon.
 
LVL 42

Expert Comment

by:kevinhsieh
ID: 40529284
Simon, I don't think you can use nested groups because group membership tokens are created at login, and remain throughout the lifetime of the login. Adding or removing group memberships requires a new login session to become effective.
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 40529301
If you have the permission set on the application executable (for example), then I am pretty sure that is queried in real time.

Simon.
 
LVL 42

Expert Comment

by:kevinhsieh
ID: 40529347
You can test, but pretty sure it isn't, because NTFS checks for the SID granting access, which belongs to the group, and those are granted at login and don't change. If the permissions on the executable are changed to remove a group from having access, that works, which is why I asked if the program can be run from a share. Changing permissions in 1 location is doable; if you have to do it on every workstation you are back to the same problem of delays getting group policy to apply. The other option is to run a script that changes permissions on every workstation. It would probably need to query AD to get the list of computers to modify.
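One way to script the per-workstation permission change described in the comment above, as an added example that is not code from this thread. It adds an explicit deny ACE instead of removing an allow entry; the OU, executable path and group name are assumed placeholders, the group must already be in the users' logon tokens, and it assumes the ActiveDirectory module and PowerShell remoting are available.

```powershell
# Added example: push an NTFS deny ACE on the application EXE to every desktop in an OU.
# All names and paths below are placeholders, not values from the thread.
Import-Module ActiveDirectory

$SearchBase = 'OU=VDI Desktops,DC=example,DC=local'           # assumed OU
$ExePath    = 'C:\Program Files (x86)\AccountingApp\App.exe'  # placeholder path
$Group      = 'EXAMPLE\AppUsers-NonAccounting'                # group held since logon
$Mode       = 'Lock'                                          # 'Lock' or 'Unlock'

# Query AD for the machines instead of maintaining a text file.
$computers = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase |
    Select-Object -ExpandProperty DNSHostName

$icm = @{
    ComputerName  = $computers
    ThrottleLimit = 64                      # run against many machines in parallel
    ErrorAction   = 'SilentlyContinue'
    ErrorVariable = 'failed'                # collects machines that could not be reached
    ArgumentList  = $ExePath, $Group, $Mode
}
$results = Invoke-Command @icm -ScriptBlock {
    param($Path, $Principal, $Action)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Status = 'ExeMissing' }
    }
    if ($Action -eq 'Lock') {
        # Explicit deny for read+execute; checked the next time the EXE is opened.
        icacls.exe $Path /deny "${Principal}:(RX)" | Out-Null
    } else {
        # Remove only the deny ACEs for this principal.
        icacls.exe $Path /remove:d $Principal | Out-Null
    }
    [pscustomobject]@{
        Status = if ($LASTEXITCODE -eq 0) { $Action } else { "icacls exit $LASTEXITCODE" }
    }
}

# Report per machine, and list the ones that were missed so they can be retried.
$results | Sort-Object PSComputerName | Format-Table PSComputerName, Status -AutoSize
$failed  | ForEach-Object { Write-Warning "Failed: $($_.TargetObject) $($_.Exception.Message)" }
```

The deny ACE is evaluated when the file is opened, so copies of the application that are already running keep running until they are closed.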
 
LVL 23

Expert Comment

by:Coralon
ID: 40529445
Is this a client-server application?  If it is, one possibility might be to set up multiple firewall rules on the server: 1 for general access, and 1 limiting access to the authorized PCs.  About 5 minutes before it is necessary, you can send out a message to the users warning them that at 5 min, they will be locked out of the application. When the time arrives, you could script the rules change to the firewall with netsh.exe.

If not, your GPO method should still work, but you'll want to script it out to hit all the machines simultaneously.  You can do that with either PowerShell (if the machines are current enough), or you could use PsExec from Microsoft Sysinternals.

Start with a list of all the machines you want to affect: computers.txt

PowerShell:
# Read the machine list, then start gpupdate on each machine as a background job
$machines = Get-Content -Path .\computers.txt
$machines | ForEach-Object { Invoke-Command -ComputerName $_ -ScriptBlock { gpupdate.exe /force } -AsJob }

Batch:
rem Inside a .bat file the loop variable is %%f everywhere, including after the backslashes
for /f %%f in (computers.txt) do psexec \\%%f -h gpupdate.exe /force


Coralon
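The server-side firewall switch suggested in the comment above, as an added example that is not code from this thread. The rule names, client addresses and port are assumptions (1433 is the SQL Server default), and it only works if inbound traffic is blocked by default and no other rule already allows that port.

```powershell
# Added example; run elevated on the application server. Names, port and IPs are placeholders.
$Port          = 1433                      # assumed: SQL Server default TCP port
$GeneralRule   = 'AcctApp-AllClients'      # hypothetical rule name
$LimitedRule   = 'AcctApp-AccountingOnly'  # hypothetical rule name
$AccountingPCs = '192.0.2.10,192.0.2.11'   # constructed addresses (documentation range)

function Invoke-Netsh {
    # Run one "netsh advfirewall firewall" command and stop on failure.
    param([string[]]$NetshArgs)
    $out = & netsh.exe advfirewall firewall @NetshArgs 2>&1
    if ($LASTEXITCODE -ne 0) { throw "netsh $($NetshArgs -join ' ') failed: $out" }
}

function Initialize-AppRules {
    # One-time setup: general rule enabled, accounting-only rule staged but disabled.
    Invoke-Netsh @('add', 'rule', "name=$GeneralRule", 'dir=in', 'action=allow',
                   'protocol=TCP', "localport=$Port", 'enable=yes')
    Invoke-Netsh @('add', 'rule', "name=$LimitedRule", 'dir=in', 'action=allow',
                   'protocol=TCP', "localport=$Port", "remoteip=$AccountingPCs", 'enable=no')
}

function Set-AppLockout {
    param([Parameter(Mandatory)][bool]$Locked)
    if ($Locked) {
        # Enable the narrow rule first so accounting is never cut off.
        Invoke-Netsh @('set', 'rule', "name=$LimitedRule", 'new', 'enable=yes')
        Invoke-Netsh @('set', 'rule', "name=$GeneralRule", 'new', 'enable=no')
    } else {
        # Restore general access before retiring the narrow rule.
        Invoke-Netsh @('set', 'rule', "name=$GeneralRule", 'new', 'enable=yes')
        Invoke-Netsh @('set', 'rule', "name=$LimitedRule", 'new', 'enable=no')
    }
}

# Typical use:
#   Initialize-AppRules              # once, ahead of time
#   Set-AppLockout -Locked $true     # at the start of month-end close
#   Set-AppLockout -Locked $false    # when the close is finished
```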
 

Author Closing Comment

by:ossjzb
ID: 40549407
Thank you - the app is Great Plains, and runs on our SQL server.  I think the problem is just the slow A/D update when I apply the GPO to 300 people at once.  I will try the app; it may be exactly what I'm looking for. I greatly appreciate the help.

Thank you.