Solved

Quickly Disabling access to a Windows desktop Application. Possibly Via GPO..

Posted on 2015-01-02
Last Modified: 2015-01-14
Hello,

I need to disable access to a Windows desktop application rather quickly.  I was looking for input in regards to how others do this?

How I am currently doing it is via a GPO.  I am blocking the EXE from being run in its location.  The problem is it takes forever for 250 PCs to get hit with this.

What I do is:

- One hour before lockout I put the PCs in the OU with the Blockout GPO applied.
- At time of lockout I reboot the PCs.

They do not all seem to get hit with it, i.e. locked out of the app.

We are VMware View.. these are virtual desktops.. and we use an app called Unidesk to push out our applications / base image.

Accounting needs our accounting app inaccessible to everyone for year end / month end.  However, people scream if they are not allowed into it up until the last moment.

I.e. I cannot turn off access and deny the app the night before.

The GPO I currently use eventually works.. however you need to keep the PC turned off for quite a while.

MY process works fine if there is just ONE PC (mine).. however when I up this to 250 machines it's not so fast.

I was just wondering if anyone ever needs to lockout access to an app very quickly.. and how THEY do it.

thanks much !
0
Comment
Question by:ossjzb
7 Comments
 
LVL 42

Accepted Solution

by:
kevinhsieh earned 500 total points
ID: 40528863
Can you put the application on a file share? If you can, that would allow you to quickly change the share permissions to kick people out.

Whenever we need to kick people out we do it at the application/database level. :-)

Whenever I need to relatively quickly force a group of PCs to do a gpupdate I use Specops Gpupdate, which is a nifty little tool.

http://www.specopssoft.com/products/specops-gpupdate
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 40528865
The only other way I can think of doing this is to use groups for permissions.
Set up two groups - one for accounting (who have access always) and one for those that need to be blocked out.
Then create a third group, which is used to actually set the permissions and make both of the other two groups members of that third group.

When you want to remove the access, remove the group of blocked users from the group allowing access. That should be effective pretty quickly. Then when access is to be resumed, add them back in again.

You could list individuals in the group to control access, but that would get tedious removing them each time, then adding them back in again shortly afterwards.

Simon.
0
 
LVL 42

Expert Comment

by:kevinhsieh
ID: 40529284
Simon, I don't think you can use nested groups because group membership tokens are created at login, and remain throughout the lifetime of the login. Adding or removing group memberships requires a new login session to become effective.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 40529301
If you have the permission set on the application executable (for example), then I am pretty sure that is queried in real time.

Simon.
0
 
LVL 42

Expert Comment

by:kevinhsieh
ID: 40529347
You can test, but pretty sure it isn't, because NTFS checks for the SID granting access, which belongs to the group, and those are granted at login and don't change. If the permissions on the executable are changed to remove a group from having access, that works, which is why I asked if the program can be run from a share. Changing permissions in 1 location is doable; if you have to do it on every workstation you are back to the same problem of delays getting group policy to apply. Other option is to run a script that changes permissions on every workstation. It would probably need to query AD to get the list of computers to modify.
0
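The last option in the comment above (a script that queries AD for the workstations and changes permissions on each one) could look like this. It is an added example, not code from the thread; it assumes the ActiveDirectory module and PowerShell remoting are available, and the OU, executable path and group name are placeholders.

```powershell
#Requires -Modules ActiveDirectory
# Added example. The OU, executable path and group are placeholders, not values from the thread.
param(
    [ValidateSet('Block', 'Unblock')]
    [string]$Action     = 'Block',
    [string]$SearchBase = 'OU=ExampleDesktops,DC=example,DC=com',  # placeholder OU
    [string]$ExePath    = 'C:\Program Files\ExampleApp\app.exe',   # placeholder path
    [string]$Group      = 'EXAMPLE\AppLockoutUsers'                # placeholder group
)

# Query AD for the enabled computer accounts in the target OU.
$computers = @(Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase |
    Where-Object DNSHostName | Select-Object -ExpandProperty DNSHostName)

# Change the ACL on every workstation in parallel. The deny entry names a group whose
# membership never changes, so its SID is already in each user's logon token.
$results = @(Invoke-Command -ComputerName $computers -ThrottleLimit 64 `
    -ErrorAction SilentlyContinue -ArgumentList $Action, $ExePath, $Group -ScriptBlock {
        param($Action, $ExePath, $Group)
        if (-not (Test-Path -LiteralPath $ExePath)) {
            return [pscustomobject]@{ Ok = $false; Detail = 'executable not found' }
        }
        $out = if ($Action -eq 'Block') {
            icacls.exe $ExePath /deny "${Group}:(RX)" 2>&1     # add explicit deny read/execute
        } else {
            icacls.exe $ExePath /remove:d $Group 2>&1          # remove only the deny entry
        }
        [pscustomobject]@{ Ok = ($LASTEXITCODE -eq 0); Detail = ($out -join ' ') }
    })

# Machines that were off or unreachable returned nothing; list them for a retry.
$missed = @($computers | Where-Object { $_ -notin $results.PSComputerName })
$failed = @($results | Where-Object { -not $_.Ok })

"{0}: {1} ok, {2} failed, {3} unreachable" -f $Action,
    ($results.Count - $failed.Count), $failed.Count, $missed.Count
$failed | Select-Object PSComputerName, Detail
$missed
```

File access is checked when the executable is opened, so the deny entry stops new launches; copies of the application that are already running stay open until they are closed.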
 
LVL 25

Expert Comment

by:Coralon
ID: 40529445
Is this a client-server application?  If it is, one possibility might be to set up multiple firewall rules on the server: 1 for general access, and 1 limiting access to the authorized PCs.  About 5 minutes before it is necessary, you can send out a message to the users warning them that at 5 min, they will be locked out of the application. When the time arrives, you could script the rules change to the firewall with netsh.exe.

If not, your GPO method should still work, but you'll want to script it out to hit all the machines simultaneously.  You can do that with either PowerShell (if the machines are current enough), or you could use psexec from Microsoft Sysinternals.

Start with a list of all the machines you want to affect: computers.txt

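PowerShell:
# Read the target machine names, one per line
$machines = Get-Content -Path .\computers.txt
# Start gpupdate on each machine as a background job so they all run in parallel
$machines | ForEach-Object { Invoke-Command -ComputerName $_ -ScriptBlock { gpupdate.exe /force } -AsJob }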

Batch:
rem In a batch file the loop variable must be written %%f everywhere
for /f %%f in (computers.txt) do psexec \\%%f -h gpupdate.exe /force


Coralon
0
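The firewall approach in the first paragraph of the post above, scripted with netsh.exe from an elevated PowerShell prompt on the server. This is an added example, not code from the thread; the rule names, port and addresses are placeholders, and it assumes the server's default inbound action is block with no other rule allowing that port.

```powershell
# Added example; rule names, port and addresses are placeholders, not from the thread.
param([ValidateSet('Setup', 'Lock', 'Unlock')] [string]$Mode = 'Lock')

$General    = 'ExampleApp-General'         # allows every client
$Restricted = 'ExampleApp-AccountingOnly'  # allows only the listed PCs
$Port       = '1433'                       # placeholder: port the application's server listens on
$AllowedIPs = '192.0.2.10,192.0.2.11'      # placeholder accounting workstations

function Invoke-Netsh {
    # Run "netsh advfirewall firewall ..." and stop on the first failure,
    # so a half-applied switch is noticed immediately.
    $out = & netsh.exe advfirewall firewall @args 2>&1
    if ($LASTEXITCODE -ne 0) { throw "netsh $($args -join ' ') failed: $out" }
}

switch ($Mode) {
    'Setup' {
        # One-time creation: the general rule starts enabled, the restricted one disabled.
        Invoke-Netsh add rule "name=$General" dir=in action=allow protocol=TCP "localport=$Port"
        Invoke-Netsh add rule "name=$Restricted" dir=in action=allow protocol=TCP `
            "localport=$Port" "remoteip=$AllowedIPs" enable=no
    }
    'Lock' {
        # Enable the narrow rule first so the authorized PCs never lose access.
        Invoke-Netsh set rule "name=$Restricted" new enable=yes
        Invoke-Netsh set rule "name=$General" new enable=no
    }
    'Unlock' {
        Invoke-Netsh set rule "name=$General" new enable=yes
        Invoke-Netsh set rule "name=$Restricted" new enable=no
    }
}

# Print the resulting state of both rules for the change record.
& netsh.exe advfirewall firewall show rule "name=$General"
& netsh.exe advfirewall firewall show rule "name=$Restricted"
```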
 

Author Closing Comment

by:ossjzb
ID: 40549407
Thank you - The app is Great Plains.. and runs on our SQL server.  I think the problem is just the slow A/D update.. when I apply the GPO to 300 people at once.  I will try the APP .. may be exactly what I'm looking for.. I greatly appreciate the help.

thank you.
0
