• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 152
  • Last Modified:

Quickly Disabling access to a Windows desktop Application. Possibly Via GPO..

Hello,

I need to disable access to a windows desktop application rather quickly.  I was looking for input in regards to how others do this ?

How i am currently doing it is via a GPO.  I am blocking the EXE from being run in its location.  The problem is it takes forever for 250 pc's to get hit with this.

What i do is :

- One hour before lockout I put the PC's in the OU with the Blockout GPO applied.
- at time of lockout I reboot the pc's

They do not all seem to get hit with it.. ie locked out of the app.

We are VMware view.. these are virtual desktops.. and we use an app called Unidesk to push out our applications / base image.

Accounting needs our accounting App inaccessible to everyone for year end / month end.  However people scream if they are not allowed into it up until the last moment.

i.e. I can not turn off access and deny the app the night before.

The GPo i currently use Eventually works.. however You need to keep the pc turned off for quite a while.

MY process works fine If there is just ONE pc ( mine ).. however when I up this to 250 machines it's not so fast.

I was just wondering if anyone ever needs to lockout access to an app very quickly.. and how THEY do it.

thanks much !
0
ossjzb
Asked:
ossjzb
1 Solution
 
kevinhsiehCommented:
Can you put the application on a file share? If you can, that would allow you to quickly change the share permissions to kick people out.

Whenever we need to kick people out we do it at the application/database level. :-)

Whenever I need to relatively quickly force a group of PCs to do a gpupdate I use Specops Gpupdate, which is a nifty little tool.

http://www.specopssoft.com/products/specops-gpupdate
0
 
Simon Butler (Sembee)ConsultantCommented:
The only other way I can think of doing this is to use groups for permissions.
Setup two groups - one for accounting (who have access always) and one for those that need to be blocked out.
Then create a third group, which is used to actually set the permissions and make both of the other two groups members of that third group.

When you want to remove the access, remove the group of blocked users from the group allowing access. That should be effective pretty quickly. Then when access is to be resumed, add them back in again.

You could list individuals in the group to control access, but that would get tedious removing them each time, then adding them back in again shortly afterwards.

Simon.
0
 
kevinhsiehCommented:
Simon, I don't think you can use nested groups because group membership tokens are created at login, and remain throughout the lifetime of the login. Adding or removing group memberships require a new login session to become effective.
0
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

 
Simon Butler (Sembee)ConsultantCommented:
If you have the permission set on the application executable (for example), then I am pretty sure that is queried in real time.

Simon.
0
 
kevinhsiehCommented:
You can test, but pretty sure it isn't, because NTFS checks for the SID granting access, which belongs to the group, and those are granted at login and don't change. If the permissions on the executable are changed to remove a group from having access, that works, which is why I asked if program can be run from a share. Changing permissions in 1 location is doable, if you can to do it on every workstation you are back to the same problem of delays getting group policy to apply. Other option is to run a script that changes permissions on every workstation. It would probably need to query AD to get the list of computers to modify.
0
 
CoralonCommented:
Is this a client-server application?  If it is, one possibility might be to set up multiple firewall rules on the server. 1 for general access, and 1 limiting access to the authorized PC's.  About 5 minutes before it is necessary, you can send out a message to the users warning them that at 5 min, they will be locked out of the application, when the time arrives, you could script the rules change to the firewall with netsh.exe.

If not, your GPO method should still work, but you'll want to script it out to hit all the machines simultaneously.  You can do that with either powershell (if the machines are current enough), or you could use psexec from Microsoft SysInternals.

Start with a list of all the machines you want to affect: computers.txt

Powershell:
$machines = get-content -path .\computers.txt
$machines | foreach-object { invoke-command -computername $_ -scriptblock { gpupdate.exe /force } -asjob }

Open in new window


Batch:
for /f %%f in (computers.txt) do psexec \\%f -h gpupdate.exe /force

Open in new window




Coralon
0
 
ossjzbAuthor Commented:
Thank you - The app is Great Plains.. and runs on our SQL server.  I think the problem is just the Slow A/D update.. when i apply the GPO to 300 people at once.  I will try the APP .. may be exactly what im looking for.. I greatly appreciate the help.

thank you.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Upgrade your Question Security!

Your question, your audience. Choose who sees your identity—and your question—with question security.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now