Solved

Windows Server Group Policy Whitelist

Posted on 2015-01-15
1
82 Views
Last Modified: 2015-02-22
Hi -

I recently added a system based group policy the stop exe files from running in app data (see below) I have a program that users must run under "C:\Users\%username%\AppData\Local\BroadIn" But cant ont seems to add the exception the the group policy.

I tried...

Path:  %USERPROFILE%:\AppData\Local\BroadIn\*.exe but it did not seem to work
Security Level: Unrestricted

But it did not seem to work....

Any help would be appreciated.

----------------------------------------------------------------------------------------------------------------------------------------------------------
Computer Configuration –> Policies –> Windows Settings –> Security Settings –> Software Restriction Policies

Path: %localAppData%\*.exe
Security Level: Disallowed
Description: Don’t allow executables from AppData (Win 7)

Path: %localAppData%\*\*.exe
Security Level: Disallowed
Description: Don’t allow executables from AppData subfolders (Win 7)

Path: %localAppData%\Temp\*.zip\*.exe
Security Level: Disallowed
Description: Prevent unarchived executables in email attachments from running in the user space (Win 7)

Path: %localAppData%\Temp\7z*\*.exe
Security Level: Disallowed
Description: Prevent 7zipped executables in email attachments from running in the user space (Win 7)

Path: %localAppData%\Temp\Rar*\*.exe
Security Level: Disallowed
Description: Prevent Rar executables in email attachments from running in the user space (Win 7)

Path: %localAppData%\Temp\wz*\*.exe
Security Level: Disallowed
Description: Prevent Winzip executables in email attachments from running in the user space (Win 7)

The following paths are for Windows XP machines (if you still have them; I put these in just in case with the same disallow security settings)
%AppData%\*.exe
%AppData%*\*\*.exe
0
Comment
Question by:doctor069
1 Comment
 
LVL 47

Accepted Solution

by:
dstewartjr earned 500 total points
Comment Utility
Try using the path

%localAppData%\*\ACTUALFILENAMEHERE.exe

with unrestricted.

This way until the filename actually matches what you have placed here, it wont run.
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

Introduction You may have a need to setup a group of users to allow local administrative access on workstations.  In a domain environment this can easily be achieved with Restricted Groups and Group Policies. This article will demonstrate how to…
New Windows 7 Installations take days for Windows-Updates to show up and install. This can easily be fixed. I have finally decided to write an article because this seems to get asked several times a day lately. This Article and the Links apply to…
This tutorial will walk an individual through locating and launching the BEUtility application and how to execute it on the appropriate database. Log onto the server running the Backup Exec database. In a larger environment, this would generally be …
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now