Solved

Windows Server Group Policy Whitelist

Posted on 2015-01-15
Last Modified: 2015-02-22
Hi -

I recently added a system-based group policy to stop exe files from running in AppData (see below). I have a program that users must run under "C:\Users\%username%\AppData\Local\BroadIn", but I can't seem to add the exception to the group policy.

I tried...

Path:  %USERPROFILE%:\AppData\Local\BroadIn\*.exe but it did not seem to work
Security Level: Unrestricted

But it did not seem to work....

Any help would be appreciated.

----------------------------------------------------------------------------------------------------------------------------------------------------------
Computer Configuration –> Policies –> Windows Settings –> Security Settings –> Software Restriction Policies

Path: %localAppData%\*.exe
Security Level: Disallowed
Description: Don’t allow executables from AppData (Win 7)

Path: %localAppData%\*\*.exe
Security Level: Disallowed
Description: Don’t allow executables from AppData subfolders (Win 7)

Path: %localAppData%\Temp\*.zip\*.exe
Security Level: Disallowed
Description: Prevent unarchived executables in email attachments from running in the user space (Win 7)

Path: %localAppData%\Temp\7z*\*.exe
Security Level: Disallowed
Description: Prevent 7zipped executables in email attachments from running in the user space (Win 7)

Path: %localAppData%\Temp\Rar*\*.exe
Security Level: Disallowed
Description: Prevent Rar executables in email attachments from running in the user space (Win 7)

Path: %localAppData%\Temp\wz*\*.exe
Security Level: Disallowed
Description: Prevent Winzip executables in email attachments from running in the user space (Win 7)

The following paths are for Windows XP machines (if you still have them; I put these in just in case with the same disallow security settings)
%AppData%\*.exe
%AppData%*\*\*.exe
Question by:doctor069
Accepted Solution

by:
Donald Stewart earned 500 total points
ID: 40551507
Try using the path

%localAppData%\*\ACTUALFILENAMEHERE.exe

with unrestricted.

This way, until the filename actually matches what you have placed here, it won't run.
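
One way to confirm which path rules actually reached a client after `gpupdate /force` is to read them back from the registry. This is an added example, not part of the original thread; it assumes the rules are machine-scope Software Restriction Policies as in the question, and `Get-SrpPathRule` is a hypothetical helper name.

```powershell
# Added example (not from the thread). Machine-scope SRP path rules are stored
# under this policy key: level 0 = Disallowed, 262144 = Unrestricted.
$base   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$levels = [ordered]@{ '0' = 'Disallowed'; '262144' = 'Unrestricted' }

function Get-SrpPathRule {   # hypothetical helper name
    foreach ($id in $levels.Keys) {
        $pathsKey = Join-Path $base "$id\Paths"
        if (-not (Test-Path $pathsKey)) { continue }
        foreach ($rule in Get-ChildItem $pathsKey) {
            # Read ItemData unexpanded so the rule is shown exactly as written in the GPO.
            $raw = [string]$rule.GetValue('ItemData', '', 'DoNotExpandEnvironmentNames')
            [pscustomobject]@{
                Level       = $levels[$id]
                Path        = $raw
                # Expanded for the account running this script, not for every user.
                Expanded    = [Environment]::ExpandEnvironmentVariables($raw)
                Description = [string]$rule.GetValue('Description', '')
                RuleId      = $rule.PSChildName
            }
        }
    }
}

$rules = @(Get-SrpPathRule)
$rules | Sort-Object Level, Path | Format-Table Level, Path, Description -AutoSize

# Exceptions like the one discussed above are Unrestricted rules under the user profile.
$allow = @($rules | Where-Object {
    $_.Level -eq 'Unrestricted' -and
    ($_.Path -like '%localAppData%*' -or $_.Path -like '%USERPROFILE%*')
})
if ($allow.Count -eq 0) {
    Write-Warning 'No Unrestricted path rule under the user profile was found on this machine.'
} else {
    $allow | Format-List Path, Expanded, Description
}

# A '%' left after expansion is an unresolved variable or a registry-path reference.
$rules | Where-Object { $_.Expanded -like '*%*' } |
    Format-Table Level, Path, Expanded -AutoSize
```

Comparing the `Path` and `Expanded` columns for the exception rule against the real location of the executable shows whether the rule as typed resolves to the folder the program runs from.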