Solved

Create AppLocker rule in GPO for a local user account

Posted on 2015-01-30
3
589 Views
Last Modified: 2015-02-06
I would like to create an applocker rule in a GPO that applies to a local user that has been created on a group of machines.  When I assign an applocker rule, it doesn't let me enter a user, but forces me to select a domain user or a local user that exists on the machine I am using to edit the GPO.

I tried just creating the user on my machine I am using to edit the GPO, but it seems to tie the rule to the SID for that account on that computer which certainly wouldn't be the same SID on all of the other computers.  They would have different SID's for the local account.

How can I apply an applocker rule to a local user in a GPO?
0
Comment
Question by:gacus
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 34

Expert Comment

by:Seth Simmons
ID: 40580645
you can't create a GPO for a local account
GPO is applied to an OU which implies domain accounts
0
 
LVL 1

Author Comment

by:gacus
ID: 40580660
That is not true.  GPO apply to either to computers or users(domain accounts).  In this case the Applocker policy applies to the computer machine policy.  Within the Applocker policy rules you can select the users that this applies to.  You can clearly select "Everyone" which includes local users and the (LOCAL) BUILTIN\Administrator.  I just want to specify a different local account.

All of my computers that I am referring to are joined to the domain and I am applying the policy to the machine.
0
 
LVL 37

Accepted Solution

by:
Mahesh earned 500 total points
ID: 40582766
You can't apply to Applocker rule to single local user account from domain based GPO

Your rule will be applied to all local users including administrator on specific group of machines (when you apply rule to everyone) and to domain users who will logon to those machines

Even if you use conventional software restriction policies, it will behave in same way
0

Featured Post

Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Windows Modify Permissions 19 65
Monitoring solutions 8 73
Setup new Win2012 DC, remove SBS 2011 5 22
DC with error SChannel ID 36888 3 45
While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question