Software Restriction Policy - 'Allow' GPO beneath 'Deny' GPO

Pete
I want to restrict all but one room of computers using a piece of software.

I have set up a Software Restriction Policy (as a loopback policy, so that all users who log onto the computer have it applied) that denies the software's path (.exe) on the top-level computer OU.
I then set up an identical loopback SRP policy that allows the software's path (.exe) in a sub-OU containing the computers I want to run the software.

Policy processing shows both policies are being applied, but the software is still denied on all computers...

Is this the wrong approach?
Pber, Solutions Architect

Commented:
Standard Windows process. Deny trumps allow, no matter where in the order.
Pber, Solutions Architect

Commented:

Author

Commented:
Thanks. Can you block a specific GPO on a specific OU? The link you sent blocks users from getting any GPO?
Pber, Solutions Architect

Commented:
Yet another solution would be, on the original GPO that has the deny, to set the security to deny that one computer.
So edit the GPO, hit the Delegation tab, select Advanced. Add the one computer you want to have access, then deny it Read.
Pber, Solutions Architect

Commented:
Block Inheritance will block all GPOs from above. Not typically the ideal solution. Depending on your GPO structure, you could re-link the desired blocked GPOs from above directly to the OU, but usually that is not a very elegant solution.
To block specific GPOs, that is as I explained: use the Delegation tab.

Using denies is always a challenge.

Another option would be to revisit your OU structure. Does the sub-OU containing the desired computers need to be under the OU containing the deny?
You could change it to have a general Workstations OU at the top, then a sub-OU of the Workstations OU with the computers with the deny and another sub-OU of the Workstations OU with the computers without the deny. This would be a much cleaner architecture: GPOs that you want applied to all are at the Workstations OU, then the specific one at the sub-OU.
Distinguished Expert 2018

Commented:
About "deny trumps allow": with SRP, it's different. The more precise rule wins; read https://www.sysadmins.lv/blog-en/software-restriction-policies-rule-ordering.aspx But yes, since both of your rules are precise path rules right down to the name of the .exe, in that case I suspect deny would indeed win.

You should simply use security filtering right at the GPO and not create sub-OUs for this.
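As an added illustration of the rule-ordering point above (this is not code from the thread or from either expert), the following PowerShell lists the SRP path rules that actually landed in the registry on an affected workstation after both GPOs applied, grouped by security level, and flags any path that appears under more than one level. Identical path rules at different levels resolve to the more restrictive level, which is why the asker's Disallowed rule wins. The registry location is the documented SRP store; the level-number-to-name mapping and the `-ErrorAction` handling are assumptions for machines where some keys are absent.

```powershell
# Added example, not part of the original thread. Run in an elevated PowerShell
# on a workstation that received both GPOs (e.g. after gpupdate /force).
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
# Security level subkey names as written by SRP; other numbers fall through as "Level<n>".
$levelNames = @{ 0 = 'Disallowed'; 131072 = 'BasicUser'; 262144 = 'Unrestricted' }

$rules = foreach ($levelKey in Get-ChildItem $base -ErrorAction SilentlyContinue) {
    $level = [int]$levelKey.PSChildName
    $name  = if ($levelNames.ContainsKey($level)) { $levelNames[$level] } else { "Level$level" }
    $pathsKey = Join-Path $levelKey.PSPath 'Paths'
    if (-not (Test-Path $pathsKey)) { continue }
    foreach ($rule in Get-ChildItem $pathsKey) {
        $p = Get-ItemProperty $rule.PSPath
        [pscustomobject]@{
            Level       = $name
            Path        = [Environment]::ExpandEnvironmentVariables([string]$p.ItemData)
            Description = $p.Description
            RuleId      = $rule.PSChildName
        }
    }
}

# The level applied to anything no rule matches (0 = Disallowed, 262144 = Unrestricted).
$default = (Get-ItemProperty $base -Name DefaultLevel -ErrorAction SilentlyContinue).DefaultLevel
"DefaultLevel: $default"

$rules | Sort-Object Path, Level | Format-Table Level, Path, Description -AutoSize

# The asker's situation: the same .exe path present under two levels.
# Equally specific path rules resolve in favour of the more restrictive level,
# so the Disallowed entry is the one that takes effect.
$rules | Group-Object { $_.Path.ToLowerInvariant() } |
    Where-Object { ($_.Group.Level | Select-Object -Unique).Count -gt 1 } |
    ForEach-Object { "CONFLICT: $($_.Name) -> $($_.Group.Level -join ', ')" }
```

If the conflict line shows the path under both Disallowed and Unrestricted, the second "allow" GPO is not a fix: the Disallowed entry still wins, and the only remedies are the ones discussed in the thread (stop the deny GPO from reaching those computers, or restructure the OUs).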

Author

Commented:
OK, how do I set security filtering so only computers in a group or OU can run the software? Can you be a bit more specific, please?
Thanks
Solutions Architect
Commented:
I think it would get tricky with just security filtering, since we are dealing with both computer and user GPOs. You would need to add Domain Users to the security filtering. Authenticated Users includes computers, so that has to be removed. Then create a group that contains only the computers you want blocked and put that in the security filtering as well.
Distinguished Expert 2018
Commented:
You have a policy that restricts that .exe and we saw that it wins. Make that policy only readable by the computers that should get that restriction. There is nothing more to it. Security filtering needs to be understood, yes, but that's an altogether different question and not just a small side note here.
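The security-filtering approach from the two comments above, carried out with the GroupPolicy module instead of the GPMC dialogs, as an added example that is not code from the thread. The GPO name and the computer group name are assumptions; everything else uses documented `Set-GPPermission` / `Get-GPPermission` parameters. Note the caveat on Read: since the June 2016 MS16-072 update, computer accounts must be able to read any GPO that carries user settings, which a loopback GPO does, so Authenticated Users keeps Read and only loses Apply.

```powershell
# Added example, not part of the original thread. Requires the GroupPolicy RSAT
# module and rights to modify the GPO's security.
Import-Module GroupPolicy

$gpo   = 'SRP - Deny SomeApp'            # assumed: the GPO holding the Disallowed path rule
$scope = 'SRP-DenySomeApp-Computers'     # assumed: AD security group of computers that must be restricted

# 1. Drop Apply from Authenticated Users but keep Read (MS16-072 requirement for
#    GPOs with user settings). -Replace clears the existing permission level first.
Set-GPPermission -Name $gpo -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace

# 2. Only the restricted computers get Read + Apply.
Set-GPPermission -Name $gpo -TargetName $scope -TargetType Group -PermissionLevel GpoApply

# 3. The loopback GPO carries user settings, so the users logging on also need
#    Apply (Pber's point about Domain Users above).
Set-GPPermission -Name $gpo -TargetName 'Domain Users' -TargetType Group -PermissionLevel GpoApply

# 4. Verify the resulting security filtering on the GPO.
Get-GPPermission -Name $gpo -All |
    Select-Object @{n = 'Trustee'; e = { $_.Trustee.Name }}, TrusteeType, Permission |
    Format-Table -AutoSize

# 5. On a workstation that should now run the software, refresh and check that the
#    deny GPO is listed as filtered out rather than applied:
#    gpupdate /force
#    gpresult /r /scope computer
```

Computers outside the group no longer apply the deny GPO at all, so the second "allow" GPO becomes unnecessary and can be unlinked. Pber's variant, an explicit Deny Read ACE for one computer, cannot be expressed with `Set-GPPermission`, which only sets allow levels; that one still goes through the Delegation tab, Advanced, as he described.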

Author

Commented:
OK McKnife, so are you agreeing with Pber's suggestion?

"Yet another solution would be, on the original GPO that has the deny, to set the security to deny that one computer.
So edit the GPO, hit the Delegation tab, select Advanced. Add the one computer you want to have access, then deny it Read."

Thanks
Distinguished Expert 2018

Commented:
You would deny read and apply, but I guess the outcome would be the same.
