Software Restriction Policy - 'Allow' GPO beneath 'Deny' GPO

I want to restrict all but one room of computers using a piece of software.

I have set up a Software Restriction Policy (as a loopback policy, so all users who log onto the computer have it applied) of deny to the software path .exe on the top level computer OU.
I then set up an identical loopback SRP policy to allow the software path .exe in a sub OU containing the computers I want to run the software.

Policy processing shows both policies are being applied but the software is still denied on all computers...

Is this the wrong approach?
Pete asked:

Pber (Solutions Architect) commented:
I think it would get tricky with just security filtering since we are dealing with both computer and user GPOs. You would need to add Domain Users to the security filtering. Authenticated Users includes computers, so that has to be removed. Then create a group that contains only the computers you want blocked and put that in the security filtering as well.
0
 
Pber (Solutions Architect) commented:
Standard Windows process. Deny trumps allow, no matter where in the order.
1
 
Pber (Solutions Architect) commented:
0

 
Pete (Author) commented:
Thanks, can you block a specific GPO on a specific OU? The link you sent is blocking users from getting any GPO?
0
 
Pber (Solutions Architect) commented:
Yet another solution would be, on the original GPO that has the deny, to set the security to deny that one computer.
So edit the GPO, hit the Delegation tab, select the Advanced tab. Add the one computer you want to have access, then deny it Read.
0
 
Pber (Solutions Architect) commented:
Block Inheritance will block all above GPOs. Not typically the ideal solution. Depending on your GPO structure, you could re-link desired blocked GPOs from above directly to the OU, but usually not a very elegant solution.
To block specific GPOs, that is as I explained using the Delegation tab.

Using denies is always a challenge.

Another option would be to revisit your OU structure. Does the sub OU containing the desired need to be under the OU containing the deny?
You could change it to have a general Workstations OU at the top, then a sub OU of the Workstations OU with computers with the deny and another sub OU of the Workstations OU with computers without the deny. This would be a much cleaner architecture: GPOs that you want applied to all are at the Workstations OU, then the specific one at the sub OU.
1
 
McKnife commented:
About "deny trumps allow" - with SRP, it's different. The more precise rule wins, read https://www.sysadmins.lv/blog-en/software-restriction-policies-rule-ordering.aspx But yes, since both of your rules are precise path rules right down to the name of the .exe, in that case, I suspect deny would indeed win.

You should simply use security filtering right at the GPO and not create sub-OUs for this.
0
 
Pete (Author) commented:
OK, how do I set security filtering so only computers in a group or OU can run the software? Can you be a bit more specific please?
Thanks
0
 
McKnife commented:
You have a policy that restricts that .exe and we saw that it wins. Make that policy only readable by the computers that should get that restriction. There is nothing more to it. Security filtering needs to be understood, yes, but that's an altogether different question and not just a small side note here.
0
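The security filtering McKnife describes (the deny SRP GPO readable and applicable only by the computers that should be restricted) can be scripted with the GroupPolicy module instead of clicking through the GPMC Delegation tab. This is an added example, not code from the thread; the GPO name and group name are placeholders, and it assumes a global security group that already contains the restricted computers. It removes the default Authenticated Users entry, keeps Read for Domain Computers (needed because loopback user-side settings are retrieved in the computer's context), and grants Read + Apply only to the scoped group.

```powershell
# Added example (not from the original thread): security filtering for a deny SRP GPO.
# Placeholders: adjust to your own GPO and group names.
Import-Module GroupPolicy

$GpoName    = 'SRP - Deny Example.exe'     # placeholder: the GPO holding the deny path rule
$ScopeGroup = 'GPO-SRP-Deny-Computers'     # placeholder: global group of computers to restrict

# 1. Drop the default 'Authenticated Users' entry, which includes every computer.
#    -Replace is required to lower an existing permission level.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel None -Replace

# 2. Keep Read (without Apply) for all domain computers, so computers outside the
#    scope can still read the GPO when processing user-side / loopback settings.
Set-GPPermission -Name $GpoName -TargetName 'Domain Computers' -TargetType Group `
    -PermissionLevel GpoRead

# 3. Grant Read + Apply only to the group of computers that must get the deny rule.
Set-GPPermission -Name $GpoName -TargetName $ScopeGroup -TargetType Group `
    -PermissionLevel GpoApply

# 4. Verify the resulting filtering: only $ScopeGroup should show GpoApply.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, TrusteeType, Permission, Denied |
    Format-Table -AutoSize
```

After changing group membership, the affected computers need a reboot (the computer token is built at startup) before `gpupdate /force` and `gpresult /r /scope:computer` on a test machine will show the GPO in or out of the applied list as expected. The explicit deny-Read/deny-Apply variant Pber describes is set from the Delegation tab's Advanced dialog in GPMC; Set-GPPermission only adds or removes allow entries, so it is not used for that.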
 
Pete (Author) commented:
OK McKnife, so are you agreeing with Pber's suggestion?

"Yet another solution would be, on the original GPO that has the deny, to set the security to deny that one computer.
So edit the GPO, hit the Delegation tab, select the Advanced tab. Add the one computer you want to have access, then deny it Read."

Thanks
0
 
McKnife commented:
You would deny Read and Apply, but I guess the outcome would be the same.
0