Pete asked:

Software Restriction Policy - 'Allow' GPO beneath 'Deny' GPO

I want to restrict all but one room of computers using a piece of software.

I have setup a Software Restriction Policy (as a loopback policy, so all users who log onto the computer have it applied) of deny to the software path .exe on the top level computer OU.
I then setup an identical loopback SRP policy to allow the software path .exe in a sub OU containing the computers I want to run the software.

Policy processing shows both polices are being applied but the software is still denied on all computers...

Is this the wrong approach?
Tags: Software, Active Directory


8/22/2022 - Mon
Pber

Standard Windows process. Deny trumps allow, no matter where in the order.
Pete

ASKER
Thanks, can you block a specific GPO on a specific OU? The link you sent is blocking users from getting any GPO?
Pber

Yet another solution would be, on the original GPO that has the deny, to set the security to deny that one computer.
So edit the GPO, hit the Delegation tab, select the Advanced tab. Add the one computer you want to have access, then deny it Read.
Pber

Block Inheritance will block all GPOs from above. Not typically the ideal solution. Depending on your GPO structure, you could re-link the desired blocked GPOs from above directly to the OU, but usually that is not a very elegant solution.
To block specific GPOs, that is, as I explained, using the Delegation tab.

Using denies is always a challenge.

Another option would be to revisit your OU structure. Does the sub OU containing the desired computers need to be under the OU containing the deny?
You could change it to have a general Workstations OU at the top, then a sub OU of the Workstations OU with the computers with the deny and another sub OU of the Workstations OU with the computers without the deny. This would be a much cleaner architecture: GPOs that you want applied to all are at the Workstations OU, then the specific one to the sub OU.
McKnife

About "deny trumps allow" - with SRP, it's different. The more precise rule wins, read https://www.sysadmins.lv/blog-en/software-restriction-policies-rule-ordering.aspx But yes, since both of your rules are precise path rules right down to the name of the .exe, in that case, I suspect deny would indeed win.

You should simply use security filtering right at the GPO and not create sub-OUs for this.
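As an added example (not from any of the posters), here is how the security-filtering approach above could be scripted in PowerShell: the single top-level deny SRP GPO is filtered to a group of the computers that should be blocked, so no sub-OU "allow" GPO and no Block Inheritance are needed. GPO, group and OU names are assumptions, and the SRP rules are assumed to sit in Computer Configuration (which already covers every user of the machine without loopback), since the filter is evaluated against the computer account.

```powershell
# Added example, not from the thread. All names below are assumptions.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName     = 'SRP - Deny FooApp'                           # assumed: existing deny SRP GPO linked at the top-level computer OU
$TargetGroup = 'SRP-FooApp-Blocked-PCs'                      # assumed: security group of computers that must NOT run the app
$AllPcOU     = 'OU=Workstations,DC=corp,DC=example'          # assumed: top-level computer OU
$ExemptOU    = 'OU=Lab1,OU=Workstations,DC=corp,DC=example'  # assumed: the one room allowed to run it

# 1. Create the filtering group and fill it with every workstation except the exempt room.
if (-not (Get-ADGroup -Filter "Name -eq '$TargetGroup'")) {
    New-ADGroup -Name $TargetGroup -GroupScope Global -GroupCategory Security
}
$blocked = Get-ADComputer -SearchBase $AllPcOU -Filter * |
    Where-Object { $_.DistinguishedName -notlike "*,$ExemptOU" }
Add-ADGroupMember -Identity $TargetGroup -Members $blocked

# 2. Security filtering on the deny GPO:
#    - Authenticated Users keeps Read only (every machine can still read and evaluate the GPO,
#      which MS16-072 requires for GPOs that carry user settings) but no longer gets Apply.
#    - Only members of the blocked group get Apply, so the exempt room never receives the deny rule.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace
Set-GPPermission -Name $GpoName -TargetName $TargetGroup -TargetType Group `
    -PermissionLevel GpoApply

# 3. Verify the resulting ACL on the GPO.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Inherited |
    Format-Table -AutoSize
```

Computer group membership is only picked up at the next machine logon, so reboot a test PC in the exempt room and check with `gpresult /scope computer /r`: the deny GPO should appear under "Denied (Security)" there and under "Applied" on a blocked PC.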
Pete

ASKER
Ok, how do I set security filtering so only computers in a group or OU can run the software? Can you be a bit more specific please?
Thanks
Pete

ASKER
OK McKnife, so are you agreeing with Pber's suggestion?

"Yet another solution would be, on the original GPO that has the deny, to set the security to deny that one computer.
So edit the GPO, hit the Delegation tab, select the Advanced tab. Add the one computer you want to have access, then deny it Read."

Thanks
McKnife

You would deny read and apply, but I guess the outcome would be the same.