Software Restriction Policy - 'Allow' GPO beneath 'Deny' GPO

I want to restrict all but one room of computers using a piece of software.

I have set up a Software Restriction Policy (as a loopback policy, so all users who log onto the computer have it applied) with a deny rule on the software's .exe path, linked to the top-level computer OU.
I then set up an identical loopback SRP policy that allows the software's .exe path in a sub-OU containing the computers I want to run the software.

Policy processing shows both policies are being applied, but the software is still denied on all computers...

Is this the wrong approach?
PberSolutions ArchitectCommented:
Standard Windows process.  Deny trumps allow, no matter where in the order.
PberSolutions ArchitectCommented:
PeteAuthor Commented:
Thanks, can you block a specific GPO on a specific OU? The link you sent is blocking users from getting any GPO?
PberSolutions ArchitectCommented:
Yet another solution would be, on the original GPO that has the deny, to set the security to deny that one computer.
So edit the GPO, hit the Delegation tab, select the Advanced tab.  Add the one computer you want to have access, then deny it Read.
PberSolutions ArchitectCommented:
Block Inheritance will block all GPOs from above.  Not typically the ideal solution.  Depending on your GPO structure, you could re-link the desired blocked GPOs from above directly to the OU, but that is usually not a very elegant solution.
To block specific GPOs, that is as I explained, using the Delegation tab.

Using denies is always a challenge.

Another option would be to revisit your OU structure.  Does the sub-OU containing the desired computers need to be under the OU containing the deny?
You could change it to have a general Workstations OU at the top, then a sub-OU of the Workstations OU with the computers with the deny and another sub-OU of the Workstations OU with the computers without the deny.  This would be a much cleaner architecture: GPOs that you want applied to all are at the Workstations OU, then the specific one at the sub-OU.
About "deny trumps allow" - with SRP, it's different. The more precise rule wins, read But yes, since both of your rules are precise path rules right down to the name of the .exe, in that case, I suspect deny would indeed win.

You should simply use security filtering right at the GPO and not create sub-OUs for this.
PeteAuthor Commented:
OK, how do I set security filtering so only computers in a group or OU can run the software? Can you be a bit more specific please?
PberSolutions ArchitectCommented:
I think it would get tricky with just security filtering since we are dealing with both computer and user GPOs.  You would need to add Domain Users to the security filtering.   Authenticated Users includes computers, so that has to be removed.  Then create a group that contains only the computers you want blocked and put that in the security filtering as well.

You have a policy that restricts that .exe and we saw that it wins. Make that policy only readable by the computers that should get that restriction. There is nothing more to it. Security filtering needs to be understood, yes, but that's an altogether different question and not just a small side note here.
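The security-filtering steps Pber describes above (remove Authenticated Users from Apply, add Domain Users, add a group of the restricted computers), which is also what "only readable by the computers that should get that restriction" amounts to, scripted with the GroupPolicy module. This is an added example, not code from the thread; the GPO name and the group name are assumptions.

```powershell
# Added example (not from the thread). Assumed names: the deny-SRP GPO is
# "SRP - Deny App" and "SRP-Restricted-Computers" is a security group that
# holds the computer accounts that should still be blocked.
Import-Module GroupPolicy

$GpoName  = "SRP - Deny App"
$ScopeGrp = "SRP-Restricted-Computers"

# 1. Downgrade Authenticated Users from Apply to Read only. Keep Read:
#    since MS16-072 the computer account must be able to read a GPO, or
#    its user settings (which loopback relies on here) are skipped.
Set-GPPermission -Name $GpoName -TargetName "Authenticated Users" `
    -TargetType Group -PermissionLevel GpoRead -Replace

# 2. Grant Apply only to the group of computers that should be restricted.
Set-GPPermission -Name $GpoName -TargetName $ScopeGrp `
    -TargetType Group -PermissionLevel GpoApply

# 3. Loopback merges the user side of this computer-linked GPO, so the
#    users logging on need Read+Apply as well (Pber's Domain Users step).
Set-GPPermission -Name $GpoName -TargetName "Domain Users" `
    -TargetType Group -PermissionLevel GpoApply

# 4. Show the resulting filtering; only the two groups should be GpoApply.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{n='Trustee';e={$_.Trustee.Name}}, Permission

# Note: the GroupPolicy cmdlets cannot write an explicit Deny ACE, so the
# "deny Read to one computer" variant from the Delegation tab remains a
# GUI task; the scoping above needs no Deny ACE at all.
```

After `gpupdate /force`, confirm on one computer inside the group and one outside it with `gpresult /r /scope:computer` that the deny GPO appears only on the former.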
PeteAuthor Commented:
OK McKnife, so are you agreeing with Pber's suggestion?

"Yet another solution would be, on the original GPO that has the deny, to set the security to deny that one computer.
So edit the GPO, hit the Delegation tab, select the Advanced tab.  Add the one computer you want to have access, then deny it Read."

You would deny read and apply, but I guess the outcome would be the same.