Software Restrictions GPO applying oddly

I've adjusted a GPO for Windows XP in ConsoleOne
I added 4 items to be disallowed
I associated them to a user, waited a few minutes, logged into the workstation as the user, and the 4 programs ARE disallowed.
I then went into ZEN and created a new GPO that ALLOWED 2 of the 4 programs.
I then associated THAT GPO to the same user (obviously ConsoleOne pops up that message and removes the user from the "old" GPO and associates them to the new one)
Waited a few minutes, logged into the workstation.
The new policy does not take effect.
We have the GPO set to cache (but not remain in effect on logout), and we only associate to a user object (or a container of users, not the workstation itself).
I realize that the GPO "software restrictions" is under the "computer" but we have other stuff in there that works just fine when the GPO is associated in ZEN to the USER object.
However, we do not do the "security" settings in the ZEN GPO (because then it mucks up our AD security settings such as password policies, etc.)
However, I would think that if THAT was the issue, the GPO would never apply in the first place.
To further complicate things, if I associate the "allow 2 of 4" GPO FIRST, it works, but then if I associate the "DISALLOW all 4" to the same user, it does not
(it's like it only lets one of them work once).
BUT, all other settings behave/work normally.

Kevin,
It appears that in the past few days you have not received a response to your
posting. That concerns us, and has triggered this automated reply.
Has your problem been resolved? If not, you might try one of the following options:
- Visit http://support.novell.com and search the knowledgebase and/or check all
the other self support options and support programs available.
- You could also try posting your message again. Make sure it is posted in the
correct newsgroup. (http://forums.novell.com)
Be sure to read the forum FAQ about what to expect in the way of responses:
http://forums.novell.com/faq.php
If this is a reply to a duplicate posting, please ignore and accept our apologies
and rest assured we will issue a stern reprimand to our posting bot.
Good luck!
Your Novell Product Support Forums Team
http://support.novell.com/forums/

Similar Messages

  • Bypassing Software Restrictions GPO for disconnected machine

    Hi all,
    We use a Software Restrictions GPO to block users running an application on our network. We do have some users though who are allowed to run this application so we add them to an AD group which has deny permissions on the Software Restrictions GPO, hence the GPO does not apply, hence they can run the application.
    All is good apart from when someone disconnected from the network (i.e. working from home) decides they need to run the application. Although their account is added to the AD group, because they are disconnected nothing updates on their machine and they still cannot run the application.
    We advise that they need to visit the office, connect to the network so that AD Group Membership and Policy can update but some users object especially when they might not be planning to visit the office for some time.
    Is there any way we can work around this without too much of a compromise?

    Hi,
    Any update?
    Just checking in to see if the suggestions were helpful. Please let us know if you would like further assistance.
    Best Regards,
    Andy Qi

  • Software Restriction GPO

    Hello people!
    I created a GPO to disallow an application from running and set it on a specific OU.
    By default, this GPO is applied to Authenticated Users.
    I'd like to set this GPO to be applied to all users in the domain less a specific group.
    How to do it? I think it is with security filtering, isn't it? But why?
    My system is W2k8 R2 Standard SP1. 
    Many thanks. 
    André Martins

    Security Filtering -> GPO -> Security-Group/Members -> Apply
    vs.
    Security Filtering -> GPO -> Security-Group/Members -> Deny
    If you use "apply", the GPO will only apply to members of that group.
    If you use "deny", the GPO will NOT apply to members of that group.
    In your example it seems that you would have two groups listed in the Security Filtering:
    Authenticated Users (apply)
    Specific Group Name (deny)
    (deny is the winner, so, even though the user might be a member of both groups, the deny will win, so this user would be exempted)
    Don

  • Software Restriction GPO on Windows 2003

    Hi
    I am running in a Win2k3 domain environment.  I have Windows 7 and Windows XP clients.  Most users are assigned to the local PC group USERS.  However one application which the environment uses requires some users to be Administrators to the
    local machine.  How can I restrict all users from installing any software onto their PC and still allow the domain administrator to facilitate the required installs in the environment.
    Can anyone provide guidance or a step by step guide on how this can be achieved.
    Thanks

    Hi,
    >>How can I restrict all users from installing any software onto their PC and still allow the domain administrator to facilitate the required installs in the environment.
    If we don't give users admin privileges, they won't have the right to install software. However, if we add users to local admin group, then we can't restrict these users. Besides, domain admins have the right to install software by default.
    Best regards,
    Frank Shen

  • Software Restrictions Inconsistency

    Hello,
    We use Software Restrictions to block users from launching Outlook on their client machines. We do however allow some users to run Outlook and we do this by assigning them to a group which has Deny permissions to the Software Restrictions GPO.
    This has been in place for some time and has been working well, but recently several users have complained that they cannot run Outlook any more. We check GPResult and this suggests that the Software Restrictions GPO is now being applied even though there
    has been no change in AD Group Membership.
    The issue is resolved by a combination of GPUpdate and reboots/logons but the same user may experience the same issue the next day.
    As I say there have been no changes to Group Membership or the actual GPO.
    We've configured UserEnv logging for some users but this just confirms that when the functionality is "broken" they are getting the Software Restrictions GPO applied and when it is subsequently "fixed" they are no longer applying
    the Software Restrictions GPO. It doesn't explain WHY they see this change from one state to another.
    The only other clue we have is this seems to only be affecting XP machines, none of our users using a Windows 7 machine have reported this issue, but it's not all the XP users who are seeing the problem.
    This one has me stumped!

    Hi,
    Thanks for your post.
    Based on the question description, this issue could possibly be caused by the AdminSDHolder. To resolve it, please first follow the steps below to check if the users who encountered the issue belong to the protected groups.
    Action Plan
    ==============
    1. Click Start, click Administrative Tools, and then click ADSI Edit.
    2. Locate the user accounts above, right-click them, and then click Properties.
    3. Locate the attribute named AdminCount, check if the value of it is 1.
    ==============
    If the value of the AdminCount is 1, this user account belongs to protected groups. Please delete it from the protected groups, and change value of AdminCount to 0 manually.
    Please refer to the article below for detailed information related to AdminSDHolder.
    AdminSDHolder, Protected Groups and SDPROP
    http://technet.microsoft.com/en-us/magazine/2009.09.sdadminholder.aspx
    Hope the information above is helpful to you.
    forum case

  • How to apply Software Restriction policy for specific user in local group policy object ?

    I am working on implementing user based software restriction policy programmatically for local group policy object.
    If I create a policy through Domain Controller, I do have an option for software restriction policy in user configuration but in local group policy editor I don't have an option for that.
    When I look for the changes made by a policy applied from Domain Controller in the registry, they modify registry values for specific users on path HKEY_USERS\(SID of User)\Softwares\Policies\Microsoft\Windows\Safer\Codeidentifiers
    They also have registry.pol stored in the SYSvol folder on the Domain Controller. When I make the same changes in the registry to block any other application, the application is getting blocked.
    I achieved what I wanted but is it right to modify registry values?
    PS:- I am using Igrouppolicyobject API

    I achieved what I wanted but is it right to modify registry values ?
    You can also modify a registry-based policy programmatically. Check this:
    http://blogs.msdn.com/b/dsadsi/archive/2009/07/23/working-with-group-policy-objects-programmatically-simple-c-example-illustrating-how-to-modify-a-registry-based-policy.aspx

  • Changing or deleting a GPO with defined Software Restriction Policies

    Why is it so hard to delete or update the Software Restriction Policies section of a GPO?
    What has an exclusive lock on
    \\domain\SYSVOL\domain\{GUID}\Macine\windowsnt\SecEdit\GptTmpl.inf?

    Hi,
    >>Why is it so hard to delete or update the Software Restriction Policies section of a GPO?
    Regarding how to remove a package deployed by group policy, we can follow the Remove a package section in the article below to do this.
    How to use Group Policy to remotely install software in Windows Server 2008 and in Windows Server 2003
    http://support.microsoft.com/kb/816102
    >>What has an exclusive lock on \\domain\SYSVOL\domain\{GUID}\Macine\windowsnt\SecEdit\GptTmpl.inf?
    Were you trying to delete the security settings file in the GPO? If you want to delete a GPO, you can follow the article below to do this.
    Delete a Group Policy Object
    https://technet.microsoft.com/en-us/library/cc770893.aspx
    Best regards,
    Frank Shen

  • Software Restriction Policy not allowing Program Files directory on 64-bit machines

    I've created a new software restriction policy, my default security level is set to "Disallowed", I have the standard built-in allowed locations:
    %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%
    %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%
    and I added another exemption for the C:\Program Files (x86) directory:
    %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)%
    However, on my 64-bit machines, there are still programs being blocked in C:\Program Files:
    C:\Program Files\Microsoft Office 15\ClientX64\OfficeC2RClient.exe
    C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe
    These same programs are not being blocked on my 32-bit machines, but the same policy is being applied to both and the programs are installed in the same locations on both.
    I checked the registry on one of the 64-bit machines, and the default registry key exemption specified above:
    %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%
    does exist on the 64-bit machine and it is set to C:\Program Files, exactly like the 32-bit machines. So why are programs still being blocked here?
    Shaun

    Hi Shaun,
    >>on my 64-bit machines, there are still programs being blocked in C:\Program Files:
    Before going further, are all the applications under the path not able to run or just some of them? Besides, when we run the applications mentioned above, did it indicate that it's blocked by group policy? Here, we can run the command gpresult /h gpreport.html with administrative privileges to collect a group policy result report to check if this is caused by some other GPOs.
    Best regards,
    Frank Shen

  • Software Restriction Policy

    Hi,
    We have applied Software restriction policies on a Test LAB to restrict the unwanted applications from running. We have made exception path, hash rules for genuine applications and software.
    We have observed that if the exception list grows large then we cannot open or change GPO's and clients also cannot apply policy. Once we restore it back from Backup it works fine again.
    I wanted to know is there any limitation to the exception list after which we should consider creating additional policy.
    Thanks

    Hi Sukhwin08,
    Based on my knowledge, there is no limit on the amount of the Software restriction policy.
    Please help to enable the GPSVC debug logging on the problematic client machine if the SRP cannot apply successfully. This log records detailed information about the group policy applying process, which is very useful for troubleshooting group policy related issues. To do so, add the following registry entry:
    Sub-key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics
    Entry: GPSvcDebugLevel
    Type: REG_DWORD
    Value: 30002 (HEX)
    After you make this change, run gpupdate /force on the computer to reproduce the issue. After that, compress the %SystemRoot%\Debug\UserMode\ folder and check if there are any errors about the issue.
    Please note: the registry key Diagnostics does not exist by default, so we need to add it first. In addition, we can disable the debug logging after the troubleshooting.
    Regards,
    Lany Zhang

  • Exchange 2010 EMC and EMS errors - BLOCKED by software restriction

    EMC has this message:
    Initialization failed "Execution calling 'GetSteppablePipeline" with "1" arguement: File D:\program files\Microsoft\Exchange Server\V14\RemoteScripts\ConsoleInitialize.ps1 cannot be loaded because its execution is blocked
    by software restriction policies" 
    EMS has this error:
    "There were errors in loading the format data file: D:\Program Files\Microsoft\Exchange 2010\V14\Bin\exchange.format.ps1xml, , D:\Program Files\Microsoft\Exchange 2010\V14\Bin\exchange.format.ps1xml : File skipped because of the following validation exception: File D:\Program Files\Microsoft\Exchange 2010\V14\Bin\exchange.format.ps1xml cannot be loaded because its execution is blocked by software restriction policies. For more information, contact your system administrator."
    All other PowerShell scripts work just fine.  It is not the execution policy.  That is set properly.  Authenticode returns valid on the files. There are no settings in GPO to control or cause this. Email working fine.  It just started after a reboot for updates.  Any other thoughts before I spend $500 for a call?
    Server2008 Standard SP2
    Update Rollup 4 v2 for Exchange Server 2010 SP2
    Thank you

    The long and short of it was Microsoft Certificates didn't update and were expired. I was not given a reason why this happened but the final solution after Microsoft spent 2 weeks on this was to first reinstall Exchange Service Pack 3, reboot. Install update rollup 8, and reboot.  This fixed the EMC but not the shell.  Then they reinstalled the rollup 8 again and one more reboot.  Everything now works.  I'd say with all the other little tweaks they looked at as possible suspect and "other things" they fixed in their efforts to solve this, I definitely got my money's worth.  Despite not really knowing what really caused the issue in the first place.

  • Software Restriction Policy help

    This policy was working fine, then all of a sudden it is not working anymore.
    Blocking from
    %AppData%\*.exe
    %AppData%\*\*.exe
    Here is the error I get
    An error has occurred while collecting data for Software Restriction
    Policies.
    This error impacts the following settings:
    Software Restriction Policies
    Software Restriction Policies/Security
    Levels
    Software Restriction Policies/Additional Rules
    The following errors apply to all of the above
    settings:
    A certificate stored by this extension is not valid. Use the Group Policy
    Management Editor to reconfigure the settings in this extension.

    Hi,
    How is the issue going? Where did the certificate come from?  For this is also related to the certificate, if the issue persists, we can also ask for suggestions in the
    following security forum.
    Security
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserversecurity
    Best regards,
    Frank Shen

  • Software Restriction Policy exceptions for Spiceworks scanning

    Is there a list of exceptions that should be added to allow Spiceworks to scan the network? I have a network with Software Restriction Policy blocking anything from running out of the temp folders, and I'm seeing this in the logs:
    TextAccess to C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Spiceworks\spiceworks_upload.vbs has been restricted by your Administrator by location with policy rule {c5b16481-b6f1-41e2-a202-65ae9ceb3865} placed on path C:\Documents and Settings\Administrator\Local Settings\Temp\*
    Will everything Spiceworks related run from the %temp%\Spiceworks folder, or are there other locations?
    This topic first appeared in the Spiceworks Community
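
Added example (not part of the original post, and not Spiceworks or Microsoft code): a small Python parser for block messages of the shape quoted above, grouping them by rule GUID so each exception request can be traced to the path rule that fired. Every sample line except the first is constructed, and the all-zero GUID and the user name `jdoe` are placeholders.

```python
import re
from collections import defaultdict
from ntpath import basename, splitext

# Message shape copied from the log line quoted in the post above.
BLOCK_RE = re.compile(
    r"Access to (?P<target>.+?) has been restricted by your Administrator "
    r"by location with policy rule (?P<rule>\{[0-9A-Fa-f-]{36}\}) "
    r"placed on path (?P<rule_path>.+?)\s*$"
)
SHORT_NAME_RE = re.compile(r"~\d")  # 8.3 path component such as DOCUME~1


def parse_block(line):
    """Return the fields of one path-rule block message, or None."""
    m = BLOCK_RE.search(line)
    if m is None:
        return None
    target = m.group("target")
    return {
        "target": target,
        "file": basename(target),
        "extension": splitext(target)[1].lower(),
        "rule": m.group("rule").lower(),
        "rule_path": m.group("rule_path"),
        # The blocked path can be logged in 8.3 short form while the rule is
        # stored in long form, so comparing the two as plain strings fails.
        "short_name": bool(SHORT_NAME_RE.search(target)),
    }


def summarize(lines):
    """Group block messages by rule GUID; also return lines that did not parse."""
    rules = defaultdict(lambda: {"rule_path": None, "count": 0, "files": set()})
    unparsed = []
    for line in lines:
        hit = parse_block(line)
        if hit is None:
            unparsed.append(line)
            continue
        entry = rules[hit["rule"]]
        entry["rule_path"] = hit["rule_path"]
        entry["count"] += 1
        entry["files"].add(hit["file"])
    return dict(rules), unparsed


def _msg(target, rule, rule_path, prefix=""):
    return (f"{prefix}Access to {target} has been restricted by your "
            f"Administrator by location with policy rule {rule} "
            f"placed on path {rule_path}")


PAGE_RULE = "{c5b16481-b6f1-41e2-a202-65ae9ceb3865}"   # GUID from the post
PAGE_RULE_PATH = r"C:\Documents and Settings\Administrator\Local Settings\Temp\*"
PLACEHOLDER_RULE = "{00000000-0000-0000-0000-000000000001}"  # constructed

SAMPLE_LINES = [
    # Line as quoted in the post, including its leading "Text".
    _msg(r"C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Spiceworks\spiceworks_upload.vbs",
         PAGE_RULE, PAGE_RULE_PATH, prefix="Text"),
    # Constructed samples below.
    _msg(r"C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\setup_helper.exe",
         PAGE_RULE, PAGE_RULE_PATH),
    _msg(r"C:\Users\jdoe\AppData\Roaming\updater.exe",
         PLACEHOLDER_RULE, r"%AppData%\*.exe"),
    "The Group Policy settings for the computer were processed successfully.",
]

if __name__ == "__main__":
    by_rule, skipped = summarize(SAMPLE_LINES)
    for guid, info in by_rule.items():
        print(guid, info["rule_path"], info["count"], sorted(info["files"]))
    print("unparsed lines:", len(skipped))
```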

    Hello,
    C:\Program Files\Internet Explorer\iexplore.exe
    You can try to use this variable:
    %ProgramW6432%
    It only exists on 64-Bit systems.
    Otherwise you can create a WMI-Filter that will enable the policy only for 64-Bit systems.
    select * from Win32_ComputerSystem WHERE SystemType LIKE "%64%"
    MVP Group Policy - Myths, insider info and troubleshooting on the topic of GPOs:
    Let's go, use GPO!
    Success!  Well, sort of.
    I had already tried the WMI Filter but using the system variable worked.
    But it only worked for IE 9 and below.  IE 10 and above are still displaying the same issues.  Luckily we'll be on IE 9 for the foreseeable future so this isn't a big concern.
    Thanks Matthias!

  • Software Restriction Policies?

    I have had several SysAdmin's around me state that the CryptoLocker malware has hit them hard. I have been looking into better ways to keep my systems protected and had a few implementation policy questions for those of you running a non-Active Directory environment.
    The first question is regarding Software Restriction Policies. Anyone using this through the GPO inside ZENworks? Any recommendations on how best to deploy this to prevent disasters like Crypto?
    The second question is regarding other areas, security wise, I should be working with? Recommendations on GPO settings that I should be posting? Other security settings outside of a GPO I should be working on?
    I have been rather lucky so far with my Virus issues not being too large but I want to ensure I am doing all I can to ensure I keep the risk to a minimum.
    Thanks.
    Richard

    No, it does not download it to Cache and run from there.
    It runs it from where-ever the app runs it.
    Most browsers will run from AppData and TEMP.
    One of the key items for Crypto is making sure JAVA is updated and has
    proper security settings.
    You could also have a process that runs on user logon that wipes
    the HKCU RUN registry key.
    These type of apps always pop themselves there, since they won't have
    rights to write to any system keys.
    Perhaps even have something that revokes the user's write rights to the key.
    On 11/7/2013 12:46 PM, rhuhman wrote:
    >
    > I have a new issue/question regarding policies and how ZENworks
    > functions. I set Software Restrictions on my main Computer GPO so that
    > it doesn't allow EXE execution from AppData, LocalAppData, Temp, and tmp
    > directories. I have one of the staff members show me an error stating
    > the bundle for a website couldn't be executed due to a Group Policy
    > enforcement.
    >
    > I guess I am lost now on how ZENworks launches bundles. I always thought
    > it was downloaded into the cache location and launched from that
    > location. (C:\Program Files\Novell\ZEnworks\cache\zmd)
    >
    > Which location do I need to worry about or is this unrelated to the GPO
    > preventing exe execution.
    >
    > Thanks for the guidance.
    >
    > Richard
    >
    >

  • Software Restriction Policy block zipped js file.

    Trying to block zipped js files from running. Have applied the following path rule under our software restriction policies.
    *.zip\*.js
    *\*.zip\*.js
    *.zip\test.js
    Neither works to block.
    Using "test.js" as path rule works fine.
    Am I missing something here?
    Also I have added JS as a file type in software restriction policies.

    Hi  Allister Wade 2,
    Here is a link for reference of Software Restriction Policies.
    Software Restriction Policies
    https://technet.microsoft.com/en-us/library/hh831534.aspx
    All the failed rules including the letter "*", I am afraid this policy will not support the fuzzy query. Considering test.js will work well, we would add an exact file path to be forbidden.
    What is the purpose of this operation? If it is used to forbid the ZIP software from running the js file, as a workaround we can change the js file association to have a check (Control Panel\All Control Panel Items\Default Programs).
    Best regards

  • G4/OSX.39 INFURIATION- Software Restrictions!

    I am denied Final Cut 4.x. I cannot upgrade Safari. I can NOT use Pro Tools 6.4 on OSX.4!
    Software restrictions! I do not understand why I should not be able to install Pro Tools 6.4, which is not really that old, into OSX.4
    Windows tried to do that to me... Denying the wise installer permission to install Sonar 2.x into XP, which works under Windows 2000. The installer is blocked out! Because the DirectX was version 8.something... And Windows XP had a higher DirectX version... Version 9.x
    Well, All I did was install everything I wanted into Windows 2000 and upgraded it to XP- And then it worked, and installed the rest of the programs into XP. Later... cakewalk built a FIX on their website... which you ran first and it removed the software restriction.. Bully for them, that was a wise move.
    Now the question here, is, can I do something like this with Pro Tools?
    Because I basically refuse to throw away this Digi 001 that was perfectly good in 2003- That is another issue altogether, Digi ought to give software support for all their devices, regardless of how old, but they are doing the same thing... Trying to force everyone to use newer versions: Well I think the newer versions of Pro Tools ought to by default operate with the older Digi devices. The funny thing is... I got sick of the software restrictions so I pulled the Digi off of my G4 and shoved it into my AMD x64... Which crashes Pro Tools, but Sonar 5 detects the Digi 001 and I can use all my VST and DirectX plugins.
    But... I really want to use the unit in the Mac, because I can use Pro Tools in that machine, and I can manipulate up to some 30 odd tracks, which I cannot do on the AMD PC.
    I know some of this does not make sense to some people, but the point is, I am stuck with Leopard. Is that the proper name for OSX.3.9? But I am stuck with it cos of the Digi... And because I am stuck, I can't get very many new programs, they are all for OSX.5!
    So, is there a way around these software/OS restrictions? I really have to have certain of these programs and the older versions are pretty scarce.

    Hello and welcome to Apple Discussions!
    This is not Apple's fault - Protools 6.x is not compatible with OS 10.4 as per Digidesign. It is up to the software developer to coordinate their program with the intended OS. Get mad at Digidesign, not Apple.
    Sometimes, people like you who love their old software but have a newer OS will get together independently and write a patch to allow compatibility. Unfortunately, no one has done this for Protools 6, and I doubt they ever will, considering how large of a project that would be.
    The way around the restriction is to upgrade to all new equipment and a new OS (10.5 Leopard), or only use old equipment with its intended OS. You could also have multiple startup disks, one with the older OS and one with the newer. But you must use the software with its compatible OS. There is no way around it...
