Windows 7 Policy missing from Group Policy Management

Similar Messages

• Can't Remove IE Maintenance settings from group policy

  Dear Techies,
  In group policy under IE Maintenance I configured
  some settings like home page and proxy settings etc, now I removed all
  settings from group policy, I cleared every thing but still I can see the IE settings under group policy.
  1)automatically detect settings                   Disabled
  2)automatic browser configuration             Not configured.
  Now
  the problem is I am giving some proxy settings in IE manually when I
  restarted the system proxy settings are getting empty and again I have to
  give them.
  Please tell the procedure to remove IE Maintenance completely from group policy.
  can anybody please help me to solve this issue.
  Thanks in advance for your valuable support.
  Regards,
  Phani Kumar .B

  Hi,
  If GPO settings are not removed completely or settings were not saved correctly, this issue may occur.
  Let’s try to check if Registry settings was changed when changing IE proxy settings.
  1.    Open IE and change proxy settings. Click OK to apply.
  2.    Open "regedit", navigate to
  HKCU\software\Microsoft\Windows\CurrentVersion\Internet Settings
      In the right panel, are Proxy settings correct?
  3.    Log off and test. If the issue persists, please help to collect gpresult log.
  Run "gpresult /v >>c:\gpresult.log", send gpresult.log to [email protected]
  4.    On DC, open GPO, navigate to Computer Configuration\Administrative Templates\System\Group Policy,
  Double-click Internet Explorer Maintenance policy processing, Make sure it’s Note Configured or Disabled.
  Navigate to IE Maintenance, right-click Internet Explorer Maintenance, choose Reset Browser settings. Delete all file in the following folder.     
  \\FQDN\Sysvol\FQDN\Policies\<GPOGUID>\User\Microsoft\IEAK
  Note: Replace FQDN and <GPOGUID> accordingly.
  5.    On client, delete files in the following folder.
  %windir%\System32\GroupPolicy\User\Microsoft\IEAK
  Documents and Settings\<<username>>\Application Data\Microsoft\Internet Explorer\Custom Settings\Custom0\
  Documents and Settings\<<username>>\Application Data\Microsoft\Network\Connections\pbk\Rasphone.pbk (for connection settings)
  Thanks.
  This posting is provided "AS IS" with no warranties, and confers no rights.

• How to Enable USB Internet Dongles and only Block USB storage device from Group Policy

  Hi ,
  I have a very urgent requirement , Is there a way to disable the USB and only enable to Internet Dongle using Group policy.
  Regards,
  Schan.

  Hi,
  Checkout the below link for restricting the access for USB devices using Group Policy,
  http://www.windowsecurity.com/articles-tutorials/authentication_and_encryption/Control-USB-Devices-Group-Policy.html
  Checkout the below thread on similar discussion,
  http://social.technet.microsoft.com/Forums/en-US/89c8a8f0-da98-4cc9-8044-1e457e26840e/how-to-disable-usb-internet-dongle-datacard-from-group-policy-server-2008-r2?forum=winserverGP
  Regards,
  Gopi
  www.jijitechnologies.com

• I have removed some ADM templates from group policy but are still showing in RSOP

  I removed some old custom ADM templates from group policy but they are still showing up when I run RSOP.MSC.
  How do I get RSOP.msc not to show these old custom ADM templates?  I'm not able to find what I'm looking for in my searches. 

  Hi,   
  Even you remove these custom ADM templates, the policy settings configured by these custom ADM templates still exist. We can try to import these ADM templates again then un-configure
  the policy settings set by these custom ADM templates. After refreshing the policy settings, we can delete the custom ADM templates.
  Best Regards,
  Erin
  Thanks.  That almost works.  When I import a new updated template with a different name but with some of the same settings, the old template shows up again.

• ORA-15042: ASM disk "2" is missing from group number "1"

  Hi,
  I'm working on an Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - 64bit Production With the Automatic Storage Management option.
  Into the ASM I had 3 diskgroups:
  - ARCHIVELOG (4 disks)
  - ONLINELOG (1 disks)
  - DATA (10 disks)
  When I try to startup the ASM instance I got:
  A-15042: ASM disk "2" is missing from group number "1"The diskgroup won't be mounted.
  I would like to remove that disk and later add a new one.
  I can I do that?
  I'm not able to mount the ARCHIVELOG diskgroup.
  I tried the command
  SQL> alter diskgroup archivelog drop disk ARCH3 force;
  alter diskgroup archivelog drop disk ARCH3 force
  ERROR at line 1:
  ORA-15032: not all alterations performed
  ORA-15001: diskgroup "ARCHIVELOG" does not exist or is not mountedThanks in advance,
  Samuel
  Edited by: Samuel Rabini on Jan 10, 2012 4:11 PM

  As that database is on AWS, I tried this:
  - drop diskgroup archivelog
  - detach of those 4 disks
  - create new 4 disks
  - attach new disks
  - assign those disks to ASM with oracleasm utilty
  - create diskgroup archivelog
  It worked.
  But because I was on AWS and more because it was the ARCHIVELOG diskgroup.
  What would I had to do if it was the DATA diskgroup?
  Thanks

• Group Policy Guru? Group Policy and Windows 7 erratic and inconsistant.

  (*If you don't feel like reading everything, skip to the bottom two paragraphs for my questions)
  I've had a premier call open with MS since August. This week I had a Microsoft Technician in-house.  Though we eliminated some possibilities, we're not really closer to a cause or solution.
  Every time we work with an expert, I get a different explanation to describe the situation we are viewing.
  Quick summery of the issue:  We've been using Group Policy to manage most Windows XP and 7 settings for years, but starting the middle of last year, we began having clients with machines where some or all group policies would fail to apply. 
  These could be long assigned policies, new polices, or changes to policies.  It would never affect everyone or even a majority at once, and the resolution is never the same.  Sometimes a GPUDPATE /FORCE sometimes fixed automajically the next day,
  sometimes (but very rarely) longer.
  Troubleshooting History:
  What we found in early troubleshooting, that these machines, had errors in Event Viewer for Netlogon, Time-Sync, and Group Policy.  The other issue we noticed, was that our GPRESULT /H reports were missing security groups and the denied section was
  nothing but SSID's.  The first issue pointed me to:
  Event ID 5719 and event ID 1129 may be logged when a non-Microsoft DHCP Relay Agent is used
  I installed these Hot Fixes.  No change to any of the errors in event viewer, or to our Group Policy problems.
  Initial work with Premier Support found that Netlogon, Time-Sync, and Group Policy, were failing before loading of the network stack.  The suggestion was to apply the group policy setting "Always wait for the network at computer startup and
  logon".  At the time, this seemed not to work.  The policy was set on a test bed of laptops and desktops, and no changes in behavior were seen after 3 days.
  Windows 7 Clients intermittently fail to apply group policy at startup
  For some time after this, we were collecting GPSVC and NetTrace logs for Premeir Support, trying to document and troubleshoot the problem.  Eventually we got fed up and asked our TAM to call in a pro to get this resolved.  We were sent an engineer
  for 3 days.  For three days we banged away on this issue.  We verified AD and replication health, we tried numerous fixes and workarounds.  I learned 3 different desriptions of how Group Policy works, and in the end we thought we had a workaround
  using the "Always wait for the network at computer startup and logon" because of a single success late in the day.  On day 3 we tried replicating this fix, and quickly realized that the same issue we were having preventing other GPOs to apply,
  were also preventing our "fix" GPO from applying.  So we went the route of using a registry entry.  I also had a problem that even though it was making the process more consistant, it was still taking 3 reboots for a Computer Policy, assigned
  to a computer object via Security Group, to fully take affect on a computer.
  I used the registry methods in the above article.  It didn't work, no sign it was having the same affect the GPO had had.
  Our support engineer claimed this was the proper method, but that path wasn't even close in a Windows 7 SP1 registry, and after creating all the keys that were not present, it still didn't work.
  Always wait for the network at computer startup and logon - AzureWeb
  We ran out of time, our engineer returned home.
  I can understand how these errors indicate a problem applying Group Policy at boot.  But to me it doesn't explain why it doesn't correct post boot, and after a GPUDPATE /FORCE and a reboot.
  It also doesn't explain why we were working fine for years, then all of a sudden DHCP is being outrun by background services.  (By the way logging showed DHCP wasn't significantly delayed, out boot process was actually excellent, health wise.) 
  Why all of a sudden is this not behaving optimly?  No changes to network design or function.  No changes to the domain since 2008 R2 was installed in 2011.
  Today I'm reading through all these KB's and articles again, and took some time to read:
  [Forum FAQ] Common steps to start troubleshooting Group Policy
  application and it's links below.
  We ran though all of that before and during the 3-day onsite.  It's not getting us any closer to the cause or a solution.
  I found and begin some deep reading in this link today.  It has some additional information I will try to use next week:
  Group Policy Basics - Part 3: How Clients Process GPOs
  The one unanswered question I have is this.  How is group policy supposed to apply to a computer, when that policy is applied to a AD Security Group, in which the computer object is a member?
  Before we began having this problem, we would assign a computer GPO, then ask the user to reboot.  If it were a user GPO, we'd ask the user to log off, or reboot.  Either way, if we allowed a few minutes for AD and FRS replication, the user would
  log back in with that new policy in affect.  A new imaged machine would boot with all the GPO's linked to that domain and assigned to "Authenticated Users", already in affect.  Admin groups would be present in administrators, proxy settings
  would be set in Internet Explorer, etc.
  Now I'm aked to beleive this was never the case from Premeier Support and Microsoft Engineers.  That those policies require the equilent of a "GPUPDATE /FORCE" that was executed by the Local_System account.  That 3 reboots may
  be nessessary for a group policy to be applied.  One for the AD Security Group to be applied.  One for the Computer Policy to be applied.  And a final one for the policy in the GPO to be applied to Windows.
  Can someone confirm or correct this information please?  It's imperitive to my troubleshootng.
  There's no place like 127.0.0.1

  That key is empty on all of my machines I have checked today.  Working and problematic alike.
  GPRESULT logs, when ran as me, historically would show the group polices applied, denied, and the AD group membership all by name.  About 6 months ago I noticed this changed.
  Now they show the applied GPO's by name, a few of the denied GPO's by name, most by SID, and only 2 to 3 AD groups, though PowerShell shows all the AD groups assigned.  This happens after several AD security and distribution groups are added to the
  machine (Radia software distribution uses Dist groups to assign software).
  A check showed no groups with long legacy Kerberos keys.
  When we make a change to AD Security Group membership, to assign or deny a Group Policy, is usually when we encounter this problem.  It will usually fix itself in 24 hours of the machine being left up and running.  But no amount of GPUPDATE /FORCE
  and rebooting will cause the changes to take affect.
  During this time, the Group Policies will show assigned to the computer in the GPRESULT log.
  Yesterday I began looking into Spanning Tree configuration on our network being a possible cause for the boot up issues.  I'm waiting on responses from our Network group to confirm our configuration.
  There's no place like 127.0.0.1

• Cannot install program after begin removed from Group Policy published programs

  Hello,
  We recently attempted to publish a program through Group Policy to allow users to install it but due to some requirements of the installer, it did not work. We removed it as a published program and now someone who attempted to install it through that method
  cannot install the program at all. When they attempt to run the MSI from their local machine (not from a server share) they get an error saying "The feature you are trying to use is on a network resource that is unavailable". We tried putting a copy
  of the MSI in the network location it was looking for (which is where it was when it was a published program) and ran in to the same errors as before when it was a published program.
  When we ran the installer as a different user that had admin access the program installed correctly and without issue. To avoid having to run as a different user in case the computer only has one admin account, is there a way to clear the user account's
  memory of the msi or something?
  Thanks.

  Hi,
  Based on my knowledge, deployed msi application will be installed before the computer allows a user to logon if you choose Assign. Otherwise, you need to use Control Panel\Programs\Programs and Features\install a program from internet to get the msi
  installed.
  Did you mean to deploy a MSI file to each computers? Is it not the method written in this KB?
  How to use Group Policy to remotely install software in Windows Server 2008 and in Windows Server 2003
  https://support.microsoft.com/kb/816102?wa=wsignin1.0#method6
  If you just deploy a file from a shared network location, make sure that all your users has the permission to access the Network location.
  Also, please check the policy under Applocker if there is any policy block the installation of MSI for your domain user except the admin account.
  Kate Li
  TechNet Community Support

• WIndows Server 2008 Broken Group Policy

  Facing weird issue since last week , i can not edit the GP with administrative priviliges 
  Restore the sysvol folder via last backup ; have ran GPO tool commands but no luck 
  Attach is the error iam getting during editing any GPO
  any thoughts here to resolve this issue will be highly appriciated 
   event id # 4
  source # security-kerberos 
  Log Name# system

  Hi Nicholas,
  Before going further, sorry for the late response.
  Here, did these errors occur when we edit all GPOs or just this specific GPO? Besides, do we have other domain controllers? If yes, we can try to edit the GPO from another DC to see if the issue persists. Moreover, please make sure that the user account
  we were using to edit the GPO is not denied access to it.
  At this moment, regarding error message Failed to open the Group Policy Object. You may not have appropriate rights,
  the following article can be referred to for troubleshooting.
  Group Policy Error Message When Appropriate Sysvol Contents Are Missing
  http://support.microsoft.com/en-us/kb/253268
  Best regards,
  Frank Shen
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

• Windows 2008 R2 Standard Group Policy to Add Device and Printer in start menu of Windows 7 Users

  i need to add for Device and printers option in start menu of windows 7 client log on system,how to assign the group policy enable?  

  Hi,
  Are you trying to put a software icon to start for easy of end user use? If so you can refer the following related third party article solution:
  The related third party article:
  How to Push Shortcuts to the Desktop With Group Policy
  http://www.ehow.com/how_8390530_push-shortcuts-desktop-group-policy.html
  Hope this helps.
  *** This response contains a reference to a third party World Wide Web site. Microsoft is providing this information as a convenience to you. Microsoft does not control these sites and has not tested any software or information found on these sites;
  therefore, Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. There are inherent dangers in the use of any software found on the Internet, and Microsoft cautions you to make sure
  that you completely understand the risk before retrieving any software from the Internet. ***

• Windows 7 DNS and Group Policy Issues

  Hi,
  We have several suites of Windows 7 domain connected PC's.
  In one of the suites I have been called into look at 3 different PC's where the users have not got mapped drives, desktop backgrounds, internet connectivity - because their group policies have not applied.
  When I look at the error logs I find DNS 1014 errors, and Group Policy 1054 errors.
  I have looked at the logs on the switches, and there is nothing on them - Could a pupil pulling the network cable out cause these errors?... Possibly they could have put it back in before I got back in the room.
  The user logs off of the PC and back on again and are fine, as are the users that logon after them.
  We have 2 DC's/DNS servers, which I would have thought would be able to cope with the load here.
  Please let me know what you think the likely cause could be.

  Hello John555444,
  What is your current situation?
  Is this issue resolved?
  Best regards,
  Fangzhou CHEN
  Fangzhou CHEN
  TechNet Community Support

• Shutdown oracle from group policy

  I try to shutdown an Oracle 9i database as part of the shutdown script that runs when my Windows 2003 Server is being shutdown. I am getting a priviledge violation: This is my script
  set oracle_sid=SID
  set oracle_home=d:\oracle\SID\920
  sqlplus sys/password@"SID as sysdba" @shutdownimmediate.sql
  The script file contains:
  shutdown immediate
  exit
  I have added the local system account to the ORA_DBA, ORA_DEV_DBA, ORA_DEV_OPER groups without success.
  Has anyone out there successfully used the group policy editor (gpedit.msc) to make Oracle part of the shutdown procedure?

  Hi,
  You could use powershell command to enable this:
  Step-By-Step: Enabling BranchCache in Microsoft Windows Server 2012
  http://blogs.technet.com/b/canitpro/archive/2013/05/13/step-by-step-enabling-branchcache-in-microsoft-windows-server-2012.aspx
  Or you could create another GPO to check the result.
  More detail information:
  http://technet.microsoft.com/library/hh848392.aspx
  Regards.
  Vivian Wang

• Using multiple LISTBOX in single Policy of Microsoft Group Policy .adm file?

  OK, I am writing a .adm file and here is code for a policy within a category
  CATEGORY !!A_CATEGORY
  POLICY !!A_POLICY
  KEYNAME "Software\Policies\ABC\ListBoxes"
  PART !!PART_1_Text LISTBOX
  ALUEPREFIX "FirstListBox"
  END PART
  PART !!DestPort_Label LISTBOX
  VALUEPREFIX "SecondListBox"
  END PART
  END POLICY
  END CATEGORY
  The .adm file is successfully loaded in group policy editor without any problem and shows two list boxes too. I can give input for both list boxes and apply/ok without any problem. The real problem is that on registry location "Software\Policies\ABC\ListBoxes",
  there comes only registry values as SecondListBox1, SecondListBox2, SecondListBox3 .... and no values for FirstListBox. Ideally, there should also be FirstListBox1, FirstListBox2, FirstListBox3 ...
  I did some experiments and found that only the registry values with last PART (i.e. SecondListBox) are shown in registry and all other PART values before that are ignored. Lastly, the problem is only with multiple LISTBOX in a single policy. I can use multiple
  CHECKBOX, COMBOBOX, DROPDOWNLIST, EDITTEXT, TEXT and NUMERIC within a single policy without any problem both in Windows 2003 Server and Windows 2008R2 Server
  Baig

  > and no values for FirstListBox. Ideally, there should also be
  > FirstListBox1, FirstListBox2, FirstListBox3 ...
  Since you do not use "ADDITIVE" it seems the whole key is cleaned out
  before processing the second list. Give it a try :)
  Martin
  Mal ein
  GUTES Buch über GPOs lesen?
  NO THEY ARE NOT EVIL, if you know what you are doing:
  Good or bad GPOs?
  And if IT bothers me - coke bottle design refreshment :))

• URL and Google windows are missing from the window display. What is going on?

  Running Firefox 18.0 on a MacBookPro recently purchased. The windows are suddenly missing from the Firefox display window.

  Make sure that toolbars like the "Navigation Toolbar" and the "Bookmarks Toolbar" are visible:
  *"View > Toolbars"
  Open the Customize window to set which toolbar items to display:
  *View > Toolbars > Customize
  *Check that the "Bookmarks Toolbar items" is on the Bookmarks Toolbar
  *If the "Bookmarks Toolbar items" is not on the Bookmarks Toolbar then drag it back from the toolbar palette in the customize window to the Bookmarks Toolbar
  *If missing items are in the toolbar palette then drag them back from the Customize window on the toolbar
  *If you do not see an item on a toolbar and in the toolbar palette then click the "Restore Default Set" button to restore the default toolbar set up
  *https://support.mozilla.org/kb/How+to+customize+the+toolbar
  *https://support.mozilla.org/kb/Back+and+forward+or+other+toolbar+items+are+missing
  You can also check for problems with the localstore.rdf file.
  *http://kb.mozillazine.org/Corrupt_localstore.rdf

• Windows 8 - Folder Redirection policy missing from GP Results.

  Hi guys! This has been giving me a hard time the last day or so.  I've got some Win8 machines in our 2003 domain. I've got some GPO's applying with WMI filtering for win8 machines. Mostly these are ok, but i'm having a huge problem with Desktop Folder
  Redirection. 
  After a fresh build and first login, everything works fine. Drive mappings are all there and the Desktop is redirected to to users home drive on the file server. This is being done with Advanced settings using group membership and set to "Create a folder
  for each user under the root path" \\dfs1\users. This location is correct and permissions are fine of course as everything works for a while.
  After a little while or some unknown event, this redirection stops working.
  check these two screengrabs. These are different users on different machines. The machines are identical, are in the same OU and have the same image. The users are different but have the same group memberships and are in the same OU. 
  This is a working machine. Not the Folder Redirection component was processed and the Policy exists.
  This machine is not working. Folder Redirection is processed, but the Policy is missing. Running a gpresult /v on this machine yields: 
   Folder Redirection
       N/A
  It was working fine yesterday and this morning. Now at some point a policy refresh stopped it from working. Just trying to figure out what! These are the exact settings currently in place for our win 7 machines which all work just fine. Going a bit crazy
  tbh and usually when i post questions i figure it out shortly afterwards anyway huhu. Any help is appreciated! 
  h 

  well I though this issue was gone when I switched to a new Task Sequence in SCCM every machine that was built with that was working fine with Folder Redirection happening as it's meant to be. That was for about a week, now it's back to not working.
  here's a snippet of the gpsvc.log file pertaining to FD.
  GPSVC(43c.11f4) 08:59:47:231 ProcessGPOs(User): Processing extension Folder Redirection
  GPSVC(43c.11f4) 08:59:47:231 ReadStatus: Read Extension's Previous status successfully.
  GPSVC(43c.11f4) 08:59:47:231 CompareGPOLists: The lists are the same.
  GPSVC(43c.11f4) 08:59:47:231 CompareGPOLists: The lists are the same.
  GPSVC(43c.11f4) 08:59:47:231 GPLockPolicySection: Sid = S-1-5-21-2272506071-1675830810-3538462175-3230, dwTimeout = 30000, dwFlags = 0x0
  GPSVC(43c.11f4) 08:59:47:231 CGPApplicationService::LockPolicySection.
  GPSVC(43c.11f4) 08:59:47:231 WaitForServiceInitialization: Beginning WaitForSingleObject.
  GPSVC(43c.11f4) 08:59:47:231 WaitForServiceInitialization: Completed WaitForSingleObject.
  GPSVC(43c.11f4) 08:59:47:231 CPolicyCriticalSectionCollection: LockPolicySection called for user <S-1-5-21-2272506071-1675830810-3538462175-3230>
  GPSVC(43c.11f4) 08:59:47:231 SID = S-1-5-21-2272506071-1675830810-3538462175-3230
  GPSVC(43c.11f4) 08:59:47:231 bMachine = 0
  GPSVC(43c.11f4) 08:59:47:231 Global Sync Lock Called
  GPSVC(43c.11f4) 08:59:47:231 Writer Lock got immediately.
  GPSVC(43c.11f4) 08:59:47:231 Global Lock taken successfully
  GPSVC(43c.11f4) 08:59:47:231 ProcessGPOList: Entering for extension Folder Redirection
  GPSVC(43c.11f4) 08:59:47:231 UserPolicyCallback: Setting status UI to Applying Folder Redirection policy...
  GPSVC(43c.11f4) 08:59:47:231 ProcessGPOList: No changes. CSE will not be passed in the IwbemServices intf ptr
  GPSVC(43c.5d0) 08:59:47:231 CGroupPolicySession::QueueItemForPolicyApplication::-- (Status: 997)
  GPSVC(43c.5d0) 08:59:47:231 CGPApplicationService::UserLogonEvent::-- (Status: 997)
  GPSVC(43c.11f4) 08:59:47:231 ProcessGPOList: Extension Folder Redirection returned 0x0.
  GPSVC(43c.11f4) 08:59:47:231 ProcessGPOList: Extension Folder Redirection status was not updated because there was no changes and no transition or rsop wasn't enabled
  GPSVC(43c.11f4) 08:59:47:231 CGPApplicationService::UnLockPolicySection.
  GPSVC(43c.11f4) 08:59:47:231 WaitForServiceInitialization: Beginning WaitForSingleObject.
  GPSVC(43c.11f4) 08:59:47:231 WaitForServiceInitialization: Completed WaitForSingleObject.
  GPSVC(43c.5d0) 08:59:47:231 Setting GPsession state = 1
  GPSVC(43c.5d0) 08:59:47:231 User SID = <S-1-5-21-2272506071-1675830810-3538462175-3230>
  GPSVC(43c.11f4) 08:59:47:231 CPolicyCriticalSectionCollection: UnLocked successfully
  GPSVC(43c.5d0) 08:59:47:231 CGroupPolicySession::QueueItemForPolicyApplication::++ (bTriggered: 0, bConsole: 1)
  GPSVC(43c.5d0) 08:59:47:231 PolicyApplicationState is True.
  GPSVC(43c.5d0) 08:59:47:231 AsyncThreadsProcessing is False.

• How to disable .EXE files to be run from Group Policy

  I would like to know how to disable .exe files from GP?
  Thanks in advance

  All exe files icluding calc.exe, notepad.exe and explorer.exe or just some exe files?
  There are different approaches to this.
  If you're trying to block a single executable that you're familiar with you can disable it from a GPO using the setting:
  User Configuration/Administrative Templates/System/Don't run specified Windows applications
  Another option is to specify only the applications you want to allow Using:
  User Configuration/Administrative Templates/System/Run only specified Windows applications
  This one would probably take a lot of work to populate for a system with many applications installed or for a corporate environment.
  None of the two mentioned settings takes into account that a user can name their exe file what they want so renaming mydangerousapp.exe to explorer.exe would make it a perfectly legitimate executable.
  A more robust and managable way of securing your systems by controlling which applications that can be launched is Software Restriction Policies.
  Check this article for an introduction to Software Restriction Policies: http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx