Re: Software restriction policy problem



Hello Theo,

Check out this one:

Skip Administrators
An administrator may want to disallow the running of programs for most users, but allow administrators to run all programs. For example, a customer may have a shared machine that multiple users connect to using Terminal Server. The administrator may want users to be able to run only specific applications on the machine, but allow members of the local administrators group to run any program. To do this, use the Skip Administrators option.

If the software restriction policy is created in a GPO attached to an object in Active Directory, the preferred way to use this option is to deny the Apply Group Policy permission on the GPO to a group containing the administrators. This way less network traffic is consumed downloading GPO settings that do not apply to administrators. However, software restriction policies defined in Local Security Policy objects have no way to filter based on users. In this case, the Skip Administrators option should be used.

To turn on Skip Administrators

• In the Enforcement Properties dialog box, select the following option (as shown in Figure 2).

Apply software restriction policies to the following users > All users except local administrators

Note Setting the Skip Administrators option is only valid for machine policies.

Note In Windows Vista, setting the Skip Administrators option is only valid for elevated applications. For all un-elevated applications, this option will not work as software restriction policies use the (Lower) user account control (UAC) token, which does not contain admin group SID. For more information about UAC, see http://www.microsoft.com/technet/windowsvista/security/uac.mspx



Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.dts-l.org/goodpost.htm

I have set up a software restriction policy on my Vista Ultimate PC at
home. This works fine. However, as a side effect I can no longer open
PDF (Adobe Reader) or Word (2007) documents from a CD or USB flash
drive by double-clicking them. They will open if dropped onto an
already running program. They open fine from the main drive.

I have restricted it so ordinary users can only run programs from
"program files" and the "windows" directory.

Can anyone help?

Theo Carr-Brion


