Re: Software Restrictions



Herb,

Ok, here are the results. When I denied Project Users Read & Apply Policy,
my test user could access all restricted applications to include Project.
It seems as though the first policy took effect and skipped the second
policy. Then I removed the deny on Read in the first policy and then the
user could not access any of the restricted applications to include Project.
However, when the test user tries to access a restricted application that
he should not have access to, there are 2 pop ups. The first one is "THIS
OPERATION HAS BEEN CANCELLED DUE TO RESTRICTION IN EFFECT ON THIS COMPUTER.
PLEASE CONTACT YOUR SYSTEM ADMINISTRATOR." The second message is "UNABLE TO
RUN THIS COMMAND". However when the user tries to connect to Project, the
application that he does have access to according to the second policy, he
only gets that first pop up message. Any ideas?

Kevin
"Herb Martin" <news@xxxxxxxxxxxxxx> wrote in message
news:eWqBY1ZFGHA.3176@xxxxxxxxxxxxxxxxxxxxxxx
> "Kevin Wheeler" <kevin_wheeler@xxxxxxxxxxx> wrote in message
> news:u61IM7YFGHA.3200@xxxxxxxxxxxxxxxxxxxxxxx
> >I want to implement 2 GPOs to restrict certain software. It is a Windows
> >2000 Domain with Windows 2000 Pro workstations.
>
>
> > The first policy will restrict about 10 applications and this policy
> > will be applied to the Domain Users security group.
>
> Since policies must be LINKED to Sites, Domain, or OUs you
> would probably link such a policy to the DOMAIN and then
> FILTER it using the Group "Domain Users".
>
> But there is probably no reason not to just use Everyone unless
> you REALLY mean just domain users.
>
> This is basically going to apply to just about 'everyone' (who is
> a real user) anyway.
>
> But you CAN set it in the User section of the GPO and have it
> apply to (such) groups.
>
> > I created a second group called project users.
>
> Notice that policy for Domain Users (or everyone) is going to
> apply to "Project Users" by default (unless you deny them "Apply_Policy"
> permission.)
>
> > In the 1st GPO, project application is one of the restricted
> > applications. The 2nd GPO will have the same applications listed except
> > Project, and this GPO will be applied to the Project Users security group.
>
> You will have to set the permission on the first to DENY this group
> Apply, and ONLY grant this Group Apply on the 2nd.
>
> > In logic, this should work, however, when I added my test user to the
> > Project Users group, he couldn't access any of the restricted
> > applications, by design, but he also couldn't access the Project
> > application.
>
> Because he is a Domain User -- your starting premise was wrong
> and all of your logic was built on that: GPOs that apply to Domain
> Users also apply to pretty much everyone unless you deny that.
>
> > Can someone tell me what I'm doing wrong? Does it have something to do
> > with the test user being a member of both Domain Admins and Project
> > Users? How can I get this to work?
>
> Yes. See above.
>
> 1st GPO: Allow Read & Apply for Domain Users
> Deny (Read &) Apply for Project Users
>
> 2nd GPO: Allow Read & Apply for Project Users
>
> It's a straightforward permission problem.
>
> But do notice that you have left out other problems, e.g.,
> Admins are also Domain Users.
>
> You might want a MORE SPECIFIC group for such policies or
> you must Deny admins apply to keep them from being locked out
> too.
>
> Think what is going to happen when the Admin tries to run any
> other program to FIX something.
>
> --
> Herb Martin, MCSE, MVP
> Accelerated MCSE
> http://www.LearnQuick.Com
> [phone number on web site]
>
>
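
The security filtering rules discussed in this thread, as a small Python model added here (it is not part of the original posts): a GPO applies only when the user's groups are allowed both Read and Apply Group Policy and none of them is denied either right. Group names come from the thread; the application names, the `Gpo` class and the helper functions are constructed, and blocking is simplified to "any applied GPO lists the application" without modelling precedence between GPOs.

```python
from dataclasses import dataclass, field

READ, APPLY = "Read", "Apply Group Policy"

@dataclass
class Gpo:
    name: str
    restricted: frozenset                      # applications this GPO disallows
    acl: list = field(default_factory=list)    # ACEs as (kind, group, right)

def has_right(gpo, groups, right):
    """A right is held only if some group allows it and no group denies it."""
    kinds = {kind for kind, group, r in gpo.acl if r == right and group in groups}
    return "allow" in kinds and "deny" not in kinds

def applied(gpos, groups):
    """Names of the GPOs that pass security filtering for this set of groups."""
    return [g.name for g in gpos
            if has_right(g, groups, READ) and has_right(g, groups, APPLY)]

def blocked(gpos, groups):
    """Simplification: an app is blocked if any applied GPO lists it."""
    names = applied(gpos, groups)
    return set().union(*(g.restricted for g in gpos if g.name in names))

def allow(group):
    return [("allow", group, READ), ("allow", group, APPLY)]

APPS = frozenset({"app1.exe", "app2.exe", "project.exe"})   # constructed names

def build(deny_on_first=()):
    """Two GPOs as in the thread; deny_on_first lists groups denied Apply on GPO 1."""
    first = Gpo("GPO1", APPS, allow("Domain Users")
                + [("deny", g, APPLY) for g in deny_on_first])
    second = Gpo("GPO2", APPS - {"project.exe"}, allow("Project Users"))
    return [first, second]

PROJECT_USER = {"Domain Users", "Project Users"}
ADMIN = {"Domain Users", "Domain Admins"}   # admins are Domain Users too

if __name__ == "__main__":
    for label, gpos in [("no deny", build()),
                        ("deny Project Users + Domain Admins",
                         build(["Project Users", "Domain Admins"]))]:
        for who, groups in [("project user", PROJECT_USER), ("admin", ADMIN)]:
            print(label, "|", who, "|", applied(gpos, groups),
                  sorted(blocked(gpos, groups)))
```
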

