Re: Software Restrictions



"Kevin Wheeler" <kevin.wheeler@xxxxxxxxxx> wrote in message
news:uPLRNDeFGHA.516@xxxxxxxxxxxxxxxxxxxxxxx
> Herb,
>
> Ok, here are the results. When I denied Project Users Read & Apply Policy,
> my test user could access all restricted applications to include Project.
> It seems as though the first policy took effect and skipped the second
> policy. Then I removed the deny on Read in the first policy and then the
> user could not access any of the restricted applications to include
> Project.
> However, when the test user tries to access a restricted application that
> he should not have access to, there are 2 pop ups. The first one is "THIS
> OPERATION HAS BEEN CANCELLED DUE TO RESTRICTION IN EFFECT ON THIS COMPUTER.
> PLEASE CONTACT YOUR SYSTEM ADMINISTRATOR." The second message is "UNABLE TO
> RUN THIS COMMAND". However when the user tries to connect to Project, the
> application that he does have access to according to the second policy, he
> only gets that first pop up message. Any ideas?
>

The above account just confused me so that I am unsure
how to respond.

(I know you understood what you mean but it is easy for
us to get lost in the "back references".)

Sorry.

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

> Kevin
> "Herb Martin" <news@xxxxxxxxxxxxxx> wrote in message
> news:eWqBY1ZFGHA.3176@xxxxxxxxxxxxxxxxxxxxxxx
>> "Kevin Wheeler" <kevin_wheeler@xxxxxxxxxxx> wrote in message
>> news:u61IM7YFGHA.3200@xxxxxxxxxxxxxxxxxxxxxxx
>> >I want to implement 2 GPOs to restrict certain software. It is a Windows
>> >2000 Domain with Windows 2000 Pro workstations.
>>
>>
>> > The first policy will restrict about 10 applications and this policy will
>> > be applied to the Domain Users security group.
>>
>> Since policies must be LINKED to Sites, Domain, or OUs you
>> would probably link such a policy to the DOMAIN and then
>> FILTER it using the Group "Domain Users".
>>
>> But there is probably no reason not to just use Everyone unless
>> you REALLY mean just domain users.
>>
>> This is basically going to apply to just about 'everyone' (who is
>> a real user) anyway.
>>
>> But you CAN set it in the User section of the GPO and have it
>> apply to (such) groups.
>>
>> > I created a second group called project users.
>>
>> Notice that policy for Domain Users (or everyone) is going to
>> apply to "Project Users" by default (unless you deny them "Apply_Policy"
>> permission.)
>>
>> > In the 1st GPO, project application is one of the restricted applications.
>> > The 2nd GPO will have the same applications listed except Project, and
>> > this GPO will be applied to the Project Users security group.
>>
>> You will have to set the permission on the first to DENY this group
>> Apply, and ONLY grant this Group Apply on the 2nd.
>>
>> > In logic, this should work, however, when I added my test user to the
>> > Project Users group, he couldn't access any of the restricted
>> > applications, by design, but he also couldn't access the Project
>> > application.
>>
>> Because he is a Domain User -- your starting premise was wrong
>> and all of your logic was built on that: GPOs that apply to Domain
>> Users also apply to pretty much everyone unless you deny that.
>>
>> > Can someone tell me what I'm doing wrong? Does it have something to do
>> > with the test user being a member of both Domain Admins and Project Users?
>> > How can I get this to work?
>>
>> Yes. See above.
>>
>> 1st GPO: Allow Read & Apply for Domain Users
>> Deny (Read &) Apply for Project Users
>>
>> 2nd GPO: Allow Read & Apply for Project Users
>>
>> It's a straightforward permission problem.
>>
>> But do notice that you have left out other problems, e.g.,
>> Admins are also Domain Users.
>>
>> You might want a MORE SPECIFIC group for such policies or
>> you must Deny admins apply to keep them from being locked out
>> too.
>>
>> Think what is going to happen when the Admin tries to run any
>> other program to FIX something.
>>
>> --
>> Herb Martin, MCSE, MVP
>> Accelerated MCSE
>> http://www.LearnQuick.Com
>> [phone number on web site]
>>
>>
>
>
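
The security-filtering rule discussed in this thread, modelled as an added example (not part of either poster's messages): a GPO is processed for a user only when Read and Apply Group Policy are both allowed and neither is denied, with any Deny overriding any Allow. The GPO names, sample memberships and helper functions are constructed, and the model assumes the default Authenticated Users entry has been removed from both GPOs.

```python
# Added illustration (not from the thread): simplified model of GPO security
# filtering. Group names follow the thread; "GPO1"/"GPO2" and the sample
# users' memberships are constructed for this example.
READ, APPLY = "Read", "Apply Group Policy"

def gpo_applies(acl, user_groups):
    """True only if Read and Apply Group Policy are both allowed and neither
    is denied. A Deny ACE for any of the user's groups overrides every Allow."""
    allowed, denied = set(), set()
    for group, ace_type, rights in acl:
        if group in user_groups:
            (denied if ace_type == "Deny" else allowed).update(rights)
    return {READ, APPLY} <= allowed and not ({READ, APPLY} & denied)

def applied_gpos(gpos, user_groups):
    """Names of the GPOs that pass security filtering for this user."""
    return sorted(n for n, acl in gpos.items() if gpo_applies(acl, user_groups))

def allow(group):
    return (group, "Allow", {READ, APPLY})

def deny_apply(group):
    return (group, "Deny", {APPLY})

# Setup from the first post: no Deny entries anywhere.
BEFORE = {"GPO1": [allow("Domain Users")],
          "GPO2": [allow("Project Users")]}
# Setup recommended in the reply, plus the Deny for admins it warns about.
AFTER = {"GPO1": [allow("Domain Users"), deny_apply("Project Users"),
                  deny_apply("Domain Admins")],
         "GPO2": [allow("Project Users")]}

PROJECT_USER = {"Domain Users", "Project Users"}
ORDINARY_USER = {"Domain Users"}
ADMIN = {"Domain Users", "Domain Admins"}

if __name__ == "__main__":
    for label, groups in [("project user", PROJECT_USER),
                          ("ordinary user", ORDINARY_USER), ("admin", ADMIN)]:
        print(label, applied_gpos(BEFORE, groups), applied_gpos(AFTER, groups))
```

With the original ACLs the project user receives both GPOs, so the first one still restricts Project; with the Deny entries in place only the second GPO reaches that user and neither reaches the admin.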

