Active Directory
obormotikdenis, 2015-06-04 10:59:49

Is it possible to allow programs from the "windows" and "program files" folders to run, and to prohibit the rest on client PCs?

In an educational institution, it is necessary to allow the execution of certain programs from the Program Files and Windows folders. There were attempts through GPO to allow execution of certain programs, but as I understand it, it blocks on the server instead of on the client machines.


3 answer(s)
Rsa97, 2015-06-04
@Rsa97

It is done through policies. On the domain controller, in the Group Policy snap-in, create a new object and associate it with a group containing the computers on which you want to apply the restriction. In this object, add the entries:
Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Software Restriction Policies ->
right-click Additional Rules, New Path Rule, and create a rule for each path:
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%, level - Unrestricted
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%, level - Unrestricted
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)%, level - Unrestricted
-> Security Levels -> Disallowed, click the "Set as Default" button
If you want local admins to be able to run programs from other folders, then
-> Enforcement
Apply the policy to all users except local administrators.
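
One way to confirm on a client PC that the settings from the answer above actually arrived there, as an added example that is not part of the original answer. It assumes the standard location where Group Policy stores Software Restriction Policies (HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers) and is meant to be run on the client, not on the server.

```powershell
# Added example: read the SRP settings that Group Policy wrote to this client's
# registry and compare them with the configuration described in the answer.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Path rules the answer sets to the Unrestricted level.
$expected = @(
    '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%',
    '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%',
    '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)%'
)

if (-not (Test-Path $base)) {
    Write-Warning 'No SRP settings found: the GPO is not being applied to this machine.'
    return
}

$cfg = Get-ItemProperty -Path $base
# DefaultLevel: 0 = Disallowed, 0x40000 (262144) = Unrestricted
$defaultOk = ($cfg.DefaultLevel -eq 0)
# PolicyScope: 0 = all users, 1 = all users except local administrators
$scopeOk = ($cfg.PolicyScope -eq 1)

# Unrestricted path rules live under the 262144 subkey, one GUID key per rule.
$rulesKey = Join-Path $base '262144\Paths'
$rules = @()
if (Test-Path $rulesKey) {
    $rules = @(Get-ChildItem -Path $rulesKey | ForEach-Object {
        # Read the raw string so the %...% references are not expanded.
        $_.GetValue('ItemData', $null, 'DoNotExpandEnvironmentNames')
    })
}
$missing = @($expected | Where-Object { $rules -notcontains $_ })

[pscustomobject]@{
    DefaultLevelDisallowed = $defaultOk
    AdminsExempt           = $scopeOk
    UnrestrictedRuleCount  = $rules.Count
    MissingRules           = $missing -join '; '
}
```

An empty MissingRules field with both flags True means the client has the configuration described in the answer.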

Ruslan, 2015-06-04
@flay_er

Of course it is possible. Read about AppLocker, deploy it through GPO and enjoy.

Ivan, 2015-06-04
@LiguidCool

There are local GPOs, and there are domain GPOs - apparently you are editing the wrong ones.
