none
"This program is blocked by group policy"

    Question

  • Hi all.

    I have searched Google a fair bit on this but shockingly I just can't find an actual answer.  The Group Policy forum is where I should have started rather than finally come to :)

    I am no genius with GP, I use it in the most basic ways in very small orgs.  My users appear to all have the same problem, when they insert a removable media device that has software on it that might run or autorun, I get the "This program is blocked by group policy, contact your admin" message.  I don't believe this ccurs with removable media just as just plain USB storage sticks.  So far the two examples I know of are for an Internet providers USB broadband mobility stick, and another user that is using some Kodak products (SD card, camera, and even the Kodak CD I think). 

    Environment is 2008 R2, Win7 Pro workstations, all users are local admin on their machine.  All users are in the default Users container, and all computers are in the Computer container.  To my recollection I have never set a GPO that would directly or indirectly cause all users problems like this.  The only thing that has had indirect consequences that I know of in the past, was because we use many of the options available under Folder Redirection, including redirecting the Desktop.  In some cases, when a user has tried to launch an exe or what not that was on the desktop, it failed because it's trying to launch in truth on their user folder on the server, not really on the Windows Desktop.  I'm not sure if that might impact my current problem. 

    To start, where can I go to actually check GPO's for this?  Is this the Software Restriction Policy?  If so, which one governs, the one in User Configuration or Copmputer Configuration?  In both cases I went to GPMC and under both, it would say I had to go to the Actions menu to create a New Software Restriction policy.  I did so (just picking the item in the Actions menu), and the resutlt was some choices under the actual GPO now, none of which I've yet configured. 

    So, I need to torublesahoot this ut also to know where such a thing causing this error message would be set under normal circumstances.  Also, could antivirus cause this?  I can't see the error saying "group policy" if it did though. 

    Thank you very much. 

    Friday, July 12, 2013 4:15 PM

Answers

  • Hello all.  Sorry that I took a while to reply. 

    I have found the issue - Symantec Endpoint Protection has the Application and Device Control function, and there was a setting to Block All Programs from running from removable media.  When I unchecked this, no longer after, people reported that the group policy error went away.  I suspect that Symantec perhaps edits the registry on each computer to make the changes that prevent this, hence why there was a generic Windows error about group policy and not a Symantec-specific error screen.  I didn't test, but since the prolbme seems resolved, I woulnd't be able to now. 

    Thank you kindly to all for your suggestions.  I've made note of the troubleshooting steps for future rererence as well. 

    Friday, July 19, 2013 8:04 PM
  • Hi,

    Thanks for posting your issue in the forum.

    Based on your description, I suspect that maybe Software Restriction Policy has been configured in the domain. At this time, I suggest we could try to collect the following information to narrow down the cause of the issue.

    GPMC.log

    ==================

    a. On domain controller, click Start ->Run, type GPMC.MSC, it will load the GPMC console.

    b. Right click on "Group Policy Result" and choose wizard to generate a report for the problematic computer and user account (please place appropriately). (Choose computer and select the proper user in the wizard)

    c. Right click  the resulting group policy result and click the "Save Report…" => save report to save the report to a HTML file.

     

    Once we get the report, please check if the Software Restriction Policy has been configured and applied to the problematic computers and users. If so, please disable the policy setting to see if the issue persists.

    In addition, please try to refer to the following articles for detailed information about Software Restriction Policy and how to troubleshoot Group Policy problems.

    Software Restriction Policies

    http://technet.microsoft.com/en-us/library/hh831534.aspx

    Troubleshooting Group Policy Problems

    http://technet.microsoft.com/en-us/library/cc787386(v=ws.10).aspx

    Hope this helps.

    Best Regards,

    Andy Qi

    TechNet Subscriber Support

    If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.


    Andy Qi
    TechNet Community Support

    Tuesday, July 16, 2013 10:16 AM
    Moderator

All replies

  • Anybody? 
    Monday, July 15, 2013 4:13 PM
  • Hi,

    Thanks for posting your issue in the forum.

    Based on your description, I suspect that maybe Software Restriction Policy has been configured in the domain. At this time, I suggest we could try to collect the following information to narrow down the cause of the issue.

    GPMC.log

    ==================

    a. On domain controller, click Start ->Run, type GPMC.MSC, it will load the GPMC console.

    b. Right click on "Group Policy Result" and choose wizard to generate a report for the problematic computer and user account (please place appropriately). (Choose computer and select the proper user in the wizard)

    c. Right click  the resulting group policy result and click the "Save Report…" => save report to save the report to a HTML file.

     

    Once we get the report, please check if the Software Restriction Policy has been configured and applied to the problematic computers and users. If so, please disable the policy setting to see if the issue persists.

    In addition, please try to refer to the following articles for detailed information about Software Restriction Policy and how to troubleshoot Group Policy problems.

    Software Restriction Policies

    http://technet.microsoft.com/en-us/library/hh831534.aspx

    Troubleshooting Group Policy Problems

    http://technet.microsoft.com/en-us/library/cc787386(v=ws.10).aspx

    Hope this helps.

    Best Regards,

    Andy Qi

    TechNet Subscriber Support

    If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.


    Andy Qi
    TechNet Community Support

    Tuesday, July 16, 2013 10:16 AM
    Moderator
  • On the problem machine run RSoP.msc

    -> Click Start

    -> Type rsop.msc

    This will load up the current GP settings that are applied for the user. If you believe that it is a group policy that is not completing correctly simply right click on either computer or user and go to properties. Under Error information it will give you the GP that is causing the issue and why.

    Using RSoP you can also examing every GP that is set by going down the levels, if you find the setting causing the issue it will advise you which GPO is setting that policy. You can also run in Planning mode to add GPO or remove GPO and test whether setting are added correctly.

    Tuesday, July 16, 2013 10:27 AM
  • Hi,

    Can you please Navigate to Computer configuration-->Policies-->Administrative Templates -->System.

    And under Removable Storage Access if you can check if any policy is configured ?

    Thanks,

    Swapnil


    Thanks, Swapnil Prajapati

    Tuesday, July 16, 2013 10:58 AM
  • Hello all.  Sorry that I took a while to reply. 

    I have found the issue - Symantec Endpoint Protection has the Application and Device Control function, and there was a setting to Block All Programs from running from removable media.  When I unchecked this, no longer after, people reported that the group policy error went away.  I suspect that Symantec perhaps edits the registry on each computer to make the changes that prevent this, hence why there was a generic Windows error about group policy and not a Symantec-specific error screen.  I didn't test, but since the prolbme seems resolved, I woulnd't be able to now. 

    Thank you kindly to all for your suggestions.  I've made note of the troubleshooting steps for future rererence as well. 

    Friday, July 19, 2013 8:04 PM
  • Hello,

    What version of Symantec Endpoint Protection are you running?

    By default, the ADC policy "Block All Programs from running from removable drives [AC2]" is unchecked as seen in the screenshot below.

    It may have happened that the policy was enabled by the Administrator manually.

    Hope that helps!!

    Thursday, August 08, 2013 12:35 PM
  • Hi Mithun, nice to see you here on this forum as well. 

    This is SEP 12.1.2015.2015 .  It was unchecked by default, I must have checked it at some point in the past when installing v 12, but didn't realize it would have such a generic error screen.  It is too bad Symantec does not have a way to insert a Symantec-speciic screen in there. 

    Monday, August 12, 2013 6:39 PM
  • Hello all.  Sorry that I took a while to reply. 

    I have found the issue - Symantec Endpoint Protection has the Application and Device Control function, and there was a setting to Block All Programs from running from removable media.  When I unchecked this, no longer after, people reported that the group policy error went away.  I suspect that Symantec perhaps edits the registry on each computer to make the changes that prevent this, hence why there was a generic Windows error about group policy and not a Symantec-specific error screen.  I didn't test, but since the prolbme seems resolved, I woulnd't be able to now. 

    Thank you kindly to all for your suggestions.  I've made note of the troubleshooting steps for future rererence as well. 

    This worked !

    Thanks

    Tuesday, October 08, 2013 10:29 PM
  • F-cking Symantec was my problem too.  Can't just disable Symantec either.  You have to got in and uncheck that stupid box!

    L-ski

    Wednesday, April 16, 2014 1:32 AM