Software restriction policies

    Question

  • Good morning,

    We have a domain controller running Windows Server 2012 R2.

    We did a test because we saw some strange things.

    We created an OU "Tests" and linked two user GPOs that run a PowerShell script on user logon. The script creates a file in c:\temp.

    The two files are created correctly.

    Then we created a new user GPO with software restriction policies to block PowerShell.

    On the OU we have the two user GPOs that create a file and the user GPO that blocks PowerShell. The linked Group Policy objects are:

    1. GPO Create file 1

    2. GPO Software restriction policies

    3. GPO Create file 2

    When we log in, no file is created. It is as if the order is not applied. It should create "file 2" but it does nothing. In the event viewer of the client computer, we see a warning "SoftwareRestrictionPolicy" for access to powershell.exe.

    We understand that GPO Create file 1 is not applied, but we don't understand why GPO Create file 2 is not applied.

    Can you help us please?

    Thank you so much for your help and have a nice afternoon.
    Best Regards

    Tuesday, December 1, 2015 1:15 PM

All replies

  • > 1. GPO Create file 1
    > 2. GPO Software restriction policies
    > 3. GPO Create file 2
     
    This order does not really matter in your case. GPO processing consists
    of several components, so-called client side extensions. These CSEs are
    called in a defined order, and each CSE receives the GPOs that have
    settings for it.
     
    information on that.
     
    So since the SRP CSE is called way before scripts, SRP blocks
    PowerShell. Later the scripts CSE tries to run PowerShell, but it is
    already blocked, so none of the scripts can execute.
     
    Tuesday, December 1, 2015 1:47 PM
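As an added illustration of the CSE explanation above (this is not code from the thread), here is a PowerShell snippet for the affected client: it lists the client-side extensions registered in the GPExtensions registry key, then pulls the SoftwareRestrictionPolicies warnings from the Application log so the blocking rule for powershell.exe can be read directly. The event ID range 865-868 and the assumption that SRP is applied by the Security CSE are mine, not stated in the thread.

```powershell
# Added example (not from the thread): inspect CSE registration and SRP block events
# on a domain-joined Windows client where SRP is applied through a user GPO.

# 1. Enumerate the Group Policy client-side extensions registered on this machine.
#    Each subkey name is a CSE GUID; the default value is its display name,
#    DllName is the handler, and NoUserPolicy = 1 means it is skipped for user policy.
$gpExt = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions'
$cses = Get-ChildItem -Path $gpExt | ForEach-Object {
    $props = Get-ItemProperty -Path $_.PSPath
    [pscustomobject]@{
        Guid         = $_.PSChildName
        DisplayName  = $props.'(default)'
        Dll          = $props.DllName
        NoUserPolicy = $props.NoUserPolicy
    }
}
# Show the two CSEs relevant here: Security (assumed to carry SRP settings) and Scripts.
$cses | Where-Object { $_.DisplayName -match 'Security|Scripts' } |
    Format-Table Guid, DisplayName, Dll, NoUserPolicy -AutoSize

# 2. Pull SRP enforcement events from the Application log.
#    Provider "SoftwareRestrictionPolicies" writes IDs 865-868 when a rule blocks execution
#    (865 = default level, 866 = path rule, 867 = certificate rule, 868 = hash/zone rule).
$srpEvents = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'SoftwareRestrictionPolicies'
    Id           = 865, 866, 867, 868
} -MaxEvents 50 -ErrorAction SilentlyContinue

# 3. Keep only the blocks that hit powershell.exe (the case in this thread) and show the rule text,
#    which tells you which SRP rule fired before the Scripts CSE ever ran the logon script.
$srpEvents |
    Where-Object { $_.Message -match 'powershell\.exe' } |
    Select-Object TimeCreated, Id, @{ n = 'Detail'; e = { $_.Message -replace '\s+', ' ' } } |
    Format-List

# 4. Confirm which GPOs each CSE actually received for the current user.
#    gpresult /v lists applied GPOs per extension; look at the Scripts and Security sections.
gpresult /user $env:USERNAME /scope:user /v | Select-String -Pattern 'GPO|Scripts|Security'
```

If step 3 shows an 866 event for powershell.exe with a timestamp earlier than the logon script's expected run, that is the CSE ordering described above, not a problem with the link order of the GPOs.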
  • Hi,

    Yes. I agree with Martin.

    Could you change the script extension to .bat or any other Windows file type, so that it will be created appropriately and won't look for PowerShell?

    Tuesday, December 1, 2015 2:19 PM
  • Thank you so much for your quick answer.

    We don't really understand.

    We block .bat too. We block all types of scripts. So we want to apply some logon scripts and then disable them with software restriction policies. It's not possible?

    Thanks a lot.

    Tuesday, December 1, 2015 3:10 PM
  • > It's not possible?
     
    No, it isn't. Logon scripts execute in the context of the logged on
    user, so all restrictions that apply to the user also apply to your
    logon scripts.
     
    Tuesday, December 1, 2015 3:36 PM
  • :-(

    We thought that the order of Group Policy would apply in all contexts.

    In the GPO Software restriction policies, we block REG too, and we enable the parameter "Disable regedit from running silently".

    And on the same OU, we have a user GPO that defines registry items in HKEY_CURRENT_USER. Its order is before the GPO that blocks scripts. Will these registry entries apply or not?

    Thank you so much.

    Wednesday, December 2, 2015 7:20 AM
  • Good morning,

    Can somebody answer me?

    And is there another way to specify the application order of the GPOs?

    Thank you so much and have a nice day.

    Thursday, December 10, 2015 10:21 AM