Software Restriction - how to allow specific users to use a specific application

    Question

  • I want to use Software Restriction to block a specific application for all users except a few of them.

    Let's say I have an OU named "Company"; under this OU are a bunch of sub-OUs named "HR", "Marketing", "IT", etc.

    In order to block that specific application for all users, I create a policy with a Path rule which is set to Disallowed and link it to the OU "Company". In Security Filtering, I add "Domain Users".

    This application allows only a few HR staff to use it. So I create another policy with a Path rule which is set to Unrestricted and link it to the OU "HR". In Security Filtering, I add a custom group named "HR-special-users". The usernames of those HR staff who need to use that application were added to this group.

    Now, the problem is that only the policy in the OU "Company" works. The users in the group "HR-special-users" also can't open that application.

    How can I make a policy rule which allows specific users to use a specific application while the other users are blocked?

    Monday, March 14, 2016 10:15 AM

Answers

  • > This application allows only a few HR staff to use it. So I create another
    > policy with a Path rule which set to Unrestricted and link it to OU -
     
    This second path rule has to be "more specific" to be elected.
     
    If both rules are identical, the deny rule will always win.
     
    Alternatively, block the GPO with the "general" deny rule for the
    members of this group - GPMC, Delegation, Advanced -> "apply GPO - deny".
     
    Monday, March 14, 2016 10:51 AM

All replies

  • Hi,

    I agree with the above. You just need to create a group and add the users for whom you want to deny applying the GPO. Then delegate the group with deny “apply group policy”.

    Here is an article below for your reference.

    How to prevent domain Group Policies from applying to certain user or computer accounts

    https://support.microsoft.com/en-us/kb/816100

    Best Regards,

    Jay



    Tuesday, March 15, 2016 9:14 AM
    Moderator
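
The alternative both replies describe, a deny on "Apply group policy" for the members of "HR-special-users" on the GPO that carries the Disallowed rule, scripted in PowerShell rather than set through GPMC > Delegation > Advanced. This is an added example, not part of the thread; the GPO name `Block-App-Company` is a hypothetical placeholder, and the script assumes the GroupPolicy and ActiveDirectory RSAT modules and rights to edit the GPO's permissions.

```powershell
# Added example: deny "Apply group policy" on the blocking GPO for one group.
Import-Module GroupPolicy
Import-Module ActiveDirectory      # provides Get-ADGroup and the AD: drive

$GpoName   = 'Block-App-Company'   # hypothetical name of the GPO with the Disallowed path rule
$GroupName = 'HR-special-users'    # group named in the question

$gpo   = Get-GPO -Name $GpoName -ErrorAction Stop
$group = Get-ADGroup -Identity $GroupName -ErrorAction Stop

# A GPO's permissions live on its object under CN=Policies,CN=System in the domain.
$domainDn = (Get-ADDomain).DistinguishedName
$gpoDn    = "CN=$($gpo.Id.ToString('B')),CN=Policies,CN=System,$domainDn"
$adPath   = "AD:\$gpoDn"

# Schema GUID of the "Apply Group Policy" extended right.
$applyGpRight = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'

# Deny ACE: the group may still read the GPO but will not apply it.
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $applyGpRight)

$acl = Get-Acl -Path $adPath
$acl.AddAccessRule($ace)
Set-Acl -Path $adPath -AclObject $acl

# Check: list every deny entry for "Apply Group Policy" now present on the GPO.
(Get-Acl -Path $adPath).Access |
    Where-Object {
        $_.AccessControlType -eq 'Deny' -and $_.ObjectType -eq $applyGpRight
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType
```

Group membership is evaluated at logon, so the affected users need to sign out and back in; `gpresult /r` run as one of them should then list the blocking GPO among those filtered out.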