Software Restriction Policy - Machine Policy Section - local Administrators

    Question

  • Hello,

    I have an issue with GPO and Software Restriction Policy.

    I have defined a computer policy containing SRP and excluded it for local Administrators.

    I am logged in with my domain user who is in the local administrators group on the Windows 7 client computer.

    **Default setting is restricted - for all software except DLLs. And it should be applied to all except local Administrators.**

    Still, the SRP settings restrict programs although I am in the local Administrators group.

    Can someone give me advice?

    Regards.


    • Edited by ollivetti Wednesday, May 04, 2016 11:59 AM
    Wednesday, May 04, 2016 11:59 AM

Answers

  • > I am logged in with my domain user who is in the local administrators
    > group on the Windows 7 client computer.
     
    This thing is misleading... It applies to the builtin local
    administrator himself only, not to members of the local administrators
    group.
     
    Monday, May 09, 2016 10:50 AM

All replies

  • Hi..

    Check if you have any other SRM policy in place - if yes, look for those settings (chances of overriding).

    Also, give it a try - try the program with "Run as administrator".

    I hope you have followed the steps.

    https://technet.microsoft.com/en-us/library/cc776536(v=ws.10).aspx


    Devaraj G | Technical solution architect

    Wednesday, May 04, 2016 2:41 PM
  • Hi Ollivetti,

    Thanks for your post.

    Are there any updates?

    If the reply above has resolved your problem, please mark it as answer, as it would be helpful to anyone who encounters a similar problem.

    Thank you.

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, May 09, 2016 8:09 AM
    Moderator
  • Hello thank you for your replies.

    @Martin - yes, it seems you are right! I tested it and I experienced what you mentioned. But from my point of view that's then useless to set SRP on machine policy.

    Well I will have to set it on user policy then.

    Regards

    Thursday, May 12, 2016 8:55 AM
  • > what you mentioned. But from my point of view that's then useless to set
    > SRP on machine policy.
     
    Somehow - yes, it is useless. But it was introduced 16 years ago, and at
    that time, it was rocket science :-)
     
    Today, I'd suggest using AppLocker if your clients are enterprise SKUs.
     
    Thursday, May 12, 2016 9:59 AM
  • Thank you for your advice. I will look at AppLocker and give it a try.

    Can you set it on a per-machine basis and exclude Administrators, similar to the SRP?

    Regards

    Friday, May 13, 2016 1:47 PM
  • Hi,

    AppLocker is included with enterprise-level editions of Windows. You can author AppLocker rules for a single computer or for a group of computers. For a single computer, you can author the rules by using the Local Security Policy editor (secpol.msc). For a group of computers, you can author the rules within a Group Policy Object by using the Group Policy Management Console (GPMC).

    For more information about AppLocker, you could refer to the article below.

    AppLocker Overview

    https://technet.microsoft.com/en-us/library/hh831440.aspx?f=255&MSPPError=-2147217396

    Best Regards,

    Jay



    Tuesday, May 17, 2016 7:12 AM
    Moderator
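
An added example, not part of any post in this thread: a PowerShell check that reads the machine-level SRP enforcement values discussed above and reports how the current logon token looks (built-in Administrator account or not, Administrators group enabled or not). It assumes the policy is delivered under the standard machine SRP registry key and uses New-Object so it also runs on the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example: inspect machine-level SRP enforcement and the current token.
# Assumption: SRP is configured via Group Policy under the key below.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Meaning of the DWORD values written by the SRP policy editor.
$levelNames = @{ 0 = 'Disallowed'; 0x20000 = 'Basic User'; 0x40000 = 'Unrestricted' }
$scopeNames = @{ 0 = 'All users'; 1 = 'All users except local administrators' }
$fileNames  = @{ 0 = 'No enforcement'
                 1 = 'All software files except libraries (DLLs)'
                 2 = 'All software files' }

function Get-Name($table, $value) {
    # Translate a raw DWORD to its label; keep unknown values visible.
    if ($null -eq $value) { return 'not set' }
    if ($table.ContainsKey([int]$value)) { return $table[[int]$value] }
    return ('unknown (0x{0:X})' -f [int]$value)
}

$srp = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

# Current logon token.
$id        = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($id)

# IsInRole is True only when the Administrators group is enabled in this
# process token, i.e. the process is elevated when UAC is on.
$adminEnabled = $principal.IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)

# The built-in Administrator account always has RID 500.
$isBuiltinAdmin = $id.User.Value -match '-500$'

$report = New-Object PSObject -Property @{
    PolicyPresent         = [bool]$srp
    DefaultLevel          = if ($srp) { Get-Name $levelNames $srp.DefaultLevel }       else { 'n/a' }
    AppliesTo             = if ($srp) { Get-Name $scopeNames $srp.PolicyScope }        else { 'n/a' }
    EnforcedOn            = if ($srp) { Get-Name $fileNames  $srp.TransparentEnabled } else { 'n/a' }
    User                  = $id.Name
    IsBuiltinAdminAccount = $isBuiltinAdmin
    AdminGroupEnabled     = $adminEnabled
}

$report | Format-List PolicyPresent, DefaultLevel, AppliesTo, EnforcedOn,
                      User, IsBuiltinAdminAccount, AdminGroupEnabled
```

Run it once from a normal prompt and once from a prompt started with "Run as administrator" to compare the AdminGroupEnabled result for the same account.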