AppLocker GPO: Allow only Authorized user for PowerShell

    Question

  • In AppLocker GPO, how can I create a DENY rule to deny 'everyone' from PowerShell & PowerShell ISE (both x64 & x86) & ALLOW it to only authorized users?

    My thought is:

    Create two DENY rules (one for x64, one for x86) to deny 'everyone':

    1. DENY

    %system32%\WindowsPowerShell\v1.0\powershell.exe

    2. DENY

    %syswow64%\WindowsPowerShell\v1.0\powershell.exe

    But from my understanding, deny rules always take precedence. How can I go about ALLOWing authorized users to use PowerShell?

    Please shed some light.


    Best Regards,

    Wednesday, May 18, 2016 8:20 AM

Answers

  • Hi BlueBerries,

    You could try these actions below.

    1. Create a rule
    2. Click Allow in permission tab and click Select to select the group which could use PowerShell
    3. Click Publisher and Click next on Conditions tab
    4. Click Browse and select x64 PowerShell.exe on Publisher and click next
    5. Click next on Exceptions
    6. Click Create on name tab

    7. There is a prompt after you click Create; click Yes

    8.  If you do not want administrator to run PowerShell.exe, you need to double-click action=ALLOW user=administrator and add x64 PowerShell.exe to Exceptions. If you allow administrator to run PowerShell.exe, just ignore this step

    9.  Then double-click both ACLs which have action=ALLOW user=everyone and add x64 PowerShell to Exceptions.

    10. Repeat the steps above for x86 PowerShell.

    Best Regards,

    Jay

    Be


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.




    Thursday, May 19, 2016 3:10 AM
    Moderator
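
Added example, not part of the original answer: a PowerShell check of how the effective AppLocker policy treats the x64 and x86 copies of powershell.exe and powershell_ise.exe, followed by a draft of publisher Allow rules for the authorized group. The group and account names and the output file name are hypothetical placeholders.

```powershell
# Added example. Assumptions: run from a 64-bit PowerShell session on a client
# that has received the GPO (a 32-bit session is redirected from System32 to
# SysWOW64). The account and group names below are hypothetical placeholders.
Import-Module AppLocker
$allowedGroup = 'CONTOSO\PS-Allowed'
$testUsers    = @('CONTOSO\ordinary.user', $allowedGroup, 'Everyone')

# Enumerate every PowerShell host that actually exists on this machine.
$binaries = foreach ($dir in 'System32', 'SysWOW64') {
    foreach ($exe in 'powershell.exe', 'powershell_ise.exe') {
        $path = Join-Path $env:SystemRoot "$dir\WindowsPowerShell\v1.0\$exe"
        if (Test-Path -LiteralPath $path) { $path }
    }
}

# Evaluate the effective (merged local + GPO) policy for each identity.
$effective = Get-AppLockerPolicy -Effective
$report = foreach ($user in $testUsers) {
    Test-AppLockerPolicy -PolicyObject $effective -Path $binaries -User $user |
        Select-Object @{ Name = 'User'; Expression = { $user } },
                      FilePath, PolicyDecision, MatchingRule
}
$report | Sort-Object FilePath, User | Format-Table -AutoSize

# Gaps: a host that someone outside the allowed group can still start.
$gaps = $report | Where-Object {
    $_.User -ne $allowedGroup -and "$($_.PolicyDecision)" -like 'Allowed*'
}
if ($gaps) {
    Write-Warning 'Still allowed for non-members (see MatchingRule):'
    $gaps | Format-Table User, FilePath, MatchingRule -AutoSize
}

# Draft publisher Allow rules for the group, covering all four binaries, as XML
# to review before adding to the GPO.
Get-AppLockerFileInformation -Path $binaries |
    New-AppLockerPolicy -RuleType Publisher -User $allowedGroup `
        -RuleNamePrefix 'PS-Allowed' -Optimize -Xml |
    Out-File -FilePath .\ps-allow-rules.xml -Encoding UTF8
```

The MatchingRule column names the rule that still admits a non-member, which is the rule that needs the exception described in steps 8 and 9.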

All replies

  • > Create two DENY rules (one for x64, one for x86) to deny 'everyone':
     
    You do not need deny rules when you enable AppLocker - deny is default.
    You only need allow rules for the users in question.
     
    Wednesday, May 18, 2016 8:58 AM
  • Thanks Martin,

    At the moment, there is an Executable Rule to ALLOW a security group (SG) to x64 of PowerShell (%system32%\WindowsPowerShell\v1.0\powershell.exe) --- which seems to be working. It DENIES everyone else and allows only members of that SG to use x64 PowerShell.

    However, the mystery that I am having is that users are able to use x86 of PowerShell & PowerShell ISE.

    There are no ALLOW rules for x86 of PowerShell (cannot find). If DENY is by default, should it DENY x86 of PowerShell too?

    If not, how to DENY 'everyone' & only allow authorized users to use both versions of PowerShell?

    Thank you


    Best Regards,



    • Edited by BlueBerries Thursday, May 19, 2016 12:41 AM
    Thursday, May 19, 2016 12:26 AM