none
AppLocker GPO

    Question

  • If a user have Local Administrator rights to a computer, does it overwrite the AppLocker GPO (machine-based)?

    thank you


    Best Regards,

    Wednesday, May 18, 2016 1:07 AM

Answers

  • > If a user have Local Administrator rights to a computer, does it
    > overwrite the AppLocker GPO (machine-based)?
     
    Not out of the box - but an administrator can circumvent any restriction
    that you apply to her. If she manages to delete the safer2 registry key
    or to stop the AppIdSvc, she can get rid of AppLocker easily :)
     
    • Marked as answer by BlueBerries Thursday, May 19, 2016 12:37 AM
    Wednesday, May 18, 2016 8:59 AM
  • If the GPO is based on the machine, it would apply to all users using the computer. The key point is what the GPO's scope is.

    Just like Martin said, administrator has the highest right for the machine, he can easily modify a GPO. 

    • Marked as answer by BlueBerries Thursday, May 19, 2016 12:37 AM
    Wednesday, May 18, 2016 9:08 AM

All replies

  • Hi BlueBerries,

    I have tested for this.

    I create an AppLocker policy to deny everyone to run CMD.exe, and the result is that the local administrator cannot run CMD.

    So I think local administrator do not overwrite the AppLocker GPO.

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, May 18, 2016 7:21 AM
    Moderator
  • > If a user have Local Administrator rights to a computer, does it
    > overwrite the AppLocker GPO (machine-based)?
     
    Not out of the box - but an administrator can circumvent any restriction
    that you apply to her. If she manages to delete the safer2 registry key
    or to stop the AppIdSvc, she can get rid of AppLocker easily :)
     
    • Marked as answer by BlueBerries Thursday, May 19, 2016 12:37 AM
    Wednesday, May 18, 2016 8:59 AM
  • If the GPO is based on the machine, it would apply to all users using the computer. The key point is what the GPO's scope is.

    Just like Martin said, administrator has the highest right for the machine, he can easily modify a GPO. 

    • Marked as answer by BlueBerries Thursday, May 19, 2016 12:37 AM
    Wednesday, May 18, 2016 9:08 AM