Applocker two rules

    Question

  • Hello,

    I need some help using the Applocker GPO.

    What I want to do:

    1. Allow all applications (except e.g. MSAccess) -> only Access should be blocked

    2. AD Group containing computer accounts on which Access could be used.

    What I did:

    1. Created a rule Allow - Path "*" - Exception MSAccess

    -> this rule is working if it's the only rule

    2. Rule Allow (added AD group Allow_MSACCESS) - Publisher (defined MSAccess)

    3. Added my test client to the AD group Allow_MSACCESS

    Result (after a few gpupdates and restarts): Access is still blocked

    How do I combine these rules?

    Tuesday, February 16, 2016 6:43 AM

Answers

  • > 3. Added my test client to the AD group Allow_MSACCESS
     
    As already mentioned: AppLocker rules themselves do not apply to
    computers, but to users. So you need to apply this rule to all users,
    but in the security filter of the GPO, filter it to the clients where
    you want to have that rule.
     
    • Proposed as answer by Jay Gu (Moderator) Friday, February 19, 2016 1:17 AM
    • Marked as answer by Strahle_fz Monday, February 22, 2016 2:27 PM
    Thursday, February 18, 2016 2:01 PM

All replies

  • Add your user account for allowing the rule, not the computer account.

    Regards, MC Manikandan


    • Edited by MC Manikandan Tuesday, February 16, 2016 7:14 AM text update
    • Proposed as answer by Jay Gu (Moderator) Friday, February 19, 2016 1:17 AM
    Tuesday, February 16, 2016 7:14 AM
  • Hi,

    To merge two or more Applocker policies

    1. Open an XML policy file in a text editor or XML editor, such as Notepad.
    2. Select the rule collection where you want to copy rules from. The following image shows the four rule collections.
    3. Select the rules that you want to add to another policy file, and then copy the text.
    4. Open the policy where you want to add the copied rules.
    5. Select and expand the rule collection where you want to add the rules.
    6. At the bottom of the rule list for the collection, after the closing element, paste the rules that you copied from the first policy file. Verify that the opening and closing elements are intact, and then save the policy.
    7. Upload the policy to a reference computer to ensure that it is functioning properly within the GPO.

    For detailed information, you could refer to the article below.

    Merge AppLocker Policies Manually

    https://technet.microsoft.com/en-us/library/ee791754%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396

    Here is an article below about Merge AppLocker Policies by Using Set-ApplockerPolicy for your reference.

    https://technet.microsoft.com/en-us/library/ee791816(v=ws.10).aspx

    Best Regards,

    Jay



    Wednesday, February 17, 2016 7:50 AM
    Moderator
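
The manual merge steps in the reply above, sketched in Python as an added example (not code from the thread or from Microsoft). The two policies are constructed stand-ins for the question's two rules; the GUIDs, rule names, publisher string and the function names `merge_policies` and `rules` are assumptions, and skipping duplicate rule Ids while keeping the base policy's enforcement mode is this example's choice.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies: GUIDs, rule names and publisher strings are placeholders.
# S-1-1-0 is the Everyone SID; UserOrGroupSid names a user or user group.
PUB = ('<FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, '
       'S=WASHINGTON, C=US" ProductName="*" BinaryName="MSACCESS.EXE">'
       '<BinaryVersionRange LowSection="*" HighSection="*" /></FilePublisherCondition>')
BASE = f"""<AppLockerPolicy Version="1">
 <RuleCollection Type="Exe" EnforcementMode="Enabled">
  <FilePathRule Id="11111111-1111-1111-1111-111111111111" Name="Allow all but Access"
      Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
   <Conditions><FilePathCondition Path="*" /></Conditions>
   <Exceptions>{PUB}</Exceptions>
  </FilePathRule>
 </RuleCollection>
</AppLockerPolicy>"""
EXTRA = f"""<AppLockerPolicy Version="1">
 <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
  <FilePublisherRule Id="22222222-2222-2222-2222-222222222222" Name="Allow Access"
      Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
   <Conditions>{PUB}</Conditions>
  </FilePublisherRule>
 </RuleCollection>
 <RuleCollection Type="Msi" EnforcementMode="NotConfigured" />
</AppLockerPolicy>"""

def merge_policies(base_xml, extra_xml):
    """Copy the rules of extra_xml into base_xml, collection by collection."""
    base, extra = ET.fromstring(base_xml), ET.fromstring(extra_xml)
    targets = {rc.get("Type"): rc for rc in base.findall("RuleCollection")}
    seen = {rule.get("Id") for rc in targets.values() for rule in rc}
    skipped = []
    for rc in extra.findall("RuleCollection"):
        target = targets.get(rc.get("Type"))
        if target is None:                 # collection missing in base: copy it whole
            base.append(rc)
            continue
        for rule in rc:
            if rule.get("Id") in seen:     # duplicate rule Id: keep the base copy
                skipped.append(rule.get("Id"))
            else:
                target.append(rule)        # lands inside the collection, after its last rule
                seen.add(rule.get("Id"))
    return ET.tostring(base, encoding="unicode"), skipped

def rules(policy_xml, collection):
    """Return (rule element, Name, UserOrGroupSid, Action) for one rule collection."""
    rc = ET.fromstring(policy_xml).find(f"RuleCollection[@Type='{collection}']")
    return [(r.tag, r.get("Name"), r.get("UserOrGroupSid"), r.get("Action")) for r in rc] if rc is not None else []
```

Listing `rules(merged, "Exe")` after a merge shows at a glance which user or group SID each rule targets, which is the point the accepted answer makes about rules applying to users rather than computers.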