none
AppLocker PowerShell Application Controlling policies

    Question

  • Hi,

    Trying to find out

    1.  Allow rules pertaining to %WINDIR%\ --- with exception to:

    %windir%\system32\windowspowershell\* &

    %windir%\syswow64\windowspowershell\*

    2. Another two exception rules to allow a security group to paths -- which are all x64 of PowerShell:

    %system32%\WindowsPowerShell\v1.0\PowerShell.exe; &

    %system32%\WindowsPowerShell\v1.0\powershell_isa.exe

    >>> without being in the security group, user is deny from x32 & x64 PowerShell/ISA --- this is what we want --- good;

    >>> when the user is added to the security group, they are ALLOW to run both x32 & x64 PowerShell/ISE too. ---  --- However .... are you can see, there is no rules that state to ALLOW users to use :

    %systemroot%\syswow64\WindowsPowerShell\v1.0 .... OR

    %windir\syswow64\WindowsPowerShell\v1.0.

    Supposing even being in the security group, user should not be allow to run x32 of PowerShell --- !!!

    any idea?

    Thank you


    Best Regards,

    Monday, May 30, 2016 7:45 AM

Answers

All replies

  • > %system32%\WindowsPowerShell\v1.0\PowerShell.exe; &
     
    %System32% applies to both x64 and x86 paths...
     
    Monday, May 30, 2016 10:12 AM
  • Hi,

    As you know, GPO can only be linked to Site, Domain and OU. In addition, GPO will also not applied to the Group objects by design. It only can be applied to User and Computer objects.

    To apply the Group Policy on the User and Computer objects based on Security Groups, you will need to use Security Filtering:

    Security filtering using GPMC

    http://technet.microsoft.com/en-us/library/cc781988(v=WS.10).aspx

    Please go through the following thread to get more information:

    How to apply Group policy on Security groups

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/0ff8eafc-d6ef-473e-8b4f-c52361c7c2f5/how-to-apply-group-policy-on-security-groups?forum=winserverGP

    Besides, you could try to use the Administrative Template "Don't run specified Windows Applications" and put Powershell and the Powershell_ISE for x86 in there. You can then link it in the OUs that you don't want the users to have access to X86 PowerShell.

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, May 31, 2016 2:44 AM
    Moderator
  • Hi,

    Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Proposed as answer by Ray'Weil Friday, June 03, 2016 12:45 AM
    Thursday, June 02, 2016 7:13 AM
    Moderator