Local security policy of AppLocker is not overridden by Domain Group Policy

    Question

  • Hi,

    We were using a local AppLocker policy on our client machine. But now we want to allow some other applications to be installed on the client machine by creating the AppLocker policy and importing it into the Windows Server Group Policy so that it will override the local AppLocker policy. When we run the gpresult command on the client computer, I can see the name of the policy, but it is not allowing our new applications. It behaves the same as the old AppLocker policy.

    But when I import the same policy locally, it starts working. But I want this policy to be implemented only through GPO so that we can update our AppLocker policy from time to time.

    Thanks


    Abhishek

    Monday, March 28, 2016 7:02 AM

All replies

  • Hi Abhishek,

    AppLocker policies are distributed through known processes and by known means within the domain through Group Policy. But AppLocker policies can also be set on individual computers if the person has administrator privileges, and those policies might be contrary to the organization's written security policy. The enforcement settings for local policies are overridden by the same AppLocker policies in a Group Policy Object (GPO). However, because AppLocker rules are additive, a local policy that is not in a GPO will still be evaluated for that computer.

    For more information, you could refer to the article below.

    Security Considerations for AppLocker

    https://technet.microsoft.com/en-us/library/ee844118.aspx

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, March 29, 2016 2:35 AM
    Moderator
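
An added example, not part of any reply in this thread: a PowerShell check, run elevated on the client, that compares the local AppLocker policy with the effective (local plus GPO, merged) policy described in the reply above and tests one file against the merged result. `$TestPath` is a hypothetical placeholder for one of the new applications.

```powershell
# Added example. Run in an elevated PowerShell session on the client.
# $TestPath is a hypothetical placeholder, not a path from this thread.
$TestPath = 'C:\Path\To\NewApp.exe'

Import-Module AppLocker

# Flatten a policy object into one row per rule, tagged with its source.
function Get-RuleSummary($Policy, $Source) {
    foreach ($collection in $Policy.RuleCollections) {
        foreach ($rule in $collection) {
            [pscustomobject]@{
                Source      = $Source
                Collection  = $collection.RuleCollectionType
                Enforcement = $collection.EnforcementMode
                Action      = $rule.Action
                Name        = $rule.Name
                Id          = $rule.Id
            }
        }
    }
}

$local     = Get-AppLockerPolicy -Local       # rules stored on this machine
$effective = Get-AppLockerPolicy -Effective   # local and GPO rules, merged

$localRules     = @(Get-RuleSummary $local 'Local')
$effectiveRules = @(Get-RuleSummary $effective 'Effective')

# Rules present in the effective policy but absent locally arrived via GPO.
# If this list is empty, the GPO's AppLocker rules never reached the client.
$localIds = $localRules.Id
$effectiveRules | Where-Object { $_.Id -notin $localIds } |
    Format-Table Collection, Enforcement, Action, Name -AutoSize

# Old local rules that are still being evaluated alongside the GPO rules.
$localRules | Format-Table Collection, Enforcement, Action, Name -AutoSize

# Ask AppLocker which rule decides the outcome for the new application.
Test-AppLockerPolicy -PolicyObject $effective -Path $TestPath -User Everyone |
    Format-List FilePath, PolicyDecision, MatchingRule

# AppLocker enforcement depends on the Application Identity service.
Get-Service -Name AppIDSvc | Format-List Name, Status, StartType

# Recent allow/block decisions recorded for executables and DLLs.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 10 `
    -ErrorAction SilentlyContinue | Format-Table TimeCreated, Id, Message -Wrap
```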
  • Hello Jay,

    Actually, we have a new set of applications which were not applied in our earlier old policies. Now we want to implement the new policy, which will contain a rule for allowing those policies through GPO.

    When we apply this policy locally it is working fine, but when we try to implement it through GPO, there is no effect taking place.

    Can you suggest where I am going wrong?


    Abhishek

    Tuesday, March 29, 2016 3:51 AM
  • Hi Abhishek,

    Would you run GPresult /h C:\gpresult.html and post it to us for further research?

    Best Regards,

    Jay



    Monday, April 04, 2016 6:15 AM
    Moderator
  • Check the security filtering of your GPO and verify that the GPO is linked well.

    Kind regards,

    Tim
    MCITP, MCTS, MCSA
    http://directoryadmin.blogspot.com

    This posting is provided 'AS IS' with no warranties or guarantees and confers no rights.

    "If this thread answered your question, please click on 'Mark as Answer'"

    Saturday, April 09, 2016 6:24 AM
  • Hi Tim,

    When we run the gpresult command on the client computer, we can see that the policy is applied, but it is not implementing the new rule.


    Abhishek

    Saturday, April 09, 2016 6:41 AM