none
Restricting Software

    Question

  • I have a request to restrict install and exe of the software for users with admin rights.

    I have setup app locker and software restrictions both for hash and path.

    software restrictions for user and computer.

    For testing I am installing an app as a user A then login with user B.

    The application is executed as a system, and the window is open with the prompt for credentials.

    If I close and try to open, then I am getting access denied from the GPO.

    Is there any way to restrict exe from the system account?

    Thank you.

    Friday, June 03, 2016 4:16 PM

Answers

  • Hi NT,

    Thanks for your post.

    For testing I am installing an app as a user A then login with user B.

    The application is executed as a system, and the window is open with the prompt for credentials.

    If I close and try to open, then I am getting access denied from the GPO.

    >>>To restrict users with admin right to run software, you could check All users instead of All users except local administrator under Apply software restriction policies to the following users.

    In applocker, you could add Exception in the path rule which action=allow, user=administrator.

    In addition, as far as I know, Software Restriction Policy cannot prevent system account from running any program.

    For more information, you could refer to the article below.

    Using Software Restriction Policies to Protect Against Unauthorized Software

    https://technet.microsoft.com/en-us/library/bb457006.aspx

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, June 06, 2016 6:26 AM
    Moderator

All replies

  • Hi NT,

    Thanks for your post.

    For testing I am installing an app as a user A then login with user B.

    The application is executed as a system, and the window is open with the prompt for credentials.

    If I close and try to open, then I am getting access denied from the GPO.

    >>>To restrict users with admin right to run software, you could check All users instead of All users except local administrator under Apply software restriction policies to the following users.

    In applocker, you could add Exception in the path rule which action=allow, user=administrator.

    In addition, as far as I know, Software Restriction Policy cannot prevent system account from running any program.

    For more information, you could refer to the article below.

    Using Software Restriction Policies to Protect Against Unauthorized Software

    https://technet.microsoft.com/en-us/library/bb457006.aspx

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, June 06, 2016 6:26 AM
    Moderator
  • Hi,

    Are there any updates?

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, June 16, 2016 1:58 AM
    Moderator