AppLocker dilemma

    Question

  • I came across a question: If in AppLocker Domain Admins are allowed to run iexplorer.exe, and then there is a deny rule for Domain Users, will Domain Admins be able to run iexplorer.exe? Are Domain Admins part of the Domain Users group?

    Glenn Camilleri

    Tuesday, March 3, 2015 7:06 PM

All replies


  • Domain Users

    https://technet.microsoft.com/en-us/library/cc756898(v=ws.10).aspx

    This group contains all domain users. By default, any user account created in the domain becomes a member of this group automatically. This group can be used to represent all users in the domain. For example, if you want all domain users to have access to a printer, you can assign permissions for the printer to this group (or add the Domain Users group to a local group, on the print server, that has permissions for the printer).

    No default user rights.

    Tuesday, March 3, 2015 9:15 PM
  • > there is deny rule for domain users.
     
    Since in AppLocker "deny" is the default behavior, why would one create
    an explicit "deny" rule?
     
     

    Martin

    Want to read a GOOD book about GPOs?

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))
    Wednesday, March 4, 2015 10:55 AM
  • Hi Glenn,

    How is it going? Agree with Martin. The following paragraph describes the rule behavior of AppLocker:

    Understanding AppLocker Rules

    https://technet.microsoft.com/en-us/library/dd759068.aspx

    Best regards,
    Frank Shen





    Monday, March 16, 2015 9:35 AM
    Moderator
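
Added example, not part of any reply in this thread: one way to check both halves of the question on a domain-joined test machine, using the ActiveDirectory and AppLocker PowerShell modules. The account name `adminuser` and the executable path are assumptions; substitute your own.

```powershell
# Added example. $Account and $Exe are assumptions, not values from the thread.
Import-Module ActiveDirectory   # RSAT Active Directory module
Import-Module AppLocker

$Account = 'adminuser'   # hypothetical account that is a member of Domain Admins
$Exe     = 'C:\Program Files\Internet Explorer\iexplore.exe'   # assumed path

# 1. Is the admin account also a member of Domain Users?
#    MemberOf omits the primary group, so PrimaryGroup is read as well.
#    Only direct memberships are listed; nested groups are not expanded.
$user   = Get-ADUser -Identity $Account -Properties MemberOf, PrimaryGroup
$groups = @($user.MemberOf) + @($user.PrimaryGroup) |
    ForEach-Object { (Get-ADGroup -Identity $_).Name } |
    Sort-Object -Unique
"Groups for ${Account}: $($groups -join ', ')"
"Member of Domain Users: $($groups -contains 'Domain Users')"

# 2. List the EXE rules in the effective policy with their action and the
#    SID each rule applies to, so overlapping Allow and Deny rules are visible.
$policy = [xml](Get-AppLockerPolicy -Effective -Xml)
$policy.AppLockerPolicy.RuleCollection |
    Where-Object { $_.GetAttribute('Type') -eq 'Exe' } |
    ForEach-Object { $_.ChildNodes } |
    Where-Object { $_ -is [System.Xml.XmlElement] } |
    ForEach-Object {
        [pscustomobject]@{
            Rule   = $_.GetAttribute('Name')
            Action = $_.GetAttribute('Action')
            Sid    = $_.GetAttribute('UserOrGroupSid')
        }
    } | Format-Table -AutoSize

# 3. Ask AppLocker how the effective policy evaluates the file for that user.
#    PolicyDecision "Denied" means an explicit deny rule matched;
#    "DeniedByDefault" means no allow rule matched at all.
Get-AppLockerPolicy -Effective |
    Test-AppLockerPolicy -Path $Exe -User "$env:USERDOMAIN\$Account" |
    Format-List FilePath, PolicyDecision, MatchingRule
```

`MatchingRule` in the last output names the rule that decided the result, which shows directly whether the Domain Users deny rule or the Domain Admins allow rule was applied.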