GPO blocking newer version and allowing older


  • Hello.

    For my work, I use Windows 7 Enterprise on a laptop and I have become accustomed to using Python interpreter to facilitate different activities I do.

    For reasons unknown to me, the administrators refuse to install an official Python release in my working environment; I managed to get away by installing a bit old portable release of Python (Python

    Recently the group policies were updated and now I can't start Python 2.7; however, I can execute an even older release of Python (2.4) which is a bit annoying as it has some more limitations.

    Anyway, I would like to understand how the GPO work. It seems you can block a specific version of an executable (the process name being the same, one runs and the other one is blocked). Can anybody explain me how the GPO work? What parameters are looked at to block one executable?



    Thursday, July 28, 2016 2:06 PM


All replies

  • You can see the group policies being applied to your user account by opening a command prompt and entering:

    gpresult /h output.html

    This generates an HTML report of the user policies being applied.  If you are sure that the block is from a GPO, you'll likely find that in either a section for Software Restriction Policies or a section for Application Control -> AppLocker.  It's also possible that the block is from a third party application whitelisting product.


    When you attempt to run the blocked application, do you get any sort of notification that the application is being blocked?  Another place you could check for clues would be the Application event log.

    • Edited by Ryan-Smith Thursday, July 28, 2016 3:03 PM Edit
    Thursday, July 28, 2016 2:59 PM
  • Hi,
    Am 28.07.2016 um 16:06 schrieb dalsinao:
    > What parameters are looked at to block one executable?
    My guess, your admins using SRP (Software Restriction Policies) and a
    Blacklist of executables the know, depending on a Hash of the exe.
    Or the are running AppLocker, which can work signature based and the
    rule can be set to "smaller/equal/higher than version x"
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
    Homepage: - deutsch
    Thursday, July 28, 2016 4:02 PM