none
DC | Run only specified Windows applications - Admin bypass RRS feed

  • Question

  • Hi,

    I currently have a Domain Controller with a policy which Runs only specified Windows applications, this is so we can restrict users from opening unauthorised software.

    We would like to install software on the accounts with this security setting enabled however, it blocks the installation .exe. Is it possible to set it up so that it allows any installation media to be run when running as administrator? As it still blocks the installation even when running as an admin.

    In the perfect world, we want users to block all software except that on the list except, be able to run files and programs if we run as admin (and enter admin credentials), mainly used when needing to install software.

    Thanks in advance,


    • Edited by Narey3117 Wednesday, February 13, 2019 3:26 PM
    Wednesday, February 13, 2019 3:24 PM

All replies

  • Have you considered something like Applocker?
    Wednesday, February 13, 2019 3:31 PM
  • hi,
    1 which policy do you deploy for blocking application install ?can you detail explain it ?
    2 Is it user policy or machine policy ?
       if it is machine policy ,is there user policy to implement this function then we can delegation filter administrator ?
      

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, February 14, 2019 10:52 AM
    Moderator
  • Hi, thanks for the response.

    1. I'm using the "Run only specified Windows applications" which can be found at "User Configuration > Policies > Administrative Templates > System". Basically, you input what process names you want to allow through (for example spotify.exe) and it blacklists everything else. This means that if I have a new installer, I can't run it because it's not part of the run only list.

    I'd like a quick and dirty way to bypass this if I need to install software on a machine, on the fly. So ideally I could right click, run as admin, input admin credentials and bypass the blocker so that I can run the installer really quick.

    2. As from above, it's currently a User Configuration policy.


    • Edited by Narey3117 Thursday, February 14, 2019 2:49 PM
    Thursday, February 14, 2019 2:08 PM
  • hi,

    In my opinion, if an application which need to be installed on client computer and restricted to run, it will be not we need.
    0add the applications which need to be run or installed on client computer to the list of "run only specified windows applications"
    1 add the restricted test domain user account to the power users group of local computer.
    for example i set "run only specified windows applications" gpo for test109 and add 7zip as allowed application .add test109 to local computer poweruser group(test109 is not in local administrators group).
    after i logon test109 domain account ,when i run 7z1085x64.exe install application. It need to use administrator account to install 7zip application.




    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Friday, February 22, 2019 2:23 PM
    Moderator