Different AppLocker GPOs' policy merge behavior = duplicate rules of same name

    General discussion

  • I'm stuck. Current scenario:

    gpo #1: AppLocker_ClientPC

    • pretty much default rules
    • WINDIR rule with exceptions for the temp directory, a few other directories that allow write by standard users, and a few problem exes used to bypass AppLocker

    gpo #2: AppLocker_Addon_OpticalDiskDriveD; WMI filter scopes this gpo only to devices that have an optical disk drive, D:

    • default rules - I don't want any chance that someone links this somewhere without also linking AppLocker_ClientPC, resulting in a system where nothing can be run except from D:

    When these 2 GPOs merge their rules, the rule for WINDIR is duplicated in the final on-the-client policy even though the rules have the same name and path. Therefore the exceptions on this rule within AppLocker_ClientPC are not honored, and standard users can execute from those should-be-blocked locations and files.

    In the final client policy, how can I get the WINDIR allow rule exceptions that I want from gpo #1, while minimizing the possibility of someone incorrectly scoping/link-ordering gpo #2 and screwing up affected client systems?


    born to learn!

    Monday, January 23, 2017 6:46 PM

All replies

  • > In the final client policy, how can I get the WINDIR allow rule exceptions that I want from gpo #1, while minimizing the possibility of someone incorrectly scoping/link-ordering gpo #2 and screwing up affected client systems?
     
    To be honest, I totally fail to understand your issue... Some screen shots of your GPOs and rules would be extremely helpful.
     
    Tuesday, January 24, 2017 8:40 AM
  • So if anyone comes across the same issue, it is easily solved by just using a path or hash rule with the %REMOVABLE% AppLocker variable. That allowed me to kill off the other GPOs that were using a WMI query to detect an optical drive at a certain letter, and this approach works a lot better.

    born to learn!

    Wednesday, February 15, 2017 3:30 PM
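The failure mode in this thread is silent: the merged effective policy contains two allow rules for the same path, and the copy without exceptions makes the other copy's exceptions meaningless. The following PowerShell is an added example, not code from the thread or from Microsoft, that audits an AppLocker policy XML for exactly that pattern. It runs against a constructed sample policy embedded inline (the rule names, GUIDs and the %WINDIR%\Temp\* and %WINDIR%\Tasks\* exception paths are assumptions modelled on the scenario above); the commented line at the end shows how to point the same check at the live effective policy with Get-AppLockerPolicy.

```powershell
# Added example (not from the thread). Find allow path rules that occur more than
# once in a policy with different exception lists: the merged result the original
# poster hit, where the copy without exceptions shadows the copy with them.
function Find-AppLockerShadowedExceptions {
    param([Parameter(Mandatory)][xml]$Policy)

    $findings = @()
    foreach ($collection in $Policy.AppLockerPolicy.RuleCollection) {
        $allowPathRules = @($collection.FilePathRule | Where-Object { $_.Action -eq 'Allow' })

        # Group rules by their primary path condition, case-insensitively.
        $groups = $allowPathRules |
            Group-Object -Property { $_.Conditions.FilePathCondition.Path.ToLowerInvariant() }

        foreach ($g in ($groups | Where-Object { $_.Count -gt 1 })) {
            # One string per rule copy listing its exception paths ('' if none).
            $exceptionSets = $g.Group | ForEach-Object {
                @($_.Exceptions.FilePathCondition.Path | Where-Object { $_ }) -join ';'
            }
            $distinct = @($exceptionSets | Sort-Object -Unique)

            # Same path, differing exception lists: the union of the copies is the
            # least restrictive one, so the listed exceptions are not enforced.
            if ($distinct.Count -gt 1) {
                $findings += [pscustomobject]@{
                    Collection = $collection.Type
                    Path       = $g.Name
                    RuleCount  = $g.Count
                    Unenforced = ($distinct | Where-Object { $_ -ne '' }) -join ' | '
                }
            }
        }
    }
    return $findings
}

# Constructed sample policy (assumed values, not a real exported policy): the
# WINDIR rule from GPO #1 with exceptions, the default WINDIR rule from GPO #2
# without, and a %REMOVABLE% rule like the one the poster settled on.
$samplePolicy = [xml]@'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="11111111-1111-1111-1111-111111111111" Name="(Default Rule) All files located in the Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
      <Exceptions>
        <FilePathCondition Path="%WINDIR%\Temp\*" />
        <FilePathCondition Path="%WINDIR%\Tasks\*" />
      </Exceptions>
    </FilePathRule>
    <FilePathRule Id="22222222-2222-2222-2222-222222222222" Name="(Default Rule) All files located in the Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="33333333-3333-3333-3333-333333333333" Name="Allow execution from optical media" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%REMOVABLE%\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@

Find-AppLockerShadowedExceptions -Policy $samplePolicy | Format-Table -AutoSize

# On a domain-joined client, audit the merged policy the machine actually enforces:
# Find-AppLockerShadowedExceptions -Policy ([xml](Get-AppLockerPolicy -Effective -Xml))
```

Against the sample, the function reports one finding for %windir%\* in the Exe collection with two rule copies and the Temp and Tasks exceptions listed as unenforced; the %REMOVABLE% rule appears once and is not flagged. Running it against Get-AppLockerPolicy -Effective -Xml after any GPO change is a cheap regression check that no second GPO has reintroduced an exception-free copy of a rule you rely on.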