Restrict Local User to Access Certain Application Via Domain Group Policy

    Question

  • Hi,

    I have a domain environment and have modified the default GPO policy "Don't run specified Windows applications" to restrict domain users.

    I have a similar requirement for the local users, including administrator, to restrict certain applications. I researched and found we have to achieve this by modifying the local group policy on each individual computer.

    Editing local group policy manually on all thousand systems is a challenge. Is there a way I can restrict local users from accessing certain applications by domain group policy?

    - Charles 

    Friday, July 08, 2016 4:44 AM

Answers

  • Thanks for your response.

    Since there is a constraint on the licensing and cost is involved, the customer is OK to do it manually on local GPO or remotely using the GPO editor tool.

    Regards,

    Charles Derber

    Wednesday, July 13, 2016 2:38 PM

All replies

  • Hi Charles,

    What client operating system are you running?

    If it's the Enterprise SKU of the Windows 7 or later vintage, you should be looking at a feature known as AppLocker (which is only available on the Enterprise SKU). You can read more about AppLocker here.

    If you are not running Enterprise, you can look at the older "Software Restriction Policies" feature which goes back to the Server 2003/XP days and doesn't require the Enterprise SKU. You can read more about Software Restriction Policies here.

    The feature you're using originally shipped with Windows 2000 and is quite limited in its application - much as you're in the process of finding out. Both of the above features are much richer and more granular in what they can achieve.

    Cheers,
    Lain

    Friday, July 08, 2016 5:54 AM
  • OS versions are Windows XP SP3 & Windows 7 SP1

    I have gone through AppLocker as well, but does it restrict local users?

    https://technet.microsoft.com/en-us/itpro/windows/keep-secure/applocker-overview 

    - Charles Derber

    Friday, July 08, 2016 10:45 AM
  • Hi Charles,

    Yes, AppLocker certainly can restrict local user accounts as it works at the computer level, not the user level.

    Without going through it step-by-step, you create rules that can be applied to any Windows security principal at all, including local accounts.

    Just remember that AppLocker is only available on Windows 7 or above and it must be the Enterprise SKU, not Professional, as it is a Software Assurance (SA) benefit.

    Cheers,
    Lain

    Friday, July 08, 2016 4:23 PM
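
The AppLocker approach described in the reply above, as an added example that is not part of any poster's message: a deny rule for one application, scoped to Everyone (S-1-1-0) so that it covers local accounts and local administrators, written into a domain GPO. The application path, GPO distinguished name and account name are constructed placeholders.

```powershell
# Added example. Application path, GPO DN and account name are constructed placeholders.
$blockedPath = '%PROGRAMFILES%\ExampleApp\example.exe'
$gpoLdapPath = 'LDAP://CN={GPO-GUID-PLACEHOLDER},CN=Policies,CN=System,DC=example,DC=com'
$policyFile  = Join-Path $env:TEMP 'applocker-deny-example.xml'

function New-PathRule {
    param([string]$Name, [string]$Sid, [string]$Action, [string]$Path)
    $id = [guid]::NewGuid().ToString()   # every AppLocker rule needs a unique GUID
@"
    <FilePathRule Id="$id" Name="$Name" Description="" UserOrGroupSid="$Sid" Action="$Action">
      <Conditions><FilePathCondition Path="$Path" /></Conditions>
    </FilePathRule>
"@
}

$rules = @(
    # Baseline allow rules. Once a rule collection is enforced, anything not
    # explicitly allowed is blocked, so a lone deny rule would block every executable.
    New-PathRule 'Allow Program Files'            'S-1-1-0'      'Allow' '%PROGRAMFILES%\*'
    New-PathRule 'Allow Windows folder'           'S-1-1-0'      'Allow' '%WINDIR%\*'
    New-PathRule 'Allow all for local Administrators' 'S-1-5-32-544' 'Allow' '*'
    # Deny rules take precedence over allow rules, so this also applies to
    # members of the local Administrators group.
    New-PathRule 'Deny example application'       'S-1-1-0'      'Deny'  $blockedPath
) -join "`r`n"

# AuditOnly logs what would be blocked (Microsoft-Windows-AppLocker/EXE and DLL log)
# without blocking it; change to "Enabled" after reviewing the audit events.
$xml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
$rules
  </RuleCollection>
</AppLockerPolicy>
"@
Set-Content -Path $policyFile -Value $xml -Encoding UTF8

# Evaluate the policy for a local account before deploying it.
Import-Module AppLocker
$exe = [Environment]::ExpandEnvironmentVariables($blockedPath)
Test-AppLockerPolicy -XmlPolicy $policyFile -Path $exe -User "$env:COMPUTERNAME\localuser" |
    Select-Object FilePath, PolicyDecision, MatchingRule

# Write the policy into the domain GPO. Without -Merge this replaces any AppLocker
# policy already stored in that GPO.
Set-AppLockerPolicy -XmlPolicy $policyFile -Ldap $gpoLdapPath
```

The Application Identity service (AppIDSvc) must be running on each client for the rules to be evaluated.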