Software Restriction Policy via GPO

    Question

  • Greetings,

    I have a question about Software Restriction Policy and permissions through the GPO. We are running a Server 2008 R2 Standard domain and our workstations are Windows 7 Professional. We created the software restriction policy under PCs, not the users, and applied this GPO to all Computer OUs in our domain. However, when running Windows Updates or trying to apply a hotfix manually, when you click on the file, it extracts that file to the local "C" drive, which is protected by the policy, thus it does not install.

    I know that I can edit the software restriction policy and select to apply the rule to all users except local admins. Here is where the problem lies: there is only (1) local admin we want to allow to run any software. We do not want the rest of the local admins to have this same permission. Is there a way to limit the scope to allow only (1) specific local admin to be exempt from the software restriction policy while the other local admins are still bound by its restriction in our current configuration?

    Thanks for any input you may have.




    Thursday, February 11, 2016 6:05 PM

Answers

  • > permission. Is there a way to limit the scope to allow only (1) specific
    > local admin to be exempt from the software restriction policy while the
    > other local admins are still bound by its restriction in our current
    > configuration?
     
    There's no sense in this requirement. If I am an admin, I can easily
    circumvent all restrictions that anything (even GPO) applies to me...
     
    And as you already mentioned: You cannot circumvent this issue anyway as
    long as you are not using AppLocker.
     
    Thursday, February 18, 2016 2:30 PM

All replies

  • Hi,

    You could use security groups to filter the scope of the group policy object.

    You could click the Advanced button on the Delegation tab, and delegate the administrators group to deny applying the policy.

     

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, February 12, 2016 1:57 AM
    Moderator
  • Hi Jay,

    Thanks for the suggestion; however, the software restriction policy was configured on the Computer Configuration, not the user configuration policy. Adding the user, will this still work? I just tried it and the policy is still blocking me.

    Regards,

    Keith

    Friday, February 12, 2016 4:54 PM
  • Hi Keith,

    Based on my test, you could set security levels to Basic User (Set as Default).

    Best Regards,

    Jay



    Monday, February 15, 2016 10:36 AM
    Moderator
  • Hi,

    Are there any updates?

    Best Regards,

    Jay



    Monday, February 22, 2016 1:10 AM
    Moderator