• Hi......,

    I have a problem the users on my doain, they are playing games and running programs ( portable )

    so wonder

    1- is there any restrictions to prevent running any portables programs applications on users PC ?

    2- is it possible to prevent running any exe file from any drive except system drive ( C: ) ?

    thanks in advance.........

    Thursday, June 17, 2010 2:31 PM


All replies

  • Hi,
    You may wish to cut down your users' access to programs with software
    restriction policies:


    -- Mike Burr
    Thursday, June 17, 2010 9:50 PM
  • Yeah.. software restriction policies are one method.  And if they're running Windows 7, you also have a new functionality called AppLocker that adds the ability to create a white-lists of applications; not just black-lists.  And you have more flexibility through something called "Publishing Rules" for how you target applications, installations, or scripts that you want to allow or block.


    Kevin Remde US IT Evangelism - Microsoft Corporation
    Friday, June 18, 2010 10:02 AM
  • OK.... but what if the user managed by anyway to get a game or an application that doesn't need to be installed

    does the applocker or software restriction policies will prevent the user from running it?

    and what about the second question ?

    is there any thing makes me able to prevent any exe file to be running from any drive except C:\ ???

    thanks in advance

    Thursday, June 24, 2010 6:02 AM
  • AppLocker (again, this one requires a Windows 7 desktop) can be configured with "White Lists" - so you can list just the programs that are allowed to be run.  Anything that's not on your list of approved applications will not be allowed to run.  So if they bring in some game or other application that they don't need, it is blocked. 

    To your second question:  Both Software Restriction Policies and AppLocker can be set up that way. 


    Kevin Remde US IT Evangelism - Microsoft Corporation
    Thursday, June 24, 2010 11:17 AM
  • thanks for a lot

    when I asked the question I didn't know how it works, so I built it and understood it.

    but I faced another problem:

    the policy applied only on users but not a group of them, for example: the policy applies on "user1" but if I put this user on a group "group1"

    the restriction doesn't work at all

    I don't think this policy applies for users not groups

    so is there any way to solve this problem?

    many thanks....

    Thursday, June 24, 2010 2:13 PM
  • By default, group policy is "linked" to Site, Domain, OU, or some Sub-OU, and always "filtered" to apply to all authenticated users and computers.  If you want to further limit the application of policy to a specific group or groups, you need to change the default filtering to some specific group.

    Check out these articles of how group policy filtering works:

    PS - this really isn't the forum for questions about Group Policy.  Please ask any further questions in the Windows Server Group Policy forum:


    Kevin Remde US IT Evangelism - Microsoft Corporation
    Friday, June 25, 2010 1:01 PM