none
How to disable .EXE files to be run from Group Policy RRS feed

Answers

  • All exe files icluding calc.exe, notepad.exe and explorer.exe or just some exe files?
    There are different approaches to this.

    If you're trying to block a single executable that you're familiar with you can disable it from a GPO using the setting:
    User Configuration/Administrative Templates/System/Don't run specified Windows applications

    Another option is to specify only the applications you want to allow Using:
    User Configuration/Administrative Templates/System/Run only specified Windows applications
    This one would probably take a lot of work to populate for a system with many applications installed or for a corporate environment.

    None of the two mentioned settings takes into account that a user can name their exe file what they want so renaming mydangerousapp.exe to explorer.exe would make it a perfectly legitimate executable.

    A more robust and managable way of securing your systems by controlling which applications that can be launched is Software Restriction Policies.
    Check this article for an introduction to Software Restriction Policies: http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx

    • Marked as answer by aalmurar Monday, September 14, 2009 6:10 AM
    Sunday, September 13, 2009 10:45 AM

All replies

  • All exe files icluding calc.exe, notepad.exe and explorer.exe or just some exe files?
    There are different approaches to this.

    If you're trying to block a single executable that you're familiar with you can disable it from a GPO using the setting:
    User Configuration/Administrative Templates/System/Don't run specified Windows applications

    Another option is to specify only the applications you want to allow Using:
    User Configuration/Administrative Templates/System/Run only specified Windows applications
    This one would probably take a lot of work to populate for a system with many applications installed or for a corporate environment.

    None of the two mentioned settings takes into account that a user can name their exe file what they want so renaming mydangerousapp.exe to explorer.exe would make it a perfectly legitimate executable.

    A more robust and managable way of securing your systems by controlling which applications that can be launched is Software Restriction Policies.
    Check this article for an introduction to Software Restriction Policies: http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx

    • Marked as answer by aalmurar Monday, September 14, 2009 6:10 AM
    Sunday, September 13, 2009 10:45 AM
  • Hello,

    When we download this particular software, it runs an executable.  We don't want this executable to run.  The system starts this .exe.

    Does this policy stop executables from running when the system runs them? Does this only apply to .exe's that users are running.

    Hope this makes sense.

    Kind regards,

    Sam Colman

    Tuesday, February 4, 2014 9:39 AM
  • Hi i bane EXE files From group policy but the problem was occurred after one weak users cant right click on their desktops (right click policy set to default).
    Wednesday, October 11, 2017 3:45 PM