Thursday, October 8, 2015

How to: Software Restriction policy for AD Domain Users

Now it’s time to prevent users in an Active Directory Domain Services domain from using specific applications.
Surprisingly enough, it’s much easier to restrict software than websites. You just need to access the domain controller and follow these steps.
Open the Server Manager and launch the Group Policy Management:
Create a new Group Policy Object:
Give a name to the new GPO:
Edit the Computer Configuration:
You will find the Software Restriction Policies under the path Computer Configuration –> Windows Settings –> Security Settings. Create New Software Restriction Policies:
Under the Security Levels you will be able to configure the default software execution permissions for the desired group. Unrestricted (the default setting) doesn’t restrict software execution, while Basic User allows only the execution of applications that don’t need Administrator rights. Disallowed forbids software execution. With a right-click you can set a new default configuration:
The Additional Rules are really important for restricting application usage. These rules override the default settings, so you can either restrict all applications and create specific rules to allow the execution of some of them, or allow the execution of all applications by default and restrict the few that bother you. We suggest using the Path Rule to restrict or allow the execution of files with a specific path:
In this example we are going to allow unrestricted execution for Mozilla Firefox. We can use the %UserProfile% parameter to create dynamic paths and restrict applications installed in the user folders:
Your policy is ready. Now drag and drop it onto the distribution group:
The policy will now be enforced.
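To confirm on a client that the GPO has actually applied, the following added example (not part of the original post) reads the computer-level Software Restriction Policy from the registry location where Group Policy stores it and lists the default security level and every path rule. The function names `Get-SrpLevelName` and `Get-SrpSummary` are made up for this example; run it on a domain-joined machine after `gpupdate /force`.

```powershell
# Added example: show the computer-level SRP settings Group Policy wrote on this client.
$root = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Numeric values SRP stores for the three security levels named in the post
$levels = @{
    0      = 'Disallowed'
    131072 = 'Basic User'
    262144 = 'Unrestricted'
}

function Get-SrpLevelName([int]$Value) {
    if ($levels.ContainsKey($Value)) { $levels[$Value] } else { "Unknown ($Value)" }
}

function Get-SrpSummary {
    if (-not (Test-Path $root)) {
        Write-Warning 'No computer-level SRP found; check the GPO link and run gpupdate /force.'
        return
    }
    $cfg = Get-ItemProperty -Path $root
    [pscustomobject]@{ Kind = 'Default level'; Level = Get-SrpLevelName $cfg.DefaultLevel; Path = '*' }

    # Each security level has a subkey named after its number, holding Paths\{GUID} rule keys
    foreach ($levelKey in Get-ChildItem -Path $root) {
        $lvl = $levelKey.PSChildName -as [int]
        if ($null -eq $lvl) { continue }          # skip anything that is not a level key
        $pathsKey = Join-Path $levelKey.PSPath 'Paths'
        if (-not (Test-Path $pathsKey)) { continue }
        foreach ($rule in Get-ChildItem -Path $pathsKey) {
            # ItemData is the rule path; read it raw so %UserProfile% is shown unexpanded
            $raw = $rule.GetValue('ItemData', $null, 'DoNotExpandEnvironmentNames')
            [pscustomobject]@{ Kind = 'Path rule'; Level = Get-SrpLevelName $lvl; Path = $raw }
        }
    }
}

Get-SrpSummary | Format-Table -AutoSize
```

If the Firefox path rule or the new default level is missing from the output, the GPO has not reached this computer; `gpresult /r` shows which GPOs were applied.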
