How to Block specific applications in Active Directory


Introduction

This is useful as a quick, temporary fix for blocking applications that Active Directory users abuse daily. It is handy if you want a quick way to block users from the Internet or, more accurately, from their browsers. I had to do this when our WatchGuard was down.

Steps (8 total)

1

Add a Group Policy

Under Administrative Tools, open Group Policy Management and expand Group Policy Objects.
2

Create New Policy

Right-click Group Policy Objects, select New, and name the new policy accordingly.
3

Editing the Policy

Right-click your new policy and select Edit. Under User Configuration, expand Policies > Windows Settings > Security Settings > Software Restriction Policies.
4

Adding a Restriction Policy

Right-click Software Restriction Policies and select New Software Restriction Policy.
5

Creating Rules

Right-click Additional Rules and select New Path Rule (the easiest way to do this).
6

Adding the paths

Now all we need to do is specify the path of the .exe that we wish to block. I'm going to use Internet Explorer for this, so in the path I'm going to put C:\Program Files\Internet Explorer\iexplore.exe and C:\Program Files (x86)\Internet Explorer\iexplore.exe.
I had to add two paths since Internet Explorer exists under x86 as well.
Notice that under Security Level we have three options:
- Disallowed: blocks all software defined
- Basic User: lets the software run but without any administrator access
- Unrestricted: allows the software to run
We will be using Disallowed.
7

Applying GPO to Users

Now that we have configured the GPO to block Internet Explorer, we can go on to applying it to the users.
I have my users assigned to different organizational units, so we just need to right-click the OU we want to test this on and select "Link an Existing GPO". A prompt will appear where you can select the GPO we created.
8

Final Step

Now we just need to update the group policy.
To do this, we open cmd and run gpupdate or gpupdate /force.
When this is done, we just let a user from the OU log back in to their account and try to open Internet Explorer.
If I didn't leave anything out, it should work like a charm.
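
To confirm the result of step 8 without relying on a user's report, the script below can be run in the affected user's session. It is an added example, not part of the original post: it reads the applied Software Restriction Policies path rules from the user's policy registry key and checks that the two Internet Explorer paths from step 6 are present as Disallowed. The function name Get-SrpPathRule is made up for this example.

```powershell
# Added example: list the SRP path rules Group Policy has applied to the
# current user and check the two paths from step 6.
# User Configuration SRP settings are stored under this HKCU policy key.
$base = 'HKCU:\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# SAFER level IDs (used as subkey names) mapped to the names in the GPO editor.
$levels = @{ '0' = 'Disallowed'; '131072' = 'Basic User'; '262144' = 'Unrestricted' }

# Paths this guide blocks (step 6).
$expected = @(
    'C:\Program Files\Internet Explorer\iexplore.exe',
    'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
)

function Get-SrpPathRule {
    param([string]$PolicyRoot = $base)
    foreach ($id in $levels.Keys) {
        $pathsKey = Join-Path $PolicyRoot "$id\Paths"
        if (-not (Test-Path $pathsKey)) { continue }   # no rules at this level
        foreach ($rule in Get-ChildItem $pathsKey) {    # one subkey (GUID) per rule
            $props = Get-ItemProperty -Path $rule.PSPath
            [pscustomobject]@{
                Level       = $levels[$id]
                # ItemData holds the rule path; expand any %VARIABLES% in it.
                Path        = [Environment]::ExpandEnvironmentVariables([string]$props.ItemData)
                Description = $props.Description
                RuleId      = $rule.PSChildName
            }
        }
    }
}

$rules = @(Get-SrpPathRule)
if ($rules.Count -eq 0) {
    Write-Warning "No SRP path rules under $base. Is the GPO linked to this user's OU, and has gpupdate run?"
}
$rules | Format-Table Level, Path, Description -AutoSize | Out-Host

# Report each expected path: blocked only if a Disallowed rule names it exactly.
foreach ($p in $expected) {
    $hit = $rules | Where-Object { $_.Level -eq 'Disallowed' -and $_.Path -ieq $p }
    $status = if ($hit) { 'BLOCKED' } else { 'NOT BLOCKED' }
    '{0,-12} {1}' -f $status, $p
}
```

A "NOT BLOCKED" line for the x86 path usually means the second path rule from step 6 was mistyped or never added.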

Conclusion

I should point out that this is to block applications for users. If users require strict access, then there is another method similar to this to allow applications instead of blocking them. For example, using the other method we can give them access to only MS Word by only adding word.exe, or whatever it's called, to the list of applications we would allow.
Please feel free to update me on anything I've missed or mistakes I've made, or if there is a better way to do it... idk :)
