Controlling application access via Windows Group Policies, pt. 1
These steps show how to set a group policy to either block specific applications or only allow specific applications to run. The policies only apply to applications launched through the Windows Explorer process (e.g. a shortcut, double-clicking an executable file, etc.). Setting either of these policies to Enabled will not block launch access to system processes, like the Task Manager, or programs launched from the command prompt.
The following points must be true:
- The computer(s) must be running Windows 2000 or higher.
- You have admin rights to the domain or local machine.
Blocking specific applications
This example will block access to solitaire (sol.exe).
- Open the Group Policy editor for the domain or for local machine (gpedit.msc).
- Expand Administrative Templates under User Configuration.
- Click on System.
- In the left pane, double-click on Don’t run specified Windows applications.
- Click Enabled and then click the button labeled Show… (next to List of disallowed applications).
- In the Show Contents window, click the button labeled Add.
- Type the executable name you want to block. For this example, the executable is sol.exe.
- The full path is not required.
- Click OK (or press Enter) to close the Add Item window and then click OK to close the Show Contents window.
- Click the Apply button on the Don’t run specified Windows applications window to set the policy and then click OK to close the window.
If you are trying this on your local machine, try to run solitaire from either the shortcut in the Start Menu or by going to Start -> Run and typing sol.exe (click OK or press Enter). You should receive a warning informing you that the operation was cancelled due to restrictions set by the administrator.
Allowing only specific applications
If there are only a relatively small number of programs users should be allowed to use (e.g. Office apps, etc.), it may be easier to only allow access to those applications instead of trying to block applications. This example will allow only Microsoft Word to be launched.
- Open the Group Policy editor for the domain or for a single PC (gpedit.msc).
- Expand Administrative Templates under User Configuration.
- Click on System.
- In the left pane, double-click on Run only allowed Windows applications.
- Click Enabled and then click the button labeled Show… (next to List of allowed applications).
- In the Show Contents window, click the button labeled Add.
- Type the executable name you want to allow. For this example, the executable is winword.exe.
- The full path is not required.
- Click OK (or press Enter) to close the Add Item window and then click OK to close the Show Contents window.
- Click the Apply button on the Run only allowed Windows applications window to set the policy and then click OK to close the window.
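Both procedures above write the same per-user registry policy that Explorer checks: a DisallowRun or RestrictRun flag under HKCU\...\Policies\Explorer plus a subkey of the same name whose values "1", "2", ... hold the bare executable names. The following PowerShell script is an added audit example (not from the original article) that reads that state on a modern Windows box so an administrator can verify what was actually applied and spot an allow list that omits mmc.exe (the host for gpedit.msc) and regedit.exe, which would leave no way to undo the policy from that account. The function names and the lockout check are this example's own.

```powershell
# Added example: audit the Explorer run policies that the GUI steps above set.
# Registry locations are the documented ones for these two policies; everything
# else (function names, the lockout heuristic) is this example's own construction.
$base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-ExplorerRunPolicy {
    # $PolicyName is 'DisallowRun' (block list) or 'RestrictRun' (allow list)
    param([string]$PolicyName)
    $enabled = $false
    $entries = @()
    if (Test-Path $base) {
        $flag = (Get-ItemProperty -Path $base -ErrorAction SilentlyContinue).$PolicyName
        $enabled = ($flag -eq 1)
    }
    $listKey = Join-Path $base $PolicyName
    if (Test-Path $listKey) {
        # Each value is named "1", "2", ... and holds a bare executable name, e.g. sol.exe
        $entries = (Get-ItemProperty -Path $listKey).PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } |
            ForEach-Object { $_.Value }
    }
    [pscustomobject]@{ Policy = $PolicyName; Enabled = $enabled; Entries = @($entries) }
}

function Test-AllowListLockout {
    # Returns $true when an enabled allow list omits the tools needed to undo it:
    # mmc.exe hosts gpedit.msc, regedit.exe is the fallback editor for these keys.
    param($AllowPolicy)
    if (-not $AllowPolicy.Enabled) { return $false }
    $needed  = @('mmc.exe', 'regedit.exe')
    $missing = @($needed | Where-Object { $AllowPolicy.Entries -notcontains $_ })
    return ($missing.Count -gt 0)
}

$block = Get-ExplorerRunPolicy -PolicyName 'DisallowRun'
$allow = Get-ExplorerRunPolicy -PolicyName 'RestrictRun'
$block, $allow | Format-Table -AutoSize

if ($block.Enabled -and $allow.Enabled) {
    Write-Warning 'Both policies are enabled; review which one is intended.'
}
if (Test-AllowListLockout $allow) {
    Write-Warning 'Allow list omits mmc.exe/regedit.exe: this account cannot undo the policy via Explorer.'
}
```

Run it as the user the policy targets; a domain policy lands in the same HKCU keys once it has applied, so the script also confirms replication.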
Blocking access to the command prompt
As stated at the beginning of the article, neither of these policies will block access to an application if it is launched from the command prompt. If you blocked access to solitaire, open up the command prompt (cmd.exe) and type in sol.exe (and press Enter). Solitaire will run instead of being blocked. You can easily block access to the command prompt by setting the policy Prevent access to the command prompt (located in the same place as the Don’t run specified Windows applications and Run only allowed Windows applications policy) to Enabled.
Note: Preventing access to the command prompt will not allow batch files to run. Do not enable this setting if you use batch files for logon, logoff, startup or shutdown scripts. Also, do not enable this setting if the users use Terminal Services.
Any one of these policies takes effect immediately if you are doing this via the local computer GP editor. If you are on a domain, you will either have to wait for the policy to replicate or go to the command line and run:
- Windows 2000 domain: secedit /refreshpolicy user_policy /enforce
- Windows 2003 domain: gpupdate /target:user /force
You do not need to use the /logoff or /boot switches because these policies do not require a system logoff/reboot.
Part 2 will deal with the ability of users to rename executables in order to get around this block.
24.Jun.05
Active Directory, Tech Tip
Couldn’t someone just rename sol.exe to stupidgame.exe and redirect the shortcuts to defeat this?
Yes, if you were just blocking applications. That is where only allowing certain apps would work better.
Hi Wyckedone,
Got myself in a fix by tweaking the gpedit.msc.
Hope you can shed some light on how to solve this problem of mine. Many Thanks!
I have accidentally locked All programs by using the Group Policy Editor gpedit.msc. I am using Windows XP Professional edition Service Pack 1.
I need to pass my laptop to someone else for a week and was trying to figure out a way to protect my laptop from being misused by the other person (surfing the net using my account, etc.). I stumbled upon gpedit.msc through the Windows Help file and was “experimenting” with ways to prevent other people from running any other programs except one.
I used the “Allowed programs” function in gpedit.msc (sorry can’t remember the actual wording) and allowed only the program to be run. The problem is that I have forgotten to also allow gpedit.msc to run, hence I’m locked out of accessing gpedit.msc.
Now my laptop can only run that one program that I allowed in gpedit.msc.
I would very much appreciate it if you could enlighten me on any way to undo/reset that particular function in gpedit.msc.
Thank you very much!
Best regards,
Sook Chin
Malaysia
Unfortunately, I have restricted my gpedit policy by using gpedit. How do I recover from this?
Now if I click on gpedit.msc, the error is “Restricted”. Please help me.
I’d say you can edit it in safe mode…
Reboot and hit F8 until a black screen comes up with some options you can choose from.
Use the arrow keys to select boot in safe mode and press Enter.
Let it load and edit it in there.
Hi,
I set the policy to run only allowed applications, but it disabled all Windows applications; now I cannot open cmd, gpedit.msc, System Restore or the backup utilities.
Now what should I do? Please help me.
Try the steps outlined by Redser (comment above yours).
I think the tricky user can rename the application to avoid the “Don’t run specified Windows applications” policy, but if there is a way to block a running application depending on its CLSID, that would sound great.
I think the tricky user can rename the application
That’s what is covered in Part 2. Even those steps can be defeated in other ways (as shown in the comments). It’s not easy blocking resources, especially when dealing with someone that has the technical knowledge.
I agree that blocking CLSID would be better. I believe there are 3rd party programs that do that but I can’t remember the program names. I’ll try to locate them. If you find them, let me know.
It can only block one time; after resetting back and blocking a 2nd time, the games can still be played.
How do I clear the registry file on my PC, to clear the trial software?