How to: Software Restriction policy for AD Domain Users

A couple of weeks ago we talked about website restrictions and how to enforce them without using a proxy. Now it's time to prevent users of an Active Directory Domain Services domain from running specific applications.

Surprisingly enough, it's much easier to restrict software than websites. You just need to log on to the domain controller and follow these steps.

Open the Server Manager and launch the Group Policy Management:

Create a new Group Policy Object:

Give a name to the new GPO:

Edit the Computer Configuration:

You will find the Software Restriction Policies under Computer Configuration –> Windows Settings –> Security Settings. Select the node and choose New Software Restriction Policies:

Under Security Levels you configure the default execution permission that applies to every program not matched by an additional rule. Unrestricted (the default setting) doesn't restrict software execution, Basic User allows only the execution of applications that don't need Administrator rights, and Disallowed forbids software execution altogether. Right-click a level to set it as the new default:

The Additional Rules are what actually controls application usage. They override the default level, so you can choose either approach: disallow everything by default and add rules that allow the few applications users need, or leave everything unrestricted by default and add rules that block the few applications that bother you. We suggest using the Path Rule, which restricts or allows the execution of files under a specific path:

In this example we are going to allow unrestricted execution for Mozilla Firefox. Path rules accept environment variables such as %UserProfile%, so you can write dynamic paths and restrict applications installed in the user folders:
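The same GPO can be built from PowerShell with the GroupPolicy module (RSAT) instead of clicking through the editor. The script below is an added example and is not part of the original post: the GPO name, the target OU and the Firefox install path are placeholders, and the registry layout under Safer\CodeIdentifiers is what the Software Restriction Policies editor writes as understood here, so confirm the result in the GPO editor on a lab OU before linking it to production.

```powershell
# Added example (not from the original post). Builds a Software Restriction Policies GPO:
# default level Disallowed, path rules that allow Windows, Program Files and Firefox.
# Assumptions: elevated, domain-joined admin session with RSAT; placeholder names below;
# registry layout under CodeIdentifiers as written by the SRP editor.
Import-Module GroupPolicy

$GpoName  = 'SRP - Allow Firefox only'                        # placeholder
$TargetOU = 'OU=Workstations,DC=example,DC=com'               # placeholder
$SaferKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Security levels as SRP stores them: 0 = Disallowed, 131072 = Basic User, 262144 = Unrestricted
$Disallowed   = 0
$Unrestricted = 262144

New-GPO -Name $GpoName -Comment 'Default Disallowed; allowed applications by path rule' | Out-Null

# Default level: anything not matched by an additional rule is Disallowed
Set-GPRegistryValue -Name $GpoName -Key $SaferKey -ValueName 'DefaultLevel'       -Type DWord -Value $Disallowed
# Enforce for all executables except DLLs (1), and for all users including local admins (0)
Set-GPRegistryValue -Name $GpoName -Key $SaferKey -ValueName 'TransparentEnabled' -Type DWord -Value 1
Set-GPRegistryValue -Name $GpoName -Key $SaferKey -ValueName 'PolicyScope'        -Type DWord -Value 0

function Add-SrpPathRule {
    # Writes one path rule under <level>\Paths\{GUID}, the way the editor does
    param(
        [string]$GpoName,
        [int]$Level,            # 0, 131072 or 262144
        [string]$Path,          # may contain %ProgramFiles%, %UserProfile%, ...
        [string]$Description
    )
    $ruleKey = "$SaferKey\$Level\Paths\{$([guid]::NewGuid().ToString())}"
    Set-GPRegistryValue -Name $GpoName -Key $ruleKey -ValueName 'ItemData'     -Type ExpandString -Value $Path
    Set-GPRegistryValue -Name $GpoName -Key $ruleKey -ValueName 'SaferFlags'   -Type DWord        -Value 0
    Set-GPRegistryValue -Name $GpoName -Key $ruleKey -ValueName 'Description'  -Type String       -Value $Description
    Set-GPRegistryValue -Name $GpoName -Key $ruleKey -ValueName 'LastModified' -Type QWord        -Value ([DateTime]::UtcNow.ToFileTimeUtc())
}

# The editor adds these two rules automatically when the default is Disallowed; without them
# the operating system itself would be blocked. Users cannot write to either location.
Add-SrpPathRule -GpoName $GpoName -Level $Unrestricted -Path '%SystemRoot%'   -Description 'Windows'
Add-SrpPathRule -GpoName $GpoName -Level $Unrestricted -Path '%ProgramFiles%' -Description 'Program Files'

# The rule from the post: Firefox runs Unrestricted (install path is an assumption)
Add-SrpPathRule -GpoName $GpoName -Level $Unrestricted -Path '%ProgramFiles%\Mozilla Firefox\firefox.exe' -Description 'Allow Firefox'

# Link the GPO to the OU that holds the workstations
New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null
```

Two points worth keeping in mind when you build the policy this way: with Disallowed as the default, every allow rule should point at a location standard users cannot write to, otherwise a user can copy any program into the allowed folder and run it; and the editor writes additional housekeeping values (ExecutableTypes, Levels) that this script does not, so open the GPO in the editor once to check that the levels and rules appear as expected.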

Your policy is ready. Now drag and drop it onto the distribution group:

The policy is now enforced:
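To confirm on a workstation that the policy actually arrived and to see what it is blocking, the added script below (not part of the original post) refreshes computer policy, reads the effective Software Restriction Policies keys and lists the block events. It assumes the registry layout under Safer\CodeIdentifiers and the event IDs 865 to 868 written to the Application log by the Microsoft-Windows-SoftwareRestrictionPolicies provider; run it in an elevated session on a domain-joined client.

```powershell
# Added example (not from the original post). Verifies the applied SRP policy on a client
# and reports what it blocked. Assumptions: key layout under CodeIdentifiers, SRP events
# 865-868 in the Application log, elevated session on a domain-joined workstation.
$SaferKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$LevelNames = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

# Pull the latest computer policy so the check reflects the GPO just linked
gpupdate /target:computer /force | Out-Null

function Get-SrpEffectivePolicy {
    # Returns the default level, the scope and every path rule, or $null if no SRP applies
    if (-not (Test-Path $SaferKey)) { return $null }
    $root  = Get-ItemProperty -Path $SaferKey
    $rules = foreach ($levelKey in Get-ChildItem -Path $SaferKey) {
        $level = $levelKey.PSChildName -as [int]          # subkeys are named 0, 131072, 262144
        if ($null -eq $level) { continue }
        $pathsKey = Join-Path $levelKey.PSPath 'Paths'
        if (Test-Path $pathsKey) {
            foreach ($rule in Get-ChildItem -Path $pathsKey) {
                $p = Get-ItemProperty -Path $rule.PSPath
                [pscustomobject]@{
                    Level       = $LevelNames[$level]
                    Path        = $p.ItemData
                    Description = $p.Description
                }
            }
        }
    }
    [pscustomobject]@{
        DefaultLevel = $LevelNames[[int]$root.DefaultLevel]
        PolicyScope  = $root.PolicyScope      # 0 = all users, 1 = all users except local admins
        Rules        = $rules
    }
}

function Get-SrpBlockEvents {
    # 865: blocked by the default level, 866: by a path rule,
    # 867: by a certificate rule, 868: by a zone rule
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-SoftwareRestrictionPolicies'
        Id           = 865, 866, 867, 868
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message.Split("`n")[0].TrimEnd() } }
}

$policy = Get-SrpEffectivePolicy
if ($null -eq $policy) {
    Write-Warning 'No Software Restriction Policy is applied to this computer.'
    return
}
"Default level: $($policy.DefaultLevel) (PolicyScope $($policy.PolicyScope))"
$policy.Rules      | Format-Table -AutoSize
Get-SrpBlockEvents | Format-Table -AutoSize
```

Those same 865 to 868 events are the ones to forward to your log collector: a burst of 865 events from one workstation shows either a user trying to run unapproved software or an allow rule that is missing, and both are worth a look.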