
Thread: Group Policy problem

  1. #1
    Junior Member Sambo's Avatar
    Join Date
    Apr 2006
    Windsor near London

    Group Policy problem

    Hi, I have just enabled and forced a group policy to stop programs like Messenger running (on Win 2003). To do this I went to the domain policy editor and ran this through: User Configuration\Administrative Templates\System\
    and the setting: "Don't run specified Windows application" in the group policy editor. It seems to work fine apart from 1 PC that can still run Messenger and LimeWire even though I keep refreshing the policy. And sometimes people can still get on Messenger unless they close it and try to reopen the program; then it won't open.

    I suppose this is 2 questions really.

    1. Why does the group policy apply to most machines apart from 1 (it is inside the domain)?

    2. How can some people intermittently get on the restricted program?

    I have heard that you can set a software restriction policy but I can't seem to work it out.

    Any ideas, anyone? It's annoying me.

  2. #2
    Succeded in braking Windo TZ Veteran Dehcbad25's Avatar
    Join Date
    Apr 2002
    DE - USA
    Well, on the machine that is not applying, do gpupdate. It has been a while since I designed policies (I am scheduled to do it in this location in a couple of months) but I think /force forces the policy.
    Some policies are per user, and some per system, so Computer Configuration gets applied when the system boots. Unless you restart the PC or server, the policies under that section might not apply, and the policies under User Configuration affect the user profile, so at least a logoff is needed. Unless you did that, there is no point in continuing troubleshooting. Since you mention a server I am guessing it hasn't been restarted.
    For the software restriction it is not a Group Policy problem. If you read the explanation, it describes that it only affects processes started by Explorer. Messenger can be 3 different programs: Messenger the service (this is used to put messages on the network, or current PC), Windows Messenger (version 4.7 included in Windows XP) or Live Messenger (formerly MSN Messenger).
    When you specify a program from there I think I can list at least 5 different ways to open the program even though you have the policy. The policies are used in conjunction with other ones.
    Make sure that you are using GPMC to edit the policies, and run a group policy result wizard against the PC/server with the user that you want to verify.
    Also keep in mind that if the application has a different executable it will run. I just need to change the name of msnmsgr.exe to run Windows Live Messenger, for example.
    Software restriction is the section that you actually want to work on; it allows you to use a hash as well as an executable path. You can also disable folders.
    It has been quite a long time since the last software restriction (about 4 years), but it did take some testing to completely block it out. Though it was easier for me, I just wanted to allow a group of PCs to access Internet Explorer with only 1 web page, and Outlook.
    Software restriction policies are in User Configuration>Windows Settings>Security Settings>Software Restriction Policies.

  3. #3
    Triple Platinum Member Curio's Avatar
    Join Date
    Nov 2004
    If the user changes the executable name then it will run; if the user changes the application for an alternative, like MSN Messenger to Trillian (for example), it will run. Some programs can be run by other little tricks; basically it's a waste of effort. A way that works is to get a firewall device which supports application security and you will be able to disable communications through it for things like Instant Messenger programs.
    I'm using Windows 7 - you got a problem with that?
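
Added example, not part of any post in this thread: a PowerShell sketch that audits a folder against a name-based block list and a hash-based one, to show why posts #2 and #3 say a renamed msnmsgr.exe gets past the name rule while a hash rule still matches it. The function names, the temp folder, the stand-in files and the choice of SHA-256 are all assumptions made for illustration; this models the matching logic only and does not read or write any real policy.

```powershell
# Name rule: matches only on the file's leaf name (-contains is case-insensitive).
function Test-NameRule {
    param([string]$Path, [string[]]$BlockedNames)
    $BlockedNames -contains (Split-Path -Leaf $Path)
}

# Hash rule: matches on file content, whatever the file is called.
# SHA-256 is an assumption for this demo, not a statement about the policy engine.
function Test-HashRule {
    param([string]$Path, [string[]]$BlockedHashes)
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $BlockedHashes -contains $hash
}

# Walk a folder and report, per executable, which rule type would match it.
function Get-BlockAudit {
    param([string]$Root, [string[]]$BlockedNames, [string[]]$BlockedHashes)
    Get-ChildItem -LiteralPath $Root -Recurse -File -Filter *.exe | ForEach-Object {
        [pscustomobject]@{
            File        = $_.Name
            NameRuleHit = Test-NameRule -Path $_.FullName -BlockedNames $BlockedNames
            HashRuleHit = Test-HashRule -Path $_.FullName -BlockedHashes $BlockedHashes
        }
    }
}

# --- Constructed sample data: text files standing in for executables ---
$root = Join-Path ([IO.Path]::GetTempPath()) ("srp-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $root | Out-Null
$blocked = Join-Path $root 'msnmsgr.exe'
Set-Content -LiteralPath $blocked -Value 'constructed stand-in for the blocked program'
# Same content under a different name: the rename case from the thread.
Copy-Item -LiteralPath $blocked -Destination (Join-Path $root 'notes.exe')
# Different content: an unrelated program.
Set-Content -LiteralPath (Join-Path $root 'other.exe') -Value 'constructed unrelated program'

$blockedNames  = @('msnmsgr.exe')
$blockedHashes = @((Get-FileHash -LiteralPath $blocked -Algorithm SHA256).Hash)

# msnmsgr.exe hits both rules, notes.exe hits only the hash rule, other.exe hits neither.
Get-BlockAudit -Root $root -BlockedNames $blockedNames -BlockedHashes $blockedHashes |
    Format-Table -AutoSize

Remove-Item -LiteralPath $root -Recurse -Force
```

A hash entry matches one exact file, so each version of a program needs its own entry, and a different program such as the Trillian case in post #3 is not matched by either rule.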
