In this article I’d like to show how we can use Windows AppLocker in Windows 10 Enterprise to allow only a small subset of programs to run in an enterprise environment. As you may already know, AppLocker rules function as an “allow” list, meaning that you’re allowed to run only those applications which have the corresponding allow rules in the AppLocker policy. Suppose our goal is to restrict users to running only a single third-party application installed by an administrator, for example 7Zip.

To start with, let’s take a look at my client computer – Win10Ent (AppLocker policies may be applied only to Enterprise OS versions!):

As we see, there are two recently installed programs – 7Zip and MS Excel Viewer – I’ve installed them under the TestCompany\ExAdmin account. Theoretically we must use a sample PC with the needed applications installed for creating an AppLocker policy locally and then exporting it to an Active Directory GPO, but for the sake of this test I will create my AppLocker policy using 7Zip installed on my DC.

Now I want any other non-administrative users to run only one of these programs – 7Zip and NOT MS Excel Viewer. As I’d like to have the same policy for all of my clients, I’ll create a GPO in AD and deploy it for the CLIENTS OU:

The first default rule, which allows everyone to run programs located in the Program Files folder, must be deleted – otherwise MS Excel Viewer will be implicitly allowed to run for all users.

As for an AppLocker policy to be enforced on a computer the Application Identity service must be running, let’s add to the AppLocker GPO the enablement of the Application Identity service in the …\Preferences\Control Panel\Service section:

After restarting my client Win10Ent (or running gpupdate /force) – up to two times, as group policy might just be read after the first restart/gpupdate and only be applied after the second – the policy must be applied and the Application Identity service must be running:

Now it’s time to test the policy: I will try to do the following under I) the Domain\Admin (TestCompany\ExAdmin) account and II) the Domain\User1 (TestCompany\User1) account:

B) run MS Excel which was installed by the administrator and

Both 7Z and MS Excel Viewer open successfully because there’s the AppLocker rule stating “(Default rule) Built-in\Administrators – All folders.” – exactly what I expected to see.

Again, all works as expected.

But let’s try to run the built-in Calculator as Admin and User1 and look at the results:
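The manual tests above (7Zip, MS Excel Viewer and Calculator under ExAdmin and User1, plus the Application Identity service and the leftover Program Files default rule) can also be checked from an elevated PowerShell session on the client with the AppLocker module. This is an added example, not code from the original article; the executable paths are assumptions for this lab.

```powershell
# Added example (not from the original article): check the deployed AppLocker policy on the
# Win10Ent client with the AppLocker PowerShell module instead of clicking through each program.
# Assumptions: the executable paths are lab placeholders; account names follow the article.
# Run in an elevated PowerShell session on the client after gpupdate /force.

# 1. AppLocker enforces nothing while the Application Identity service is stopped.
$svc = Get-Service -Name AppIDSvc
if ($svc.Status -ne 'Running') {
    Write-Warning "Application Identity service is $($svc.Status): AppLocker rules are NOT enforced."
}

# 2. The policy the machine actually received (local policy merged with all linked GPOs).
$policy    = Get-AppLockerPolicy -Effective
$policyXml = Get-AppLockerPolicy -Effective -Xml
$policyXml | Out-File -FilePath "$env:TEMP\applocker-effective.xml" -Encoding UTF8

# 3. What to check: the program we want allowed, the one we want blocked, and a built-in one.
$targets = @(
    'C:\Program Files\7-Zip\7zFM.exe',                             # assumed 7-Zip path
    'C:\Program Files (x86)\Microsoft Office\Office12\XLVIEW.EXE',  # assumed Excel Viewer path
    "$env:SystemRoot\System32\calc.exe"                            # built-in Calculator
)
$users = 'TestCompany\ExAdmin', 'TestCompany\User1'

# 4. Evaluate every executable for every account. PolicyDecision is Allowed, Denied or
#    DeniedByDefault, and MatchingRule names the rule that produced it, so a default rule
#    that was left in place shows up by name.
foreach ($u in $users) {
    Test-AppLockerPolicy -PolicyObject $policy -Path $targets -User $u |
        Select-Object @{ n = 'User'; e = { $u } }, FilePath, PolicyDecision, MatchingRule
}

# 5. Explicit check for the mistake the article warns about: an Exe rule that still lets
#    Everyone (SID S-1-1-0) run anything under %PROGRAMFILES%.
[xml]$doc = $policyXml
$exeCollection = $doc.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }
$leftover = $exeCollection.FilePathRule | Where-Object {
    $_.UserOrGroupSid -eq 'S-1-1-0' -and
    $_.Action -eq 'Allow' -and
    $_.Conditions.FilePathCondition.Path -like '%PROGRAMFILES%*'
}
if ($leftover) {
    Write-Warning "Everyone may still run everything under Program Files via rule '$($leftover.Name)'."
}
```

For the intended result, 7zFM.exe should come back Allowed for both accounts, XLVIEW.EXE Allowed only for ExAdmin (via the Built-in\Administrators default rule) and DeniedByDefault for User1, and step 5 should print no warning.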