| Author | Messages | |
jsclmedave
Posts:67
 | | 08/20/2010 4:57 PM |
| Single site, Single domain.
2 DCs - 2003 SP1
50 users - 90% WIN 7 Pro - 10% XP
They had a GP with a White List created. They decided to expand it for other users so they made a copy of the original GP with the White List.
Now they are having major issues -
1) In copied GP cannot view white list objects
2) As of TODAY cannot see white list objects in original GP
3) If they add an app to the white list allow, SOME users can not open the app. They receive the not allowed error.
 a) Tried gpupdate /force
 b) Tried rebooting PC multiple times
 c) They move the User to an Admin OU, they can now open the app; once the Users are moved back to the Users OU the app will continue to work.
This happens randomly with users and apps, no pattern; there have been cases where it was a single person only.
*Time permitting* - I will attempt to get screen shots this weekend and will try to pull settings from OU using Darren's GP Compare tool.
This is going to be a major issue when they start pushing out new applications in the near future.
I am stumped at this point and am not sure where to start... I am thinking it may be a registry issue but again not sure where to start.
Tim Bolton 148 2nd Street North Central City Iowa, 52214 SMS - xxxxxxxxxxxxxxxx
Microsoft Certified IT Professional
Blog - Http://timbolton.net/
"Applying computer technology is simply finding the right wrench to pound in the correct screw." ~ Steve Riley
| | Tim Bolton | |
| jeromelcruz
Posts:120
 | | 08/20/2010 5:31 PM |
| Tim,
Straight off, make sure you are using a consistent GPMC Editor. Do not be switching between versions in Win XP, Win 7, W2K3 SP1….
Also, if work was done using a Windows 7 device… I would stick with that version from now on (unless someone knows of a known Issue with Win7 GPMC and configuring SRP policies with it).
Lastly, I assume that the context of “White Listing” here implies the use of SRP (Software Restriction Policies) which all of the client systems should utilize versus AppLocker based policy settings (which is unique to Windows 7/W2K8 systems alone). Oh, and I would NOT be using ‘both’ SRP and AP settings at the same time. If you ‘want’ to use both, then target a separate GPO at each set of devices (one GPO configuring SRP policy settings for the Win XP systems and one GPO configuring AppLocker settings for the Windows 7 systems).
Jerry Cruz | Group Policies Product Manager | Windows Server and Infrastructure Architecture
| | | |
| jsclmedave
Posts:67
 | | 08/20/2010 6:06 PM |
| Thanks Jerry!
I am using - via VPN and RDP - WIN 7 Ultimate to RDP into another WIN 7 Ultimate machine, then using the RSAT / GPMC on that WIN 7 machine to make backups etc.
The admin person is using this machine to perform his edits as well.
Yes I am talking about Software Restriction Policies and not AppLocker. I will verify that AppLocker is NOT being used today.
They are making the setting at \user configuration\administrative templates\system …. “Run only specified Windows applications”
They are telling me that the list is not showing anything, but the apps are still able to be run. Which I take as they have been tattooed into the registry..(?)
I am not sure why the list is now empty...
Very strange...
Tim Bolton 148 2nd Street North Central City Iowa, 52214 SMS - xxxxxxxxxxxxxxxx
Microsoft Certified IT Professional
Blog - Http://timbolton.net/
"Applying computer technology is simply finding the right wrench to pound in the correct screw." ~ Steve Riley
| | Tim Bolton | |
| jeromelcruz
Posts:120
 | | 08/20/2010 6:49 PM |
| Okay, so let’s call that particular setting the Cromagnon’s ‘white listing’ tool. It certainly is not SRP, nor AppLocker. It also has SEVERE limitations: Limits the Windows programs that users have permission to run on the computer. If you enable this setting, users can only run programs that you add to the List of Allowed Applications.
This setting only prevents users from running programs that are started by the Windows Explorer process. It does not prevent users from running programs such as Task Manager, which are started by the system process or by other processes. Also, if users have access to the command prompt, Cmd.exe, this setting does not prevent them from starting programs in the command window that they are not permitted to start by using Windows Explorer.
Note: It is a requirement for third-party applications with Windows 2000 or later certification to adhere to this setting.
Note: To create a list of allowed applications, click Show, click Add, and then enter the application executable name (e.g., Winword.exe, Poledit.exe, Powerpnt.exe).
The data behind that setting is:
Registry Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Value: RestrictRun (Enabled = 1, Disabled = 0)
And the list of allowed programs is stored in:
Registry Key: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun
Value: RestrictApps_RestrictAppsList
= = = = = = = = = = = = = = = = = = = =
Things you can start to look at:
1) Validate that the GPO’s Registry.Pol file is correct:
Download: \\FQDN_Domain_Name\sysvol\FQDN_Domain_Name\Policies\{GPO’s_GUID}\User\registry.pol
At a command prompt, run RegView registry.pol (I believe that regview is in the W2K3 ResKit).
Look and see if the RestrictRun key is there and whether the registry.pol file is intact (nothing specific here, but I’ve seen it come out garbled or indicate that the file was corrupt, etc.).
2) Validate that the GPO is reaching all the targeted devices: Go to a device and run the GPRESULT command
3) You could hand re-build the GPO or restore from a backup.
Jerry Cruz | Group Policies Product Manager | Windows Server and Infrastructure Architecture
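Jerry's step 1 inspects the GPO's registry.pol with RegView. As an added example (not from this thread, RegView or any Microsoft tool), here is a small Python parser for the PReg format that registry.pol uses; it reports whether RestrictRun is enabled, lists the allowed executables, and raises ValueError on a truncated or non-PReg file, which is the "garbled or corrupt" case Jerry mentions. The sample file is constructed inline; it assumes the GP editor stores the list entries as numbered values ("1", "2", ...) under the RestrictRun key, with the RestrictApps_RestrictAppsList name Jerry quotes being the ADM element id rather than a registry value name.

```python
"""Minimal parser for a Group Policy registry.pol (PReg) file.

Added example: reports the RestrictRun state carried by the file and
raises ValueError on a damaged file. The sample input is constructed below."""
import struct

REG_SZ, REG_DWORD = 1, 4
PREG_MAGIC, PREG_VERSION = b"PReg", 1
EXPLORER_KEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
RESTRICTRUN_KEY = EXPLORER_KEY + r"\RestrictRun"


def _u16(text):
    return text.encode("utf-16-le")


def _read_wstr(buf, pos):
    """Read a NUL-terminated UTF-16LE string at pos; return (text, next_pos)."""
    end = pos
    while True:
        if end + 2 > len(buf):
            raise ValueError("truncated string at offset %d" % pos)
        if buf[end:end + 2] == b"\x00\x00":
            return buf[pos:end].decode("utf-16-le"), end + 2
        end += 2


def _read_dword(buf, pos):
    if pos + 4 > len(buf):
        raise ValueError("truncated DWORD at offset %d" % pos)
    return struct.unpack_from("<I", buf, pos)[0], pos + 4


def _expect(buf, pos, ch):
    """Consume one UTF-16LE delimiter character ('[', ';' or ']')."""
    if buf[pos:pos + 2] != _u16(ch):
        raise ValueError("expected %r at offset %d" % (ch, pos))
    return pos + 2


def parse_registry_pol(buf):
    """Return [(key, value_name, reg_type, data), ...] for every entry in buf."""
    if buf[:4] != PREG_MAGIC:
        raise ValueError("not a PReg file (bad signature)")
    version, pos = _read_dword(buf, 4)
    if version != PREG_VERSION:
        raise ValueError("unsupported PReg version %d" % version)
    entries = []
    while pos < len(buf):                      # each entry: [key;name;type;size;data]
        pos = _expect(buf, pos, "[")
        key, pos = _read_wstr(buf, pos)
        pos = _expect(buf, pos, ";")
        name, pos = _read_wstr(buf, pos)
        pos = _expect(buf, pos, ";")
        vtype, pos = _read_dword(buf, pos)
        pos = _expect(buf, pos, ";")
        size, pos = _read_dword(buf, pos)
        pos = _expect(buf, pos, ";")
        if pos + size > len(buf):
            raise ValueError("entry data runs past end of file at offset %d" % pos)
        raw, pos = buf[pos:pos + size], pos + size
        pos = _expect(buf, pos, "]")
        if vtype == REG_DWORD and size == 4:
            data = struct.unpack("<I", raw)[0]
        elif vtype == REG_SZ:
            data = raw.decode("utf-16-le").rstrip("\x00")
        else:
            data = raw                         # other types are left as raw bytes
        entries.append((key, name, vtype, data))
    return entries


def restrict_run_summary(entries):
    """Return (enabled, allowed_exes) for the RestrictRun policy in the entries."""
    enabled, allowed = False, []
    for key, name, vtype, data in entries:
        if key.lower() == EXPLORER_KEY.lower() and name.lower() == "restrictrun":
            enabled = vtype == REG_DWORD and data == 1
        elif key.lower() == RESTRICTRUN_KEY.lower() and not name.startswith("**"):
            allowed.append(data)   # list entries are numbered values "1", "2", ...
    return enabled, allowed


def build_registry_pol(entries):
    """Serialise entries to PReg bytes; used only to construct the sample below."""
    out = bytearray(PREG_MAGIC + struct.pack("<I", PREG_VERSION))
    for key, name, vtype, data in entries:
        raw = struct.pack("<I", data) if vtype == REG_DWORD else _u16(data + "\x00")
        out += _u16("[") + _u16(key + "\x00") + _u16(";") + _u16(name + "\x00") + _u16(";")
        out += struct.pack("<I", vtype) + _u16(";") + struct.pack("<I", len(raw)) + _u16(";")
        out += raw + _u16("]")
    return bytes(out)


# Constructed sample: what the editor writes for "Run only specified Windows
# applications" with two allowed programs ("**DelVals." clears stale entries).
SAMPLE_POL = build_registry_pol([
    (EXPLORER_KEY, "RestrictRun", REG_DWORD, 1),
    (RESTRICTRUN_KEY, "**DelVals.", REG_SZ, " "),
    (RESTRICTRUN_KEY, "1", REG_SZ, "Winword.exe"),
    (RESTRICTRUN_KEY, "2", REG_SZ, "Powerpnt.exe"),
])

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None   # e.g. a downloaded registry.pol
    blob = open(path, "rb").read() if path else SAMPLE_POL
    on, apps = restrict_run_summary(parse_registry_pol(blob))
    print("RestrictRun enabled:", on)
    print("Allowed:", ", ".join(apps) or "(empty list)")
```

An empty allowed list with RestrictRun still set to 1 is the state Tim describes (list shows nothing, yet the policy is applied), so it is worth printing both.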
| | | |
| dmarelia
Posts:394
 | | 08/20/2010 7:13 PM |
| I would follow on from what Jerry has said and to suggest that if your goal is really to control application execution, I would run screaming from the method you’re using now ☺. In addition to the limitations below, it is a simple matter of renaming a given executable and you can get around any limitations in place. It really isn’t real whitelisting.
Darren
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Cruz, Jerome L Sent: Friday, August 20, 2010 10:40 AM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] White List Issue
One additional item to note:
Some of these older registry settings SEVERELY limited the total character path lengths. Even though a DWORD, some had operational character limits of 260 characters, until Win XP SP2 came around, where ‘some’ of them were extended to support longer lengths, like 4,096. I don’t know whether there are any limits to the RestrictApps_RestrictAppsList registry key, but it’s something to consider if you have a LOT of application entries in your list. Maybe a recent addition put it ‘over the line’.
Jerry Cruz | Group Policies Product Manager | Windows Server and Infrastructure Architecture
| | | |
| jsclmedave
Posts:67
 | | 08/20/2010 7:23 PM |
Ok that is a great start and I will back up and read up on Software Restriction Policies. (egg on face) I really thought this was how to set this up. I will also look at AppLocker. Perhaps this would be a better option for their users with WIN 7 machines. I will place the XP PCs that are left into their own OU. With only 50 users this should not be a big issue...
Thanks for the great heads up and I will post findings!
Tim Bolton 148 2nd Street North Central City Iowa, 52214 SMS - xxxxxxxxxxxxxxxx
Microsoft Certified IT Professional
Blog - Http://timbolton.net/
"Applying computer technology is simply finding the right wrench to pound in the correct screw." ~ Steve Riley
| | Tim Bolton | |
| jsclmedave
Posts:67
 | | 08/20/2010 8:35 PM |
| "Which editions of Windows 7 and Windows Server 2008 R2 support AppLocker rules? - AppLocker rules can be enforced on computers running *Windows 7 Ultimate, Windows 7 Enterprise,* or any edition of Windows Server 2008 R2 except Windows Web Server 2008 R2 and Windows Server 2008 R2 Foundation."
I will have to look at Software Restriction Policies features unless they are able to upgrade to Ultimate...
Tim Bolton 148 2nd Street North Central City Iowa, 52214 SMS - xxxxxxxxxxxxxxxx
Microsoft Certified IT Professional
Blog - Http://timbolton.net/
"Applying computer technology is simply finding the right wrench to pound in the correct screw." ~ Steve Riley
On Fri, Aug 20, 2010 at 1:09 PM, Tim Bolton <xxxxxxxxxxxxxxxx> wrote:
> Agree 100%..! I was going off of what I was told and did not question it. Will really look hard at AppLocker for their WIN 7 machines. The XPs will be gone soon (couple weeks) so they should not be an issue.
>
> I would like nothing more than to have them running at optimum proficiency. Years ago this was my first network, so it's like revisiting a family member. <g>
>
> Any advice or links will be greatly appreciated...
>
> Thanks Everyone!!
>>
>> They are making the setting at \user configuration\administrative templates\system .... "Run only specified Windows applications"
>>
>> They are telling me that the lists are not showing anything, but the apps are still able to be run. Which I take as they have been tattooed into the registry..(?)
>>
>> I am not sure why the lists are now empty...
>>
>> Very strange...
>>
>> Tim Bolton
>> 148 2nd Street North
>> Central City Iowa, 52214
>> SMS - xxxxxxxxxxxxxxxx
>>
>> Microsoft Certified IT Professional
>>
>> Blog - Http://timbolton.net/
>>
>> "Applying computer technology is simply finding the right wrench to pound in the correct screw." ~ Steve Riley
| | Tim Bolton | |
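Step 1 of Jerry's list above (pull the GPO's User\registry.pol from SYSVOL and confirm the RestrictRun data is in it and the file is intact) can be done offline without RegView. The parser below is an added example written for this thread, not code from any of the posters: it assumes the documented registry.pol layout (a "PReg" header plus version 1, then [key;value;type;size;data] records in UTF-16LE), assumes the allow list is stored as numbered REG_SZ values under ...\Explorer\RestrictRun as the "Run only specified Windows applications" template writes it (the page's RestrictApps_RestrictAppsList is the template's list element name), and builds a constructed sample file rather than reading a real one. It also totals the characters in the list, which is the figure Jerry's note about old length limits would apply to.

```python
"""Offline check for step 1 of the list above: parse a GPO's User\\registry.pol
and report what it carries for RestrictRun. Added example for this thread, not
code from any of the posters. Assumes the documented PReg v1 layout and that the
allow list is numbered REG_SZ values under ...\\Explorer\\RestrictRun (as the
"Run only specified Windows applications" template writes it); sample constructed."""
import struct
from dataclasses import dataclass

REG_SZ, REG_DWORD = 1, 4
EXPLORER_KEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
RESTRICTRUN_KEY = EXPLORER_KEY + r"\RestrictRun"


def _u16(s):
    return s.encode("utf-16-le")


@dataclass
class PolEntry:
    key: str
    value: str
    reg_type: int
    data: bytes

    def as_text(self):
        """REG_DWORD: decimal string; anything else: UTF-16LE text without its NUL."""
        if self.reg_type == REG_DWORD and len(self.data) == 4:
            return str(struct.unpack("<I", self.data)[0])
        return self.data.decode("utf-16-le", errors="replace").rstrip("\x00")


def _read_wstr(buf, pos):
    """Read a NUL-terminated UTF-16LE string; return (text, offset after the NUL)."""
    end = pos
    while buf[end:end + 2] != b"\x00\x00":
        if end + 2 > len(buf):
            raise ValueError("unterminated string: registry.pol is corrupt")
        end += 2
    return buf[pos:end].decode("utf-16-le"), end + 2


def _expect(buf, pos, token):
    """Consume a literal '[', ';' or ']' or fail loudly."""
    tok = _u16(token)
    if buf[pos:pos + len(tok)] != tok:
        raise ValueError(f"expected {token!r} at offset {pos}: registry.pol is corrupt")
    return pos + len(tok)


def _dword(buf, pos):
    if pos + 4 > len(buf):
        raise ValueError("truncated DWORD: registry.pol is corrupt")
    return struct.unpack("<I", buf[pos:pos + 4])[0]


def parse_registry_pol(buf):
    """Return every record as a PolEntry; raise ValueError on a bad or garbled file."""
    if buf[:4] != b"PReg" or _dword(buf, 4) != 1:
        raise ValueError("no PReg v1 header: not a registry.pol file, or corrupt")
    pos, entries = 8, []
    while pos < len(buf):
        pos = _expect(buf, pos, "[")
        key, pos = _read_wstr(buf, pos)
        pos = _expect(buf, pos, ";")
        value, pos = _read_wstr(buf, pos)
        pos = _expect(buf, pos, ";")
        reg_type, pos = _dword(buf, pos), pos + 4
        pos = _expect(buf, pos, ";")
        size, pos = _dword(buf, pos), pos + 4
        pos = _expect(buf, pos, ";")
        data = buf[pos:pos + size]
        if len(data) != size:
            raise ValueError("truncated data field: registry.pol is corrupt")
        pos = _expect(buf, pos + size, "]")
        entries.append(PolEntry(key, value, reg_type, data))
    return entries


def audit_restrictrun(entries):
    """enabled: the Explorer\\RestrictRun DWORD (None if absent); allowed: the listed
    executables; list_chars: total characters in the list (old length limits apply here)."""
    enabled, allowed = None, []
    for e in entries:
        if e.key.lower() == EXPLORER_KEY.lower() and e.value.lower() == "restrictrun":
            enabled = (e.as_text() == "1") if e.reg_type == REG_DWORD else None
        elif e.key.lower() == RESTRICTRUN_KEY.lower() and e.reg_type == REG_SZ:
            if not e.value.startswith("**"):  # skip **DelVals.-style control records
                allowed.append(e.as_text())
    return {"enabled": enabled, "allowed": allowed,
            "list_chars": sum(len(a) for a in allowed)}


def build_entry(key, value, reg_type, data):
    """Encode one [key;value;type;size;data] record (used to build the sample)."""
    return (_u16("[" + key + "\x00;" + value + "\x00;") + struct.pack("<I", reg_type)
            + _u16(";") + struct.pack("<I", len(data)) + _u16(";") + data + _u16("]"))


# Constructed sample (not a captured file): policy enabled, three allowed programs.
SAMPLE_POL = (
    b"PReg" + struct.pack("<I", 1)
    + build_entry(EXPLORER_KEY, "RestrictRun", REG_DWORD, struct.pack("<I", 1))
    + build_entry(RESTRICTRUN_KEY, "**DelVals.", REG_SZ, _u16(" \x00"))
    + build_entry(RESTRICTRUN_KEY, "1", REG_SZ, _u16("Winword.exe\x00"))
    + build_entry(RESTRICTRUN_KEY, "2", REG_SZ, _u16("Powerpnt.exe\x00"))
    + build_entry(RESTRICTRUN_KEY, "3", REG_SZ, _u16("Excel.exe\x00"))
)
```

To check a downloaded file, pass its bytes to parse_registry_pol and hand the result to audit_restrictrun; a ValueError means the file is not intact, which is the "garbled or corrupt" case Jerry mentions.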
| john.vanmeter
Posts:41
 | | 08/21/2010 5:15 PM |
| Bit9 may be a better solution
Best Regards ::John van Meter Never be afraid to try something new. Remember amateurs built the Ark, Professionals built the Titanic.
Sent from my iPhone
On Aug 20, 2010, at 3:31 PM, Tim Bolton <xxxxxxxxxxxxxxxx> wrote:
> "Which editions of Windows 7 and Windows Server 2008 R2 support AppLocker rules? - AppLocker rules can be enforced on computers running Windows 7 Ultimate, Windows 7 Enterprise, or any edition of Windows Server 2008 R2 except Windows Web Server 2008 R2 and Windows Server 2008 R2 Foundation."
>
> I will have to look at Software Restriction Policies features unless they are able to upgrade to Ultimate...
| | | |
| jsclmedave
Posts:67
 | | 08/21/2010 5:26 PM |
| Thanks for the suggestion John, however they currently have a 3rd party application - Lumension® Application Control (formerly sanctuary) - which they have found to be extremely difficult to maintain especially with the SQL back-end constantly having issues.
They were hoping to use the built in processes within WIN 7.
Unfortunately due to the way this "State Agency" is forced to purchase their equipment and software, they are caught with their backs against a wall. The only other option other than WIN 7 Pro is to upgrade all machines to Enterprise at a huge cost, it actually doubled the price of each PC.
I will see what I am able to do with SRP... I may have to recommend they renew their license with Lumension® Application Control (formerly sanctuary).
Tim Bolton 148 2nd Street North Central City Iowa, 52214 SMS - xxxxxxxxxxxxxxxx
Microsoft Certified IT Professional
Blog - Http://timbolton.net/
"Applying computer technology is simply finding the right wrench to pound in the correct screw." ~ Steve Riley
On Sat, Aug 21, 2010 at 10:40 AM, John van Meter <xxxxxxxxxxxxxxxx> wrote:
> Bit9 may be a better solution
| | Tim Bolton | |
| mpietrzak
Posts:28
 | | 08/21/2010 5:56 PM |
| Bit9 is the biggest waste of time software that ever was. Not only that, their sales guys, even their regional sales guys, like to lie about its functionality.
The application control that's built into the Sophos endpoint protection is MUCH easier to manage and operate.
Michael
-----Original Message-----
From: xxxxxxxxxxxxxxxx on behalf of John van Meter
Sent: Sat 8/21/2010 8:40 AM
To: xxxxxxxxxxxxxxxx
Cc: xxxxxxxxxxxxxxxx
Subject: Re: [gptalk] White List Issue

Bit9 may be a better solution
> > > > 2 DCs - 2003 SP1 > > > > 50 users - 90% WIN 7 Pro - 10% XP > > > > They had a GP with a White List created. They decided to expand it for other users so they made a copy of the original GP with the White List. > > > > Now they are having major issues - > > > > 1) In copied GP cannot view white list objects > > > > 2) As of TODAY cannot see white list objects in original GP > > > > 3) If they add an app to the white list allow, SOME users can not open the app. They receive the not allowed error. > > a) Tried gpupdate /force > > b) Tried rebooting PC multiple times > > c) They move the User to an Admin OU, they can now open the app, once the Users are moved back to the Users OU the app will continue to work. > > > > > > This happens randomly with users and apps, no pattern, has been cases where it was a single person only. > > > > Time permitting - I will attempt to get screen shots this weekend and will try to pull settings from OU using Darren's GP Compare tool. > > > > This is going to be a major issue when they start pushing out new applications in the near future. > > > > I am stumped at this point and am not sure where to start... I am thinking it may be a registry issue but again not sure where to start. > > > > > > > > Tim Bolton > > 148 2nd Street North > > Central City Iowa, 52214 > > SMS - xxxxxxxxxxxxxxxx > > > > Microsoft Certified IT Professional > > > > Blog - Http://timbolton.net/ > > > > "Applying computer technology is simply finding the right wrench to pound in the correct screw." ~ Steve Riley > > > > > > > > >
| | | |
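Jerry's first check above, dumping the GPO's registry.pol and looking for the RestrictRun key, can also be done with a small parser. The following is an added example written for this thread (not code from the list, from Microsoft or from the RegView tool): it reads the documented PReg layout, reports the policy's enabled flag and allowed-app list, and rejects a truncated or mis-framed file of the kind Jerry describes. It assumes the allowed apps are stored as numbered REG_SZ values 1, 2, ... under the RestrictRun key with a "**delvals." housekeeping entry, as constructed in build_sample_pol; compare against a real file from SYSVOL before relying on that layout.

```python
# Reads a Group Policy registry.pol (PReg) blob and reports what the
# "Run only specified Windows applications" policy in it carries.
# Format: b"PReg" + DWORD version 1, then [key;value;type;size;data]
# entries; framing chars and strings are UTF-16LE, type/size are LE DWORDs.
import struct

REG_SZ = 1
REG_DWORD = 4

EXPLORER_KEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"  # from Jerry's message
RESTRICTRUN_KEY = EXPLORER_KEY + r"\RestrictRun"

class PolFormatError(ValueError):
    """Raised when the file is truncated or an entry's framing is wrong."""

def _read_utf16z(buf, pos):
    """Return (text, new_pos) for a NUL-terminated UTF-16LE string at pos."""
    end = pos
    while buf[end:end + 2] != b"\x00\x00":
        if end + 2 > len(buf):
            raise PolFormatError("unterminated string at offset %d" % pos)
        end += 2
    return buf[pos:end].decode("utf-16-le"), end + 2

def _read_dword(buf, pos):
    if pos + 4 > len(buf):
        raise PolFormatError("truncated DWORD at offset %d" % pos)
    return struct.unpack_from("<I", buf, pos)[0], pos + 4

def _expect(buf, pos, ch):
    """Consume one framing character ('[', ';' or ']') encoded as UTF-16LE."""
    if buf[pos:pos + 2] != ch.encode("utf-16-le"):
        raise PolFormatError("expected %r at offset %d" % (ch, pos))
    return pos + 2

def parse_pol(buf):
    """Parse a PReg blob into a list of (key, value_name, type, data) tuples."""
    if buf[:4] != b"PReg":
        raise PolFormatError("missing PReg signature")
    version, pos = _read_dword(buf, 4)
    if version != 1:
        raise PolFormatError("unsupported PReg version %d" % version)
    entries = []
    while pos < len(buf):
        pos = _expect(buf, pos, "[")
        key, pos = _read_utf16z(buf, pos)
        pos = _expect(buf, pos, ";")
        value, pos = _read_utf16z(buf, pos)
        pos = _expect(buf, pos, ";")
        rtype, pos = _read_dword(buf, pos)
        pos = _expect(buf, pos, ";")
        size, pos = _read_dword(buf, pos)
        pos = _expect(buf, pos, ";")
        data = buf[pos:pos + size]
        if len(data) != size:
            raise PolFormatError("truncated data for %s\\%s" % (key, value))
        pos = _expect(buf, pos + size, "]")
        entries.append((key, value, rtype, data))
    return entries

def restrict_run_report(buf):
    """Return {"enabled": True/False/None, "allowed": [exe names]}; None = RestrictRun not set."""
    enabled, allowed = None, []
    for key, value, rtype, data in parse_pol(buf):
        if key.lower() == EXPLORER_KEY.lower() and value.lower() == "restrictrun":
            if rtype == REG_DWORD and len(data) == 4:
                enabled = struct.unpack("<I", data)[0] == 1
        elif key.lower() == RESTRICTRUN_KEY.lower():
            if value.startswith("**"):      # "**delvals." etc. are GP housekeeping, not apps
                continue
            if rtype == REG_SZ:
                allowed.append(data.decode("utf-16-le").rstrip("\x00"))
    return {"enabled": enabled, "allowed": allowed}

def _entry(key, value, rtype, data):
    """Encode one PReg entry; only used to build the constructed sample."""
    z = lambda s: s.encode("utf-16-le") + b"\x00\x00"
    return (b"[\x00" + z(key) + b";\x00" + z(value) + b";\x00" + struct.pack("<I", rtype)
            + b";\x00" + struct.pack("<I", len(data)) + b";\x00" + data + b"]\x00")

def build_sample_pol(apps, enabled=True):
    """Constructed registry.pol (assumed layout: list items stored as values 1, 2, ...)."""
    body = _entry(EXPLORER_KEY, "RestrictRun", REG_DWORD, struct.pack("<I", int(enabled)))
    body += _entry(RESTRICTRUN_KEY, "**delvals.", REG_SZ, " \x00".encode("utf-16-le"))
    for i, app in enumerate(apps, 1):
        body += _entry(RESTRICTRUN_KEY, str(i), REG_SZ, app.encode("utf-16-le") + b"\x00\x00")
    return b"PReg" + struct.pack("<I", 1) + body

if __name__ == "__main__":
    # Constructed sample using the executables named in the policy's own help text.
    blob = build_sample_pol(["Winword.exe", "Poledit.exe", "Powerpnt.exe"])
    try:
        print(restrict_run_report(blob))
        print(restrict_run_report(blob[:-7]))   # a copy cut short, as a garbled file would be
    except PolFormatError as exc:
        print("registry.pol looks corrupt:", exc)
```

Pass the path of a downloaded registry.pol to open() in place of the constructed blob to check a real GPO.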
| john.vanmeter
Posts:41
 | | 08/21/2010 8:13 PM |
| Thanks Michael, I'll have to check it out and get back to you
Best Regards ::John van Meter Never be afraid to try something new. Remember amateurs built the Ark, Professionals built the Titanic.
Sent from my iPhone
On Aug 21, 2010, at 12:22 PM, "Michael Pietrzak" <xxxxxxxxxxxxxxxx> wrote:
> Bit9 is the biggest waste of time software that ever was. Not only that, their sales guys, even their regional sales guys, like to lie about its functionality.
>
> The application control that's built into the Sophos endpoint protection is MUCH easier to manage and operate.
>
> Michael
>
> -----Original Message-----
> From: xxxxxxxxxxxxxxxx on behalf of John van Meter
> Sent: Sat 8/21/2010 8:40 AM
> To: xxxxxxxxxxxxxxxx
> Cc: xxxxxxxxxxxxxxxx
> Subject: Re: [gptalk] White List Issue
>
> Bit9 may be a better solution
>
> Best Regards ::John van Meter
> Never be afraid to try something new. Remember amateurs built the Ark, Professionals built the Titanic.
>
> Sent from my iPhone
>
> On Aug 20, 2010, at 3:31 PM, Tim Bolton <xxxxxxxxxxxxxxxx> wrote:
| | | |
| jsclmedave
Posts:67
 | | 08/26/2010 3:52 AM |
| FINALLY!!
I "think" I got most of the Best Practice SRP settings in place within a New OU and test GP. I was combining copies of the other GPs they are using when I noticed that someone had tried to set AppLocker rules and someone had turned on SRP in about 8 different locations...
I also had to apply this HotFix http://support.microsoft.com/kb/981750/en-us
I am now adding known paths to in-house apps and making sure other apps (Anti Virus etc.) are set correctly.
Once it all works on a test PC with the test logon, I will have a real user log onto the test PC. I will then try a couple of users on their work PCs. If all is well I will then push out to the rest of the users.
If anyone has any suggestions or gotchas for SRP I would really appreciate it.
Thanks in Advance!
It's always an adventure walking into an unknown network. : )
Tim Bolton 148 2nd Street North Central City Iowa, 52214 SMS - xxxxxxxxxxxxxxxx
Microsoft Certified IT Professional
Blog - Http://timbolton.net/
"Applying computer technology is simply finding the right wrench to pound in the correct screw." ~ Steve Riley
On Sat, Aug 21, 2010 at 1:48 PM, John van Meter <xxxxxxxxxxxxxxxx> wrote:
> I've tried AppLocker on 45k workstations and it just seemed clunky. Just my two shiny centavos
>
> Best Regards ::John van Meter
> Never be afraid to try something new. Remember amateurs built the Ark, Professionals built the Titanic.
>
> Sent from my iPhone
>
> On Aug 21, 2010, at 11:56 AM, Tim Bolton <xxxxxxxxxxxxxxxx> wrote:
>
> > Thanks for the suggestion John, however they currently have a 3rd party application - Lumension® Application Control (formerly Sanctuary) - which they have found to be extremely difficult to maintain, especially with the SQL back-end constantly having issues.
> >
> > They were hoping to use the built in processes within WIN 7.
> >
> > Unfortunately due to the way this "State Agency" is forced to purchase their equipment and software, they are caught with their backs against a wall. The only other option other than WIN 7 Pro is to upgrade all machines to Enterprise at a huge cost; it actually doubled the price of each PC.
> >
> > I will see what I am able to do with SRP... I may have to recommend they renew their license with Lumension® Application Control (formerly Sanctuary).
> >
> > On Sat, Aug 21, 2010 at 10:40 AM, John van Meter <xxxxxxxxxxxxxxxx> wrote:
> >> Bit9 may be a better solution
> >>
> >> Best Regards ::John van Meter
> >> Never be afraid to try something new. Remember amateurs built the Ark, Professionals built the Titanic.
> >> Sent from my iPhone
> >> On Aug 20, 2010, at 3:31 PM, Tim Bolton <xxxxxxxxxxxxxxxx> wrote:
| | Tim Bolton | |
|
|