How to deploy Software Restriction Policy GPO
Software Restriction Policy using Group Policy
Software Restriction Policy is used to restrict access to newly installed programs or pre-installed Windows programs. Consider a call center as an example: an organization hires a person for a particular process, and he/she is expected to use only a certain set of applications and is not allowed to access other programs. In that case, the organization can deploy a software restriction policy, which blocks all the software the user is not allowed to access.
We have already learned about Group Policies and the procedure to remotely install software on client computers. Group Policy is a combination of settings through which we can allow or restrict users' access to software, remotely install applications, restrict applications and programs, etc. Through the Group Policy Management Console (GPMC), we can manage existing Group Policy Objects (GPOs) and create new ones.
Let us take a scenario to understand Software Restriction Policy in detail. Assume that some users have installed VLC media player on their desktops and we want to block their access to VLC media player by deploying a software restriction policy. In this post, we take the example that users have installed VLC media player on the computers DC05 and DC06. You can also check our post on renaming computers.
Deploy Software Restriction Policies
1. Software Restriction Policy is a computer-based setting; therefore, create an Organizational Unit named “Sales” in Active Directory Users and Computers and move the computer objects DC05 and DC06 into it. By default, all computer objects are created in the “Computers” container.
2. Open GPMC on the Domain Controller, right-click the OU (Sales) and click “Create a GPO in this domain, and Link it here”. A new GPO is like an empty template; we have to edit it and define the settings.
3. Enter the name of Group Policy Object. Here, we would use the name “Restrict Software” in this example and click on OK.
7. The dark arrow next to the GPO confirms that it is linked to the OU. Right-click the GPO and click “Edit” to edit its settings and enable the policy.
8. In the Group Policy Management Editor, expand Computer Configuration, then Policies, then Windows Settings. Under Security Settings, expand Software Restriction Policies, right-click Additional Rules and click “New Path Rule” to create a new rule that restricts the application's path.
9. Enter the local path of the application we want to restrict, set the security level to Disallowed, and click Apply and then OK. The local path of VLC media player on a client machine is “C:\Program Files (x86)\VideoLAN\VLC”. Users usually install software to the default path, which is selected automatically during installation. If VLC media player is installed in a location other than the default one, the software restriction policy will not block access to it. Please ensure that the application path is correct; otherwise the program will not be restricted. In addition, you can use the Description field to give details about this deployed GPO.
10. Here we can see our policy's name, type and security level under Additional Rules. The security level defines the state of the application.
11. Go to a client computer, i.e. DC05 or DC06, and either wait for the settings to update, which takes anywhere between 90 and 120 minutes, or run the command gpupdate /force to refresh Group Policy. Now try to open VLC from its Start menu icon.
12. An error message pops up saying that this program has been blocked by the system administrator. This confirms that the Restrict Software policy is working.
13. Now let’s try to open VLC media player another way, i.e. from the location where it is installed, “C:\Program Files (x86)\VideoLAN\VLC”. Again we get an error message saying that access to this program is blocked.
Note: The software restriction settings are applied to the local path on each computer. If an application is installed in a location other than the one specified in the GPO, the defined settings cannot restrict access to that application. Therefore, please ensure that the application path is correct.
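The two things to verify after step 11 are that the path rule actually reached the client and that it points at the directory VLC is really installed in (the Note above). The following PowerShell script is an added example, not part of the original post; it reads the Safer path rules that a computer-configuration SRP GPO writes under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer, compares them with the VLC install location recorded by its uninstaller entry, and lists recent path-rule block events. The VLC path is the one from step 9; the rule name “Restrict Software” is only used in messages.

```powershell
# Added example (not from the original post): run on a client such as DC05 after gpupdate /force.
$ExpectedPath = 'C:\Program Files (x86)\VideoLAN\VLC'   # path entered in the GPO path rule (step 9)
$SaferRoot    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
# Each security level is a subkey named by its numeric Safer level ID
$LevelNames   = @{ '0' = 'Disallowed'; '131072' = 'Basic User'; '262144' = 'Unrestricted' }

# 1. Enumerate every path rule the computer policy has written to the registry
$rules = foreach ($level in Get-ChildItem $SaferRoot -ErrorAction SilentlyContinue) {
    $pathsKey = Join-Path $level.PSPath 'Paths'
    if (-not (Test-Path $pathsKey)) { continue }
    foreach ($rule in Get-ChildItem $pathsKey) {
        $p = Get-ItemProperty $rule.PSPath
        [pscustomobject]@{
            Level       = $LevelNames[$level.PSChildName]
            Path        = $p.ItemData          # the path string entered in the GPO
            Description = $p.Description
        }
    }
}
$rules | Format-Table -AutoSize

# 2. Confirm a Disallowed rule exists for the expected VLC path
$vlcRule = $rules | Where-Object { $_.Level -eq 'Disallowed' -and $_.Path -eq $ExpectedPath }
if ($vlcRule) { "OK: Disallowed rule for '$ExpectedPath' is applied on this computer" }
else          { "MISSING: no Disallowed rule for '$ExpectedPath'. Re-run gpupdate /force and check the GPO link on the Sales OU." }

# 3. The rule only matches this exact path, so compare it with where VLC is actually installed
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'VLC*' } |
    ForEach-Object {
        $actual = "$($_.InstallLocation)".TrimEnd('\')
        if ($actual -and $actual -ne $ExpectedPath) {
            "WARNING: VLC is installed in '$actual'; the rule for '$ExpectedPath' will not block it"
        } else { "VLC install location matches the rule path" }
    }

# 4. Blocks are logged in the Application log by source SoftwareRestrictionPolicies;
#    event ID 866 is the "restricted by a path rule" event, useful for checking steps 12 and 13
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'SoftwareRestrictionPolicies'; Id = 866 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
```

Run it from an elevated PowerShell session; if section 1 prints nothing at all, the computer policy has not been applied yet, so check the GPO link and the computer's OU membership before looking at the rule itself.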
Conclusion:
Software restriction policies can help in restricting applications for domain users. It is the simplest method to restrict any application in your environment. Please ensure that all the machines are part of the domain when deploying these settings. In addition, you need to reboot your machines, as these are computer-based settings and not user-based. Don’t forget to mention in the comments the restrictions that you have deployed in your organization.