AppLocker default executable allow rule for Administrators doesn't work
I've seen several posts about the AppLocker default executable allow rule for BUILTIN\Administrators not working. However, I've seen no answers. People have found that using security groups such as Administrators and Domain Admins doesn't work; however, adding users directly does work. I've tested it myself and found that AppLocker actually works with the default allow rule for Administrators if you disable UAC, but this is an unacceptable solution. Using Run as Administrator of course also works, so maybe that is a usable workaround for IT support people. Can anyone confirm and/or refer to documentation? Thanks. /Ragnar
July 9th, 2010 1:55pm

Could you refer to any examples of people with this kind of problem? Thanks! Blogging about Windows for IT pros at www.theexperienceblog.com
July 14th, 2010 11:38am

Sorry for the late reply, I was on vacation. Well, you could check out this thread; two people in the thread have the same problem: http://social.technet.microsoft.com/forums/en-us/w7itprosecurity/thread/3813D4AE-C2BE-444F-AFB8-63EB077D67FD And you could try to reproduce the problem. /Ragnar
August 13th, 2010 9:55am

We are also experiencing this problem. Surely the two solutions must be compatible?! This is quite a design flaw.
August 17th, 2010 6:14pm

So no MVP or MS guy wants to take a crack at this thread? I'll register it with MS Support next week then... Anyone? Thanks! /Ragnar
August 20th, 2010 10:59am

What exactly doesn't work? Neither your post nor the one you linked to offers any sort of error message that would allow someone to research this further. In your own troubleshooting, have you changed your AppLocker settings to Audit mode and checked for event log entries which list the issue you're seeing as a possible block? (event log info - http://technet.microsoft.com/en-us/library/dd723693%28WS.10%29.aspx) I've not moved my AppLocker config from audit to enforce, but I have not seen such an issue.
August 22nd, 2010 5:12pm

OK, so if you have a rule that allows an executable to run and that is assigned to BUILTIN\Administrators, either the default rule or a newly created one: when the user logs on, that executable will be blocked if UAC is enabled. If UAC is disabled, either for admins or for everyone, then it works fine. If a rule is created for just the user rather than a group, then that works fine, even with UAC enabled. UAC is disabled by default for the Administrator account, so it is only noticeable on other accounts. This is the same in audit or enforce, and it is logged as blocked with a match against the username.
August 24th, 2010 1:02pm

Hello and sorry about the late reply. The problem is that administrators in the domain (e.g. domain admins or members of the local Administrators group) are denied by AppLocker unless they right-click and choose Run as Administrator, or if UAC is disabled. To reproduce the issue I'm talking about:
1) Create a GPO with AppLocker policies enabled. Configure AppLocker to Enforce rules or Audit only. Create the default rules for Executable Rules. Three rules will be created automatically: a) Everyone allow for the Program Files folder, b) Everyone allow for the Windows folder and c) Administrators allow all files.
2) Gpupdate and start the Application Identity service.
3) Log on as an administrator (domain account, member of the local Administrators account) and try to execute a program (exe) not located in the Windows or Program Files folder. If you selected Enforce rules you will get the deny message; if you selected Audit only you'll have to check the AppLocker event log.
4) Using the above account, right-click the exe file and select Run as Administrator. You'll see that it works.
So my problem is that this seems to work not so well, and I can't find documentation confirming it from MS. /Ragnar
August 24th, 2010 10:17pm

> Hello and sorry about the late reply. The problem is that administrators in the domain (e.g. domain admins or members of the local Administrators group) are denied by AppLocker unless they right-click and choose Run as Administrator, or if UAC is disabled.
The auth/technical model used by Windows 7 explains this. It is working as designed. If AppLocker were failing you would see the typical block message saying that the system won't allow XXX app from running. The reason you are seeing the failure unless UAC is off or you are right-clicking and choosing Run as administrator is because of the access token assigned to your privileged account. You run a privileged account in a standard user context until privileged access is requested and UAC auth (if on) has been approved, at which time your privileged account is given a token indicating it can now use the superset of rights. This is a description of UAC in Vista that further details this (7 really didn't change the operation of UAC, just how it was enacted) - http://technet.microsoft.com/en-us/library/cc709628(WS.10).aspx
August 26th, 2010 6:59am

If this is by design, have you found any MS documentation explaining this behaviour of AppLocker due to UAC? Actually the admin user does get the usual block message from AppLocker if they don't use Run as administrator. Yes, I know about UAC behaviour, that's why I tried Run as administrator. It's just a bit difficult to educate local IT support and super users to choose Run as administrator. Thanks. /Ragnar
September 1st, 2010 11:32am

> If this is by design, have you found any MS documentation explaining this behaviour of AppLocker due to UAC? Actually the admin user does get the usual block message from AppLocker if they don't use Run as administrator. Yes, I know about UAC behaviour, that's why I tried Run as administrator. It's just a bit difficult to educate local IT support and super users to choose Run as administrator. Thanks. /Ragnar
I've not seen anything specifically relating UAC back to AppLocker, and I do understand your pain, as my own co-worker has the issue understanding this.
September 3rd, 2010 6:01am

I don't get the point of having to use Run As Administrator even if the rules are set to allow Administrators. Besides, explain one thing about my situation to me: I have one admin user, let's say it's called ITAdmin, and it belongs to the Domain Admins group. I have a folder C:\ITStuff. I define a rule to allow Domain Admins to run executables in C:\ITStuff. When I try to run a program.exe in that folder with ITAdmin I can't, unless I choose Run As Administrator. Now, I change the rule a bit: I remove the Domain Admins group and I add the ITAdmin user. I try again to run Program.exe in C:\ITStuff, and voilà, it works... even without using Run As Administrator. Can you explain this to me??? One other thing I have: in the logon script I need to run a program/script in a specific folder to which Domain Admins have rights, and I can't... Can you tell me how to "Run As Administrator" in a logon script???
September 15th, 2010 1:58pm

Because you have two security tokens when UAC is enabled: one token without your admin credentials and one token with your admin credentials. Everything you do while logged in is done with the security token without admin privileges until you do something that requires administrative privileges, after which your security token with admin privileges is used. This means that AppLocker will never see that you have admin privileges until you choose "run as administrator", because that security token is the only one containing any information that you are part of the Domain Admins group. EDIT: I wrote a blog post about a related issue, have a look at http://www.theexperienceblog.com/2010/09/18/case-of-the-mysterious-issues-in-windows-7-and-windows-server-2008-r2/ Blogging about Windows for IT pros at www.theexperienceblog.com
September 18th, 2010 10:31am
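The split-token behaviour described in the reply above, as an added diagnostic script that is not from the thread or any poster. It assumes PowerShell on a UAC-enabled Windows 7 machine with the AppLocker module available, and uses C:\ITStuff\program.exe from the thread as a placeholder path.

```powershell
# Added example, not from the thread: show why an AppLocker allow rule for
# BUILTIN\Administrators does not match a non-elevated admin session under UAC.
# In the filtered (non-elevated) token, Administrators (S-1-5-32-544) is marked
# "Group used for deny only", so rules keyed on that group do not apply until
# the process is elevated with "Run as administrator".
# $TestExe is a placeholder path taken from the thread; point it at a real file.
param([string]$TestExe = 'C:\ITStuff\program.exe')

$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
$adminSid  = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')

# IsInRole checks the current process token; deny-only groups do not count.
$elevated = $principal.IsInRole($adminSid)
Write-Host "Current token is elevated: $elevated"

# whoami /groups lists every SID in the token with its attributes. In a
# non-elevated admin session the Administrators row carries the deny-only flag.
$adminRow = whoami /groups /fo csv | ConvertFrom-Csv |
    Where-Object { $_.SID -eq 'S-1-5-32-544' }
if ($adminRow) {
    Write-Host "Administrators attributes: $($adminRow.Attributes)"
    if ($adminRow.Attributes -match 'deny only') {
        Write-Host 'Filtered token: a BUILTIN\Administrators allow rule will not match this session.'
    }
}

# Evaluate the effective policy for the file against two principals: the
# Administrators group (what the elevated token carries) and Everyone (what a
# file outside Program Files / Windows gets without the group). The difference
# between the two decisions is the gap the thread is describing.
if (Test-Path $TestExe) {
    $policy = Get-AppLockerPolicy -Effective
    foreach ($who in 'S-1-5-32-544', 'Everyone') {
        Test-AppLockerPolicy -PolicyObject $policy -Path $TestExe -User $who |
            Select-Object @{n='Principal'; e={$who}}, FilePath, PolicyDecision, MatchingRule
    }
}
```

Run it once from a normal PowerShell window and once from an elevated one; the IsInRole result and the Administrators attributes flip between the two, while the policy decisions per principal stay the same.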


Check this link, it may help you: http://mabdelhamid.wordpress.com/2011/10/23/how-to-configure-applocker-group-policy-to-prevent-software-from-running/
Mohamed Abd Elhamid Abd Elaziz, Microsoft System Administrator, Abdul Samad Al Qurashi Co. My blog: http://Mabdelhamid.wordpress.com/
October 24th, 2011 5:21am

Hi, any update? We are waiting for you.
Mohamed Abd Elhamid Abd Elaziz, Microsoft System Administrator. My blog: http://Mabdelhamid.wordpress.com/
January 12th, 2012 10:55am
