Are AppLocker rules actually better than Software Restriction Policies?
I have tried AppLocker / Application Control Policies as an alternative to using Software Restriction Policies, and it is somewhat easier to administer and maintain, but it seems to be almost identical in what you can do with regard to what I try to do.

My need is to be able to let users run most programs installed into %ProgramFiles%, but to restrict running some applications to members of specific groups. One group per app, and maybe something like 50-60 different restricted apps and maybe 150-250 unrestricted apps.

So this is what I have to do to make it work:

1. Modify the default rule which allows Everyone to run "All programs in the Program Files folder", and add an exception for all the 50 to 60 apps that I need to restrict.
2. Create one rule for each restricted application with Allow run for the application group (Apl_AppName) for the application executable or folder path.

This works, but what really would have made this feature fly would be the possibility to specify that a rule applies to all who are NOT members of a specific group. If that was possible, I could change the strategy to this:

1. Create one rule for each restricted application with Deny run for all NOT members of the application group (Apl_AppName).

Actually, the last strategy can be used with Software Restriction Policies, where I could create one Deny policy per restricted application, grant Authenticated Users Apply Policy, and add a Deny Apply Policy ACE (Access Control Entry) for the application group. That way, the policy would deny running the application to all users except the members of the application group.

The negative about using Software Restriction Policies is that I need to create one GPO per restricted application. The way that AppLocker rules are implemented means that I can use only one GPO, but must define both an Allow rule and an Exception for each restricted application.

The exceptions are also not visible in the primary GUI of AppLocker, of course, so some overview is missing.

So, please Microsoft, implement the ability to bind a rule to users NOT members of a specific group! Without that possibility, AppLocker rules are actually, in this respect, less usable than SRP.
June 5th, 2009 3:09pm
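The two-step AppLocker layout described in the post (a modified Everyone rule for %ProgramFiles% with one exception per restricted folder, plus one Allow rule per application group) can be generated and checked from PowerShell instead of being clicked together in the GPO editor. The script below is an added example and is not code from the original thread or from Microsoft; the application folders, the domain CONTOSO, the user alice and the group SIDs are placeholder assumptions, and the AppLocker cmdlets used (Test-AppLockerPolicy, Set-AppLockerPolicy) are the ones shipped with the AppLocker module.

```powershell
# Added example (not from the original thread): build the AppLocker policy the post
# describes and test it before it goes into a GPO. All names, paths and SIDs are placeholders.

# Hypothetical map: restricted application folder -> SID of the group allowed to run it.
# Resolve real group SIDs with, e.g.:
#   (New-Object Security.Principal.NTAccount('CONTOSO','Apl_AcmeCad')).Translate([Security.Principal.SecurityIdentifier]).Value
$restricted = [ordered]@{
    '%PROGRAMFILES%\AcmeCad\*'    = 'S-1-5-21-1111111111-2222222222-3333333333-1101'   # Apl_AcmeCad (placeholder)
    '%PROGRAMFILES%\FinanceApp\*' = 'S-1-5-21-1111111111-2222222222-3333333333-1102'   # Apl_FinanceApp (placeholder)
}

# Append one <FilePathRule> to a <RuleCollection>; Exceptions become the rule's <Exceptions> block.
function Add-FilePathRule {
    param(
        [Parameter(Mandatory)][System.Xml.XmlElement]$Collection,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Sid,
        [Parameter(Mandatory)][ValidateSet('Allow','Deny')][string]$Action,
        [Parameter(Mandatory)][string[]]$Paths,
        [string[]]$Exceptions = @()
    )
    $doc  = $Collection.OwnerDocument
    $rule = $Collection.AppendChild($doc.CreateElement('FilePathRule'))
    $rule.SetAttribute('Id', [guid]::NewGuid().ToString())   # AppLocker expects a GUID per rule
    $rule.SetAttribute('Name', $Name)
    $rule.SetAttribute('Description', '')
    $rule.SetAttribute('UserOrGroupSid', $Sid)
    $rule.SetAttribute('Action', $Action)
    $cond = $rule.AppendChild($doc.CreateElement('Conditions'))
    foreach ($p in $Paths) {
        $c = $cond.AppendChild($doc.CreateElement('FilePathCondition'))
        $c.SetAttribute('Path', $p)
    }
    if ($Exceptions.Count -gt 0) {
        $exc = $rule.AppendChild($doc.CreateElement('Exceptions'))
        foreach ($p in $Exceptions) {
            $c = $exc.AppendChild($doc.CreateElement('FilePathCondition'))
            $c.SetAttribute('Path', $p)
        }
    }
}

function New-RestrictedAppLockerPolicy {
    param(
        [Parameter(Mandatory)][System.Collections.IDictionary]$RestrictedApps,
        [ValidateSet('AuditOnly','Enabled')][string]$EnforcementMode = 'AuditOnly'   # flip to Enabled after testing
    )
    $doc  = New-Object System.Xml.XmlDocument
    $root = $doc.AppendChild($doc.CreateElement('AppLockerPolicy'))
    $root.SetAttribute('Version', '1')
    $coll = $root.AppendChild($doc.CreateElement('RuleCollection'))
    $coll.SetAttribute('Type', 'Exe')
    $coll.SetAttribute('EnforcementMode', $EnforcementMode)

    # Step 1 from the post: the Everyone (S-1-1-0) rule for Program Files, with every
    # restricted folder listed as an exception so the default rule no longer covers it.
    Add-FilePathRule -Collection $coll -Name 'All programs in Program Files (minus restricted apps)' `
        -Sid 'S-1-1-0' -Action 'Allow' -Paths '%PROGRAMFILES%\*' -Exceptions @($RestrictedApps.Keys)

    # Step 2 from the post: one Allow rule per restricted folder, scoped to its application group.
    # Anyone outside that group matches no Allow rule for the folder and is denied.
    foreach ($path in $RestrictedApps.Keys) {
        Add-FilePathRule -Collection $coll -Name "Restricted app: $path" `
            -Sid $RestrictedApps[$path] -Action 'Allow' -Paths $path
    }

    # Keep AppLocker's other default rules. Without them, enforcing the Exe collection blocks
    # Windows itself (explorer.exe lives under %WINDIR%) and locks administrators out.
    Add-FilePathRule -Collection $coll -Name 'All files located in the Windows folder' `
        -Sid 'S-1-1-0' -Action 'Allow' -Paths '%WINDIR%\*'
    Add-FilePathRule -Collection $coll -Name 'All files (Administrators)' `
        -Sid 'S-1-5-32-544' -Action 'Allow' -Paths '*'
    return $doc
}

$policy = New-RestrictedAppLockerPolicy -RestrictedApps $restricted
$out    = Join-Path $env:TEMP 'applocker-restricted.xml'
$policy.Save($out)

# Dry run against the generated XML: a user outside Apl_AcmeCad should come back Denied,
# a member Allowed. User and path are placeholders; the file must exist on the machine running this.
Test-AppLockerPolicy -XmlPolicy $out -Path 'C:\Program Files\AcmeCad\acmecad.exe' -User 'CONTOSO\alice'

# Deploy into the GPO (placeholder LDAP path). -Merge keeps the GPO's other rule collections.
# Set-AppLockerPolicy -XmlPolicy $out -Merge `
#     -Ldap 'LDAP://dc1.contoso.com/CN={GPO-GUID},CN=Policies,CN=System,DC=contoso,DC=com'
```

Test-AppLockerPolicy returns one result per path with a PolicyDecision and the MatchingRule, which is the quickest way to confirm that a restricted folder really does fall out of the Everyone rule and is only reached through its group rule. Keeping the collection in AuditOnly first and reading the AppLocker event log for would-be blocks avoids discovering a missing exception or a mistyped path in production.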

Not sure I understand - denies are implicit as well as explicit. So if I allow 'somegroup' access to an app, anyone not a member of that group is implicitly denied. So in your steps 1 and 2 above, why not just skip step 1 - it's unnecessary. Don't create the default Everyone rule. You can still use one GPO for this too, as each rule would be discrete for a group, with no exceptions needed.

I may not be understanding you though, feel free to explain further.

Ned Pyle [MSFT] - MS Enterprise Platforms Support - Beta Team
June 6th, 2009 9:04pm

I need the default rule to avoid having to manage rules for every one of the 150 to 250 unrestricted apps. As I wrote, we may possibly have 50-60 restricted apps and about 150-250 unrestricted apps, where the list of unrestricted apps is increasing faster than the list of restricted apps. With your suggestion I would have to manage all the unrestricted apps as well as the restricted ones.
June 7th, 2009 11:00pm

250 unrestricted apps? That sure is a lot. Why even bother with restrictions at that point... :-/

Sounds like you're going to be awfully busy with exceptions then. The way it works isn't going to be changing. I'll pass your feedback along to the Dev team for future development, or if they have some suggested workarounds.

Ned Pyle [MSFT] - MS Enterprise Platforms Support - Beta Team
June 9th, 2009 5:31am
