Use AppLocker on notebooks: domain vs. local login?
Hello, I would like to restrict access to various programs that install themselves in folders under %APPDATA%, for example Skype, Google Chrome or Firefox. Using AppLocker I was able to do that ... But there are also some notebook users who are allowed to use all programs they like - when they are not connected to our domain. I thought it would be possible to restrict access with AppLocker via a domain group policy and define another local policy where all programs can be used - but of course the domain policy still remains. Another solution would be to use different logins: a domain login which is not allowed to use some programs and a local login which can use them. But this way you need two accounts and get problems with synchronizing the data (at least our users will ...). So, to describe it in short: I want local computer users to access all programs when they are outside the company and restrict these programs when the computer is logged into the domain. Any idea? Thank you very much, Christian
July 25th, 2012 9:19am

For AppLocker to be working at all you need to have the service Application Identity running. You could create a scheduled task that triggers on a particular event (I do not know any event id from the top of my head), so that when event X ("a domain controller was not found") occurs you run an action that stops that service. Or, you can create separate local standard user accounts and have a separate allow rule for local users.
Blogging about Windows for IT pros at www.theexperienceblog.com
July 25th, 2012 9:41am

Dear Andreas, Thank you very much for that (easy) solution - didn't think about the necessary service (shame on me)! Actually this leaves two issues unsolved: As the local user has administrative rights, he can disable the service on the domain, too. So maybe I have to work with NAP or something like that. Let's say I start the service automatically and log in as the local admin. I was able to stop the service, but opening a blocked program is still prohibited! So I guess I have to restart the computer to force this change - which starts the service again ... BTW: setting its startup to "manual" didn't solve that problem, as it seems that the policy is forcing the service to start. So maybe I have to try it the other way: disable the service during startup and enable & start it while logging in to the domain - will report this later! C.
July 25th, 2012 10:29am

OK, solved it (hopefully) :-) I will disable the service by default. If the user is starting the notebook in the domain environment, a (machine) startup script will enable and start the service (AppIdSvc) -> AppLocker will deny access to a number of programs. What I have to check is a "bulletproof" way to disable the service again if the notebook is outside the domain - either by using a shutdown script (and disabling the service again) or within the startup script, too. Anyway: I guess I can manage it! Thank you very much for your answer! C.
July 25th, 2012 10:59am
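The machine startup script the last post describes, written out as an added example (not code from the thread or from Microsoft): it tests whether a domain controller is actually reachable and enables and starts AppIdSvc only in that case, otherwise it stops and disables it. It assumes it runs as SYSTEM from a GPO computer startup script and that the notebook is domain-joined; the function name Test-DcReachable is ours.

```powershell
# Added example: computer startup script that turns AppLocker enforcement on
# (Application Identity service running) only when the notebook can reach a
# domain controller, and off otherwise. Assumes it runs as SYSTEM at startup.

$ServiceName = 'AppIdSvc'   # Application Identity, required for AppLocker

function Test-DcReachable {
    # Assumed helper: Test-ComputerSecureChannel talks to a DC to verify the
    # machine account's secure channel, so it fails (or throws) when no DC is
    # reachable or the machine is not domain-joined at all.
    try {
        return [bool](Test-ComputerSecureChannel -ErrorAction Stop)
    } catch {
        return $false
    }
}

if (Test-DcReachable) {
    # In the domain: let the domain policy's AppLocker rules apply.
    Set-Service -Name $ServiceName -StartupType Automatic
    Start-Service -Name $ServiceName
    Write-Output "DC reachable: $ServiceName enabled and started."
} else {
    # Outside the domain: stop enforcement, as the thread's approach intends.
    Stop-Service -Name $ServiceName -Force -ErrorAction SilentlyContinue
    Set-Service -Name $ServiceName -StartupType Disabled
    Write-Output "No DC reachable: $ServiceName stopped and disabled."
}
```

As the earlier post observed, stopping the running service did not immediately lift enforcement on that system, so the useful decision point is the startup script (before logon), and a shutdown script can repeat the disable step so the next off-domain boot starts clean.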
