RE: Software Restriction GPO Problem
From: Frank G (FrankG_at_discussions.microsoft.com)
Date: 09/02/05
Date: Fri, 2 Sep 2005 09:58:01 -0700
Hi Jeff,
I'm having the same problem. Environment: Windows Server 2003 Domain SP1
/ Windows XP SP2 with most recent security patches.
I apply the software restriction policies in restricted mode on a specific
user account which I want to limit to specific applications. SRP are NOT
configured on the local system nor through Computer GPOs.
Using the default 4 rules when using the "Disallowed" template, the user can
run any application located in the Windows Path (system32\calc.exe) from the
Run Box, but not from the shortcut in the Start Menu. I did the same thing
as you so I removed the "LNK" file extension from the "Designated File Types"
in the GPO. NO CHANGE on the user station.
Here is the interesting part now!
After doing some testing, I realized that although Software Restriction
Policies are not configured for the computer object (either locally or
through GPO), the locally stored value for the Designated File Types is
ALWAYS USED.
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\ExecutableTypes contains the effective value.
HKCU\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\ExecutableTypes (which value comes from the GPO) has no effect.
So a way around your problem may be to change the value in HKLM through a
computer startup script. I tried deleting the value, but strangely Windows
somehow remembers its data!
I cannot use this solution in my environment as I don't have any control
on the computer part (only user). NEED HELP on this one!!!
It looks like the following patch would solve the problem, but it does not
seem available for Windows XP. Has anybody tested it?
http://support.microsoft.com/default.aspx?scid=kb;en-us;873419
Thank you.
--
Frank G
MCSE NT4/2000/2003

"Jeff Field" wrote:

> "Wong Tuck Wah" wrote:
>
> Hello,
> I need to remove the extensions because I want them to be able to execute
> LNK and URL files no matter what, at least local ones. But the point is
> removing them doesn't seem to work like it should.
>
> Any ideas?
>
> -Jeff
>
> > Hi Jeff,
> >
> > I have no idea why you need to remove the 2 file extensions from the list.
> >
> > The Designated File Types dialog box lists the file types to which the
> > software restriction policy applies. The designated file types are file types
> > that are considered executable.
> >
> > The rules in a software restriction policy only apply to the file types
> > listed in the Designated File Types dialog box. If your environment uses a
> > file type that you want to be able to set rules on (be it allow or deny), add
> > it to the list, otherwise the rule will not apply.
> >
> > HTH.
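
A way to check the observation in the message above on a workstation, as an added example that is not part of the original post: the PowerShell below reads the ExecutableTypes value from both hives named in the message and reports where the two lists differ. It assumes PowerShell is available on the machine and that the value is stored as a REG_MULTI_SZ; the function name is hypothetical.

```powershell
# Added example, not from the original message. The key path and value name
# are the ones quoted in the message; the function name is hypothetical.
$SubKey = 'Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

function Get-SrpExecutableTypes {
    param([ValidateSet('HKLM', 'HKCU')][string]$Hive)
    $path  = "${Hive}:\$SubKey"
    $types = @()
    $found = $false
    if (Test-Path -Path $path) {
        $item = Get-ItemProperty -Path $path -Name ExecutableTypes -ErrorAction SilentlyContinue
        if ($item) {
            $found = $true
            # Assumed REG_MULTI_SZ: arrives as a string array; normalise case, drop blanks
            $types = @($item.ExecutableTypes | Where-Object { $_ } |
                       ForEach-Object { $_.Trim().ToUpperInvariant() } | Sort-Object -Unique)
        }
    }
    New-Object PSObject -Property @{ Hive = $Hive; Present = $found; Types = $types }
}

$machine = Get-SrpExecutableTypes -Hive HKLM
$user    = Get-SrpExecutableTypes -Hive HKCU

foreach ($r in $machine, $user) {
    "{0}: value present = {1}, {2} extension(s)" -f $r.Hive, $r.Present, $r.Types.Count
}

# Extensions listed in one hive but not the other
$onlyMachine = @($machine.Types | Where-Object { $user.Types -notcontains $_ })
$onlyUser    = @($user.Types    | Where-Object { $machine.Types -notcontains $_ })
"Only in HKLM: " + ($onlyMachine -join ', ')
"Only in HKCU: " + ($onlyUser -join ', ')

# The two extensions the thread is about
foreach ($ext in 'LNK', 'URL') {
    "{0}: in HKLM = {1}, in HKCU = {2}" -f $ext, ($machine.Types -contains $ext), ($user.Types -contains $ext)
}
```

Run it in the restricted user's session so that HKCU resolves to that user's hive; reading both keys needs no elevated rights.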