I'm trying to enforce application restrictions using AppLocker through Group Policy. Currently, my domain users are unable to run any .exe files that aren't installed in the programs folder. For example, when they try to download and run something like zoom.exe, they're blocked. I've set it up so that admins can install apps from any folder. However, even when I log in as an admin and try to install apps from the user's download folder, they don't show up when the user logs back in. I also have issues trying to run the exe as admin from the user account, as it can't find the admin path. My main goal is to prevent staff from running exe files to install applications without my admin approval. Any advice would be greatly appreciated!
3 Answers
It sounds like you need to whitelist specific applications that you approve. Instead of logging in as an admin to manually install every app, set up your AppLocker rules to allow certain applications. This way, users can install approved software themselves without needing admin access. For more guidance on AppLocker, check out the official documentation.
Right, and managing denial rules can be unmanageable in the long run. Better to keep it straightforward!
Finding the balance between giving users access to necessary software and stopping them from messing up the system is tricky! AppLocker is a good start, but you might also want to consider additional restrictions or monitoring to ensure they can only access software that's safe and approved.
You might be running into issues because Zoom installs per-user, meaning it’s stored in the admin profile, which the regular user cannot access. Adding the Zoom certificate to your AppLocker allow list should let users install it themselves. This approach can be used for any other approved applications as well—there’s no need to log in as an admin for every install.
Got it! So even with AppLocker, if I install apps like Zoom from an admin account, users still won’t see them? It’s a bit confusing, especially since some programs ask for the admin password while others don’t.

Makes sense! In a small network, it can get tricky, especially if some users have special software needs. You should definitely create exceptions for those specific users or groups.
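
One way to build the publisher (certificate) allow rule suggested in the Zoom answer above, added here as an example that is not part of the original thread. The installer path, test user, rule name prefix and output file are assumptions to replace with your own values.

```powershell
# Added example. All paths and account names below are hypothetical.
$Installer = 'C:\Staging\ZoomInstaller.exe'    # vetted copy of the approved installer
$TestUser  = 'CONTOSO\jdoe'                    # a standard (non-admin) domain user
$PolicyXml = 'C:\Staging\Approved-Zoom.xml'    # where the generated rule is written

# 1. Only derive a publisher rule from a file whose Authenticode signature validates.
$sig = Get-AuthenticodeSignature -FilePath $Installer
if ($sig.Status -ne 'Valid') {
    throw "Signature status is '$($sig.Status)'; not building a rule from this file."
}
"Signed by: $($sig.SignerCertificate.Subject)"

# 2. Read the publisher details AppLocker will match on.
$info = Get-AppLockerFileInformation -Path $Installer

# 3. Generate an allow rule keyed on the publisher instead of the file path,
#    so it still matches when the file runs from Downloads or a user profile.
$policy = $info | New-AppLockerPolicy -RuleType Publisher -User Everyone `
                    -RuleNamePrefix 'Approved' -Optimize

# 4. Dry run: would the standard user be allowed to run it under this rule?
$result = Test-AppLockerPolicy -PolicyObject $policy -Path $Installer -User $TestUser
$result | Format-List FilePath, PolicyDecision, MatchingRule
if ($result.PolicyDecision -ne 'Allowed') {
    throw "Generated rule does not allow $Installer for $TestUser."
}

# 5. Save the rule as XML and review its scope (publisher, product, file name,
#    version) before importing it into the AppLocker GPO.
$info | New-AppLockerPolicy -RuleType Publisher -User Everyone `
          -RuleNamePrefix 'Approved' -Optimize -Xml |
    Out-File -FilePath $PolicyXml -Encoding utf8

# 6. Import through the Group Policy editor, or merge from PowerShell.
#    The LDAP path is a placeholder; use your GPO's distinguished name.
# Set-AppLockerPolicy -XmlPolicy $PolicyXml -Merge `
#     -Ldap 'LDAP://CN={<GPO-GUID>},CN=Policies,CN=System,DC=contoso,DC=com'
```

After a test install, run step 4 again against the binaries that landed in the user's profile, since those also have to match an allow rule before the application will start.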