By dtaveras79 ·
Hi all,
I'm looking for a way where I can create a GP in AD where I can specify which applications can be run in the computer. I don't want users running applications that don't pertain to work. So for example if I want the users to just use Microsoft Word, Internet Explorer and Adobe Reader, then that's the only programs that will run in the computer.
Anyone have an idea?

This conversation is currently closed to new comments.

Thread display: Collapse - | Expand +

All Answers

Collapse -

Well you can define what they can't run

by LarryD4 In reply to ACTIVE DIRECTORY GROUP PO ...

Well you can define what they can't run but you cant turn everything off and define what they can run.

Its on the user side and its an add on Admin template. Any program you define in the list is blocked from being run.

The key is actually housed here
HKEY_CURRENT_USER\Software\Microsoft\Windows\ &_

Collapse -

Found this...

by dtaveras79 In reply to Well you can define what ...

Found a nice article at about restricting software on user's machines.

Collapse -


by LarryD4 In reply to Found this...

Its an Adminitrator template that you need to load in to your GP.

Collapse -

That plus

by shasca In reply to Found this...

We have the WS locked down to not allow users to install any app. You would create your image with the apps allowed, then lock it down before issuing.
We have a seperate OU that we can move PC's back and forth to to disable the GPO. Do whatever administrtion needed then move them back to the OU with the restrictions set. Works great during your initial setup. Give you a back door if you forgot something after PC's are rolled out.

Collapse -


by dtaveras79 In reply to That plus

Ok, now that I have that in place. Is there a way where I can disable REGEDIT, TASKMANAGER, GPEDIT.msc and MSCONFIG for every user except administrators?

Collapse -


by shasca In reply to NOW
Collapse -


by dtaveras79 In reply to hacks

This will disable the run from everyone that logs into the machine, even the administrator account.
I want the administrator account to have full access to the computer.

Even if we disable the run command, users will still be able to run regedit from C:\WINDOWS\pchealth\helpctr\binaries.

From C:\WINDOWS\pchealth\helpctr\binaries, I located the regedit.exe file and by right clicking-properties, I tried removing the rights from every user that logs onto the machine, but again, it also took the rights from the administrator account.

Collapse -

Just block Regedit

by LarryD4 In reply to Administrator

Umm just block regedit.exe in the admin template you added.

But their is a way to block all of those windows tools. Its another Admin template. You can block the control panel from opening, you can block an mmc window from opening, etc...

Here is a nice resource for those GP settings

Collapse -


by shasca In reply to Administrator

My systems allow me to define rights for users. I can seperately define rights for the admins. I'm missing something here in your approach.

Collapse -

Citrix resources will help

by slconsultingsvc In reply to ACTIVE DIRECTORY GROUP PO ...

Go to the Citrix site and find their articles on locking down the virtual desktop through group policy. This has everything you need and more.

Related Discussions

Related Forums