How do you make "Run Only Allowed Windows Applications" run without issue?

By jonahzona
I work as a network admin at a school. We are running Windows Server 2003 R2 as a domain controller. Under the GPO for the students, we have "run only allowed windows applications" enabled, with a number of applications in the properties dialog.

Here is the issue: sometimes, even if the program is in the list, it still won't run on SOME of the machines. It is like the GPO isn't updating. I have run gpupdate /force from the command line, and that works about 50% of the time.

Is there a better way?

BTW, the student will get the error: "Access to this program has been restricted. Please contact your system administrator."

Any thoughts?

Student in the proper group?

by oldbaritone In reply to How do you make "Run Only ...

My first thought would be to check and verify that all of the students are members of the proper group (as their primary group) so the correct policy is established for them.

Yes, primary group is set

by jonahzona In reply to Student in the proper gro ...

Yes, though there are a couple of subgroups, all the students are under one group with that being the only place that the GPO is determined.

The other groups are merely for security and access to network shares.

The problem is not just limited to users, but to machines as well. One student will work fine on a machine, while another won't. But that same student can go to another machine and work fine there.

Thanks for the response!

Hmmm.. service packs, updates, and image

by oldbaritone In reply to Yes, primary group is set

Since it's machine-dependent, then I'd look at "what's different on the machine?"

Kiddies can do the darndest things when they have a chance. We keep a standard "student machine image" that can be installed in a few minutes. We make sure the updates get installed properly in the source image (ghost) and then an early step is to push the image back onto the student computer. That way you know all the student machines are identical.

(We don't always know what they changed, but we put the machine back into service promptly.) (sigh)

I think I found the issue

by jonahzona In reply to Hmmm.. service packs, up ...

Well, first off, I completely disabled the previously mentioned setting in AD. I was just trying to get the students the ability to run the program. Even that didn't work.

What kept bothering me was the error message. It was saying that program had been disallowed on that computer.

The IT guy before me, who is the one that set up AD, had the computers in a different OU with no GPO applied to it. I figured, what the heck, I will make a new OU for any student-used computer under the student OU so that the student GPO would be applied to it. It has worked on the first 3 machines I have tried so far.

That is a good sign!

Mixed Results

by jonahzona In reply to I think I found the issue

Well, I have found that this fix has more mixed results. Some computers will run the software when rebooted, others won't.

I am ready to flip.

Could it be a problem with the domain controller not giving out the GP information during start up? Possible cached GP info? Is that even possible?
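
One way to see what a client has actually applied, as an added example that is not part of the thread: this PowerShell script reads the per-user registry location where the "Run only allowed Windows applications" policy stores its allow list and reports whether each expected program is in it. It assumes PowerShell is installed on the client and is run in the affected student's logon session; the executable names are placeholders, not values from the thread.

```powershell
# Added diagnostic example (not from the thread).
# Run inside the affected student's session on the machine that shows the error.
param(
    # Placeholder names: replace with the entries from your GPO's allowed list.
    [string[]]$Expected = @('winword.exe', 'iexplore.exe')
)

# The policy is a per-user setting, so it lands under HKCU.
$explorerKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$listKey     = Join-Path $explorerKey 'RestrictRun'

# RestrictRun (DWORD) = 1 under the Explorer key means the allow list is enforced.
$enforced = $false
$props = Get-ItemProperty -Path $explorerKey -ErrorAction SilentlyContinue
if ($props -and $null -ne $props.RestrictRun) {
    $enforced = ([int]$props.RestrictRun -eq 1)
}

# The allowed executables are the values ("1", "2", ...) of the RestrictRun subkey.
$allowed = @()
if (Test-Path $listKey) {
    $key = Get-Item -Path $listKey
    $allowed = @($key.GetValueNames() | ForEach-Object { [string]$key.GetValue($_) })
}

"User:          ${env:USERDOMAIN}\${env:USERNAME}"
"Computer:      ${env:COMPUTERNAME}"
"Logon server:  ${env:LOGONSERVER}"
"List enforced: $enforced"
"Entries held:  $($allowed.Count)"

# -contains is case-insensitive, which matches how the names are written in the GPO.
foreach ($exe in $Expected) {
    $state = if ($allowed -contains $exe) { 'listed' } else { 'MISSING from client copy' }
    "{0,-20} {1}" -f $exe, $state
}

# Entries on the client that you did not expect (possibly from an older policy version).
$allowed | Where-Object { $Expected -notcontains $_ } |
    ForEach-Object { "{0,-20} extra entry on client" -f $_ }
```

Comparing the output from a working machine and a failing one for the same student shows whether the failing machine holds an older copy of the list and which domain controller handled the logon.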
