What OS version are they running?
When you say image. You mean they're built from an image of a different machine?
Are you going to the individual machine and setting up the policy?
If the policy looks the same as on the server then im sure they're correct also i was just going to double check them.
They are setting up one machine (install OS => Win7 Pro and common applications) and create an image of that machine. Afterwards, they are using this image to set up the other workstations.
I presume they have set up the security policies manually on that machine or let them at the default values.
Yes, I am going to the individual machine and I try to modify its predefined policy.
As I mentioned, if I set of the rules on my own workstation (which is part of the domain) everything works fine
Windows 7 Pro thats the problem.
AppLocker: Frequently Asked QuestionsTo create rules for a local computer, the computer must be running Windows 7 Ultimate or Windows 7 Enterprise. If you want to create rules for a Group Policy Object (GPO), you can use a computer that is running any edition of Windows 7 if the Remote Server Administration Tools are installed. AppLocker rules can be created on any edition of Windows Server 2008 R2. Although you can create AppLocker rules on computers running Windows 7 Professional, they will not be enforced on those computers. However, you can create the rules on a computer running Windows 7 Professional and then export the policy for implementation on a computer running an edition of Windows that does support AppLocker rule enforcement.
Applocker is only available on ultimate and enterprise.
I have found it also. I just wanted to write you :)
Thank you a lot for your support!
Is there a freeware tool which does the same as AppLocker?
You could try to setup software restrictions and add a path rule in there.
You could just try to change the permissions of the folder for anyone thats not on the domain. You can use special permissions an do deny or remove allow for traverse folder /execute file.
As far as I know, I can only block single *.exe file there.
I don't know if I can define a rule there, where I can only specifiy the mapped network drive (e.g.: K:\) and all its executables will be blocked (also those in K:\'s subfolders).
For software restrictions I'm not entirely sure. I have never used them. I did test out the permission and it worked flawless i was unable to open the exe file but i could navigate to it.
Hi!
Well, with software policies I think I can only block executables from running which are not trying to install new software. But I am not completely sure. I tried it out yesterday and I could not prevent the Windows installers from running.
I hope upgrading Win7 Pro to Win7 Enterprise/Ultimate is not a big issue if this workaround is required.
Quote