BUILTIN\Administrators account does NOT work in AppLocker
Having set the default rules, the third rule, the general path rule *, does NOT allow Admins to execute programs outside of the WIN directory and the program files directory (the first two default rules). It simply DOES NOT WORK in Win 7 Ultimate. Can anyone explain why not?

To get around this problem, I have to set specific PATH ALLOW rules for named admins.

ONCE again - the BUILTIN\Administrators (Default Rule) All Files rule DOES NOT work in AppLocker. WHY NOT??

I am NOT using the built-in Administrator account (because Win 7 documentation states that I shouldn't). I am using another admin account created at installation.
January 14th, 2010 8:12pm

I can report the exact same issues. The BUILTIN\Administrators rule just doesn't work. I'm wondering if this has something to do with UAC and not having your administrative token without elevation.
-joe c
March 11th, 2010 9:25pm

Check if the AppICSvc "Application Identity" service has been started. (services.msc)
March 12th, 2010 12:37am

Yes, this service is running. All of my AppLocker settings are working fine except for the default rule that "should" allow BUILTIN\Administrators to do anything.
-joe c
March 12th, 2010 4:12pm

Hello all,

There has been a lot of discussion on this topic, and I think I can answer it. UAC *IS* at fault here--this is one of the basic premises of UAC--and with a basic understanding of it, you will see how it works. In a nutshell, all users run programs with standard user privileges--that is, until a program requests elevation. It is then that the admin consent or credentials are requested.

With this rule in AppLocker, you'll notice it blocks EVERYONE from running the program--that is, with the exception of ADMINISTRATORS. Even though you log on as an administrator, that does not mean you will be able to run anything just by clicking on it--you'll still be running it as a standard user. You HAVE to right-click and choose Run as Administrator in order to apply your admin access token and enable the program to run (because only admins can run it, right?). The program doesn't have a chance to elevate and ask you for your token because it is denied initially unless you change how you initiate it and run it as an administrator.

Let me know if this helps.
September 23rd, 2010 11:49am
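
The token state described in the answer above can be checked directly. The following PowerShell is an added example, not part of the original thread; it assumes an English-language Windows (the `whoami` column names and attribute text are localized), and the function name `Get-AdminGroupState` and both sample inputs are constructed for illustration.

```powershell
# Added example: report how BUILTIN\Administrators appears in a token,
# based on the CSV output of `whoami /groups /fo csv`.
function Get-AdminGroupState {
    param(
        # CSV lines from `whoami /groups /fo csv`; defaults to the current token.
        [string[]]$WhoamiCsv = (whoami /groups /fo csv)
    )
    $adminSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators
    $row = $WhoamiCsv | ConvertFrom-Csv | Where-Object { $_.SID -eq $adminSid }

    if (-not $row) { return 'NotMember' }
    # Under UAC, a non-elevated admin's filtered token carries the group
    # only as a deny-only SID, so it cannot satisfy an Allow rule.
    if ($row.Attributes -match 'deny only') { return 'DenyOnly' }
    return 'Enabled'
}

# Constructed sample: admin account, process started normally (filtered token).
$filtered = @(
    '"Group Name","Type","SID","Attributes"'
    '"Everyone","Well-known group","S-1-1-0","Mandatory group, Enabled by default, Enabled group"'
    '"BUILTIN\Administrators","Alias","S-1-5-32-544","Group used for deny only"'
    '"BUILTIN\Users","Alias","S-1-5-32-545","Mandatory group, Enabled by default, Enabled group"'
)

# Constructed sample: same account, process started with Run as Administrator.
$elevated = @(
    '"Group Name","Type","SID","Attributes"'
    '"Everyone","Well-known group","S-1-1-0","Mandatory group, Enabled by default, Enabled group"'
    '"BUILTIN\Administrators","Alias","S-1-5-32-544","Mandatory group, Enabled by default, Enabled group, Group owner"'
)

"Filtered token: $(Get-AdminGroupState -WhoamiCsv $filtered)"
"Elevated token: $(Get-AdminGroupState -WhoamiCsv $elevated)"

# Cross-check against the live process: IsInRole is false for a deny-only SID.
$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
"Current process is elevated admin: " +
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
```

Calling `Get-AdminGroupState` with no argument reads the token of the current session, which shows whether a program launched from it would match an Allow rule scoped to BUILTIN\Administrators.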

This topic is archived. No further replies will be accepted.
