SRP (Software Restriction Policies) blocking local Administrator
I implemented SRP on a Windows 7 Pro PC that I was logged into as the Local Administrator. In Enforcement I ensured that "All users except local administrators" was selected. I then set the default Security Level to Disallow. At this point I attempted to open Windows Update from the Start menu and was blocked. I ran gpupdate, still blocked. I rebooted the PC, still blocked. I changed the default Security Level back to Unrestricted and was no longer blocked. Why isn't the "All users except local administrators" enforcement variable working? This is the 9th PC I've set up with SRP, all the same configuration, and all the others work fine. Also, this PC is not part of a domain. Any ideas?
February 10th, 2011 5:26pm
Hi Stampy5000,
Thanks for the post!
Is this a 64-bit Windows 7?
If so, it has an extra Program Files directory named C:\Program Files (x86). Click on Additional Rules and make a new Path Rule that makes that directory Unrestricted, so software installed there is allowed to run.
Meanwhile, did you remove the LNK file type when you made the policy? Double-click Designated File Types, find the LNK type, and click the Delete button. This could allow you to use your desktop shortcuts and Quick Launch icons, which are mostly the LNK file type.
Regards,
Miya
February 14th, 2011 12:15pm
Hi Miya,
Thank you for your response. The OS is 64-bit Windows 7 Pro. I've already added the Program Files (x86) to the Additional Rules list as unrestricted. Also, I've already ensured the restricted user is able to access their Quick Launch bar and Start Menu links by adding:
C:\Users\USER\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch
&
C:\Users\USER\AppData\Roaming\Microsoft\Windows\Start Menu
But the issue in question is that the local Administrator is being affected by the SRPs when they should not. The "All users except local administrators" variable is selected but the local Administrator (the built-in account) is still restricted by the SRPs in effect.
Again, thank you for your response.
February 21st, 2011 7:28pm
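Added example, not part of the thread and not written by either poster: a PowerShell check that reads the settings discussed above (enforcement scope, default Security Level, Designated File Types, path rules) from the registry key where SRP policy is stored, so the values actually applied on the affected PC can be compared with a working one. It also reports whether the current process token has the Administrators group enabled. The function name Show-SrpValue is hypothetical.

```powershell
# Added example: dump the SRP settings that the machine has actually applied.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
if (-not (Test-Path $base)) { Write-Output 'No SRP policy key found.'; return }

$policy = Get-ItemProperty -Path $base
$levels = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }
$scopes = @{ 0 = 'All users'; 1 = 'All users except local administrators' }
$modes  = @{ 0 = 'Not enforced'; 1 = 'All files except DLLs'; 2 = 'All files including DLLs' }

# Hypothetical helper: print one DWORD setting with its meaning, or "(not set)".
function Show-SrpValue($name, $map) {
    $value = $policy.$name
    if ($null -eq $value) { return ('{0,-18} (not set)' -f $name) }
    $text = $map[[int]$value]
    if ($null -eq $text) { $text = 'unrecognised value' }
    '{0,-18} {1} ({2})' -f $name, $value, $text
}

Show-SrpValue 'PolicyScope'        $scopes   # the Enforcement "apply to" choice
Show-SrpValue 'DefaultLevel'       $levels   # the default Security Level
Show-SrpValue 'TransparentEnabled' $modes

# Designated File Types: is LNK still in the list?
$types = @($policy.ExecutableTypes)
'LNK designated:    {0}' -f ($types -contains 'LNK')

# Additional Rules (path rules) stored under each security level.
foreach ($level in 0, 262144) {
    $key = Join-Path $base "$level\Paths"
    if (Test-Path $key) {
        Get-ChildItem $key | ForEach-Object {
            $rule = Get-ItemProperty $_.PSPath
            'Path rule:         {0,-12} {1}' -f $levels[$level], $rule.ItemData
        }
    }
}

# Is the Administrators group enabled in the token of this process?
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal $identity
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
'Running as:        {0} (Administrators enabled in token: {1})' -f $identity.Name, $isAdmin
```

Run it in the session that is being blocked and again on one of the PCs where the exemption works, then compare the PolicyScope line and the token line between the two outputs.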