SRP (Software Restriction Policies) blocking local Administrator
I implemented SRP on a Windows 7 Pro PC that I was logged into as the Local Administrator. In Enforcement I ensured that "All users except local administrators" was selected. I then set the default Security Level to Disallow. At this point I attempted to open Windows Update from the Start menu and was blocked. I ran gpupdate, still blocked. I rebooted the PC, still blocked. I changed the default Security Level back to Unrestricted and was no longer blocked. Why is'nt the "All users except local administrators" enforcement variable working? This is the 9th PC I've setup with SRP, all the same configuration, and all the others work fine. Also, this PC is not part of a domain. Any ideas?
February 10th, 2011 11:29pm

Hi Stampy5000, Thanks for the post! Is this a 64-bit Windows 7? If so, it has an extra Program Files directory named C:\Program Files (x86). Click on Additional Rules and make a new Path Rule that makes that directory Unrestricted, so software installed there is allowed to run. Meanwhile, did you remove the LNK filetype when you make the policy? Double click the Designated File Types. Find the LNK type ,and click the Delete button. This could allow you to use your desktop shortcuts and Quick Launch icons, which are mostly the LNK file type. Regards, Miya This posting is provided "AS IS" with no warranties, and confers no rights. | Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
Free Windows Admin Tool Kit Click here and download it now
February 14th, 2011 10:13am

Hi Miya, Thank you for your response. The OS is 64-bit Windows 7 Pro. I've already added the Program Files (x86) to the Additional Rules list as unrestricted. Also, I've already ensured the restricted user is able to access their Quick Launch bar and Start Menu links by adding: C:\Users\USER\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch & C:\Users\USER\AppData\Roaming\Microsoft\Windows\Start Menu But the issue in question is that the local Administrator is being affected by the SRP's when they should not. The "All users except local administrators" variable is selected but the local Administrator (the built in account) is still restricted by the SRP's in affect. Again, thank you for your response.
February 21st, 2011 5:33pm

Can you recommend software, that allows to set restrictions for all users except local administrators? The main features I need is "Run only allowed windows applications" and/or "Dont run specified windows applications". Did you try to use Applocker in Win 7 ultimate? Does it works?
Free Windows Admin Tool Kit Click here and download it now
March 3rd, 2012 7:28am

I try to use Applocker, and it works great !!! Amazing tool, just select user, folder with application or only .exe file and make it Allow or Disallow. If in folder (Programm Files, for example) are several applications, you can make exceptions.
March 3rd, 2012 8:08am

I'm having exactly the same problem now. I've done all steps like written here http://www.mechbgon.com/srp/ and can't find any solutions. Did you solve this problem?
Free Windows Admin Tool Kit Click here and download it now
March 3rd, 2012 4:58pm

Never found a solution. Eventually just disabled the SRP's. We'll be purchasing a SteadyState alternative as, unfortunatley, that seems like the best way to go.
March 3rd, 2012 5:05pm

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics