Software Restrictions Policy

[morrell]

Hi

 

I'm in need a little assistance, I'm attempting to have a software restriction policy that blocks access to a few problems for all users, easy enough. But then I would like to allow a certain group of users to have access to this if there added to the correct group.

 

I created the two gpos and assigned them to two groups and made sure the allow gpo was of Higher Order in this case I set it to one. I also enforced the allow so that it would not be over written by the lower Order GPO.

 

Problem is I've added a test user to the groups in question, Allow and Deny and I still get the deny.

 

Any idea why this would be the case?

 

Thanks in advance

 

John

[Edenost]

I realise this is an old thread, but I wanted to just add my "two cents" here for anyone in the future.

This is likely to be that the Deny policy is still applying, although the Allow policy is enforced. Generally, Deny is always the one which takes precedence in any state.

 

What you would need to do is either create two OU's (one for the Deny and one for the Allow), and assign each GPO respectively, or the better solution would be to create two groups in AD, adding the relevant users to the groups, removing "Everyone" or "Authenticated Users" from the security on the GPO and adding the relevant groups to the respective policies.