Wednesday, December 01, 2004

Disabling Applications with Active Directory

I often search for "how tos" like this on Google and often I can't find the information I need. I had to spend a while trying to find this hidden setting today, and thought I'd help others by posting a brief tutorial. Hopefully someone will find this post helpful in the future.

How does one disable application programs for a specific group of users via Active Directory? The following directions assume you're running Windows 2000 Server.

  1. Log into your server. Click on Start, Programs, Administrative Tools, Active Directory Users and Computers.

  2. Navigate to the group for which you want to edit the policy. Right-click on the group's folder/directory icon, and select Properties. Click on the Group Policy tab.

  3. If you wish to edit a current policy, click on the policy's name under Group Policy Object Links and then click on the Edit button. If you want to create a new set of policies, click on the New button, name your new Group Policy Object, and then click on Edit. A new Group Policy window will appear on the screen.

  4. Under User Configuration, expand Administrative Templates and then click on System (you don't need to expand it; just click on the name). Double-click on "Don't run specified Windows applications." (Note that there is also a "Run only allowed Windows applications" policy. If you want to specify only a few specific programs that the user group can run, you may wish to use this instead.)

  5. Make sure Enabled is selected. Click on the Show... button. Add the file name of any program you want to block (for example, telnet.exe). Apply all changes and exit the program.
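
To confirm the policy from the steps above actually reached a user, the following added example (not part of the original post) reads the per-user registry values that the "Don't run specified Windows applications" and "Run only allowed Windows applications" settings write. It assumes a client where PowerShell is available and that it is run as the affected user after the policy has refreshed; the function name `Get-ExplorerRunPolicy` and its parameter are hypothetical names chosen for this illustration.

```powershell
# Added example: verify that the Explorer run-restriction policies reached this user.
# Run as the affected user after Group Policy has refreshed.
function Get-ExplorerRunPolicy {
    param(
        # Programs you expect to be blocked (telnet.exe is the example from the post).
        [string[]]$Expected = @('telnet.exe')
    )

    # Per-user location where both policies are stored.
    $base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

    # Reads the DWORD on/off switch and the list of program names for one policy.
    function Read-List([string]$Name) {
        $enabled = $false
        $items = @()
        $flag = Get-ItemProperty -Path $base -Name $Name -ErrorAction SilentlyContinue
        if ($flag -and $flag.$Name -eq 1) { $enabled = $true }
        $key = Get-Item -Path (Join-Path $base $Name) -ErrorAction SilentlyContinue
        if ($key) {
            $items = @($key.GetValueNames() | ForEach-Object { [string]$key.GetValue($_) })
        }
        [pscustomobject]@{ Enabled = $enabled; Items = $items }
    }

    $deny  = Read-List 'DisallowRun'   # "Don't run specified Windows applications"
    $allow = Read-List 'RestrictRun'   # "Run only allowed Windows applications"

    foreach ($exe in $Expected) {
        [pscustomobject]@{
            Program          = $exe
            DenyListEnabled  = $deny.Enabled
            OnDenyList       = $deny.Items -contains $exe
            AllowListEnabled = $allow.Enabled
            OnAllowList      = $allow.Items -contains $exe
            # Blocked if named on an active deny list, or missing from an active allow list.
            Blocked          = ($deny.Enabled -and ($deny.Items -contains $exe)) -or
                               ($allow.Enabled -and -not ($allow.Items -contains $exe))
        }
    }
}

Get-ExplorerRunPolicy | Format-Table -AutoSize
```

The `Blocked` column reflects what Windows Explorer enforces for programs launched from the shell; a row showing `False` for a program you listed means the policy has not applied to that user yet or is linked to the wrong container.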
