Location of Software Restriction Policies

[Guest]

Can anyone tell me where in the registry Group Policy Software Restriction
Policies are stored?

I'm having a problem where admin users are getting SRS policies even though
no policies applied to them have these in them. The only thing I can think of
is that they are in the Default User profile which was created to provide a
common profile for all users.

 

[Steven L Umbach]

What you suspect would not be the problem. If SRP is applied to local
administrators in a non domain computer then you need to configure
enforcement to exclude local administrators in Local Security Policy
[secpol.msc] - Software Restriction Policies. If it is a domain computer
then that needs to be checked in the Group Policy applying to the computer
or user for the same. Running rsop.msc on a domain computer will be helpful
in determining the GPO applying settings.

Steve

 

[Guest]

I've run RSOP and the correct policies are listed (i.e no SRP at all and any
restrictive polices for other uses are 'reversed')

Why I suspect the registry is because as soon as I copy across the
NTUSER.dat from a working PC, then the failing PC works OK. We use the
Default User NTUSER.DAT files to create a standard printer etc for all PCs in
one particular room.

Its almost as if the previous user leaves behind their SRP settings, and as
there is no GPO way of forcing no SRP then they are being applied to the
admin user, who otherwise gets the full admin policy as normal.

What you suspect would not be the problem. If SRP is applied to local
administrators in a non domain computer then you need to configure
enforcement to exclude local administrators in Local Security Policy
[secpol.msc] - Software Restriction Policies. If it is a domain computer
then that needs to be checked in the Group Policy applying to the computer
or user for the same. Running rsop.msc on a domain computer will be helpful
in determining the GPO applying settings.

Steve

Can anyone tell me where in the registry Group Policy Software Restriction
Policies are stored?

I'm having a problem where admin users are getting SRS policies even
though
no policies applied to them have these in them. The only thing I can think
of
is that they are in the Default User profile which was created to provide
a
common profile for all users.

 

[Steven L Umbach]

For machine level SRP the settings are under the
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer key if that
helps. So you may want to check under user registry for something similar.

Steve

I've run RSOP and the correct policies are listed (i.e no SRP at all and
any
restrictive polices for other uses are 'reversed')

Why I suspect the registry is because as soon as I copy across the
NTUSER.dat from a working PC, then the failing PC works OK. We use the
Default User NTUSER.DAT files to create a standard printer etc for all PCs
in
one particular room.

Its almost as if the previous user leaves behind their SRP settings, and
as
there is no GPO way of forcing no SRP then they are being applied to the
admin user, who otherwise gets the full admin policy as normal.

What you suspect would not be the problem. If SRP is applied to local
administrators in a non domain computer then you need to configure
enforcement to exclude local administrators in Local Security Policy
[secpol.msc] - Software Restriction Policies. If it is a domain computer
then that needs to be checked in the Group Policy applying to the
computer
or user for the same. Running rsop.msc on a domain computer will be
helpful
in determining the GPO applying settings.

Steve

Can anyone tell me where in the registry Group Policy Software
Restriction
Policies are stored?

I'm having a problem where admin users are getting SRS policies even
though
no policies applied to them have these in them. The only thing I can
think
of
is that they are in the Default User profile which was created to
provide
a
common profile for all users.

 

[Guest]

Thank you, that was it exactly!

The SRP settings were in the LOCAL_MACHINE hive of the default user profile,
hence the Admin user was picking them up on first login.

Removed them from default user profile and it works OK now, as users with
SRP get the policy on login.

Thanks for your help.

For machine level SRP the settings are under the
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer key if that
helps. So you may want to check under user registry for something similar.

Steve

I've run RSOP and the correct policies are listed (i.e no SRP at all and
any
restrictive polices for other uses are 'reversed')

Why I suspect the registry is because as soon as I copy across the
NTUSER.dat from a working PC, then the failing PC works OK. We use the
Default User NTUSER.DAT files to create a standard printer etc for all PCs
in
one particular room.

Its almost as if the previous user leaves behind their SRP settings, and
as
there is no GPO way of forcing no SRP then they are being applied to the
admin user, who otherwise gets the full admin policy as normal.

What you suspect would not be the problem. If SRP is applied to local
administrators in a non domain computer then you need to configure
enforcement to exclude local administrators in Local Security Policy
[secpol.msc] - Software Restriction Policies. If it is a domain computer
then that needs to be checked in the Group Policy applying to the
computer
or user for the same. Running rsop.msc on a domain computer will be
helpful
in determining the GPO applying settings.

Steve


Can anyone tell me where in the registry Group Policy Software
Restriction
Policies are stored?

I'm having a problem where admin users are getting SRS policies even
though
no policies applied to them have these in them. The only thing I can
think
of
is that they are in the Default User profile which was created to
provide
a
common profile for all users.

 

[Steven L Umbach]

Cool. Glad you got it sorted out and thanks for reporting back what worked.

Steve

Thank you, that was it exactly!

The SRP settings were in the LOCAL_MACHINE hive of the default user
profile,
hence the Admin user was picking them up on first login.

Removed them from default user profile and it works OK now, as users with
SRP get the policy on login.

Thanks for your help.

For machine level SRP the settings are under the
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer key if that
helps. So you may want to check under user registry for something
similar.

Steve

I've run RSOP and the correct policies are listed (i.e no SRP at all
and
any
restrictive polices for other uses are 'reversed')

Why I suspect the registry is because as soon as I copy across the
NTUSER.dat from a working PC, then the failing PC works OK. We use the
Default User NTUSER.DAT files to create a standard printer etc for all
PCs
in
one particular room.

Its almost as if the previous user leaves behind their SRP settings,
and
as
there is no GPO way of forcing no SRP then they are being applied to
the
admin user, who otherwise gets the full admin policy as normal.


:

What you suspect would not be the problem. If SRP is applied to local
administrators in a non domain computer then you need to configure
enforcement to exclude local administrators in Local Security Policy
[secpol.msc] - Software Restriction Policies. If it is a domain
computer
then that needs to be checked in the Group Policy applying to the
computer
or user for the same. Running rsop.msc on a domain computer will be
helpful
in determining the GPO applying settings.

Steve


Can anyone tell me where in the registry Group Policy Software
Restriction
Policies are stored?

I'm having a problem where admin users are getting SRS policies even
though
no policies applied to them have these in them. The only thing I can
think
of
is that they are in the Default User profile which was created to
provide
a
common profile for all users.