Help creating GPO to disable access to specific .exe files

Tagged: ,

This topic contains 3 replies, has 2 voices, and was last updated by Profile photo of Rob Simmers Rob Simmers 4 days, 4 hours ago.

Viewing 4 posts - 1 through 4 (of 4 total)
  • Author
    Posts
  • #54441
    Profile photo of Chris Whitaker
    Chris Whitaker
    Participant

    Hello,

    Hello,

    Any help is certainly appreciated! Thank you!

    I am in need of a Powershell script that will create a local GPO on a non-domain joined Win7 desktop to limit access to 3 executables AND if possible apply that GPO at the top level to everyone but the local Administrator account.

    I am wondering if someone might be able to provide some assistance or lead me in the right direction. I am NOT a skilled powershell scripter, just a guy in need of one. But I can sometimes piece things together properly.

    If it helps, the files are:

    C:\Program Files (x86)\Carbonite\Carbonite Backup\carbonitesetup.exe
    C:\Program Files (x86)\Carbonite\Carbonite Backup\carboniteui.exe
    C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe

    #54525
    Profile photo of Rob Simmers
    Rob Simmers
    Participant

    You're basically talking about whitelisting. The operating system wouldn't function if you could only launch those executables. There are entire software solutions dedicated to what you asking to do like RES Software, Carbon Black, Bit9. Do you just want the users to be able to see the backup utility? You could attempt to basically make the workstation a kiosk and only show the backup icons with GPO, but you don't need powershell for that.

    #54557
    Profile photo of Chris Whitaker
    Chris Whitaker
    Participant

    Actually, I want the reverse of what you are suggesting. I want the computer to function normally, I just don't want them to have access to the backup software UI.

    #54559
    Profile photo of Rob Simmers
    Rob Simmers
    Participant

    This is a single computer? I don't know that a scripted solution is still what you are looking for:

    • Option 1 – If the software has a login or security, create a Carbonite local group, add Administrator to group and update security to only allow Carbonite group
    • Option 2 – Update ACL's on the files to remove users or create a Carbonite local group, add Administrator to group and update the ACL
Viewing 4 posts - 1 through 4 (of 4 total)

You must be logged in to reply to this topic.