Deny Specific Application in Active Directory GPO


Sometimes you need to deny specific application in Active Directory GPO.  There is a way, using file’s hash, to block it from entire Active Directory domain.  That way, all logged-on users won’t be able to run that specific files.  One of the reason you would like to block specific application would be some of your employes playing games like FreeCell or PinBall instead of working, or another reason would be malicious user that want to scan your network for vulnerabilities.

So, how to to that task?


Log into your domain controller server and do the following tasks :

  1. From Control Panel, select Administratives Tools and then “Group Policy Management”.
  2. Right-click + Edit on “Default Domain Policy”.
  3. Select following directory :
    • User configuration -> Policies -> Windows Settings -> Security Settings -> Software Restriction Policies -> Additional Rules
  4. Right-click + New Hash Rule
  5. From within the new opened window, click on “browse” button and select application file you want to deny.
  6. Select :   Security Level = Disallowed.
  7. Apply.

Wait for next GPO update, or you can update manually from each workstation by input the following command : gpupdate /force


Spread the love...Share on FacebookShare on Google+Pin on PinterestShare on RedditTweet about this on TwitterEmail this to someone