Creating & Configuring a GPO in Windows Server 2012 to Restrict Access to Apps:

For this demo, I’m going to restrict access to Control Panel and to a few apps, such as Notepad.exe and Calc.exe, for my Marketing & Production users. Let’s get started.

1 – As usual, on the domain server, create a new GPO. In my case, the new GPO will be Comsys Infra Standard.

2 – Next, right click Comsys Infra Standard GPO and click Edit…

3 – Next, in the Group Policy Management Editor, expand User Configuration, Policies, and Administrative Templates, and then click System. Double click Don’t run specified Windows applications, click Enabled, and then click Show…

4 – In the Show Contents box, in the Value list, type notepad.exe, Calc.exe and Paint.exe and then click OK…

5 – Next, click Control Panel. In the right pane, double click Prohibit access to Control Panel and PC Settings, then click Enabled and click OK.

6 – Next, let’s link the Comsys Infra Standard GPO to our domain: right click Comsys.local and click Link an Existing GPO…

7 – In the Select GPO box, under Group Policy Object, click Comsys Infra Standard and then click OK to proceed…

8 – Next, you can open CMD and type gpupdate /boot /force…

9 – Next, log in to your Windows client PC (in my case, my Windows 8 client) as a domain user (one of your Marketing or Production users)…

10 – Once you have successfully logged on, try to open Notepad and Control Panel, and you will be presented with a Restrictions warning box…

11 – Next, go back to your Domain Server and open Control Panel (remember that my Domain Server is logged in as Domain Administrator)…

12 – Once you click Control Panel, you will be presented with a Restrictions warning box. But I’m a Domain Administrator, so why do I get this restriction?

13 – Not to worry about this error. A new GPO is filtered to Authenticated Users by default, and that group includes the Domain Administrator. To solve this, in Group Policy Management, click the Comsys Infra Standard GPO, and in the right pane, under Security Filtering, click Authenticated Users and then click Remove…

14 – In the Group Policy Management box, click OK to confirm removal of the Authenticated Users group…

15 – Next, still under Security Filtering, add the Marketing and Production groups so that only these 2 groups are affected by this GPO…
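
The same configuration can be scripted. The PowerShell below is an added example, not part of the original walkthrough; it assumes the GroupPolicy module (GPMC/RSAT) is installed, that Comsys.local has the DN DC=Comsys,DC=local, and that the groups are named exactly Marketing and Production. It sets the security filtering before linking the GPO, so the Domain Administrator is never caught by the restriction seen in step 12.

```powershell
# Added example: scripts the GUI steps above with the GroupPolicy module (GPMC/RSAT).
Import-Module GroupPolicy

$GpoName  = 'Comsys Infra Standard'             # GPO name from the walkthrough
$DomainDn = 'DC=Comsys,DC=local'                # assumed DN of the Comsys.local domain
$Groups   = 'Marketing', 'Production'           # assumed exact names of the two groups
$Blocked  = 'notepad.exe', 'Calc.exe', 'Paint.exe'
$Explorer = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# Steps 1-2: create the GPO, or reuse it if it already exists.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }

# Steps 3-4: "Don't run specified Windows applications" = DisallowRun switch
# plus a numbered list of executable names under the DisallowRun subkey.
Set-GPRegistryValue -Name $GpoName -Key $Explorer -ValueName 'DisallowRun' `
    -Type DWord -Value 1 | Out-Null
$n = 0
foreach ($exe in $Blocked) {
    $n++
    Set-GPRegistryValue -Name $GpoName -Key "$Explorer\DisallowRun" `
        -ValueName "$n" -Type String -Value $exe | Out-Null
}

# Step 5: "Prohibit access to Control Panel and PC settings".
Set-GPRegistryValue -Name $GpoName -Key $Explorer -ValueName 'NoControlPanel' `
    -Type DWord -Value 1 | Out-Null

# Steps 13-15, done before linking: drop Authenticated Users, scope to the two groups.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel None -Replace | Out-Null
foreach ($group in $Groups) {
    Set-GPPermission -Name $GpoName -TargetName $group -TargetType Group `
        -PermissionLevel GpoApply | Out-Null
}
# Not in the walkthrough: patched clients (MS16-072) fetch user policy with the
# computer account, so computers need Read on the GPO once Authenticated Users is gone.
Set-GPPermission -Name $GpoName -TargetName 'Domain Computers' -TargetType Group `
    -PermissionLevel GpoRead | Out-Null

# Steps 6-7: link the GPO to the domain root.
New-GPLink -Name $GpoName -Target $DomainDn -LinkEnabled Yes | Out-Null

# Check the result: who the GPO applies to, and the blocked-application list it carries.
Get-GPPermission -Name $GpoName -All | Select-Object Trustee, Permission
Get-GPRegistryValue -Name $GpoName -Key "$Explorer\DisallowRun"
```

The Don’t run specified Windows applications setting matches on file name and is enforced only for programs started from File Explorer, so treat it as a desktop restriction and use AppLocker or Software Restriction Policies where the block has to hold.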