An AD domain user has been added to the Administrators group, and AppLocker is configured in Group Policy to restrict the programs that the AD domain user can run. Does AppLocker have no effect after the domain user logs in?

yuan huang 40 Reputation points
2023-07-14T10:08:59.2733333+00:00

An AD domain user is added to the Administrators group. AppLocker is configured in Group Policy to restrict the programs that can run for the AD domain user. The configuration is not distributed to the target host after the AD domain user, who is in the Administrators group, logs in. gpresult -H test.html does not show an "Application Control Policies" section, so it does not take effect locally.

The other settings in the GPO are applied; only this AppLocker rule does not take effect.


Does it have something to do with the domain user joining the Administrators group? But when I put the configuration in local policy, it works.


1 answer

  1. Limitless Technology 44,526 Reputation points
    2023-07-17T13:38:41.5+00:00

    Hello Yuan Huang,

    Thank you for reaching out with your question today.

    When an Active Directory (AD) domain user is added to the Administrator group, it can affect the application of Group Policy settings, including AppLocker rules. By default, members of the Administrators group have elevated privileges, which can override some restrictions imposed by Group Policy.

    Here are a few considerations to address the issue of AppLocker rules not being applied to AD domain users added to the Administrator group:

    1. Group Policy Inheritance: Ensure that the Group Policy Object (GPO) with the AppLocker configuration is being applied to the target host where the AD domain user is logging in. Check the Group Policy inheritance and make sure the GPO is linked to the correct Organizational Unit (OU) containing the target host.
    2. Group Policy Enforcement: Verify that the GPO with the AppLocker configuration is enforced and not blocked by any higher-level GPOs. GPO enforcement ensures that the settings in the GPO are applied even if there are conflicting settings in other GPOs.
    3. Security Filtering: Review the security filtering settings of the GPO containing the AppLocker configuration. Ensure that the AD domain user or the group to which the user belongs is included in the security filtering of the GPO. This ensures that the GPO is applied to the user regardless of their membership in the Administrator group.
    4. Group Policy Loopback Processing: Consider enabling Group Policy loopback processing in the GPO that contains the AppLocker configuration. This setting allows the GPO to be applied to users based on the computer they are logging into, rather than their individual user accounts.
    5. Elevated Privileges: Members of the Administrators group have elevated privileges, which can override some Group Policy settings, including AppLocker rules. Even if the GPO is being applied, the Administrator group membership can bypass the restrictions. Consider reviewing and adjusting the security configuration and privileges for the AD domain users to limit their elevated access.
    6. Local AppLocker Configuration: If the AppLocker configuration works locally on the target host, it suggests that the issue may be related to Group Policy application. Consider verifying the GPO settings, Group Policy application on the target host, and the order of GPO processing.

    Remember to test any changes in a controlled environment before applying them to production systems. If the issue persists or requires further investigation, consult with your organization's IT administrators or Microsoft support for more specific guidance based on your environment and configuration.

    I used AI provided by ChatGPT to formulate part of this response. I have verified that the information is accurate before sharing it with you.

    If the reply was helpful, please don’t forget to upvote or accept as answer.

    Best regards.

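The following diagnostic is an added example and is not part of the question or the answer above. It runs on the target workstation from an elevated PowerShell prompt and checks the things that decide whether a GPO-delivered AppLocker policy actually restricts a given user: whether the Application Identity service (AppIDSvc) is running, whether the GPO appears in the computer-scope RSoP (AppLocker rules live under Computer Configuration, so `gpresult /scope user` will not list them), whether the effective policy's rule collections are set to Enabled rather than NotConfigured, whether any rule grants an Allow to BUILTIN\Administrators (the AppLocker default rules do), what decision the effective policy gives for a specific program and user, and what the AppLocker event log recorded. The GPO name `AppLocker-Workstations`, the user `CONTOSO\yuan` and the test program path are placeholders; replace them with your own values.

```powershell
<#
  Added example (not from the original post). Diagnoses, on the target host, why an
  AppLocker policy delivered by GPO does not appear to apply to a user who is a member
  of the local Administrators group. Run from an elevated PowerShell prompt.

  Hypothetical values (assumptions, adjust for your environment):
    -GpoName  name of the GPO that carries the AppLocker rules
    -User     the domain user being tested
    -TestExe  a program the rules are meant to block for that user
#>
param(
    [string]$GpoName = 'AppLocker-Workstations',
    [string]$User    = 'CONTOSO\yuan',
    [string]$TestExe = 'C:\Program Files\7-Zip\7z.exe'
)

$builtinAdminsSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

# 1. AppLocker enforcement depends on the Application Identity service.
$svc = Get-Service -Name AppIDSvc
"[1] AppIDSvc status: $($svc.Status) (start type: $($svc.StartType))"
if ($svc.Status -ne 'Running') {
    "    AppLocker rules are not enforced while AppIDSvc is stopped; set it to Automatic and start it."
}

# 2. AppLocker settings are under Computer Configuration, so look at the computer-scope
#    RSoP. gpresult /r lists the GPOs that were actually applied to this computer.
$rsop    = gpresult /r /scope computer 2>&1 | Out-String
$applied = $rsop -match [regex]::Escape($GpoName)
"[2] GPO '$GpoName' present in computer-scope applied GPO list: $applied"
if (-not $applied) {
    "    Check the GPO link on the OU that contains the computer object, the security"
    "    filtering (the computer account needs Read and Apply Group Policy), then run gpupdate /force."
}

# 3. Effective policy = local policy merged with domain policy. Report each rule
#    collection's enforcement mode and any Allow rule granted to Administrators.
$policy = Get-AppLockerPolicy -Effective
[xml]$xml = Get-AppLockerPolicy -Effective -Xml
foreach ($rc in $xml.AppLockerPolicy.RuleCollection) {
    "[3] Collection $($rc.Type): EnforcementMode=$($rc.EnforcementMode)"
    foreach ($rule in $rc.ChildNodes) {
        if ($rule.UserOrGroupSid -eq $builtinAdminsSid -and $rule.Action -eq 'Allow') {
            "    '$($rule.Name)' ($($rule.LocalName)) allows BUILTIN\Administrators"
        }
    }
}

# 4. Ask the effective policy what it would decide for this program and this user.
#    PolicyDecision is Allowed, Denied, AllowedByDefault or DeniedByDefault.
$decision = Test-AppLockerPolicy -PolicyObject $policy -Path $TestExe -User $User
"[4] $TestExe for $User -> $($decision.PolicyDecision) (matching rule: $($decision.MatchingRule))"

# 5. What AppLocker actually logged: 8002 = allowed, 8003 = audit-only (would have
#    been blocked), 8004 = blocked. No events at all usually means no enforcement.
$events = Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' `
                       -MaxEvents 10 -ErrorAction SilentlyContinue
if (-not $events) {
    "[5] No AppLocker EXE/DLL events recorded on this host."
} else {
    foreach ($e in $events) {
        "[5] $($e.TimeCreated) id=$($e.Id) $(($e.Message -split "`n")[0])"
    }
}
```

Read the output top to bottom: a stopped AppIDSvc or a GPO missing from step 2 means the policy never reached enforcement on this host, which matches the symptom that gpresult shows no Application Control Policies section; an Enabled collection together with an Allow rule for BUILTIN\Administrators in step 3, and `AllowedByDefault` or `Allowed` with that rule named in step 4, means the policy is applied but deliberately exempts administrators.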
