new-applockerpolicy for single exe

Saksham Garg 1 Reputation point


I am trying to create a new Applocker policy for particular executables using Powershell commands. I want to create a Path rule for a particular group. I am following this link: Using this link, I am trying to create a Powershell script to create a Deny AppLocker rule for attrib.exe file for all users in "Domain Users".

$Policy = Get-ChildItem C:\Windows\System32\attrib.exe | Get-AppLockerFileInformation | New-AppLockerPolicy -RuleType Path -User "Domain Users" -Optimize -RuleNamePrefix "Block attrib1"
foreach($RuleCollection in $Policy.RuleCollections)
foreach($Rule in $RuleCollection)
$Rule.Action = 'Deny'
$GPO_ID = (Get-GPO -Name "SampleGPO").Id
Set-AppLockerPolicy -PolicyObject $Policy -Ldap "LDAP://cn={$GPO_ID},cn=policies,cn=system,DC=addc,DC=altairone,DC=com"

But when I see the path in the properties of this rule, I see the rule is being created for all the files under %SYSTEM32% as shown in the picture.


Can someone guide to create rule just for single file?

A family of Microsoft operating systems that run across personal computers, tablets, laptops, phones, internet of things devices, self-contained mixed reality headsets, large collaboration screens, and other devices.
4,845 questions
Windows Server 2016
Windows Server 2016
A Microsoft server operating system that supports enterprise-level management updated to data storage.
2,400 questions
Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
5,994 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Ian Xue (Shanghai Wicresoft Co., Ltd.) 31,166 Reputation points Microsoft Vendor


    You can specify the path by setting the PathConditions property like this


    Best Regards,
    Ian Xue


    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.