Altirigos » Notification Server and Solutions » Application Control » Help with Application Control

Old 04-24-2008, 01:05 PM   #1 (permalink)
 
Status: Junior Altiris Admin
Join Date: 08-27-2007
Location: Work
Posts: 14


Question Help with Application Control

So I finally started playing around with Application Control so we can start removing admin rights on users' local machines. For a "test" I decided to use Windows Disk Defragmenter and Elevate Process Rights Policy to allow a user without admin rights to run it. For the life of me I cannot get it to work. I have also tested the Run Deny for Firefox and it works, so I know the client computer is getting the policies. I'll give you a rundown of what I have done.

-Created a user in our domain for testing purposes with only "User" rights.

-I started Disk Defrag and watched what process was started. The result being dfrgntfs.exe which is located in C:\WINDOWS\system32.

-In that location is also dfrg.msc and dfrgfat.exe.

-First I Created a collection here:


-Then created a folder here for Defrag:


-Then created filters for each shown here:

(I know .msc isn't an executable but it was one attempt at getting this to work.)





-Next I created a Policy


I then added my "Test Pig" to that collection, updated the client's agent and tested. No luck. I have spent 2 days on this and defrag still won't run.

NOTE: I created a filter for mmc.exe to run with admin rights for testing purposes and added it to the Defrag policy. Now when I start Defrag I get the pop-up message that mmc.exe was started with elevated rights, yet defrag still gives me the message "You must have Administrator privileges to defragment a volume." Then I created another collection for mmc.exe, created its own policy and added the filter to the policy, then pointed it at the mmc.exe collection. Finally added the test computer to that collection too and tested...no go still.

I'm sure I'm missing something trivial but I'm at a loss. HELP!

treyjack is offline   Reply With Quote
Old 04-24-2008, 05:37 PM   #2 (permalink)
 
Status: Junior Altiris Admin
Join Date: 08-27-2007
Location: Work
Posts: 14


Anyone?
treyjack is offline   Reply With Quote
Old 04-24-2008, 07:22 PM   #3 (permalink)
 
 
Status: Altiris Architect (Site Founder)
Join Date: 01-01-2005
Location: RDU, North Carolina, USA
Posts: 4,800


Treyjack,

I'm away from my office right now so I can't test it in my lab to compare for you.

Everything appears right though. Just as a thought though, have you tried using the policy without the %SystemRoot% variable?
__________________
Scire potentia est (knowledge is power)
Nick is offline   Reply With Quote
Old 04-25-2008, 09:31 AM   #4 (permalink)
 
Status: Junior Altiris Admin
Join Date: 08-27-2007
Location: Work
Posts: 14


Quote:
Originally Posted by Nick
Treyjack,

I'm away from my office right now so I can't test it in my lab to compare for you.

Everything appears right though. Just as a thought though, have you tried using the policy without the %SystemRoot% variable?

Yep, I've tried without the variable and even with that line blank so the filter wouldn't be as specific. I've tried just about every different way I can think of.
treyjack is offline   Reply With Quote
Old 04-25-2008, 03:55 PM   #5 (permalink)
 
Status: Junior Altiris Admin
Join Date: 08-27-2007
Location: Work
Posts: 14


What is Stage 2 Processing BTW?
treyjack is offline   Reply With Quote
Old 06-24-2008, 12:15 PM   #6 (permalink)
 
Status: Altiris Admin
Join Date: 01-03-2006
Location: Wisconsin
Age: 33
Posts: 61


Stage 2 Processing

According to the documentation:

Make the application subject to policies applicable to its
parent application. That is, the application that spawned
the process applicable to this policy.

I wish they would follow that up with a "for example". In my setup I do not have Stage 2 Processing enabled for any of my policies, and I'm not really clear on when I might want to.

As far as the issue that you are having, are you using Inventory Filtering in conjunction with some Dynamic Filters? I'm wondering if you have another policy getting applied after your "Add Administrative Rights" policy. The best way to determine that is to enable a message for all of your policies. You already have a message pop up for the Administrative Rights policy. You can also add a message to your "Allow Whitelist Execution", "Deny Blacklist Execution", etc. If you have more than one policy getting applied then you'll see several balloon tips pop up in sequence. This is great for troubleshooting, but terrible for end-users.

I'm curious, are you running 6.0 or 6.1? Version 6.1 added some really great features, although I still need to figure some of them out.
__________________
Jesse Kozikowski - Server Analyst II - Altiris Certified Engineer
Aspirus Wausau Hospital
jessek is offline   Reply With Quote