Hello Adarsh,
Thank you for posting your question on the Microsoft Windows Forum.
Based on your query, you are creating a GPO to block PowerShell on computer objects and add an exception for a specific security group using Software Restriction Policy and AppLocker, but it is not working as expected. The following points need to be considered when implementing the above methods.
1. Check the prerequisites for implementing AppLocker.
- Windows Enterprise or Education edition for client machines, or Windows Server.
- The Application Identity service must be running on client machines. Set it to Automatic startup via GPO if it's not already.
- A dedicated security group in Active Directory for users who should be allowed to use PowerShell (e.g., "SG-PowerShell-Admins").
2. The following are potential reasons for AppLocker not working as expected.
- Missing Default Rules: If you didn't create default rules, AppLocker will block almost everything, which can break your system or make it appear that the policy isn't working for exceptions.
- Incorrect Enforcement: Ensure AppLocker is set to "Enforce rules" for Executable and Script rules.
- Application Identity Service: This service must be running for AppLocker to function.
- Incorrect Scope: The GPO might not be linked to the correct OU, or security filtering might be misconfigured.
- Not targeting Computer Configuration: AppLocker rules should generally be applied to computers, not users, when blocking executables.
3. The following are potential reasons for Software Restriction Policy not working as expected.
- Missing All Paths: PowerShell exists in multiple locations and architectures (32-bit and 64-bit). You need to block all of them.
- Incorrect Exception Method: SRP doesn't have an "exception" tab within the rule itself for specific users/groups. You achieve exceptions by denying the "Apply Group Policy" permission to the exempt security group at the GPO's security filtering level. This means the GPO effectively doesn't apply to those users.
- GPO Processing Order: Ensure the GPO is linked to the correct OU and that no other GPO is overriding its settings.
- Reboot Required: SRP changes often require a reboot to take full effect.
You can refer to the following articles for instructions on implementing the above methods.
- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/applocker/configure-exceptions-for-an-applocker-rule
- https://learn.microsoft.com/en-us/windows-server/identity/software-restriction-policies/work-with-software-restriction-policies-rules
- https://activedirectorypro.com/disable-powershell-with-group-policy/
Hope the above information is helpful!
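As an added example (not part of the answer above or of any Microsoft documentation), the following script checks the AppLocker prerequisites and failure causes listed in points 1 and 2 on a client: the Application Identity service, the enforcement mode of the Exe and Script collections, and the effective decision for each PowerShell host binary (32-bit and 64-bit) for an ordinary user versus the exempt group. The domain name, the group "SG-PowerShell-Admins" and the user "jdoe" are assumed placeholders.

```powershell
# Added verification script; run in an elevated Windows PowerShell session on a
# domain-joined client after a gpupdate. Requires the AppLocker module, which is
# present on Windows Enterprise/Education and Windows Server.

$ExemptGroup = 'CONTOSO\SG-PowerShell-Admins'   # assumed: group allowed to run PowerShell
$TestUser    = 'CONTOSO\jdoe'                   # assumed: ordinary user who should be blocked

# 1. The Application Identity service must be running and set to Automatic,
#    otherwise AppLocker silently enforces nothing.
$svc = Get-Service -Name AppIDSvc
[pscustomobject]@{
    Service   = $svc.Name
    Status    = $svc.Status      # expected: Running
    StartType = $svc.StartType   # expected: Automatic
} | Format-Table -AutoSize

# 2. Every PowerShell host binary, both architectures, plus the ISE and
#    PowerShell 7 if it happens to be installed. Missing one leaves a bypass.
$psHosts = @(
    "$env:windir\System32\WindowsPowerShell\v1.0\powershell.exe",
    "$env:windir\System32\WindowsPowerShell\v1.0\powershell_ise.exe",
    "$env:windir\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
    "$env:windir\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe",
    "$env:ProgramFiles\PowerShell\7\pwsh.exe"
) | Where-Object { Test-Path -Path $_ }

# 3. Read the policy the client actually received (merged from all linked GPOs),
#    which is what matters when scope or link order is the problem.
$effective = Get-AppLockerPolicy -Effective

# Exe and Script collections must show EnforcementMode = Enabled;
# AuditOnly or NotConfigured means the block is not applied.
$effective.RuleCollections |
    Select-Object RuleCollectionType, EnforcementMode |
    Format-Table -AutoSize

# 4. Simulate the decision for the ordinary user and for the exempt group.
#    A Deny rule always wins over Allow, so the exempt group should show no
#    matching Deny rule while the ordinary user shows Denied on every host.
foreach ($principal in @($TestUser, $ExemptGroup)) {
    Test-AppLockerPolicy -PolicyObject $effective -Path $psHosts -User $principal |
        Select-Object @{ n = 'Principal'; e = { $principal } },
                      FilePath, PolicyDecision, MatchingRule |
        Format-Table -AutoSize
}
```

If every host shows Allowed for the ordinary user even though a Deny rule exists, check the Application Identity service and the enforcement mode first; if the exempt group is also Denied, the Deny rule is scoped to a group that still contains those users.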