Problem: Users cannot log on

Applies To: Windows 7, Windows Server 2008 R2

This topic describes steps to remedy the problem when users cannot log on to a computer that has had AppLocker policies applied.

Explanation

The AppLocker rules are too restrictive. The rules restrict applications and other executable files located in the Windows directory from running, which prevents crucial processes from starting properly.

Solution

If you are using Group Policy to set AppLocker policies, on the server, change the Group Policy setting that is affecting the target computer. Wait a few minutes, and then restart the client computer to allow the shell component to load properly. If you are using the Local Security Policy snap-in to set AppLocker policies, use the following procedure to fix the problem.

To create default AppLocker rules

  1. To restart the computer in Safe Mode, as the computer is starting, press and hold the F8 key or tap the F8 key continuously until the Advanced Boot Options menu is displayed.

  2. After restarting the computer in Safe Mode, click Start, type secpol.msc in the Search programs and files, and then press ENTER.

  3. In the console tree, expand Application Control Policies, and then expand AppLocker.

  4. Right-click Executable Rules, and then click Create Default Rules.

  5. Verify that the default rules for the Program Files and Windows folders are created, and then restart the computer.

Note

You may need to restart the computer two times to assure that the rules are applied properly.