Applying software restriction policies

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Software restriction policies use rules to identify and control how software runs. You can identify a software program by its hash, certificate, or path or by the Internet zone where it resides. After the software is identified, you can decide whether or not to allow it to run. For more information, see Security levels and additional rules.

Software restriction policies can apply to computers or users, depending on whether you define them under Computer Configuration or under User Configuration in the GPO. Computer settings are enforced for every user who logs on to that computer; user settings follow the user to whichever computer they log on to. For more information, see Open Software Restriction Policies.

You apply software restriction policies through Group Policy. You apply the policy settings to a Group Policy object (GPO), which is linked to your local computer, site, domain, or organizational unit. If more than one policy setting applies, the policy settings are in the following order of precedence, from lowest to highest:

  • Local computer policy

  • Site policy

  • Domain policy

  • Organizational-unit policy

For example, for a workstation that is joined to a domain, the domain policy settings override the local security policy settings for the workstation's software restriction policies wherever there is a conflict. Likewise, if the same workstation is in an organizational unit, the policy settings that are applied from the organizational unit policy override both the domain policy settings and the local policy settings wherever there is a conflict. If the workstation is in a nested organizational unit (an organizational unit inside another), the policy settings of the organizational unit that immediately contains the workstation have the highest precedence, because GPOs linked to the inner organizational unit are applied last. For more information, see Group Policy (pre-GPMC).

To check the precedence of policy when more than one GPO is applied, you can use Resultant Set of Policy (RSoP). For more information, see Resultant Set of Policy.

Computer policy settings are applied when the computer starts, and user policy settings are applied when the user logs on. After that, modified policy settings are refreshed in the background every 90 minutes (plus a random offset of up to 30 minutes) on a workstation or member server and every 5 minutes on a domain controller. Security settings, which include software restriction policies, are also reapplied every 16 hours, whether or not they have changed. To apply a change immediately, run the command-line utility gpupdate, and then log off from and log on to your computer so that user settings are reapplied as well. Note that a refreshed software restriction policy is checked when a program is started, so programs that were already running before the refresh are not affected until they are restarted. For more information, see Gpupdate.
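The following script is an added example and is not part of the original page. It performs the check a practitioner wants after linking a software restriction policy GPO and refreshing policy: force a refresh with gpupdate, read the effective software restriction policy that the Group Policy client wrote to the registry for both the computer scope (HKLM) and the user scope (HKCU), decode the default security level and the enforcement options, list the path and hash rules, and finally show the applied GPOs and their precedence from gpresult. It assumes Windows PowerShell 2.0 or later is installed on the computer (PowerShell is not part of Windows Server 2003 itself) and that the session can read HKLM, which ordinary users can do by default. The registry paths and value names are the ones the Software Restriction Policies client-side extension uses; certificate and Internet zone rules are not listed by this script.

```powershell
# Added example: report the effective Software Restriction Policies on this computer.
# Assumes Windows PowerShell 2.0+ is installed (not included with Windows Server 2003).

# Registry roots written by the Software Restriction Policies client-side extension.
# HKLM holds Computer Configuration settings, HKCU holds User Configuration settings.
$saferRoots = @{
    'Computer Configuration' = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    'User Configuration'     = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
}

# Security levels as stored in the DefaultLevel value; the same numbers name the
# per-level subkeys that hold the additional rules.
$levelNames = @{
    0      = 'Disallowed'
    131072 = 'Basic User'    # 0x20000
    262144 = 'Unrestricted'  # 0x40000
}

function Get-SaferRules {
    param([string]$Root)

    foreach ($level in $levelNames.Keys) {
        $levelKey = Join-Path $Root $level
        if (-not (Test-Path $levelKey)) { continue }

        # Path rules: one subkey per rule under <level>\Paths; ItemData is the path.
        Get-ChildItem (Join-Path $levelKey 'Paths') -ErrorAction SilentlyContinue | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            New-Object PSObject -Property @{
                Level = $levelNames[$level]; Type = 'Path'
                Target = $p.ItemData; Description = $p.Description
            }
        }
        # Hash rules: ItemData is the raw hash (REG_BINARY), FriendlyName is the
        # text the administrator entered when the rule was created.
        Get-ChildItem (Join-Path $levelKey 'Hashes') -ErrorAction SilentlyContinue | ForEach-Object {
            $h = Get-ItemProperty $_.PSPath
            New-Object PSObject -Property @{
                Level = $levelNames[$level]; Type = 'Hash'
                Target = ($h.ItemData | ForEach-Object { $_.ToString('x2') }) -join ''
                Description = $h.FriendlyName
            }
        }
    }
}

# 1. Pull the latest policy now. /force reapplies settings even if the GPO version
#    number has not changed since the last refresh.
gpupdate /force | Out-Null

# 2. Report the effective policy for each scope.
foreach ($scope in $saferRoots.Keys) {
    $root = $saferRoots[$scope]
    Write-Host "== $scope =="
    if (-not (Test-Path $root)) {
        Write-Host '  No software restriction policy is applied in this scope.'
        continue
    }
    $cfg = Get-ItemProperty $root
    $default = $levelNames[[int]$cfg.DefaultLevel]
    Write-Host "  Default security level : $default"
    Write-Host "  Enforcement            : TransparentEnabled=$($cfg.TransparentEnabled) (1 = all files except libraries, 2 = all files including DLLs)"
    Write-Host "  Applies to             : PolicyScope=$($cfg.PolicyScope) (0 = all users, 1 = all users except local administrators)"
    Get-SaferRules -Root $root | Format-Table Level, Type, Target, Description -AutoSize
}

# 3. Resultant Set of Policy: which GPOs supplied the computer settings, listed in
#    the order they were applied (the last one listed has the highest precedence).
gpresult /scope computer /v | Select-String -Pattern 'Applied Group Policy Objects' -Context 0,10
```

Run the script in an elevated session on the target computer after linking the GPO. If the Computer Configuration root is missing even though a GPO with software restriction policies is linked to the computer's domain or organizational unit, compare the gpresult output against the precedence order above: a GPO that does not appear under Applied Group Policy Objects has usually been filtered by security group membership or blocked by a higher-precedence setting rather than failed to refresh.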