I am trying to get a simple case working. I have a hash rule set to in a GPO for software restriction. Then I have a second GPO with scope of one security group. I have the same hash rule set to allow. I have also set the second GPO to precedence. I am still getting deny with the security group. However if I completely remove the deny rule from the first GPO and set the rule in the second to deny then I get a deny within that security group. What am I overlooking regarding precedence? -Kevin Fjelsted deny -----Original Message----- From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx]On Behalf Of Edward VanDewars Sent: Saturday, May 07, 2005 12:31 PM To: thin@xxxxxxxxxxxxx Subject: [THIN] Re: Procedure for restricting program access by users in terminal server 2003 Look at Software Restriction Policies: http://support.microsoft.com/default.aspx?scid=kb;en-us;324036 SRP works at the OU level via a GPO but it will do what you want and I think it is awesome in "default deny" mode where you specify only what you want to run. Just be sure to test your rule set before deploying it. On 5/7/05, Kevin R. Fjelsted <kfjelsted@xxxxxxxxxxxxxx> wrote: > > > I am interested in documentation and other resources that will describe > procedures for restricting program access by user under windows 2003. > The scenario is that we have performed a lockdown under group policy for the > terminal server within a domain. > Now we have created security groups that various groupings of users are then > added as members. > We want to permit or deny access to installed programs based on whether a > particular user is a member of a particular security group. > Version of active directory is windows 2003 enhanced and we are running > terminal server 2003. > Please advise and post to the list for all to view. > Thanks. > -Kevin Fjelsted > ******************************************************** This Weeks Sponsor: ThinPrint GmbH Now available: The new version .print Engine 6.2 with SSL encryption and certificate management. http://www.thinprint.com ********************************************************** Useful Thin Client Computing Links are available at: http://thin.net/links.cfm ThinWiki community - Excellent SBC Search Capabilities! http://www.thinwiki.com *********************************************************** For Archives, to Unsubscribe, Subscribe or set Digest or Vacation mode use the below link: http://thin.net/citrixlist.cfm ******************************************************** This Weeks Sponsor: ThinPrint GmbH Now available: The new version .print Engine 6.2 with SSL encryption and certificate management. http://www.thinprint.com ********************************************************** Useful Thin Client Computing Links are available at: http://thin.net/links.cfm ThinWiki community - Excellent SBC Search Capabilities! http://www.thinwiki.com *********************************************************** For Archives, to Unsubscribe, Subscribe or set Digest or Vacation mode use the below link: http://thin.net/citrixlist.cfm