Hi, I searched the forum without getting an appropriate answer.
I'm using Windows 7 / Windows Server 2008 R2 and I created a policy for AppLocker to restrict the usage of cmd.exe to a certain user group. Therefore I created two Executable Rules:
1. Allow / Everyone / All files in folder "Windows" / Path / Exception: %system32%\cmd.exe
2. Allow / CMD-Users / %System32%\cmd.exe
So far, so good - "CMD-Users" may execute cmd.exe, all the other users may not. Just like expected.
On the other hand I created the following Script Rules:
1. Allow / Everyone / (Default Rule) / All scripts in folder "Program Files"
2. Allow / Everyone / (Default Rule) / All scripts in folder "Windows"
The result is that only members of the "CMD-Users" group may start scripts from "Program Files" or "Windows". Users who are not in the "CMD-Users" group are not allowed to run any scripts from those folders.
How can I configure that users who are not in the "CMD-Users" group may not start cmd.exe but are allowed to run scripts (especially cmd and bat scripts)? Or does the executable rule override the script rule?
Thanks in advance,
Thomas
Kind regards, Thomas
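An added example (not from the poster) for checking what the effective AppLocker policy decides for one user against cmd.exe and a batch file, and which rule made the decision; the user name CONTOSO\alice and the path C:\Windows\test.bat are placeholders.

```powershell
# Added example, not from the original post: evaluate the effective AppLocker
# policy for one user against cmd.exe and a .bat file.
# Assumptions (placeholders): test user 'CONTOSO\alice' and a sample batch
# file at $env:SystemRoot\test.bat; adjust both before running.
$user    = 'CONTOSO\alice'
$targets = @("$env:SystemRoot\System32\cmd.exe", "$env:SystemRoot\test.bat")

# Export the effective (merged local + domain) policy as XML.
$policyXml = Get-AppLockerPolicy -Effective -Xml
$tmp = Join-Path $env:TEMP 'effective-applocker.xml'
$policyXml | Set-Content -Path $tmp -Encoding UTF8

# PolicyDecision shows Allowed/Denied per file; MatchingRule names the rule
# that produced that decision, so a denial can be traced to its collection.
Test-AppLockerPolicy -XmlPolicy $tmp -Path $targets -User $user |
    Select-Object FilePath, PolicyDecision, MatchingRule |
    Format-Table -AutoSize

# List the Script collection's path rules to confirm the .bat is covered
# by a Script rule and not only by the Executable collection.
$xml = [xml]$policyXml
$xml.AppLockerPolicy.RuleCollection |
    Where-Object Type -eq 'Script' |
    ForEach-Object { $_.FilePathRule | Select-Object Name, UserOrGroupSid, Action }
```

Batch files are executed by cmd.exe itself, so a user denied cmd.exe by the Executable collection cannot run a .bat whatever the Script rules say; the decision table above shows which rule produced each result.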