Hi all,
We use a Software Restrictions GPO to block users running an application on our network. We do have some users though who are allowed to run this application so we add them to an AD group which has deny permissions on the Software Restrictions GPO, hence the GPO does not apply, hence they can run the application.
All is good apart from when someone disconnected to the network (i.e. working from home) decides they need to run the application. Although their account is added to the AD group, because they are disconnected nothing updates on their machine and they still cannot run the application.
We advise that they need to visit the office, connect to the network so that AD Group Membership and Policy can update but some users object especially when they might not be planning to visit the office for some time.
Is there anyway we can work around this without too much of a compromise?