How to Temporarily Disable Software Restriction Policies in Active Directory Without Blocking GPO Inheritance

After implementing Software Restriction Policies (SRP) to combat ransomware threats like Cryptolocker, we faced an operational challenge during software deployments. The policies blocking execution from %TEMP% directories were causing installation failures since most installers heavily rely on temporary folders.

Our hierarchical Active Directory environment makes traditional solutions impractical:

  • Multi-site OU structure with inherited GPOs
  • 200+ domain-joined Windows 7 clients
  • Server 2008 R2 functional level
  • Impossible to restructure OUs due to operational impact

Common approaches we tried and why they didn't work:

# Attempted inverse policy (didn't override parent GPO)
Get-GPO -Name "SRP_Override" | Set-GPPermission -TargetName "Installers" -TargetType Group -PermissionLevel GpoApply

The RSOP results showed conflicting rules where disallow always took precedence over unrestricted.

Here's the working approach we implemented:

# WMI filter for the SRP GPO: TRUE on normal computers, FALSE on computers
# renamed with the INSTALL- prefix (WQL wildcard is %, Name is the NetBIOS name)
$filterName = "SRP_Installation_Mode"
$filterQuery = "SELECT * FROM Win32_ComputerSystem WHERE NOT Name LIKE 'INSTALL-%'"
# New-GPWmiFilter is not in the built-in GroupPolicy module; it comes from the
# community GPWmiFilter module (otherwise create the filter in GPMC)
New-GPWmiFilter -Name $filterName -Query $filterQuery

Implementation steps:

  1. Create security group for installation technicians
  2. Link SRP GPO with WMI filter excluding installation mode
  3. Prefix computer names with "INSTALL-" during maintenance

For environments without naming conventions:

# PowerShell script to toggle SRP via registry on the local machine. The value
# lives under the Policies hive, so the next Group Policy refresh re-applies the
# domain setting; the scheduled task below only covers the gap in between.
$registryPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
$originalValue = (Get-ItemProperty -Path $registryPath).DefaultLevel
# DefaultLevel: 0 = Disallowed, 0x20000 = Basic User, 0x40000 = Unrestricted
Set-ItemProperty -Path $registryPath -Name "DefaultLevel" -Value 0x40000 -Type DWord

# Create scheduled task to revert after 2 hours (the ScheduledTasks cmdlets need
# Windows 8 / Server 2012 or later; on Windows 7 use schtasks.exe instead)
$revert = "Set-ItemProperty -Path '$registryPath' -Name 'DefaultLevel' -Value $originalValue -Type DWord"
$action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-NoProfile -Command `"$revert`""
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).AddHours(2)
Register-ScheduledTask -TaskName "SRP_Revert" -Action $action -Trigger $trigger -User "SYSTEM" -RunLevel Highest

Always validate your configuration:

# RSOP verification command
gpresult /h SRP_Report.html /scope computer

# Check which GPOs the computer evaluated and whether each one's WMI filter passed
Get-WmiObject -Namespace "root\RSOP\Computer" -Class RSOP_GPO |
    Where-Object { $_.name -like "*SRP*" } | Select-Object name, filterId, filterAllowed

When implementing Software Restriction Policies (SRPs) to combat ransomware threats like Cryptolocker, administrators often face a dilemma during software installations. The very policies designed to protect systems can prevent legitimate installers from accessing temporary directories. In our multi-site Active Directory environment with complex GPO inheritance, we need a surgical approach to temporarily disable specific SRPs without disrupting other essential policies.

Before implementing solutions, it's crucial to understand the order in which GPOs are processed:

1. Local Group Policy
2. Site-level GPOs
3. Domain-level GPOs
4. OU-level GPOs (parent to child)
5. Enforced GPOs (with highest priority)
6. Loopback processing (if enabled)

Here are three effective methods to temporarily bypass specific GPOs:

1. Security Filtering with Group

Create a security group and modify the GPO's security filtering:

# PowerShell to create the bypass group and give it a Deny on "Apply Group Policy"
# for the SRP GPO. Set-GPPermission cannot write Deny ACEs, so the ACE is added to
# the GPO's AD object directly; Authenticated Users keeps its normal Apply permission.
New-ADGroup -Name "GPO_SRP_Bypass" -GroupScope Global -Path "OU=AdminGroups,DC=domain,DC=com"
$gpoName = "SRP_Block_Temp_Dirs"
$gpo = Get-GPO -Name $gpoName
$groupSID = (Get-ADGroup "GPO_SRP_Bypass").SID
$gpoDN = "CN={$($gpo.Id)},CN=Policies,CN=System,$((Get-ADDomain).DistinguishedName)"
$applyGroupPolicy = [Guid]"edacfd8f-ffb3-11d1-b41d-00a0c968f939"   # Apply-Group-Policy extended right
$acl = Get-Acl -Path "AD:\$gpoDN"
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
    $groupSID, "ExtendedRight", "Deny", $applyGroupPolicy))
Set-Acl -Path "AD:\$gpoDN" -AclObject $acl

2. WMI Filtering for Temporary Override

Create a WMI filter that evaluates to FALSE during maintenance windows:

# WQL query for the WMI filter (create it in GPMC as "NormalOperationsFilter")
SELECT * FROM Win32_ComputerSystem WHERE NOT Name LIKE '%MAINT%'

# PowerShell to link the filter to the GPO: the GroupPolicy module has no cmdlet
# for this, so write the GPO's gPCWQLFilter attribute directly
$domain = Get-ADDomain
$som = Get-ADObject -LDAPFilter "(msWMI-Name=NormalOperationsFilter)" `
    -SearchBase "CN=SOM,CN=WMIPolicy,CN=System,$($domain.DistinguishedName)" -Properties msWMI-ID
$gpoDN = "CN={$((Get-GPO -Name 'SRP_Block_Temp_Dirs').Id)},CN=Policies,CN=System,$($domain.DistinguishedName)"
Set-ADObject -Identity $gpoDN -Replace @{gPCWQLFilter = "[$($domain.DNSRoot);$($som.'msWMI-ID');0]"}

3. Temporary OU with Inheritance Blocking

For targeted workstations, use this PowerShell script to create temporary OUs:

# Replace {GUID} with the ID of the override GPO (Get-GPO -Name <name> | Select-Object Id)
$domainDN = (Get-ADDomain).DistinguishedName
$siteOUs = Get-ADOrganizationalUnit -Filter * | Where-Object {$_.Name -like "Site*"}
foreach ($ou in $siteOUs) {
    # -PassThru returns the new OU object; a temporary OU should not be protected from deletion
    $tempOU = New-ADOrganizationalUnit -Name "TEMP_SRP_Override" -Path $ou.DistinguishedName `
        -ProtectedFromAccidentalDeletion $false -PassThru
    Set-ADObject -Identity $tempOU -Replace @{gpLink="[LDAP://CN={GUID},CN=Policies,CN=System,$domainDN;0]"}
    Set-GPInheritance -Target $tempOU.DistinguishedName -IsBlocked Yes
    # Move the target workstations into $tempOU (Move-ADObject) and refresh policy on them
}

Always verify your changes with these commands:

# RSOP for a specific computer (/s is gpresult's remote system switch)
gpresult /s TargetPC01 /scope computer /r

# Refresh the target and pull its RSoP logging report
Invoke-GPUpdate -Computer TargetPC01 -Force
Get-GPResultantSetOfPolicy -Computer TargetPC01 -ReportType Html -Path "C:\Reports\RSOP.html"

For frequent software deployments, consider this automated approach:

function Disable-SRPGPO {
    param(
        [Parameter(Mandatory)][string[]]$ComputerNames,
        [int]$DurationMinutes = 60
    )

    # Add the computer accounts to the bypass group (a computer's sAMAccountName ends in $)
    $accounts = $ComputerNames | ForEach-Object { '{0}$' -f $_ }
    Add-ADGroupMember -Identity "GPO_SRP_Bypass" -Members $accounts

    # A computer only sees its new group membership in a fresh Kerberos ticket,
    # so purge the machine (SYSTEM logon session) tickets before refreshing policy
    Invoke-Command -ComputerName $ComputerNames -ScriptBlock {
        klist -li 0x3e7 purge | Out-Null
        gpupdate /force
    }

    # Schedule removal from the group; the job runs later in its own process,
    # so the account names are passed as an argument rather than captured
    $jobScript = {
        param([string[]]$Names)
        Import-Module ActiveDirectory
        Remove-ADGroupMember -Identity "GPO_SRP_Bypass" -Members $Names -Confirm:$false
    }
    $trigger = New-JobTrigger -Once -At (Get-Date).AddMinutes($DurationMinutes)
    Register-ScheduledJob -Name "ReenableSRP_$(Get-Date -Format yyyyMMddHHmmss)" `
        -ScriptBlock $jobScript -ArgumentList (,$accounts) -Trigger $trigger
}
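Both posts end with "validate your configuration", but neither checks that a bypass window has actually closed. The following is an added example, not code from either post: it reports, per computer, the effective SRP DefaultLevel, whether the machine is still in the GPO_SRP_Bypass group from the answer, and how many SRP block events the Application log recorded. It assumes WinRM access and the ActiveDirectory module; the function name and computer names are illustrative.

```powershell
# Added example: audit the state of the SRP bypass on a list of computers.
# Assumes the "GPO_SRP_Bypass" group described above; names are illustrative.
function Get-SRPBypassState {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [int]$LookbackHours = 24
    )
    # DefaultLevel values written by the SRP policy
    $levelNames = @{ 0 = 'Disallowed'; 0x20000 = 'BasicUser'; 0x40000 = 'Unrestricted' }
    $bypassMembers = Get-ADGroupMember -Identity 'GPO_SRP_Bypass' |
        Select-Object -ExpandProperty name

    foreach ($pc in $ComputerName) {
        $state = Invoke-Command -ComputerName $pc -ArgumentList $LookbackHours -ScriptBlock {
            param($Hours)
            $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
            # Null when no SRP policy is applied to this machine at all
            $level = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).DefaultLevel
            # SRP logs each blocked execution to the Application log as event 866
            # from source "SoftwareRestrictionPolicies"
            $blocks = Get-WinEvent -FilterHashtable @{
                LogName      = 'Application'
                ProviderName = 'SoftwareRestrictionPolicies'
                Id           = 866
                StartTime    = (Get-Date).AddHours(-$Hours)
            } -ErrorAction SilentlyContinue
            [pscustomobject]@{ DefaultLevel = $level; BlockEvents = @($blocks).Count }
        }

        $levelName = if ($null -eq $state.DefaultLevel) { 'NotConfigured' }
                     else { $levelNames[[int]$state.DefaultLevel] }
        [pscustomobject]@{
            Computer      = $pc
            DefaultLevel  = $levelName
            InBypassGroup = $bypassMembers -contains $pc
            BlockEvents   = $state.BlockEvents
            # A machine still in the bypass group, or running Unrestricted,
            # outside a maintenance window is a finding to follow up on
            Finding       = ($bypassMembers -contains $pc) -or ($state.DefaultLevel -eq 0x40000)
        }
    }
}

# Usage (illustrative computer names):
Get-SRPBypassState -ComputerName 'WS01', 'WS02' | Format-Table -AutoSize
```

Run it at the end of every maintenance window; a non-zero BlockEvents count on a machine that was supposed to be in bypass, or a Finding of True on one that was not, points at a group membership or policy refresh that did not take effect.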