How to Temporarily Disable Software Restriction Policies in Active Directory Without Blocking GPO Inheritance



After implementing Software Restriction Policies (SRP) to combat ransomware threats like Cryptolocker, we faced an operational challenge during software deployments. The policies blocking execution from %TEMP% directories were causing installation failures since most installers heavily rely on temporary folders.

Our hierarchical Active Directory environment makes traditional solutions impractical:

  • Multi-site OU structure with inherited GPOs
  • 200+ domain-joined Windows 7 clients
  • Server 2008 R2 functional level
  • Impossible to restructure OUs due to operational impact

Common approaches we tried and why they didn't work:

# Attempted inverse policy: a second GPO ("SRP_Override") carrying an Unrestricted rule for the
# temp folders, security-filtered to an "Installers" group (it did not override the parent GPO)
Get-GPO -Name "SRP_Override" | Set-GPPermission -TargetName "Installers" -TargetType Group -PermissionLevel GpoApply

The RSOP report listed both GPOs, but the installers were still blocked. SRP resolves conflicts by rule specificity, and when two rules of equal specificity match the same path it applies the more restrictive one, so the parent GPO's Disallowed rule for the temp folders always beat the Unrestricted rule in the override GPO.

Here's the working approach we implemented:

# WMI filter that excludes machines in "installation mode". A GPO with a WMI filter is applied
# only where the query returns at least one instance, so the name test must be negated:
# the filter below is TRUE on every computer whose name does NOT start with "INSTALL-".
# New-GPWmiFilter is not part of the built-in GroupPolicy module (it comes from a community
# module); the same filter can be created in GPMC under WMI Filters, namespace root\CIMv2.
$filterName = "SRP_Installation_Mode"
$filterQuery = "SELECT * FROM Win32_ComputerSystem WHERE NOT Name LIKE 'INSTALL-%'"
New-GPWmiFilter -Name $filterName -Query $filterQuery

Implementation steps:

  1. Create a security group for installation technicians (delegate them the right to rename and reboot the affected computers)
  2. Link the WMI filter to the SRP GPO so the GPO is skipped on computers in installation mode
  3. Rename the computer to an "INSTALL-" prefixed name for the maintenance window (a domain computer rename requires a reboot, and the filter is re-evaluated at the next policy refresh), then rename it back and refresh policy when the installation is done

For environments where a rename is not an option, the policy can be toggled on the client itself. This is a local edit of a key that Group Policy owns, so it only lasts until the next policy refresh (every 90 minutes plus a random offset by default) rewrites it:

# PowerShell script to toggle SRP via registry (run elevated on the client)
# DefaultLevel values: 0 = Disallowed, 0x20000 = Basic User, 0x40000 (262144) = Unrestricted.
# Writing 0 would tighten the policy to "everything disallowed"; Unrestricted is what we want here.
$registryPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
$originalValue = (Get-ItemProperty -Path $registryPath -Name DefaultLevel).DefaultLevel
Set-ItemProperty -Path $registryPath -Name "DefaultLevel" -Value 0x40000 -Type DWord

# Create a scheduled task, running as SYSTEM, to revert after 2 hours. $originalValue is expanded
# into the command string now, so the task carries the value to restore.
# (The ScheduledTasks cmdlets need Windows 8 / Server 2012 or later; on Windows 7 use schtasks.exe.)
$revertCommand = "Set-ItemProperty -Path '$registryPath' -Name 'DefaultLevel' -Value $originalValue -Type DWord"
$action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-NoProfile -ExecutionPolicy Bypass -Command `"$revertCommand`""
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).AddHours(2)
$principal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -RunLevel Highest
Register-ScheduledTask -TaskName "SRP_Revert" -Action $action -Trigger $trigger -Principal $principal

Always validate your configuration:

# RSOP verification command (run on the client; /scope computer limits the report to Computer Configuration)
gpresult /h SRP_Report.html /scope computer

# Check which GPOs a WMI filter kept off this machine. root\rsop\Computer is the logging-mode RSOP
# namespace; RSOP_GPO.filterAllowed is False when the GPO's WMI filter rejected it.
Get-WmiObject -Namespace "root\rsop\Computer" -Class "RSOP_GPO" |
    Where-Object { $_.name -like "*SRP*" } |
    Select-Object name, enabled, filterAllowed, filterId
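RSOP tells you which GPO was applied; it does not tell you what the client is enforcing right now, which is the thing that matters once the Safer key has been edited by hand or rewritten by a policy refresh. The script below is an added example, not code from the original post: it reads the effective SRP state from the registry keys Group Policy populates (default level, DLL checking, path rules) and lists the SRP block events from the Application log, so a temporary disable can be confirmed and its expiry noticed. It assumes the standard Safer key layout (`CodeIdentifiers\<level>\Paths\<rule GUID>`) and the `Microsoft-Windows-SoftwareRestrictionPolicies` event provider used by Windows 7 and later; run it elevated on the client.

```powershell
# Added example: audit the SRP state a client is actually enforcing, plus recent SRP blocks.
$SaferRoot  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$LevelNames = @{ 0 = 'Disallowed'; 0x20000 = 'Basic User'; 0x40000 = 'Unrestricted' }

function ConvertTo-SrpLevelName([int]$Level) {
    if ($LevelNames.ContainsKey($Level)) { $LevelNames[$Level] } else { '0x{0:X}' -f $Level }
}

function Get-SrpState {
    # $null means no SRP policy has been delivered to this machine at all
    if (-not (Test-Path -Path $SaferRoot)) { return $null }
    $props = Get-ItemProperty -Path $SaferRoot

    # Path rules live under <numeric security level>\Paths\<rule GUID>; ItemData is the path,
    # so a rule that blocks %TEMP% shows up here under the "Disallowed" level
    $rules = foreach ($levelKey in Get-ChildItem -Path $SaferRoot | Where-Object { $_.PSChildName -match '^\d+$' }) {
        $ruleLevel = [int]$levelKey.PSChildName
        foreach ($ruleKey in Get-ChildItem -Path "$($levelKey.PSPath)\Paths" -ErrorAction SilentlyContinue) {
            $rule = Get-ItemProperty -Path $ruleKey.PSPath
            [pscustomobject]@{
                Level       = ConvertTo-SrpLevelName $ruleLevel
                Path        = $rule.ItemData
                Description = $rule.Description
            }
        }
    }

    [pscustomobject]@{
        DefaultLevel = ConvertTo-SrpLevelName $props.DefaultLevel
        CheckDlls    = ($props.TransparentEnabled -eq 2)   # 1 = executables only, 2 = DLLs as well
        PathRules    = @($rules)
    }
}

function Get-SrpBlockEvent {
    param([int]$Hours = 24)
    # 865 = blocked by default level, 866 = path rule, 867 = certificate rule,
    # 868 = zone rule, 882 = hash rule; all land in the Application log
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-SoftwareRestrictionPolicies'
        Id           = 865, 866, 867, 868, 882
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
}

# Usage: before and after toggling DefaultLevel, and again after the next policy refresh
$state = Get-SrpState
if ($null -eq $state) { 'No SRP policy present on this machine' }
else {
    $state | Select-Object DefaultLevel, CheckDlls | Format-List
    $state.PathRules | Format-Table -AutoSize
}
Get-SrpBlockEvent -Hours 2 | Format-Table -AutoSize
```

If `DefaultLevel` reads back as `Unrestricted` while the RSOP report still shows the SRP GPO as applied, the local override is in place and will be undone at the next refresh; if the installer still fails, the `PathRules` list and the 866 events show which specific rule caught it.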

To restate the requirement: the SRP rules that keep ransomware such as Cryptolocker out of %TEMP% also stop legitimate installers from running out of it. In a multi-site Active Directory with layered GPO inheritance, we need a surgical way to switch off one SRP GPO for a few machines and a limited time without disturbing the other policies they receive.

Before choosing a method, it's worth recalling the order in which GPOs are processed:

1. Local Group Policy
2. Site-level GPOs
3. Domain-level GPOs
4. OU-level GPOs (parent OU first, then each child OU; a later-applied GPO wins on conflicting settings, which is why a child-OU override normally works)
5. Enforced links (applied last, so they win over everything above, and Block Inheritance does not stop them)
6. Loopback processing, if enabled (only changes how User Configuration is chosen; the SRP settings here live under HKLM, i.e. Computer Configuration, so loopback does not help)
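Before picking one of the three methods below it pays to know exactly which link delivers the SRP GPO to a given computer and whether that link is Enforced: an Enforced link defeats Block Inheritance (method 3) but not security filtering or WMI filtering (methods 1 and 2). The script below is an added example, not part of the original post. It assumes RSAT with the ActiveDirectory and GroupPolicy modules and that the computer sits in an OU (Get-GPInheritance does not accept the default Computers container); `TargetPC01` and `SRP_Block_Temp_Dirs` are placeholder names.

```powershell
# Added example: list a computer's inherited GPO links in precedence order and flag Enforced ones.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Get-ComputerGpoLinks {
    param([Parameter(Mandatory)][string]$ComputerName)
    $dn = (Get-ADComputer -Identity $ComputerName).DistinguishedName
    # Parent container DN: everything after the first RDN
    $container = $dn.Substring($dn.IndexOf(',') + 1)
    # InheritedGpoLinks already comes back in precedence order: index 0 wins on conflict
    $inheritance = Get-GPInheritance -Target $container
    $precedence = 0
    foreach ($link in $inheritance.InheritedGpoLinks) {
        $precedence++
        [pscustomobject]@{
            Precedence = $precedence
            GpoName    = $link.DisplayName
            LinkedTo   = $link.Target
            Enforced   = $link.Enforced
            Enabled    = $link.Enabled
        }
    }
}

function Test-GpoLinkEnforced {
    # True if any link delivering $GpoName to the computer is Enforced
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$GpoName
    )
    $links = Get-ComputerGpoLinks -ComputerName $ComputerName | Where-Object { $_.GpoName -eq $GpoName }
    return [bool]($links | Where-Object { $_.Enforced })
}

# Usage (placeholder names)
Get-ComputerGpoLinks -ComputerName 'TargetPC01' | Format-Table -AutoSize
if (Test-GpoLinkEnforced -ComputerName 'TargetPC01' -GpoName 'SRP_Block_Temp_Dirs') {
    'SRP link is Enforced: Block Inheritance on a child OU will not remove it; use filtering instead'
}
```

The `LinkedTo` column is the site, domain or OU DN the link lives on, which is where any security-filtering or WMI-filter change has to be made.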

Here are three effective methods to temporarily bypass specific GPOs:

1. Security Filtering with Group

Create a security group for the computers being serviced and deny that group the Apply Group Policy right on the SRP GPO, so membership switches the GPO off for a machine. Two things to get right: the group must contain computer accounts, because SRP is a Computer Configuration setting, and Authenticated Users must keep at least Read on the GPO (since MS16-072 the computer account reads the GPO, and removing that permission breaks processing for everyone, which is not "filtering"). Set-GPPermission only writes Allow entries, so the Deny "Apply Group Policy" ACE is added in GPMC (Delegation > Advanced) or directly on the GPO's AD object; the cmdlets below create the group and let you review the resulting delegation:

# PowerShell to create the bypass group and review the GPO's delegation
New-ADGroup -Name "GPO_SRP_Bypass" -GroupScope Global -GroupCategory Security -Path "OU=AdminGroups,DC=domain,DC=com"
$gpoName = "SRP_Block_Temp_Dirs"
# Leave "Authenticated Users" with Apply: the GPO must still reach every other computer.
# The Deny "Apply Group Policy" entry for GPO_SRP_Bypass shows up here with Denied = True
# once it has been added in GPMC (Set-GPPermission cannot create Deny ACEs).
Get-GPPermission -Name $gpoName -All | Select-Object Trustee, Permission, Denied
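The Deny entry can also be scripted, which matters if the same bypass group has to be wired into several SRP GPOs across sites. The script below is an added example, not code from the original post. It assumes RSAT (ActiveDirectory and GroupPolicy modules, which also provide the `AD:` drive), that `GPO_SRP_Bypass` and `SRP_Block_Temp_Dirs` already exist, and that the caller may edit the GPO's security. The GUID is the schema-defined "Apply Group Policy" extended right, identical in every forest. The ACL Group Policy evaluates is the one on the GPO's AD object, which is what is edited here; GPMC may report the SYSVOL copy as out of sync until it is re-synced from the Delegation tab.

```powershell
# Added example: deny "Apply Group Policy" on an SRP GPO to a bypass group, and verify the ACE.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# Well-known extended right GUID for "Apply Group Policy"
$ApplyGroupPolicyRight = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'

function Deny-GPApply {
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string]$GroupName
    )
    $gpo   = Get-GPO -Name $GpoName
    $sid   = (Get-ADGroup -Identity $GroupName).SID
    $gpoAd = 'AD:\' + $gpo.Path          # DN of the GPO object under CN=Policies,CN=System
    $acl   = Get-Acl -Path $gpoAd
    $ace   = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
                 $sid,
                 [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
                 [System.Security.AccessControl.AccessControlType]::Deny,
                 $ApplyGroupPolicyRight
    $acl.AddAccessRule($ace)
    Set-Acl -Path $gpoAd -AclObject $acl
}

function Test-GPApplyDenied {
    # True if the GPO object carries an explicit Deny of "Apply Group Policy" for the group
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string]$GroupName
    )
    $gpo = Get-GPO -Name $GpoName
    $sid = (Get-ADGroup -Identity $GroupName).SID
    $acl = Get-Acl -Path ('AD:\' + $gpo.Path)
    $denies = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            $_.ObjectType -eq $ApplyGroupPolicyRight -and
            $_.IdentityReference -eq $sid
        }
    return [bool]$denies
}

# Usage
Deny-GPApply -GpoName 'SRP_Block_Temp_Dirs' -GroupName 'GPO_SRP_Bypass'
Test-GPApplyDenied -GpoName 'SRP_Block_Temp_Dirs' -GroupName 'GPO_SRP_Bypass'

# On the client: a computer's token only picks up new group membership at boot. To apply the
# change without a reboot, purge the machine account's Kerberos tickets (elevated) and refresh:
#   klist -li 0x3e7 purge
#   gpupdate /target:computer /force
```

Note the direction of the deny: the group is the exception list, so membership removes the GPO and the default (Authenticated Users, Apply) keeps it on every other computer. Denying a group is also explicit in `Get-GPPermission` output (`Denied = True`), which makes the exception auditable.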

2. WMI Filtering for Temporary Override

Create a WMI filter that evaluates to FALSE during maintenance windows. WMI filters are evaluated by the client at every policy refresh, so the GPO drops out at the first refresh after the computer matches the filter (for a name-based filter that means after the rename and reboot) and comes back at the first refresh after it stops matching:

# WQL query for the WMI filter (create it in GPMC under WMI Filters; it runs in root\CIMv2 on each client)
SELECT * FROM Win32_ComputerSystem WHERE NOT Name LIKE '%MAINT%'

# PowerShell to attach the filter to the GPO. The GroupPolicy module has no Get-WmiFilter or Set-GPO
# cmdlets; the link is the gPCWQLFilter attribute on the GPO's AD object, written as
# [<domain DNS name>;<WMI filter GUID>;0]. The filter object itself is an msWMI-Som under CN=SOM,CN=WMIPolicy,CN=System.
$gpo = Get-GPO -Name "SRP_Block_Temp_Dirs"
$filter = Get-ADObject -LDAPFilter "(&(objectClass=msWMI-Som)(msWMI-Name=NormalOperationsFilter))" -Properties msWMI-ID
Set-ADObject -Identity $gpo.Path -Replace @{ gPCWQLFilter = "[$((Get-ADDomain).DNSRoot);$($filter.'msWMI-ID');0]" }
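Both the `INSTALL-` filter from the first part of this page and the `%MAINT%` filter above hinge on the polarity of the WQL: the Group Policy client applies a filtered GPO only when every query in the filter returns at least one instance, so a query that selects the maintenance machines has exactly the wrong effect. The function below is an added example, not from the original post; it runs a filter's queries on the local machine the way the client does, so a filter can be checked on one ordinary workstation and one renamed one before it is linked. It uses Get-WmiObject so it works on the Windows 7 clients described here; the query strings are the ones discussed on this page.

```powershell
# Added example: evaluate a GPO WMI filter locally (True = the GPO would apply to this machine).
function Test-GPWmiFilterQuery {
    param(
        [Parameter(Mandatory)][string[]]$Query,   # a filter may contain several queries; all must pass
        [string]$Namespace = 'root\CIMv2'
    )
    foreach ($q in $Query) {
        # A malformed query throws here, which is what you want to find out before linking it
        $instances = @(Get-WmiObject -Namespace $Namespace -Query $q -ErrorAction Stop)
        if ($instances.Count -eq 0) { return $false }   # any empty result keeps the GPO off
    }
    return $true
}

function Show-GPWmiFilterResult {
    param([Parameter(Mandatory)][string]$Label, [Parameter(Mandatory)][string[]]$Query)
    $applies = Test-GPWmiFilterQuery -Query $Query
    [pscustomobject]@{
        Filter     = $Label
        Computer   = $env:COMPUTERNAME
        GpoApplies = $applies
    }
}

# Corrected filters: TRUE on normal machines, FALSE on INSTALL-*/*MAINT* machines
Show-GPWmiFilterResult -Label 'SRP_Installation_Mode (negated)' `
    -Query "SELECT * FROM Win32_ComputerSystem WHERE NOT Name LIKE 'INSTALL-%'"
Show-GPWmiFilterResult -Label 'NormalOperationsFilter' `
    -Query "SELECT * FROM Win32_ComputerSystem WHERE NOT Name LIKE '%MAINT%'"

# The un-negated form applies the SRP GPO ONLY to INSTALL-* machines, the opposite of the intent
Show-GPWmiFilterResult -Label 'INSTALL- only (wrong polarity)' `
    -Query "SELECT * FROM Win32_ComputerSystem WHERE Name LIKE 'INSTALL-%'"

# A filter with two queries behaves as an AND: here, "not in maintenance AND domain-joined"
Show-GPWmiFilterResult -Label 'Combined' -Query @(
    "SELECT * FROM Win32_ComputerSystem WHERE NOT Name LIKE '%MAINT%'",
    "SELECT * FROM Win32_ComputerSystem WHERE PartOfDomain = TRUE"
)
```

Run it on an ordinary workstation (expect `GpoApplies = True` for the corrected filters) and again on a machine renamed into the maintenance convention (expect `False`); a filter that comes back `True` on both has the wrong polarity.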

3. Temporary OU with Inheritance Blocking

For targeted workstations, a temporary child OU with Block Inheritance can be used. Be aware that Block Inheritance drops every non-enforced parent GPO, not only the SRP one, so the GPOs the machine still needs have to be re-linked on the temporary OU, and an Enforced SRP link is not blocked at all. The script below creates the OU under each site OU; computers are then moved in with Move-ADObject for the maintenance window and moved back afterwards (each move needs a policy refresh to take effect):

$siteOUs = Get-ADOrganizationalUnit -Filter 'Name -like "Site*"'
foreach ($ou in $siteOUs) {
    # -PassThru is required: New-ADOrganizationalUnit returns nothing by default
    $tempOU = New-ADOrganizationalUnit -Name "TEMP_SRP_Override" -Path $ou.DistinguishedName -PassThru
    # Re-link the GPO(s) the machines must keep; replace {GUID} with the ID of each such GPO
    New-GPLink -Guid "{GUID}" -Target $tempOU.DistinguishedName
    # Block the parent's non-enforced links (including the SRP GPO) at this OU
    Set-GPInheritance -Target $tempOU.DistinguishedName -IsBlocked Yes
}

Always verify your changes with these commands:

# RSOP for a specific computer (gpresult has no /computer switch; /s names the remote system)
gpresult /s TargetPC01 /scope computer /r

# Remote refresh and logging-mode RSOP (Invoke-GPUpdate needs the Windows 8 / Server 2012 or later GPMC)
Invoke-GPUpdate -Computer TargetPC01 -Force
Get-GPResultantSetOfPolicy -Computer TargetPC01 -ReportType Html -Path "C:\Reports\RSOP.html"

For frequent software deployments, the group-based method can be automated. The function below relies on GPO_SRP_Bypass being denied the Apply Group Policy right on the SRP GPO, so that adding a computer account to the group switches the policy off; because a computer's token only picks up new group membership at boot, it purges the machine's Kerberos tickets before the policy refresh. The scheduled job that removes the membership runs on the admin host, and the client re-applies SRP at its next refresh after that:

function Disable-SRPGPO {
    param(
        [Parameter(Mandatory)][string[]]$ComputerNames,
        [int]$DurationMinutes = 60
    )

    # Add the computer accounts (not bare names, which Add-ADGroupMember would not resolve) to the bypass group
    $computers = $ComputerNames | ForEach-Object { Get-ADComputer -Identity $_ }
    Add-ADGroupMember -Identity "GPO_SRP_Bypass" -Members $computers

    # Purge the machine account's Kerberos tickets so gpupdate sees the new membership without a reboot
    Invoke-Command -ComputerName $ComputerNames -ScriptBlock {
        klist -li 0x3e7 purge | Out-Null
        gpupdate /target:computer /force
    }

    # Schedule re-enable; the names are passed as an argument to the job's script block
    $jobScript = {
        param([string[]]$Names)
        Import-Module ActiveDirectory
        $members = $Names | ForEach-Object { Get-ADComputer -Identity $_ }
        Remove-ADGroupMember -Identity "GPO_SRP_Bypass" -Members $members -Confirm:$false
    }
    $trigger = New-JobTrigger -Once -At (Get-Date).AddMinutes($DurationMinutes)
    Register-ScheduledJob -Name "ReenableSRP_$(Get-Date -Format yyyyMMddHHmmss)" `
        -ScriptBlock $jobScript -ArgumentList (,$ComputerNames) -Trigger $trigger
}