Help creating GPO to disable access to specific .exe files



Any help is certainly appreciated! Thank you!

I am in need of a PowerShell script that will create a local GPO on a non-domain joined Win7 desktop to limit access to 3 executables AND if possible apply that GPO at the top level to everyone but the local Administrator account.

I am wondering if someone might be able to provide some assistance or lead me in the right direction. I am NOT a skilled PowerShell scripter, just a guy in need of one. But I can sometimes piece things together properly.

If it helps, the files are:

C:\Program Files (x86)\Carbonite\Carbonite Backup\carbonitesetup.exe
C:\Program Files (x86)\Carbonite\Carbonite Backup\carboniteui.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe

You’re basically talking about whitelisting. The operating system wouldn’t function if you could only launch those executables. There are entire software solutions dedicated to what you are asking to do, like RES Software, Carbon Black, Bit9. Do you just want the users to be able to see the backup utility? You could attempt to basically make the workstation a kiosk and only show the backup icons with GPO, but you don’t need PowerShell for that.

Actually, I want the reverse of what you are suggesting. I want the computer to function normally, I just don’t want them to have access to the backup software UI.

This is a single computer? I don’t know that a scripted solution is still what you are looking for:

  • Option 1 - If the software has a login or security, create a Carbonite local group, add Administrator to group and update security to only allow Carbonite group
  • Option 2 - Update ACLs on the files to remove users or create a Carbonite local group, add Administrator to group and update the ACL
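
Option 2 written out as a script, added here as an example and not posted by any participant in the thread. It assumes the Carbonite service runs as LocalSystem (so SYSTEM keeps access) and uses the group name `Carbonite` suggested above; the file paths are the ones from the question.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.
# Uses only PowerShell 2.0 / .NET calls, so it works on a stock Windows 7 install.
$group = 'Carbonite'   # local group name proposed in Option 2
$files = @(
    'C:\Program Files (x86)\Carbonite\Carbonite Backup\carbonitesetup.exe',
    'C:\Program Files (x86)\Carbonite\Carbonite Backup\carboniteui.exe',
    'C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe'
)

# Create the local group and put the built-in Administrator account in it.
# net.exe reports an error if either already exists; that is harmless here.
net localgroup $group /add 2>&1 | Out-Null
net localgroup $group Administrator /add 2>&1 | Out-Null

# Principals that keep access. SYSTEM is kept on the assumption that the
# Carbonite service runs as LocalSystem; adjust if it uses another account.
$principals = @(
    (New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-18'),
    (New-Object System.Security.Principal.NTAccount($env:COMPUTERNAME, $group))
)
$rights  = [System.Security.AccessControl.FileSystemRights]::FullControl
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$sidType = [System.Security.Principal.SecurityIdentifier]

foreach ($file in $files) {
    if (-not (Test-Path $file)) { Write-Warning "Not found: $file"; continue }

    # Load and write only the DACL so the file owner is left untouched.
    $acl = [System.IO.File]::GetAccessControl($file, 'Access')

    # Stop inheriting from the folder; inherited entries (including
    # BUILTIN\Users read/execute) are dropped when the ACL is written.
    $acl.SetAccessRuleProtection($true, $false)

    # Remove explicit entries already on the file.
    foreach ($rule in @($acl.GetAccessRules($true, $false, $sidType))) {
        $acl.RemoveAccessRuleSpecific($rule)
    }

    # Grant access only to the principals listed above.
    foreach ($p in $principals) {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($p, $rights, $allow)))
    }

    [System.IO.File]::SetAccessControl($file, $acl)
    "Restricted: $file"
}
```

Running `icacls` against each file afterwards shows the resulting entries. An update or reinstall that replaces the executables creates them with the folder's inherited permissions again, so the script has to be re-run after one.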