AppLocker Preventing Admin Account From Creating New Users


  1. Posts : 1
    Windows 10
       #1

    AppLocker Preventing Admin Account From Creating New Users


    Hello!

    I've got a problem. I've been tasked with creating a lightweight build of Windows 10 to run in kiosk mode here at work. I've got kiosk mode running well, where the only app the user has access to is Internet Explorer (using a custom shell). However now I'm going through and trying to lock everything down to prevent the user from downloading and installing stuff, accessing C:\, etc.

    I've enabled applocker and auto-generated all the rules. I did this for Executables, Windows Installer Files as well as Pre-Packaged Apps however I'm running into a problem. Even though I have all the rules for the pre-packaged apps set to "allow" for the administrators group, it still won't allow me to create new users (any more) when using the built-in Administrator account. When I go to 'Settings -> Users -> Create New User" the mouse wheel spins for a little bit and a window opens and closes instantly but that's all.

    I ended up going into System32 Lusrmgr and creating a new admin account that way, but even after adding this new account to the admin group and signing out/in, rebooting, etc. this new admin account can't access any of the pre-packaged apps like the default Administrator account can.

    If I am understanding AppLocker and the rules for the pre-packaged apps correctly, since I have all the rules set to "allow" for the "builtin-administrators" group, shouldn't my new admin account have full privileges? Also, why can't the default administrator account create new users from "Settings -> Users"?

    Something doesn't seem to be working right to me...or I'm doing something wrong (very possible).

    Any help you can provide would be greatly appreciated.

    Thanks!
      My Computer


  2. Posts : 2
    Windows 10
       #2

    mitchewr-

    I ran across a similar issue with OS 10 version 1607, we tried this a test user account and we blocked the apps we wanted to but once we tried to log back into the device with our Admin account not only was the app blocked but so was the Start menu for the Admin account who should still have access to it.

    We took away the rule that we created and the issue still persisted so I had to reimage the device and did the steps need on a test machine to run things through Group Policy and everything was going great on the test machine but it was on version 1511. So importing the .xml to the test machine with 1607 did not work. So basically we found out you can't apply Group Policies setup on a 1511 machine and import them to a 1607 machine.

    We know the Kiosk mode won't work for us because need more than one app on the device and need to broadcast it to a second monitor which you cannot do in Kiosk mode. I was just curious if you have had any luck with AppLocker since your post? Sorry I am not providing a solution to your post just wanted to converse since we are in very similar boats.

    Thanks.
      My Computer


 

  Related Discussions
Our Sites
Site Links
About Us
Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd
All times are GMT -5. The time now is 08:45.
Find Us




Windows 10 Forums