AppLocker Preventing Admin Account From Creating New Users
Hello!
I've got a problem. I've been tasked with creating a lightweight build of Windows 10 to run in kiosk mode here at work. I've got kiosk mode running well, where the only app the user has access to is Internet Explorer (using a custom shell). However, now I'm going through and trying to lock everything down to prevent the user from downloading and installing stuff, accessing C:\, etc.
I've enabled AppLocker and auto-generated all the rules. I did this for Executables, Windows Installer Files as well as Pre-Packaged Apps; however, I'm running into a problem. Even though I have all the rules for the pre-packaged apps set to "allow" for the administrators group, it still won't allow me to create new users (anymore) when using the built-in Administrator account. When I go to "Settings -> Users -> Create New User", the mouse wheel spins for a little bit and a window opens and closes instantly, but that's all.
I ended up going into System32 Lusrmgr and creating a new admin account that way, but even after adding this new account to the admin group and signing out/in, rebooting, etc. this new admin account can't access any of the pre-packaged apps like the default Administrator account can.
If I am understanding AppLocker and the rules for the pre-packaged apps correctly, since I have all the rules set to "allow" for the "builtin-administrators" group, shouldn't my new admin account have full privileges? Also, why can't the default administrator account create new users from "Settings -> Users"?
Something doesn't seem to be working right to me...or I'm doing something wrong (very possible).
Any help you can provide would be greatly appreciated.
Thanks!