Thursday, July 24, 2025

Step-by-Step Guide: Restrict App Installation for Domain Users

Step 1: Open Active Directory Users and Computers (ADUC)

1. On your Domain Controller VM, press Windows + R.

2. Type 'dsa.msc' and press Enter.

3. This will open Active Directory Users and Computers (ADUC).

Step 2: Check Where Your Servers Are

1. In the left pane of ADUC, click on 'Computers'.

2. You should see Server2, Server3, Server4, and Server5 listed there.

Step 3: Create a New Organizational Unit (OU)

Group Policy cannot be linked to the built-in 'Computers' container, which is why the servers need an OU of their own.

1. Right-click your domain name (e.g., yourcompany.local).

2. Click New -> Organizational Unit.

3. Name it 'ServersOU'.

4. Click OK.

Step 4: Move Servers into the New OU

1. Go back to the 'Computers' container.

2. Right-click on each server (Server2 to Server5) and choose 'Move'.

3. Select the new 'ServersOU' and click OK.

Step 5: Create and Link a GPO to ServersOU

1. Open 'gpmc.msc' (Group Policy Management Console).

2. Expand your domain and find 'ServersOU'.

3. Right-click 'ServersOU' -> Create a GPO and Link it here.

4. Name it 'Restrict App Install - NonAdmins'.

5. Right-click the GPO -> Edit.

Step 6: Configure AppLocker in the GPO

1. Navigate to: Computer Configuration > Policies > Windows Settings > Security Settings > Application Control Policies > AppLocker.

2. Under Executable Rules, right-click and choose 'Create Default Rules'.

3. Repeat for Windows Installer Rules and Script Rules.

4. Right-click 'AppLocker' -> Properties and, for each of the three rule collections, tick 'Configured' and select 'Enforce rules'. Rules present in a collection are enforced even when enforcement is left unconfigured, but setting it explicitly makes the intent visible and lets you switch a collection to 'Audit only' while piloting.

Be clear about what the default rules actually do. Everyone may run files under %PROGRAMFILES% and %WINDIR%, and members of the local Administrators group may run anything, so a standard user is blocked only for files outside those two trees (Downloads, Desktop, %TEMP%, network shares). Because the whole %WINDIR% tree is allowed, user-writable folders inside it (for example %WINDIR%\Temp and %WINDIR%\Tasks) are a well-known way around these rules; add Deny path rules for them or replace the path rules with publisher rules. The Windows Installer defaults also include a rule that lets Everyone run any digitally signed .msi; remove that rule if the goal is to stop non-admins installing packaged software.

Step 7: Enable the Application Identity Service via GPO

AppLocker enforces nothing while the Application Identity service (AppIDSvc) is stopped, so set its startup type through the same GPO rather than by hand on each server. On current Windows builds the service is a protected process and its startup type cannot be changed in services.msc; Group Policy can set it (as can 'sc.exe config appidsvc start= auto' from an elevated prompt).

1. In the same GPO Editor, go to: Computer Configuration > Policies > Windows Settings > Security Settings > System Services.

2. Find 'Application Identity'.

3. Double-click it, check 'Define this policy setting', and set Startup Mode to 'Automatic'.

4. Click OK.

Step 8: Apply GPO and Update Servers

1. Ensure the GPO is linked to 'ServersOU'.

2. Log into Server2 to Server5 one by one.

3. Run 'gpupdate /force' and reboot. From an elevated prompt, confirm with 'gpresult /r /scope:computer' that 'Restrict App Install - NonAdmins' is listed under Applied Group Policy Objects, and with 'sc query appidsvc' that the Application Identity service is running.

Step 9: Test as a Non-Admin User

1. Log in to any server with a standard domain user (not a member of the local Administrators group; the default rules let administrators run anything).

2. Copy an .exe or .msi into a user-writable location such as Downloads or %TEMP% and try to run it. Programs already under Program Files or Windows will still start, because the default rules allow those folders for Everyone.

3. You should see: 'This app has been blocked by your system administrator'. The block is also recorded as event 8004 in Event Viewer under Applications and Services Logs > Microsoft > Windows > AppLocker > EXE and DLL (8007 in the MSI and Script log). Event 8003 instead of 8004 means the collection is in audit mode and nothing was actually blocked.
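The same procedure as PowerShell, for anyone who would rather script Steps 3 to 6 on the Domain Controller and verify Steps 8 and 9 on a member server. This is an added example, not code from the original guide. It assumes the RSAT ActiveDirectory and GroupPolicy modules on the Domain Controller, Domain Admin rights, the names used above (ServersOU, 'Restrict App Install - NonAdmins', Server2 to Server5) and a standard test account such as yourcompany\alice that you substitute for your own. It goes slightly beyond the guide in two places: enforcement is set explicitly on every collection, and the default 'all digitally signed Windows Installer files' rule for Everyone is left out so standard users cannot run arbitrary signed .msi packages.

```powershell
# Added example (not part of the original guide). Run the Install-* function on the
# Domain Controller and the Test-* function on Server2..Server5 after 'gpupdate /force'.
# Assumptions: RSAT ActiveDirectory + GroupPolicy modules, Domain Admin rights, the
# names below, and a standard test account you pass in (e.g. 'yourcompany\alice').
Import-Module ActiveDirectory
Import-Module GroupPolicy

$OuName  = 'ServersOU'
$GpoName = 'Restrict App Install - NonAdmins'
$Servers = 'Server2', 'Server3', 'Server4', 'Server5'

function New-PathRuleXml {
    # One AppLocker allow rule for a path. S-1-1-0 = Everyone, S-1-5-32-544 = BUILTIN\Administrators.
    param([string]$Name, [string]$Path, [string]$Sid)
    $id = [guid]::NewGuid()
    "<FilePathRule Id=`"$id`" Name=`"$Name`" Description=`"`" UserOrGroupSid=`"$Sid`" Action=`"Allow`">" +
    "<Conditions><FilePathCondition Path=`"$Path`"/></Conditions></FilePathRule>"
}

function Get-RestrictAppInstallPolicyXml {
    # The rules 'Create Default Rules' produces for Exe, Msi and Script, except that
    # enforcement is explicit and the Everyone / any-signed-MSI publisher rule is omitted.
    $everyone = 'S-1-1-0'; $admins = 'S-1-5-32-544'
    $xml = '<AppLockerPolicy Version="1">'
    foreach ($type in 'Exe', 'Script') {
        $xml += "<RuleCollection Type=`"$type`" EnforcementMode=`"Enabled`">"
        $xml += New-PathRuleXml '(Default Rule) All files located in the Program Files folder' '%PROGRAMFILES%\*' $everyone
        $xml += New-PathRuleXml '(Default Rule) All files located in the Windows folder' '%WINDIR%\*' $everyone
        $xml += New-PathRuleXml '(Default Rule) All files' '*' $admins
        $xml += '</RuleCollection>'
    }
    $xml += '<RuleCollection Type="Msi" EnforcementMode="Enabled">'
    $xml += New-PathRuleXml '(Default Rule) All Windows Installer files in %systemdrive%\Windows\Installer' '%WINDIR%\Installer\*' $everyone
    $xml += New-PathRuleXml '(Default Rule) All Windows Installer files' '*' $admins
    $xml += '</RuleCollection></AppLockerPolicy>'
    return $xml
}

function Install-RestrictAppInstallGpo {
    $domain = Get-ADDomain
    $ouDn   = "OU=$OuName,$($domain.DistinguishedName)"

    # Step 3: the built-in Computers container cannot have a GPO linked, hence the OU.
    if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'" -SearchBase $domain.DistinguishedName -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Name $OuName -Path $domain.DistinguishedName
    }

    # Step 4: move the servers, skipping any already in the OU.
    foreach ($name in $Servers) {
        $computer = Get-ADComputer -Identity $name
        if ($computer.DistinguishedName -notlike "*,$ouDn") {
            Move-ADObject -Identity $computer.DistinguishedName -TargetPath $ouDn
        }
    }

    # Step 5: create the GPO once and link it to the OU once.
    $gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $GpoName }
    if (-not ((Get-GPInheritance -Target $ouDn).GpoLinks | Where-Object DisplayName -eq $GpoName)) {
        New-GPLink -Name $GpoName -Target $ouDn -LinkEnabled Yes | Out-Null
    }

    # Step 6: write the three rule collections into the GPO (replaces any existing AppLocker policy in it).
    $xmlPath = Join-Path $env:TEMP 'RestrictAppInstall.xml'
    Get-RestrictAppInstallPolicyXml | Set-Content -Path $xmlPath -Encoding UTF8
    Set-AppLockerPolicy -XmlPolicy $xmlPath -Ldap "LDAP://$($domain.PDCEmulator)/$($gpo.Path)"
    # Step 7 (Application Identity -> Automatic) stays a GPMC step: the GroupPolicy module
    # has no cmdlet for the Security Settings > System Services node.
}

function Test-RestrictAppInstall {
    # Run on a member server. Shows the same binary allowed from %WINDIR% and blocked from
    # a user-writable folder for the given standard user, then lists recent block events.
    param([Parameter(Mandatory)][string]$StandardUser)
    $svc = Get-Service -Name AppIDSvc
    if ($svc.Status -ne 'Running') { Write-Warning "Application Identity is $($svc.Status); AppLocker enforces nothing until it runs." }

    $copy = Join-Path $env:TEMP 'notepad_copy.exe'
    Copy-Item "$env:WINDIR\System32\notepad.exe" $copy -Force
    Get-AppLockerPolicy -Effective |
        Test-AppLockerPolicy -Path "$env:WINDIR\System32\notepad.exe", $copy -User $StandardUser |
        Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
    Remove-Item $copy

    # 8004 = blocked; 8003 = would have been blocked (audit only); 8002 = allowed.
    Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 20 -ErrorAction SilentlyContinue |
        Where-Object Id -in 8003, 8004 | Select-Object TimeCreated, Id, Message
}

# On the DC:           Install-RestrictAppInstallGpo
# On Server2..Server5: Test-RestrictAppInstall -StandardUser 'yourcompany\alice'
```

Test-AppLockerPolicy evaluates the effective policy without executing anything, so it is a safe way to confirm the rules before handing a server to users; expect 'Allowed' for the copy under System32 and 'Denied' for the copy in %TEMP%. If the second line also says 'Allowed', either the GPO has not applied yet (check gpresult) or the account you passed is a local administrator.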