Create a path rule
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
To create a path rule
Open Software Restriction Policies.
In either the console tree or the details pane, right-click Additional Rules, and then click New Path Rule.
In Path, type a path, or click Browse to find a file or folder.
In Security level, click either Disallowed or Unrestricted.
In Description, type a description for this rule, and then click OK.
- On certain folders, such as the Windows folder, setting the security level to Disallowed can adversely affect the operation of your operating system. Make sure that you do not disallow a crucial component of the operating system or one of its dependent programs.
Different administrative credentials are required to perform this procedure, depending on your environment:
If you create a path rule for your local computer: To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
If you create a path rule for a computer that is joined to a domain: To perform this procedure, you must be a member of the Domain Admins group or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, see Default local groups, Default groups, and Using Run as.
To open Software Restriction Policies, see "Open Software Restriction Policies" in Related Topics.
It may be necessary to create new software restriction policies for the Group Policy object (GPO) if you have not already done so. For information about how to create new software restriction policies, see Related Topics.
If you create a path rule for software with a security level of Disallowed, users can still run the software by copying it to another location.
The wildcard characters that are supported by the path rule are * and ?.
You can use environment variables, such as %programfiles% or %systemroot%, in the path rule.
If you want to create a path rule for software when you do not know where it is stored on a computer but you have its registry key, you can create a registry path rule. For more information about how to create a registry path rule, see Related Topics.
To prevent users from executing e-mail attachments, you can create a path rule for your e-mail program's attachment directory that prevents users from running e-mail attachments.
The only file types that are affected by path rules are those that are listed in Designated File Types in the details pane for Software Restriction Policies. There is one list of designated file types that is shared by all rules. For more information, see "Add or delete a designated file type" in Related Topics.
For software restriction policies to take effect, users must update policy settings by logging off from and logging on to their computers.
When more than one software restriction policies rule is applied to policy settings, there is a precedence of rules for handling conflicts. For more information, see "Precedence of software restriction policies" in Related Topics.
Information about functional differences
- Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. For more information, see Viewing Help on the Web.
Open Software Restriction Policies
Create new software restriction policies
Create a registry path rule
Security levels and additional rules
Software Restriction Policies
Add or delete a designated file type
Precedence of software restriction policies rules
Set, view, change, or remove permissions on files and folders