Sunday, April 28, 2013

Limit running PowerShell scripts to a specific path with AppLocker

Say you have a management server or a script repository server. Users sometimes save, test and run their scripts from different paths, which makes it difficult to maintain script versions and hard to determine which scripts can be removed from or kept on the server.

Here is a solution: save all scripts in a central directory, and use AppLocker to keep scripts from running from any other path. Let's say my scripts are saved in c:\work:

1. Open "Local Security Policy" by running secpol.msc

2. Open "Security Settings" -> "Application Control Policies" -> "AppLocker" -> "Script Rules"

3. Right-click "Script Rules" and click "Create New Rule..."

4. Select "Allow", and enter the user name which

5. Select "Path"

6. Enter the script file path "C:\work"

7. Click "Next" if you don't need an exception

8. Enter the name of the rule

9. Click "Yes" to create the default rules if this is the first time you use AppLocker

After the rule is created, if you run a PowerShell script from another path, for instance "c:\temp", you will get an error.

Only running PowerShell scripts under c:\work is allowed.

Actually, not only PowerShell scripts but also other scripts (.com, .bat...) can only be run from c:\work; you can create other rules to meet your requirements.
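The same path rule can also be scripted with the AppLocker PowerShell cmdlets. The following is an added example, not part of the original post: it writes the rule as policy XML, dry-runs it with Test-AppLockerPolicy, and lists who can create files in the allowed directory, because a path rule trusts any script placed there. The variable names, function names, rule name and output file are assumptions.

```powershell
# Added example: variable names, rule text and output file are assumptions, not from the post.
$AllowedDir = 'C:\work'                                   # script directory used in the post
$PolicyFile = Join-Path $env:TEMP 'script-path-rule.xml'  # hypothetical output file

# 1. Policy XML: one Allow path rule in the Script collection for Everyone (S-1-1-0).
#    AuditOnly only logs what would be blocked; change to Enabled after reviewing.
$xml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Script" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow scripts in $AllowedDir"
                  Description="Central script repository" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="$AllowedDir\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
Set-Content -Path $PolicyFile -Value $xml -Encoding UTF8

# 2. Dry run: evaluate existing script files against the policy file without applying it.
function Test-ScriptPathRule([string[]]$Directory) {
    $files = Get-ChildItem -Path $Directory -Include *.ps1,*.bat,*.cmd,*.vbs,*.js `
                           -Recurse -File -ErrorAction SilentlyContinue
    if ($files) {
        Test-AppLockerPolicy -XmlPolicy $PolicyFile -Path $files.FullName -User Everyone |
            Select-Object FilePath, PolicyDecision, MatchingRule
    }
}

# 3. A path rule trusts everything in the directory, so list the principals other than
#    Administrators and SYSTEM that are allowed to create files there.
function Get-UntrustedWriter([string]$Path) {
    $trusted = 'S-1-5-32-544', 'S-1-5-18'     # BUILTIN\Administrators, SYSTEM
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $create  = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles
    (Get-Acl -Path $Path).GetAccessRules($true, $true, $sidType) |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       (([int]$_.FileSystemRights -band $create) -ne 0) -and
                       ($trusted -notcontains $_.IdentityReference.Value) } |
        Select-Object @{n='Sid'; e={$_.IdentityReference.Value}}, FileSystemRights, IsInherited
}

Test-ScriptPathRule -Directory $AllowedDir, 'C:\temp'
Get-UntrustedWriter -Path $AllowedDir   # any row is a principal who can place a script here

# After review, apply to the local policy from an elevated prompt:
# Set-AppLockerPolicy -XmlPolicy $PolicyFile -Merge
```

AppLocker only enforces rules while the Application Identity service (AppIDSvc) is running. The ACL check reads specific file rights only, so access entries that Get-Acl shows as raw numbers (generic rights) still need a manual look.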


  2. great post...can this be done using powershell..?
    if so can you post it...

    many thanks

  3. Good Blog, well described, Thanks for sharing this information.