GPO – Restrict Domain Users to install only from specific paths

1. Prepare a list of all credible folders and sub-folders for worker needs under C:\
2. Create new group policy object: ‘Install only from specific paths’ -> Edit
3. Go to User Configuration -> Policies -> Windows Settings -> Security Settings -> Add ‘New Software Restriction Policies’:

4. Follow the settings below:










5. Examples for Paths:
Example 1 (Environment variable):

Example 2 (Folder Location):

Example 3 (Network Location):

6. Examples for complete basic list:

7. Save the GPO and link it to the relevant users OU.
8. Connect to domain computer with a user in that OU and run gpupdate /force

9. Deny Path Test: Try to download setup file (ex. npp.7.5.9.Installer.exe) and run it from Downloads folder. ensure you get a blocking message:

10. Allow Path Test: Now, Copy this .exe file to credible location like: C:\Platform1 and try to run, ensure you are able to to get admin request and then continue to installation window:

11. If everything worked correctly. You’re done.

In any case you will need to add new path, you just edit GPO to add another path, then run “gpupdate /force” in users computers and it works immediately (no restart needed).

Enjoy 🙂