Restrict Applications on Domain Machines using AppLocker GPO on Windows Server 2012 R2 DC


  • So here is a case where we want to restrict domain users from running specific applications on Windows 7/8/8.1 domain machines
  • I show this with a Windows Server 2012 R2 domain controller
  • This can be done using the AppLocker Group Policy
  • Back in the Windows Server 2003 / Windows XP days, similar goals were achieved using Software Restriction Policies in Group Policy
  • As the world moved towards apps and mobile environments, I believe the name AppLocker came into existence. Anyway, let's get down to business:

Note that this is a Computer policy and not a User policy, which is why we have to link it to the "Computers" OU; by that I mean the OU that contains the computer(s) on which you want the restriction to be applied.

  1. Open Server Manager > Tools > Group Policy Management
  2. Go to the OU containing your computer objects
  3. Right click on the OU > "Create a GPO in the domain, and link it here"
  4. Name the GPO; once done, right click > Edit
  5. Computer Configuration > Policies > Windows Settings > Security Settings > Application Control Policies > AppLocker
  6. Expand AppLocker; you'll see four rule categories
  7. As we want to restrict applications, we right click on Executable Rules > Create New Rule. As I already had a few rules created, you can see them on the right side in the picture below; while creating your first rule, you won't see anything there.
  8. Next > Allow/Deny an application, based on what you want to do. I keep the User/Group set to Everyone; you can change it according to your needs.
  9. Here you'll see 3 conditions against which the application to be restricted is checked:
    1. Publisher: The application is matched against its digital signature, which contains information about the company that made the application. You can use this option if you want to restrict one specific application. For example, below I have used this option to restrict WordPad.
    2. Path: If you observe the image which shows the rules I created before, the "Condition" column there says "Path". I used this condition there because I wanted to restrict the user from accessing all Windows 8.1 apps, which are located in the folder "%Program Files%\WindowsApps". Instead of creating a rule for every app, I just create one rule with the Path condition.
    3. File hash: The description says to use this rule for applications that are not signed. Frankly speaking, I haven't used this, so I won't comment any further on this condition.
  10. Once you browse to the application, you can move the slider to choose the property that defines your rule. I chose the file name, then click Create.
  11. If this is the first rule you are creating, there will be a pop-up asking you to create the default rules; simply click Yes and proceed.
  12. After creating the rules, you have to go to the AppLocker properties and enforce the Executable rules. To do that, right click on AppLocker > Properties > check Executable rules, set it to Configured > OK
  13. Once you do that, you'll see the newly created rule under "Executable Rules"
  14. Wait, we are not done: we need to activate the "Application Identity" service to enable AppLocker on the computers. To do that, go to Security Settings > System Services > Application Identity.
  15. Right click > Properties > check "Define this policy" > set to Automatic > OK
  16. Now we are done
  17. You can go to the client computer, open a command prompt, type gpupdate /force and reboot the machine.
  18. Try opening the restricted app and it will be blocked :)
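The same result can be reached from PowerShell, which is handy for checking what the GPO actually produced on a client. The script below is an added example and is not part of the original post: the first function builds a Deny publisher rule for Everyone (SID S-1-1-0) in the Executable collection with enforcement switched on, and merges it into an existing GPO; the second function runs on a client after gpupdate /force and a reboot and reports whether the Application Identity service is running, what the effective policy decides for the target, and any recent block events. The domain DN, the GPO GUID and the WordPad path are assumptions (placeholders) to replace with your own values; the AppLocker policy XML schema, the cmdlets and the event IDs 8003/8004 are the real ones.

```powershell
# Added example, not from the original post. Assumes the AppLocker module is present
# (Windows Server 2012 R2 / Windows 8.1) and that the placeholders below are replaced.
Import-Module AppLocker

$Target = 'C:\Program Files\Windows NT\Accessories\wordpad.exe'   # assumption: default WordPad path

# ---- Run on the domain controller ------------------------------------------------
function Publish-DenyPublisherRule {
    param(
        [string]$FilePath,
        [string]$DomainDn = 'DC=example,DC=local',                          # placeholder
        [string]$GpoGuid  = '{00000000-0000-0000-0000-000000000000}'        # placeholder: GPO linked to the Computers OU
    )
    # Read the signature data AppLocker would match on (Publisher condition in the GUI)
    $pub = (Get-AppLockerFileInformation -Path $FilePath).Publisher
    if (-not $pub) {
        # Unsigned binary: a publisher rule cannot match it, use a hash rule instead
        throw "$FilePath is not signed; create a File hash rule for it."
    }

    # Deny rule for Everyone; EnforcementMode="Enabled" is the GUI's "Configured / Enforce rules"
    $ruleId = [guid]::NewGuid().ToString()
    $policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePublisherRule Id="$ruleId" Name="Deny $($pub.BinaryName)" Description="Added by script"
                       UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="$($pub.PublisherName)" ProductName="*" BinaryName="$($pub.BinaryName)">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
"@
    $xmlPath = Join-Path $env:TEMP 'deny-rule.xml'
    $policyXml | Set-Content -Path $xmlPath -Encoding UTF8

    # Dry run before touching the GPO: expect PolicyDecision = Denied for the target
    Test-AppLockerPolicy -XmlPolicy $xmlPath -Path $FilePath -User Everyone |
        Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

    # -Merge keeps the default Allow rules already in the GPO; without them an enforced
    # Exe collection blocks everything that is not explicitly allowed
    $gpoLdap = "LDAP://CN=$GpoGuid,CN=Policies,CN=System,$DomainDn"
    Set-AppLockerPolicy -XmlPolicy $xmlPath -Ldap $gpoLdap -Merge
}

# ---- Run on a client after "gpupdate /force" and a reboot ------------------------
function Test-ClientEnforcement {
    param([string]$FilePath)

    # AppLocker rules are only enforced while the Application Identity service runs
    Get-Service -Name AppIDSvc | Select-Object Name, Status, StartType

    # Ask the effective (merged local + domain) policy what it decides for the target
    Get-AppLockerPolicy -Effective |
        Test-AppLockerPolicy -Path $FilePath -User Everyone |
        Select-Object FilePath, PolicyDecision, MatchingRule

    # 8004 = blocked (enforce mode), 8003 = would have been blocked (audit-only mode)
    Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 50 -ErrorAction SilentlyContinue |
        Where-Object { $_.Id -in 8003, 8004 } |
        Select-Object TimeCreated, Id, Message
}

# Uncomment the call that matches the machine you are on:
# Publish-DenyPublisherRule -FilePath $Target
# Test-ClientEnforcement   -FilePath $Target
```

Two points the GUI walkthrough handles implicitly are visible here: the merge step preserves the default Allow rules that the "create default rules" pop-up offers, and the client check confirms both that AppIDSvc is running and that the decision comes from the effective policy rather than from an assumption that the GPO applied. If Test-AppLockerPolicy reports Denied but the application still launches, the service is the first thing to look at.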
