Ivanti AC – How to Disable an exe via Computer AD Group Membership (PowerShell Scripted Rule)

The script below can be used within Ivanti Application Control to check whether the local machine is a member of a specific AD group. It can be used as a scripted rule to prohibit or allow access to certain binaries on a per-machine basis. The example below searches for a group called disable_wordpad. It can be run per user or per computer; running it per user adds a slight processing overhead but makes the rule more flexible if the AD membership changes between logons.

#——————————————————————————

# https://www.stadiacg.co.uk/ – 02-10-2015
# Script to check whether the local computer is a direct member of an AD group

#——————————————————————————

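# Name (CN) of the AD group to test for
$MyGroup = "disable_wordpad"
# Look up this computer's AD object and reduce each memberOf DN to its CN
$OutPut = ([adsisearcher]"(&(objectCategory=computer)(cn=$env:COMPUTERNAME))").FindOne().Properties.memberof -replace '^CN=([^,]+).+$','$1'
# Exit 0 if the computer is in the group, otherwise exit 1
IF ($OutPut -contains $MyGroup) { exit 0 } ELSE { exit 1 }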

#——————————————————————————

Enjoy

CT
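The script above reads the computer's memberOf attribute, which lists direct group memberships only. The following added example (not from the original post) extends the same check to nested groups using Active Directory's LDAP_MATCHING_RULE_IN_CHAIN matching rule. It assumes a domain-joined machine; the function name Test-ComputerInGroup is hypothetical, and the group is matched by CN as in the post.

```powershell
# Added example, not part of the original post.
# Assumptions: domain-joined machine; Test-ComputerInGroup is a hypothetical helper name.
$MyGroup = "disable_wordpad"   # group name used in the post

function Test-ComputerInGroup {
    param(
        [Parameter(Mandatory)] [string]$GroupName,
        [string]$ComputerName = $env:COMPUTERNAME
    )

    # Escape characters that are special inside an LDAP filter value (RFC 4515).
    # The backslash is escaped first so later escapes are not double-encoded.
    $escape = { param($v) $v -replace '\\','\5c' -replace '\*','\2a' -replace '\(','\28' -replace '\)','\29' }

    # Resolve the group's distinguished name from its CN.
    $group = ([adsisearcher]"(&(objectCategory=group)(cn=$(& $escape $GroupName)))").FindOne()
    if (-not $group) { return $false }
    $groupDn = [string]$group.Properties['distinguishedname'][0]

    # 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) makes the directory
    # walk the membership chain, so direct and nested memberships both match.
    $filter = "(&(objectCategory=computer)(cn=$(& $escape $ComputerName))" +
              "(memberOf:1.2.840.113556.1.4.1941:=$(& $escape $groupDn)))"
    return [bool]([adsisearcher]$filter).FindOne()
}

try {
    # Same exit codes as the script in the post: 0 = member, 1 = not a member.
    if (Test-ComputerInGroup -GroupName $MyGroup) { exit 0 } else { exit 1 }
}
catch {
    # A failed directory lookup (for example, no domain controller reachable)
    # ends up as exit 1, the same code as "not a member".
    exit 1
}
```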

 
