With this year's computers I built a group policy built around using AppLocker instead of managing allowed applications by keeping a list of allowed EXE files and managing applications by only allowing the ones that we wanted to run on our systems. So far I've been fairly successful in building the policy for my general users, but am running into a little trouble getting policies to work correctly when I'm trying to set up my ITS (advanced) user policy or maintenance (full rights) level policies.

My general user policy has all of my allowed applications being allowed either by the file's signature or the local folder path of where the EXE file is running from. In all I have about 50 policies so far. My ITS and maintenance policies are essentially the same in that they still have AppLocker enabled but they only contain the 3 default policies that would exist if you do a right-click and choose the automatically generate option.

According to the Zen Policy Properties, the policies are applying successfully, but my advanced rights policies are still restricted by the general security policies. FYI: general security policies are configured to apply by machine and ITS/Maintenance policies are applied to users, and the conflict resolution is set to User overrides machine. If I pull up the local GPEDIT.MSC of a machine that is supposed to have administrative rights, the AppLocker policy still shows the 50 EXE files being configured, when I believe it should only be showing 3. If I run a manual gpupdate, the settings remain the same. Has anyone run into something similar to this and knows how to get AppLocker policies to apply correctly using ZCM policy manager? Thanks!
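One way to check what a machine is actually enforcing, as an added example that is not part of the original post: the script below uses the built-in `Get-AppLockerPolicy` cmdlet to summarize the effective and local AppLocker policies per rule collection, showing the enforcement mode and how many allow/deny rules apply to each user or group. The function name `Get-AppLockerRuleSummary` is hypothetical; run it in an elevated session on the affected computer while logged on as the ITS or maintenance user.

```powershell
# Added diagnostic example (not from the original post).
Import-Module AppLocker

function Get-AppLockerRuleSummary {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Effective', 'Local')]
        [string]$Source
    )

    # -Xml returns the policy as an XML string; -Effective is the merged
    # policy applied on this computer, -Local is the local policy only.
    if ($Source -eq 'Effective') { $raw = Get-AppLockerPolicy -Effective -Xml }
    else                         { $raw = Get-AppLockerPolicy -Local -Xml }
    $policy = [xml]$raw

    foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
        # Publisher, path and hash rules all carry a UserOrGroupSid attribute.
        $rules = @($collection.SelectNodes('*[@UserOrGroupSid]'))

        foreach ($group in ($rules | Group-Object { $_.GetAttribute('UserOrGroupSid') })) {
            $sid = $group.Name
            # Resolve the SID to an account name where possible.
            try {
                $sidObject = [System.Security.Principal.SecurityIdentifier]$sid
                $name = $sidObject.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                $name = $sid
            }

            [pscustomobject]@{
                Source      = $Source
                Collection  = $collection.Type
                Enforcement = $collection.EnforcementMode
                AppliesTo   = $name
                AllowRules  = @($group.Group | Where-Object { $_.GetAttribute('Action') -eq 'Allow' }).Count
                DenyRules   = @($group.Group | Where-Object { $_.GetAttribute('Action') -eq 'Deny' }).Count
            }
        }
    }
}

# Compare the merged policy with the local one.
$summary = @(Get-AppLockerRuleSummary -Source Effective) +
           @(Get-AppLockerRuleSummary -Source Local)
$summary | Sort-Object Source, Collection, AppliesTo | Format-Table -AutoSize
```

If the Exe collection lists about 50 rules under `Effective` for the advanced user's session, the general policy's rules are still part of what the machine enforces, and the `AppliesTo` column shows which users or groups those rules target.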