I'm trying to make dynamic app blocking rules with AppLocker. The setup is that I have predefined AppLocker rules (for example, allow Windows user group 'Chrome' access to 'chrome.exe' (not the actual group name or actual path)) and then assign users to groups at login with the help of a Windows service.
That worked fine at first, but after a while it stopped (AppLocker itself worked, but user-group-specific rules didn't apply; in other words, everything was blocked). I tested all policies combined via PowerShell cmdlets, and according to them the user that belongs to the user group Chrome should be allowed to access chrome.exe, but in reality I'd get an app blocked prompt.
Then I tried creating a user-specific rule to allow chrome.exe, which worked fine, and as soon as I removed it (group rule still exists), I'd get blocked again. Or even just changing the existing user group policy to point to a specific user made it work, and then changing it back to point to the user group made it not work again.
Funny part - after a few VM restarts it worked again, and then next day when I wanted to demo it to a colleague, I got the same issue again, which again was solved by multiple VM restarts.
An obvious possible issue could be 'does the user really belong to the group?' and the answer is yes: each time when the policy wouldn't work, I'd go into lusrmgr and verify that.
For additional context - the VM is hosted on Azure, running Windows 10 multi-session 21H1, AppLocker is set up on the local machine level (no domain-wide policies or anything like that atm).
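As an added diagnostic (this script is not part of the question above and is not Microsoft's code), the following PowerShell compares the three views involved in this scenario: what the local SAM says about group membership (what lusrmgr shows), what the current logon token says (the group SIDs AppLocker enforcement actually evaluates when a process starts), and what Test-AppLockerPolicy predicts for the user against the effective local policy. Group SIDs in an access token are fixed when the session's token is built at logon, so a membership added afterwards by a service is visible in the SAM and to Test-AppLockerPolicy but not in the token until the user logs off and on. The group name 'Chrome' and the chrome.exe path are placeholders taken from the question; the path is an assumption.

```powershell
# Added diagnostic script (not from the original post). Run it in the affected user's session.
param(
    [string]$GroupName = 'Chrome',   # placeholder group name from the question
    [string]$ExePath   = "$env:ProgramFiles\Google\Chrome\Application\chrome.exe"  # assumed path
)

# 1. What the local SAM says: is the current user a member of the group right now?
$user       = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$samMembers = Get-LocalGroupMember -Group $GroupName -ErrorAction SilentlyContinue |
              Select-Object -ExpandProperty Name
$inSam      = $samMembers -contains $user.Name

# 2. What the logon token says: group SIDs were captured when this session's token
#    was built, so a membership added after logon does not show up here.
$groupSid = (Get-LocalGroup -Name $GroupName -ErrorAction SilentlyContinue).SID
$inToken  = ($null -ne $groupSid) -and
            (@($user.Groups | Where-Object { $_.Value -eq $groupSid.Value }).Count -gt 0)

# 3. What AppLocker predicts for this user against the effective local policy.
#    This resolves the account's groups from the SAM/directory, not from the live token,
#    which is why it can say "Allowed" while the running session is still blocked.
$policy   = Get-AppLockerPolicy -Effective -Xml
$decision = Test-AppLockerPolicy -XmlPolicy $policy -Path $ExePath -User $user.Name

[pscustomobject]@{
    User              = $user.Name
    Group             = $GroupName
    MemberPerSAM      = $inSam
    MemberPerToken    = $inToken
    AppLockerDecision = $decision.PolicyDecision
}
```

If MemberPerSAM is True, MemberPerToken is False and AppLockerDecision is Allowed, the rule is correct and the token is stale: the session was established before the service added the group, and a logoff/logon (or the restarts described above) is what refreshes it. `whoami /groups` gives the same token view from a plain command prompt.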