AppLocker blocking Logon scripts

I ran into an issue today on Windows Server 2012 R2 where AppLocker was blocking logon and logoff scripts despite the SYSVOL folder being in the allowed policy. The documentation indicates that allowing the following folder should be enough:

This isn't the case; you actually need the NETLOGON folder too:

In my instance I was also forced to explicitly include the domain controllers:

Although potentially you could try using logonserver instead to future-proof the rule. Bear in mind that AppLocker path rules only expand AppLocker's own path variables (%WINDIR%, %SYSTEM32%, %OSDRIVE%, %PROGRAMFILES%, %REMOVABLE% and %HOT%), not arbitrary environment variables such as %LOGONSERVER%, so test such a rule before relying on it:

If you're having trouble with AppLocker blocking scripts, it's all logged and viewable via Event Viewer (script decisions land in the "MSI and Script" log, executables and DLLs in "EXE and DLL"):
Event Viewer > Application and Services Logs > Microsoft > Windows > AppLocker

Don't forget the * at the end of the folder path. It is required, even though the rule properties misleadingly state that all files underneath a path are included; without it the rule only matches the folder path itself, not the scripts inside it.
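The following PowerShell is an added example and is not code from the original post. It lists the scripts AppLocker has already denied on this machine (the same events shown in the AppLocker log above) and then checks candidate path rules for a logon script against a throwaway policy with Test-AppLockerPolicy, so the rule can be verified before it is pushed out through Group Policy. The domain controller name DC01 and the script path are placeholders; it assumes you run it elevated on a machine that can reach the share, because Test-AppLockerPolicy reads the target file.

```powershell
# Added example (not from the original post). Assumptions: DC01 is a domain
# controller, the logon script lives on its NETLOGON share, and this runs
# elevated on a machine that has the AppLocker module and can reach the share.

$scriptPath = '\\DC01\NETLOGON\logon.cmd'   # placeholder, replace with your own script

# 1. What has been blocked so far? Script (and MSI) decisions are written to the
#    "MSI and Script" log under Application and Services Logs > Microsoft > Windows > AppLocker.
Get-AppLockerFileInformation -EventLog -LogPath 'Microsoft-Windows-AppLocker/MSI and Script' -EventType Denied |
    Select-Object Path, Publisher |
    Format-Table -AutoSize

# 2. Wrap a single path condition in a minimal Script rule collection.
#    S-1-1-0 is the Everyone SID; the rule GUID only has to be unique within the policy.
function New-ScriptPathPolicyXml {
    param([Parameter(Mandatory)][string]$PathCondition)
    @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Script" EnforcementMode="Enabled">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow logon scripts" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="$PathCondition" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
}

# 3. Candidate conditions: the share with and without the trailing *, and the
#    %LOGONSERVER% form from the post. Each is tested in isolation so the
#    decision can only come from that one rule.
$candidates = @(
    '\\DC01\NETLOGON',
    '\\DC01\NETLOGON\*',
    '%LOGONSERVER%\NETLOGON\*'
)

$policyFile = Join-Path $env:TEMP 'applocker-logon-test.xml'
foreach ($condition in $candidates) {
    New-ScriptPathPolicyXml -PathCondition $condition | Set-Content -Path $policyFile -Encoding UTF8
    $decision = Test-AppLockerPolicy -XmlPolicy $policyFile -Path $scriptPath -User Everyone
    [pscustomobject]@{
        Condition    = $condition
        Decision     = $decision.PolicyDecision    # Allowed, Denied or DeniedByDefault
        MatchingRule = $decision.MatchingRule
    }
}
Remove-Item $policyFile -ErrorAction SilentlyContinue
```

Only a candidate that comes back Allowed is worth putting into the GPO. Expect the bare share path to be DeniedByDefault, which is the trailing-* behaviour described above, and the %LOGONSERVER% form to be DeniedByDefault as well, since it is not one of AppLocker's own path variables.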
