AppLocker blocking Logon scripts

I ran into an issue today on Windows Server 2012 R2 where AppLocker was blocking logon and logoff scripts even though the SYSVOL folder was in the allowed policy. The documentation indicates that allowing the following folder should be enough:
\\domain.com\sysvol\domain.com\policies\*

This isn't the case; you actually need the NETLOGON folder too:
\\domain.com\NETLOGON\*

And in my instance I was forced to explicitly include the domain controllers also:
\\DomainController1\NETLOGON\*
\\DomainController2\NETLOGON\*

Although you could potentially try using %LOGONSERVER% instead, to future-proof the rule:
%LOGONSERVER%\NETLOGON\*

If you're having trouble with AppLocker blocking scripts, it's all logged and viewable via Event Viewer:
Event Viewer > Application and Services Logs > Microsoft > Windows > AppLocker
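The same information can be pulled from PowerShell, which is handier on a server than clicking through Event Viewer. The following is an added example, not part of the original post: it lists recent script blocks from the AppLocker "MSI and Script" log and then checks a logon script path against the effective policy so you can see which rule made the decision. The logon script path is a placeholder; substitute your own. Run it elevated on the affected machine.

```powershell
# Added example (not from the original post): surface AppLocker script blocks
# from the event log and test the effective policy against a logon script.
# Assumption: the path below is a placeholder for your own logon script.
$LogonScript = '\\domain.com\NETLOGON\logon.ps1'

# 1. Recent script decisions. In the AppLocker "MSI and Script" log,
#    event ID 8007 = blocked by an enforced rule, 8006 = would have been
#    blocked (audit-only mode). The first line of the message names the
#    file and the user it was blocked for.
$Blocked = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-AppLocker/MSI and Script'
    Id      = 8006, 8007
} -MaxEvents 50 -ErrorAction SilentlyContinue

$Blocked | ForEach-Object {
    [pscustomobject]@{
        Time    = $_.TimeCreated
        EventId = $_.Id
        Message = ($_.Message -split "`n")[0]
    }
} | Format-Table -AutoSize

# 2. Export the effective policy (local rules merged with GPO rules) and ask
#    AppLocker whether the logon script would be allowed for Everyone.
#    MatchingRule shows which path rule (if any) produced the decision, which
#    is the quickest way to spot a rule that is missing its trailing "*".
$PolicyXml = Join-Path $env:TEMP 'effective-applocker.xml'
Get-AppLockerPolicy -Effective -Xml | Set-Content -Path $PolicyXml

Test-AppLockerPolicy -XmlPolicy $PolicyXml -Path $LogonScript -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
```

A `PolicyDecision` of `Denied` with an empty `MatchingRule` means no allow rule covers the path at all; a `Denied` with a matching rule means an explicit deny rule is winning.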

Don't forget the * at the end of the folder path. It is required, even though the rule properties misleadingly state that all files underneath a path are included.
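Putting the paths above together, here is an added example (not from the original post) that builds a Script rule collection allowing every location listed and merges it into the local AppLocker policy, with the trailing "*" on each path. The domain name and domain controller names are the post's placeholders; replace them with your own. One caveat worth checking before relying on the last entry: AppLocker expands only its own path variables (such as %WINDIR%, %SYSTEM32% and %OSDRIVE%), not arbitrary environment variables, so test the %LOGONSERVER% rule with Test-AppLockerPolicy before assuming it matches anything.

```powershell
# Added example (not from the original post): allow logon/logoff scripts from
# the SYSVOL and NETLOGON locations via AppLocker path rules.
# Assumptions: "domain.com", DomainController1/2 are placeholders for your
# environment; rule GUIDs are generated fresh on each run.
# Every path ends in "*": without it the rule matches only a file with that
# exact name, not the files beneath the folder.
$ScriptPaths = @(
    '\\domain.com\sysvol\domain.com\policies\*',
    '\\domain.com\NETLOGON\*',
    '\\DomainController1\NETLOGON\*',
    '\\DomainController2\NETLOGON\*',
    '%LOGONSERVER%\NETLOGON\*'   # as the post suggests trying; verify it matches
)

# One Allow FilePathRule per path, granted to Everyone (well-known SID S-1-1-0).
$Rules = foreach ($p in $ScriptPaths) {
@"
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow logon scripts: $p" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="$p" />
      </Conditions>
    </FilePathRule>
"@
}

# Only the Script collection is defined here; the EXE/DLL and MSI collections
# are left untouched by the merge below.
$PolicyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Script" EnforcementMode="Enabled">
$($Rules -join "`n")
  </RuleCollection>
</AppLockerPolicy>
"@

$PolicyFile = Join-Path $env:TEMP 'logon-script-rules.xml'
Set-Content -Path $PolicyFile -Value $PolicyXml -Encoding UTF8

# -Merge adds these rules to the existing local policy instead of replacing it,
# so the default rules survive. Use -Ldap "<GPO path>" to target a GPO instead.
Set-AppLockerPolicy -XmlPolicy $PolicyFile -Merge

# Confirm the path conditions now present in the local policy.
Get-AppLockerPolicy -Local -Xml | Select-String 'FilePathCondition'
```

Merging is deliberate: replacing the policy outright would drop whatever EXE, DLL and MSI rules are already in place and can lock users out of far more than their logon scripts.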
