I ran into an issue today on Windows Server 2012R2 where AppLocker was blocking logon & logoff scripts despite the sysvol folder being in the allowed policy. The documentation indicates that allowing the following folder should be enough:
\\domain.com\sysvol\domain.com\policies\*
This isn't the case; you actually need the NETLOGON folder too:
\\domain.com\NETLOGON\*
And in my instance I was forced to explicitly include the domain controllers also:
\\DomainController1\NETLOGON\*
\\DomainController2\NETLOGON\*
Although you could potentially use the LOGONSERVER variable instead to future-proof the rule:
%LOGONSERVER%\NETLOGON\*
If you're having trouble with AppLocker blocking scripts, it's all logged and viewable in Event Viewer:
Event Viewer > Application and Services Logs > Microsoft > Windows > AppLocker
Don't forget the * at the end of the folder – it is required, even though the rule properties misleadingly state that all files underneath a path are included.
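The same two checks done from PowerShell instead of clicking through Event Viewer, as an added example that is not part of the original post: the first function reads the "MSI and Script" AppLocker log for blocked-script events (ID 8007) and pulls out who ran what from where, and the second tests a script's candidate UNC locations against the effective policy so you can see which of the SYSVOL, NETLOGON and %LOGONSERVER% paths a rule actually covers. Assumptions: it runs elevated on the affected server, the UserData field layout is taken from the AppLocker event schema, `domain.com` and `logon.ps1` are placeholders for your own domain and script name, and Test-AppLockerPolicy needs the tested files to exist.

```powershell
# Added example, not from the original post. Assumes an elevated session on the
# machine where AppLocker blocked the scripts and placeholder domain/script names.

function Get-AppLockerBlockedScripts {
    param([int]$Hours = 24)
    # "MSI and Script" log: 8005 = allowed, 8006 = would block (audit only), 8007 = blocked.
    $filter = @{
        LogName   = 'Microsoft-Windows-AppLocker/MSI and Script'
        Id        = 8007
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # AppLocker puts its details under UserData/RuleAndFileData (assumed schema):
        # PolicyName, RuleId, RuleName, TargetUser, FilePath, FileHash, Fqbn ...
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.UserData.RuleAndFileData.ChildNodes) {
            $data[$node.Name] = $node.InnerText
        }
        [pscustomobject]@{
            Time       = $_.TimeCreated
            User       = $data['TargetUser']   # SID of the account the script ran as
            FilePath   = $data['FilePath']     # the path AppLocker evaluated (UNC for domain scripts)
            PolicyName = $data['PolicyName']   # SCRIPT for logon/logoff scripts
        }
    }
}

function Test-LogonScriptPaths {
    param(
        [string]$Domain     = 'domain.com',   # placeholder
        [string]$ScriptName = 'logon.ps1',    # placeholder; the file must exist at the tested paths
        [string]$User       = "$env:USERDOMAIN\$env:USERNAME"
    )
    # The same script reachable via the three locations discussed in the post.
    # Only locations covered by a path rule ending in \* will come back Allowed.
    $candidates = @(
        "\\$Domain\sysvol\$Domain\policies\$ScriptName",
        "\\$Domain\NETLOGON\$ScriptName",
        "$env:LOGONSERVER\NETLOGON\$ScriptName"
    )
    Get-AppLockerPolicy -Effective |
        Test-AppLockerPolicy -Path $candidates -User $User |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

# Usage: what was blocked in the last day, then which candidate paths the current policy allows.
Get-AppLockerBlockedScripts -Hours 24 | Format-Table -AutoSize
Test-LogonScriptPaths | Format-Table -AutoSize
```

Run the first function before and after changing the rules: the FilePath column shows exactly which UNC path the client used, which is how you find out that a DC-specific `\\DomainController1\NETLOGON\...` path is in play rather than the `\\domain.com\...` one the rule named. The MatchingRule column from the second function then confirms which rule produced the Allowed decision, so a missing trailing `*` shows up as a Denied row with no matching rule rather than as a silent failure at logon.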