I work with a lot of big customers, often with an AD forest with multiple child domains. One thing I often run into is that centrally they have a Citrix/TS/RDS farm running the central apps everyone needs access to, and users complain of long logon times on those servers. Very often the cause is logon scripts coming from the other domains. I have seen all sorts of strange things going on in logon scripts that make a logon take up to half an hour. Sure, they work great on the desktop clients, but when the same scripts run on the servers you end up with weird results…

There are basically two ways someone can assign a logon script: by GPO (User Configuration -> Policies -> Windows Settings -> Scripts (Logon/Logoff) -> Logon), in which case the script lives in the GPO's folder on the SYSVOL share, or on the AD user's Profile tab (the scriptPath attribute), in which case the script is fetched from the NETLOGON share of the domain controller that handled the logon. That matters later, because whatever we block has to cover both shares.

I want to block both ways.

The easy solution many suggest is to edit the logon scripts and add some kind of “IF the server name contains XYZ, go to the end of the script” or “IF this file exists (which you place on all servers), go to the end of the script”. Sure, that would work… for a while… Then a few months down the road someone creates a new script and forgets this, and in big companies with hundreds of admins in child domains that will happen. You will also end up with different solutions depending on whether the logon scripts are BAT or VBS. And I often come to environments with hundreds of logon scripts.

Now this is a much more efficient solution… using GPO!

First, the solution differs between Windows Server 2003 and Windows Server 2008 R2, because AppLocker only exists from 2008 R2 onwards.

Block running logon scripts on Windows 2003

On 2003, we will use Software Restriction Policies to block logon scripts. Create a GPO, go to User Configuration -> Policies -> Windows Settings -> Security Settings, right-click Software Restriction Policies and choose New Software Restriction Policies.

You can leave most things at their defaults, but go into Additional Rules, right-click and choose New Path Rule… In Path, enter %LOGONSERVER%\NETLOGON\ and set Security level to Disallowed. This blocks everything from executing from the NETLOGON share of the domain controller the user authenticated against, which is exactly where Profile-tab logon scripts are fetched from. Two things to keep in mind: it is a plain path match, so the same script copied somewhere else will still run, and it does not cover GPO logon scripts, which run from SYSVOL. If those are part of the problem too, add a second path rule for the SYSVOL share in the same way (for example %LOGONSERVER%\SYSVOL\ or \\yourdomain\SYSVOL\, depending on how the scripts are referenced).

Then apply the GPO. Since this is a user setting but you only want it to bite on the farm servers, link it to the OU holding the Citrix/TS/RDS servers and enable loopback processing (Computer Configuration -> Policies -> Administrative Templates -> System -> Group Policy -> User Group Policy loopback processing mode; Merge mode is enough). The policy then applies to everyone who logs on to those servers, regardless of which domain their account lives in. If you prefer, narrow it with security filtering to the DOMAIN\Domain Users groups that actually experience the problem.

Block running logon scripts on Windows 2008 R2

On 2008 R2 there is another way to do it, using the AppLocker GPO settings in Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Application Control Policies -> AppLocker. Because this is a computer setting, it applies to the servers directly and no loopback processing is needed. For this scenario we will use a path rule to block execution of all scripts from certain paths. The rule goes into Script Rules, which covers the following file types:
.ps1
.bat
.cmd
.vbs
.js

One would think that just creating a Deny rule would work, but AppLocker is default-deny as soon as a rule collection is enforced: with only a Deny rule in the Script collection, every script that is not explicitly allowed would be blocked as well. So for this scenario (maybe not the proper solution for other specific cases) the easiest solution is a single Allow rule with exceptions:

Right-click Script Rules and choose Create New Rule… Next, choose Action: Allow and apply it to Everyone.

For the condition, choose Path.

In Path, enter a wildcard * since we want to allow all scripts…

…except those on the NETLOGON and SYSVOL shares, which go in on the Exceptions page as path conditions. Here you might add other shares you know contain logon scripts.

Done!

Try executing a script manually from NETLOGON or SYSVOL and it should fail, but the same script should work from any other share.

Note that for AppLocker to do anything at all, the Application Identity service (AppIDSvc) must be running. Set it to Automatic on the farm servers, for example through the same GPO (Computer Configuration -> Policies -> Windows Settings -> Security Settings -> System Services); if the service is stopped, the rules are silently ignored and everything runs.
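The same Allow-everything-except-the-logon-shares rule, built as an AppLocker policy XML and applied with the AppLocker cmdlets that ship with Windows Server 2008 R2. This is an added example, not code from the original post. Assumptions: the exception patterns \\*\NETLOGON\* and \\*\SYSVOL\* match how scripts are referenced in your forest (adjust them to the paths you actually see), the LDAP path of the GPO and the DC host name are placeholders, and C:\Scripts\test.vbs is a constructed file used only to ask AppLocker for a decision.

```powershell
# Added example (not from the original post). Builds the Script rule described above,
# tests it offline, starts the Application Identity service and applies the policy.
# Assumptions: NETLOGON/SYSVOL patterns, the GPO LDAP path and dc01 are placeholders;
# C:\Scripts\test.vbs is a constructed test file.
Import-Module AppLocker

# Start in AuditOnly; switch EnforcementMode to "Enabled" once the audit log is clean.
$ruleId = [guid]::NewGuid()
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Script" EnforcementMode="AuditOnly">
    <FilePathRule Id="$ruleId" Name="Allow all scripts except logon script shares"
                  Description="Everyone may run scripts, except from NETLOGON or SYSVOL"
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="*" />
      </Conditions>
      <Exceptions>
        <FilePathCondition Path="\\*\NETLOGON\*" />
        <FilePathCondition Path="\\*\SYSVOL\*" />
      </Exceptions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$policyFile = Join-Path $env:TEMP 'BlockLogonScripts.xml'
$policyXml | Set-Content -Path $policyFile -Encoding UTF8

# Test-AppLockerPolicy reads the file it is asked about, so create a harmless
# constructed script locally; it should come back as Allowed (matches the "*" rule).
$localScript = 'C:\Scripts\test.vbs'
New-Item -ItemType Directory -Path (Split-Path $localScript) -Force | Out-Null
Set-Content -Path $localScript -Value 'WScript.Echo "hello"'
Test-AppLockerPolicy -XmlPolicy $policyFile -Path $localScript

# The same check against a real script on one of your DCs should return Denied
# (placeholder path; point it at a file that actually exists on your NETLOGON share).
# Test-AppLockerPolicy -XmlPolicy $policyFile -Path '\\dc01.corp.example\NETLOGON\login.bat'

# AppLocker evaluates nothing unless the Application Identity service is running.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# Apply locally on a pilot server...
Set-AppLockerPolicy -XmlPolicy $policyFile
# ...or merge it into the GPO linked to the farm OU (placeholder LDAP path).
# Set-AppLockerPolicy -XmlPolicy $policyFile -Merge `
#     -Ldap 'LDAP://dc01.corp.example/CN={GPO-GUID},CN=Policies,CN=System,DC=corp,DC=example'

# Confirm what is actually in effect on this server.
Get-AppLockerPolicy -Effective -Xml
```

Test-AppLockerPolicy evaluates the XML offline, so you can run it on an admin workstation before the policy touches a server; Get-AppLockerPolicy -Effective on the server itself is the check that the GPO, not just the file, has landed.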

A tip if you have a really large environment: don't start by enforcing the rule, but set the Script rule collection to Audit only (right-click AppLocker -> Properties -> Script rules: Configured, Audit only).

Then let it run for a while and monitor the event log. Each time something would have been blocked, AppLocker logs event ID 8006 in Applications and Services Logs -> Microsoft -> Windows -> AppLocker -> MSI and Script; once the rule is enforced, an actual block is logged as 8007. The event names the script path, the rule that matched and the user, so you can see exactly what would break before it breaks.
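A way to work through that audit log from one place, added here as an example rather than taken from the original post: pull the 8006/8007 events from the farm servers, tally them per script, and cross-check the NETLOGON hits against the scriptPath attribute in AD. A script that is hit but assigned to nobody on the Profile tab was started by something other than the logon, which is the apps-launching-scripts case described further down. Assumptions: RDS01 and RDS02 are placeholder host names (remote Get-WinEvent needs the Remote Event Log Management firewall rules open), and the [adsisearcher] query covers only the domain the script runs in, so repeat it per child domain.

```powershell
# Added example (not from the original post). Assumptions: RDS01/RDS02 are placeholder
# host names; 8006 = would have been blocked (audit), 8007 = blocked (enforce), both in
# the MSI and Script log; the AD cross-check only sees the current domain.
$servers = @('RDS01', 'RDS02')
$logName = 'Microsoft-Windows-AppLocker/MSI and Script'

$hits = foreach ($server in $servers) {
    $events = @()
    try {
        $events = Get-WinEvent -ComputerName $server -ErrorAction Stop `
            -FilterHashtable @{ LogName = $logName; Id = 8006, 8007 }
    } catch {
        # Get-WinEvent throws when nothing matches; anything else is worth seeing.
        if ($_.Exception.Message -notmatch 'No events were found') { Write-Warning "$server : $_" }
    }
    foreach ($evt in $events) {
        # Script path, rule name and user SID live in UserData, not in the generic properties.
        $d = ([xml]$evt.ToXml()).Event.UserData.RuleAndFileData
        $sid = [string]$d.TargetUser
        $user = $sid
        try {
            $user = (New-Object System.Security.Principal.SecurityIdentifier $sid).Translate(
                        [System.Security.Principal.NTAccount]).Value
        } catch { }   # unresolvable SID (e.g. deleted account): keep the raw SID
        $mode = if ($evt.Id -eq 8006) { 'WouldBlock' } else { 'Blocked' }
        [pscustomobject]@{
            Server   = $server
            Time     = $evt.TimeCreated
            Mode     = $mode
            User     = $user
            FilePath = [string]$d.FilePath
            Rule     = [string]$d.RuleName
        }
    }
}

# 1) What the rule hits, how often and for how many users. A real logon script shows
#    roughly one hit per logon; an application that launches a script shows many more.
$hits | Group-Object FilePath | ForEach-Object {
    [pscustomobject]@{
        Hits     = $_.Count
        Users    = @($_.Group | Select-Object -ExpandProperty User -Unique).Count
        Mode     = @($_.Group | Select-Object -ExpandProperty Mode -Unique) -join ','
        FilePath = $_.Name
    }
} | Sort-Object Hits -Descending | Format-Table -AutoSize

# 2) Cross-check NETLOGON hits against what AD assigns on the Profile tab (scriptPath,
#    stored relative to NETLOGON). Hits on files nobody is assigned need a closer look
#    before you switch from audit to enforce.
$assigned = ([adsisearcher]'(&(objectCategory=person)(scriptPath=*))').FindAll() |
    ForEach-Object { [string]$_.Properties['scriptpath'][0] } | Sort-Object -Unique
$unassigned = foreach ($h in $hits) {
    if ($h.FilePath -match '(?i)\\NETLOGON\\(?<rel>.+)$' -and $assigned -notcontains $Matches['rel']) { $h }
}
$unassigned | Sort-Object Time -Descending |
    Format-Table Server, Time, Mode, User, FilePath -AutoSize
```

Run it against the audit-mode events for a week or two; the first table tells you which logon scripts are really the problem, and the second table is the list to walk through with the admins before you flip the rule to enforce.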

If you need more detailed information on AppLocker and how it works, I would recommend 4sysops post 4-part series.

IMPORTANT: Make sure to test, test, test. I have run into cases where we enabled this and it worked excellently, but after a few days we started to get support calls that some apps didn't work. It turned out that some clever admins had apps that actually executed scripts, which caused those scripts to fail as well. So you need to be a bit clever around this. Good luck, and please comment if you have any suggestions!