Minimum allowed applications for logon scripts to run

    Question

  • We have a set of accounts we use for exam purposes which are heavily locked down with GPO to ensure the users can't access anything they shouldn't during the exam. This includes using the "Run only specified Windows applications" setting to restrict what they can run.

    It seems a side effect of this is that it also prevents the logon script from running. At least, if I disable just the "Run only..." setting within the GPO, the scripts then work.

    So, presumably, that setting is preventing the scripts from running. What executables should I add to the list to allow scripts to run?

    I'm already allowing gpscript.exe and have also tried adding cmd.exe and the name of the .bat file as well.

    Any suggestions?

    Tuesday, April 25, 2017 11:39 AM
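Before adding more names to the allow list, it helps to confirm what the policy has actually applied for the restricted user. The following PowerShell snippet is an added example, not code from this thread: it reads the effective "Run only specified Windows applications" policy for the current user from the registry (on standard Windows builds it lives under `HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer`, with `RestrictRun = 1` enabling it and the `RestrictRun` subkey holding one value per allowed executable name) and reports whether the executables named in the question are present. The file name `logon.bat` is a placeholder for the real logon script.

```powershell
# Added example (not from the thread): inspect the effective "Run only specified
# Windows applications" policy for the current user and report whether the
# executables a batch logon script depends on are on the allow list.
# Assumptions: the policy is stored under the Explorer policies key shown below,
# RestrictRun = 1 enables it, and each value under the RestrictRun subkey
# (value names 1, 2, 3 ...) holds one allowed executable name.

$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$listKey   = Join-Path $policyKey 'RestrictRun'

$enabled = (Get-ItemProperty -Path $policyKey -Name 'RestrictRun' -ErrorAction SilentlyContinue).RestrictRun -eq 1
if (-not $enabled) {
    Write-Output 'RestrictRun is not enabled for this user; it is not what blocks the script.'
    return
}

# Collect every allowed name; the policy matches on file name only, not on path.
$allowed = @()
if (Test-Path $listKey) {
    $item    = Get-Item -Path $listKey
    $allowed = @($item.GetValueNames() | ForEach-Object { $item.GetValue($_) })
}
Write-Output "Allowed applications ($($allowed.Count)):"
$allowed | ForEach-Object { Write-Output "  $_" }

# Executables named in the question; 'logon.bat' is a constructed placeholder
# for the actual logon script file name.
$needed = @('gpscript.exe', 'cmd.exe', 'logon.bat')
foreach ($exe in $needed) {
    # -contains compares case-insensitively, matching how the policy matches names.
    $status = if ($allowed -contains $exe) { 'allowed' } else { 'MISSING' }
    Write-Output ('{0,-14} {1}' -f $exe, $status)
}
```

Run it while logged on as one of the restricted exam accounts (or under that account's profile), because the setting is a per-user policy and the key is in HKCU; running it as an administrator shows the administrator's policy, not the exam user's. A name reported as MISSING means the GPO edit has not reached that user yet (or was applied to the wrong OU), which is worth ruling out before treating the block as a limitation of the setting itself.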

All replies

  • > It seems a side effect of this is that it also prevents the logon script from running. At least, if I disable just the "Run only..." setting within the GPO, the scripts then work.

    What do the scripts do exactly? Maybe in fact they DO run, but fail to work properly... Logging - as always - can greatly help to track down further :)

    Tuesday, April 25, 2017 12:42 PM
  • Pretty sure they don't run, as evidenced by a straightforward

    echo %date% %time% %username% >>c:\temp\test.log

    at the top of the file. That file is created or appended to if I remove the "Run only..." part of the GPO, but not if it is present. (c:\temp exists and is writable by everyone in our environment.)

    Likewise, a pause in the script results in a much delayed logon and a visible command prompt window still paused - but only if I remove the "Run only..." part of the GPO. With it present, logon is quick, and no command prompt remains.

    Tuesday, April 25, 2017 12:53 PM
  • > echo %date% %time% %username% >>c:\temp\test.log

    That's good news :-)

    So, I'm unsure which processes are involved in running bat files (we use vbs and ps1 only).

    I'd suggest that with your policy disabled, you grab a process explorer boot log, then examine this log for the appearance of your bat file and track down how it was invoked.

    Tuesday, April 25, 2017 1:56 PM
    I would have expected cmd.exe to be sufficient, but I'll have a look with process monitor. If I can work out what's needed I'll update this thread.

    Tuesday, April 25, 2017 2:25 PM
  • Hi,

    Just checking in to see if the information provided was helpful. If the replies above are helpful, we would appreciate it if you marked them as answers. Please let us know if you would like further assistance.

    Best Regards,

    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Sunday, April 30, 2017 2:17 AM
    Moderator