User Logon Scripts APPLOCKER with Remote Desktop Servers 2012 R2

    Question

  • We have recently implemented Remote Desktop Services; however, we have a few Logon Scripts that run against the domain users' profiles. These are applied through Group Policy.

    We have denied access to the scripts path on NETLOGON and SYSVOL through APPLOCKER through a dedicated GPO on the session hosts, and this has the desired effect. However, we are seeing the block message "Execution of the Windows Script Host Failed. (This program is blocked by Group Policy etc...)"; the users are seeing this when they are launching RemoteApp applications. This is not ideal. Is there a way to suppress this notification, or an alternative way to block Logon Scripts over remote sessions? Removing them is not a possibility.

    The article suggested for this is http://www.sysadminlab.net/windows/disableblock-running-logon-script-in-citrixtsrds-environments

    Thanks in advance.

    Thursday, June 09, 2016 1:54 PM

Answers

  • We have fixed the issue through the WMI query on the GPO with the following:

    SELECT * FROM Win32_ComputerSystem WHERE (NOT Name LIKE 'RDSSESSIONHOSTNAME%')

    This denies the script from running on our session hosts.

    The second link helped a lot, Jay.

    • Marked as answer by Brucey1981 Friday, June 10, 2016 9:24 AM
    Friday, June 10, 2016 9:24 AM
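
    The following is an added example, not part of the original posts: a PowerShell check, run on a session host and on an ordinary workstation before the filter is linked, that evaluates a WMI filter query in root\CIMv2 and reports whether it selects the machine. The function name Test-GpoWmiFilter and the class name Win32_NoSuchClass are made up for illustration; RDSSESSIONHOSTNAME is the placeholder prefix used in the thread.

```powershell
# Added example: evaluate a GPO WMI filter query locally.
# A WMI filter selects a computer when the query returns at least one instance.
function Test-GpoWmiFilter {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Query,
        [string]$Namespace = 'root\CIMv2'
    )
    try {
        $rows = @(Get-CimInstance -Namespace $Namespace -Query $Query -ErrorAction Stop)
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Query    = $Query
            Valid    = $true
            Selected = ($rows.Count -gt 0)   # one or more instances: filter is true here
            Error    = $null
        }
    }
    catch {
        # Unknown class, unknown property or bad WQL syntax: the query returns
        # no instances, so it cannot select this (or any) computer.
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Query    = $Query
            Valid    = $false
            Selected = $false
            Error    = $_.Exception.Message
        }
    }
}

# Placeholder prefix from the thread; replace with the real session host prefix.
$prefix = 'RDSSESSIONHOSTNAME'

$queries = @(
    # Expected: Selected = True on workstations, False on session hosts.
    "SELECT * FROM Win32_ComputerSystem WHERE NOT Name LIKE '$prefix%'"
    # Constructed invalid class name, to show what a typo in the class looks like.
    "SELECT * FROM Win32_NoSuchClass WHERE NOT Name LIKE '$prefix%'"
)

$queries | ForEach-Object { Test-GpoWmiFilter -Query $_ } | Format-List
```

    A result of Valid = False on every machine means the filter text itself is wrong, which would keep the logon script GPO from applying anywhere rather than only on the session hosts.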

All replies

  • Hi Brucey,

    Thanks for your post.

    To achieve your goal, you could create a WMI filter for the computer.

    The filter statement looks like the one below:

    Select * from Win32_ComputerSystem where Name="WS01"

    Or, you could enable group policy loopback mode for those computers.

    Here is an article below about group policy loopback mode for your reference.

    Windows Server: Understand “User Group Policy Loopback Processing Mode”

    http://social.technet.microsoft.com/wiki/contents/articles/2548.windows-server-understand-user-group-policy-loopback-processing-mode.aspx

    Here is a blog that may be helpful to you in fixing the problem.

    What you can do, should do and should not do with GPO

    http://evilgpo.blogspot.de/2012/03/how-to-save-my-screen.html

    Best Regards,

    Jay



    Friday, June 10, 2016 5:38 AM
    Moderator
  • Hello Jay, thanks for the reply.

    We do have Loopback Policy enabled, but I am failing to find where I can disable the script process to override the standard user login script with a blank or something else.

    The link you provided is something we have already done to stop our default screen saver and lock screen kicking in on the RemoteApp sessions.

    Thanks

    Friday, June 10, 2016 7:29 AM