Using Software Restriction Policies to Block Scripts

When we implement a RES Workspace Manager POC/pilot on a customer's site, one of the first things we do is create a new Active Directory organisational unit (OU) to hold the test PCs or XenApp/RDS servers. One reason for this is that it lets us block any existing Group Policy Objects (GPOs) that might affect the POC, e.g. startup/shutdown/logon/logoff scripts, which are often the cause of the slow logons we are trying to improve with Workspace Manager.

For computer-related GPOs we use "Block Inheritance" on the new OU. For user-related GPOs we use Group Policy loopback processing in "Replace" mode, so that anyone logging on to a machine in the new OU gets only the user settings from the GPOs linked to that OU, not the user settings from their own OU. Note that neither technique stops a GPO that is linked with "Enforced"; those still apply and have to be dealt with explicitly.
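As an added example (not part of the original post), here are the two steps above scripted with the ActiveDirectory and GroupPolicy RSAT modules. The OU name and GPO name are hypothetical; the loopback setting is written as the registry value that GPMC itself writes for "Configure user Group Policy loopback processing mode" (UserPolicyMode, 1 = Merge, 2 = Replace).

```powershell
# Added example, not from the original post. Requires RSAT: ActiveDirectory and GroupPolicy.
Import-Module ActiveDirectory, GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName
$ouName   = 'POC-WorkspaceManager'          # hypothetical OU name
$ouDN     = "OU=$ouName,$domainDN"
$gpoName  = 'POC - Computer Settings'       # hypothetical GPO name

# 1. Create the OU (if it does not exist) and block inheritance so computer GPOs linked
#    higher up the tree no longer apply to the test machines. Enforced links still win.
$ou = Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDN -SearchScope OneLevel
if (-not $ou) { New-ADOrganizationalUnit -Name $ouName -Path $domainDN }
Set-GPInheritance -Target $ouDN -IsBlocked Yes | Out-Null

# 2. Create the computer-settings GPO and link it to the OU.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
$linked = (Get-GPInheritance -Target $ouDN).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) { New-GPLink -Name $gpoName -Target $ouDN -LinkEnabled Yes | Out-Null }

# 3. Turn on loopback processing in Replace mode inside that GPO. This is the same registry
#    value GPMC writes under Computer Configuration > Administrative Templates > System > Group Policy.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# 4. Show the result: inheritance blocked and the GPO(s) linked directly to the OU.
Get-GPInheritance -Target $ouDN |
    Select-Object Path, GpoInheritanceBlocked, @{ n = 'Links'; e = { $_.GpoLinks.DisplayName -join ', ' } }
```

With Replace mode the pilot users get none of their usual user-side policy on these machines, which is the point of the exercise; anything they do need (drive mappings, printers) is delivered by Workspace Manager instead.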

These methods work well, but something I have come across on customer sites is that the logon script has been set in the AD properties of each user (the "Logon script" field on the user's Profile tab, which is the scriptPath attribute) rather than in any GPO that we are trying to block. Generally this is the "old school" way of doing it, but it is still out there!
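To find out how widespread the "old school" setup is before the pilot starts, here is an added example (not from the original post) that lists every enabled user whose logon script is set on the user object itself and checks whether each script actually exists in NETLOGON. It assumes the ActiveDirectory RSAT module; the OU used as the search base is hypothetical, and the script name and line count it prints come from whatever is in your own NETLOGON share.

```powershell
# Added example, not from the original post. Requires RSAT: ActiveDirectory.
Import-Module ActiveDirectory

# Hypothetical: limit the audit to the users who will take part in the pilot.
# Drop -SearchBase below to audit the whole domain.
$searchBase = "OU=Pilot Users,$((Get-ADDomain).DistinguishedName)"

# scriptPath is not in Get-ADUser's default property set, so ask for it explicitly.
$users = Get-ADUser -Filter 'Enabled -eq $true -and scriptPath -like "*"' `
                    -SearchBase $searchBase -Properties scriptPath

# How many users share each script? The busiest one is the first to go and read.
$users | Group-Object scriptPath | Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'scriptPath'; e = { $_.Name } } | Format-Table -AutoSize

# Resolve each distinct script to a file. A bare name (logon.bat, or sales\logon.bat) is
# run from NETLOGON on the DC that authenticated the user, which is what a
# %LOGONSERVER%\NETLOGON path rule will match. A full UNC path in scriptPath is run as-is
# and would NOT be caught by that rule, so flag it separately.
$pdc = (Get-ADDomain).PDCEmulator
foreach ($script in ($users.scriptPath | Sort-Object -Unique)) {
    if ($script -like '\\*') {
        "$script : UNC path outside NETLOGON, needs its own SRP rule"
        continue
    }
    $path = Join-Path "\\$pdc\NETLOGON" $script
    if (Test-Path -LiteralPath $path) {
        "$script : found, $((Get-Content -LiteralPath $path).Count) lines"
    } else {
        "$script : not found in \\$pdc\NETLOGON"
    }
}
```

The NETLOGON share is replicated between DCs, so checking on the PDC emulator is enough to see the content; a script that is "not found" still slows the logon, because userinit has to fail to start it first.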


This causes headaches in the POC/pilot: as soon as these users start testing, the first thing they do is complain that it takes an age to log on. Why? Because the script is mapping 24 network drives and 15 printers at logon!

Therefore we need to stop this script from running in the POC/pilot environment. We could simply clear the field in their AD properties, but what happens if they still need the existing environment, which relies on this script to map drives and printers? We need another way of doing it, and in step Microsoft Software Restriction Policies (SRP).

Software Restriction Policies let us block these logon scripts on the POC/pilot machines only, without affecting the users' ability to carry on using the existing environment, and here is how.

First, the Software Restriction Policy needs to live in a GPO that applies to the POC machines; the easiest place is the GPO we created earlier for the computer-related settings of the new OU. Because the rule sits in Computer Configuration, it applies to every user who logs on to those machines (by default SRP enforcement includes local administrators), which is exactly what we want here.

Using the Group Policy Management Console (GPMC), edit the GPO and expand "Computer Configuration/Windows Settings/Security Settings/Software Restriction Policies" (in newer versions of GPMC there is a "Policies" node between Computer Configuration and Windows Settings).


Right click on “Software Restriction Policies” and select “New Software Restriction Policies”.


At this point you will see the additional settings appear: Enforcement, Designated File Types and Trusted Publishers, plus the Security Levels and Additional Rules containers.


Right click on “Additional Rules” and select “New Path Rule”.


You now need to tell the policy which path to block scripts from running from. Most likely these scripts are located in the NETLOGON share on your domain controllers (DCs); the problem then is which DC the script will be run from if you have more than one. Easy: SRP path rules accept environment variables, and %LOGONSERVER% holds the name (in \\DCNAME form) of the DC that authenticated the user who is logging on, so the path becomes %LOGONSERVER%\NETLOGON. The variable is expanded in the environment of the process being checked, i.e. the user's own logon session, so it resolves to the right DC for each user. The security level should obviously be set to "Disallowed". Two caveats: this disallows everything launched from NETLOGON on the POC machines, not just the one logon script, and only the extensions listed under Designated File Types (BAT, CMD, VBS and so on by default) are treated as software and blocked.


That's about it! Now when users log on to the POC/pilot environment, the logon script from their AD properties is blocked from running on those machines, and each block is recorded in the Application event log, while the existing environment carries on using the script as before. Scripts launched from anywhere other than NETLOGON are not covered by this rule; those are the GPO scripts that the block inheritance and loopback settings already take care of.
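Before telling users the logon script is gone, verify it on a test PC rather than trusting that the GPO has arrived. The following is an added example, not from the original post: it reads the effective Disallowed path rules from the registry location SRP uses on the client, shows what %LOGONSERVER% expands to in the current session, and pulls the Application-log events SRP writes when it blocks something (865 for a denial by the default level, 866 for a denial by a path rule). Run it from the test user's own session after gpupdate, because %LOGONSERVER% is set per logon.

```powershell
# Added example, not from the original post. Run on a POC test PC in the test user's session.
# SRP stores the effective rules under this key; the subkey below CodeIdentifiers is the
# security level the rules enforce: 0 = Disallowed, 0x40000 (262144) = Unrestricted.
$safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

if (-not (Test-Path $safer)) {
    throw "No SRP settings on this machine. Run 'gpupdate /force' and check 'gpresult /r'."
}
$root = Get-ItemProperty -Path $safer
'SRP enabled (TransparentEnabled) : {0}'   -f $root.TransparentEnabled
'Default security level           : 0x{0:X}' -f $root.DefaultLevel

# Disallowed path rules. ItemData is REG_EXPAND_SZ; read it unexpanded and expand it here so
# the listing shows both the rule as written (%LOGONSERVER%\NETLOGON) and what it resolves to
# for the logged-on user (for example \\DC01\NETLOGON).
$covered = $false
foreach ($rule in (Get-ChildItem -Path "$safer\0\Paths" -ErrorAction SilentlyContinue)) {
    $raw      = $rule.GetValue('ItemData', $null, 'DoNotExpandEnvironmentNames')
    $expanded = [Environment]::ExpandEnvironmentVariables($raw)
    "Rule {0}`n  as written : {1}`n  expands to : {2}" -f $rule.PSChildName, $raw, $expanded
    if ($raw -like '*LOGONSERVER*NETLOGON*') { $covered = $true }
}
if (-not $covered) { Write-Warning 'No Disallowed path rule covering %LOGONSERVER%\NETLOGON was found.' }

# Did anything actually get blocked? SRP logs to the Application log: 865 = denied by the
# default level, 866 = denied by a path rule (the message names the rule GUID and the path).
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 865, 866 } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -like '*SoftwareRestrictionPolic*' -or $_.ProviderName -like '*Software Restriction*' } |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } } |
    Format-Table -Wrap
```

If the rule is listed but no 866 event appears after a fresh logon, the script was not launched from that path (check whether the user's scriptPath is a full UNC path to another share) or its extension is not in the Designated File Types list.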

Nathan

5 Comments

  1. Balakrishna Kalappa, March 19, 2012 (2:23 am)

    I have the same problem and your article helped me resolve it. Thank you very much.

  2. Nathan Sperry, March 19, 2012 (6:44 pm)

    Hi Balakrishna,

    Thanks for your positive feedback and glad it helped!

  3. John Heaton, April 27, 2012 (8:29 am)

    My result of setting this value, is a popup warning message stating:

    Execution of the Windows Script Host failed. (Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator.) OK

    So it is clearly working, but how do I prevent the warning?

  4. Nathan Sperry, May 1, 2012 (10:42 am)

    Hi John,

    Thanks for taking the time to respond to my post. When a program is disallowed due to a software restriction policy, an error code is received by the launching program. If the launching program returns the system message for this error code, you will receive the error message. In my case I've been blocking batch files (.BAT) running from the NETLOGON share, and they don't provide any feedback that they've been blocked other than what you see in the event log. I'm not sure you can suppress that error message, but I will do some further testing in my lab.

    Generally, once I've migrated across to a UEM solution like RES Workspace Manager, I remove the logon scripts from the users' AD properties. Is there any possibility of calling the VBS from a batch file first, in which case the batch file will get blocked with no error message? The only other alternative you have to block the script would be to add it to a GPO; that way you could block that GPO from applying using loopback.

    Nathan

  5. BalaBhaskara Rao M, December 3, 2014 (2:36 pm)

    Hi,

    I want to create a .bat or .vbe script to restrict a particular software/application from being uninstalled from the system. How do I create a .bat file for that? Could anyone please help me out with this? My mail ID is bhaskar.infosec@gmail.com; please reply to this with suggestions.
