Using Software Restriction Policies to Block Scripts

When we implement RES Workspace Manager POCs/pilots on a customer's site, one of the first things we try to do is create a new AD organisational unit (OU) in which our test PCs or XenApp/RDS servers will be placed. One reason for this is that it allows us to block any existing AD group policies (GPOs) that might impact the POC, e.g. startup/shutdown/logon/logoff scripts, especially as these might be the cause of the slow logins we are trying to improve using Workspace Manager.

For computer-related GPOs we use "block inheritance" on the new OU. For user-related GPOs we employ the "GPO loopback > replace" technique.

These methods work very well, but something I've come across on customer sites is that the login script has been set in the AD properties of each user rather than in any GPO you are trying to block, as you can see in the screenshot below. Generally this is the "old school" method of doing it, but it's still out there!


This causes us some headaches in our POC/pilot, especially when these users are asked to start testing it and the first thing that happens is they start complaining that it takes an age to log in. Why? Because the script is mapping 24 network drives and 15 printers at logon!!

Therefore we need to stop this script from running in our POC/pilot environment. We could do this by simply removing the entry from their AD properties, but what happens if they still want to use the existing environment that relies on this script to map drives and printers? We need to find another way of doing it... enter "Microsoft Software Restriction Policies".

Using Software Restriction Policies allows us to block these logon scripts without affecting the users' ability to use the existing environment, and here is how.

Firstly we need to add the Software Restriction Policy to a GPO so that it applies; the easiest way to achieve this is to add it to the new GPO we created in the first instance that applies the computer-related settings.

Using the Group Policy Management Console (GPMC), edit the GPO and expand "Computer Configuration/Windows Settings/Security Settings/Software Restriction Policies".


Right click on “Software Restriction Policies” and select “New Software Restriction Policies”.


At this point you will see some additional settings become available.


Right click on “Additional Rules” and select “New Path Rule”.


You now need to tell the policy which path to block scripts from running from. Most likely these scripts are located in the NETLOGON share on your domain controllers (DCs); the problem now being which DC the script will run from should you have more than one DC in your environment. Easily solved: we can use the %LOGONSERVER% environment variable, which holds the logon DC used by the user who is logging on. The security level should obviously be set to "Disallowed". Bear in mind that a Disallowed path rule applies to every executable file type under that path, so anything else legitimately launched from NETLOGON in the POC/pilot will be blocked as well.
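The GPMC steps above, expressed as an added PowerShell example (not from the original post) using the GroupPolicy module. It assumes a GPO named POC-Computer-Settings and the path %LOGONSERVER%\NETLOGON, and writes the registry layout that the SRP editor itself stores in the GPO.

```powershell
# Added example: create the SRP "Disallowed" path rule in a GPO from PowerShell.
# Assumptions: GPO name and blocked path below are placeholders for this POC.
Import-Module GroupPolicy

$GpoName   = 'POC-Computer-Settings'   # assumed name of the computer-settings GPO
$BlockPath = '%LOGONSERVER%\NETLOGON'  # assumed path from the "New Path Rule" step

# Root of the SRP settings in a GPO. Subkey 0 holds Disallowed rules,
# subkey 262144 holds Unrestricted rules.
$Safer = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Equivalent of "New Software Restriction Policies": default level Unrestricted,
# enforcement on, applied to all users (PolicyScope 0), with the editor's
# default list of file types that count as executable.
$ExecTypes = 'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP',
             'HTA','INF','INS','ISP','LNK','MDB','MDE','MSC','MSI','MSP','MST',
             'OCX','PCD','PIF','REG','SCR','SHS','URL','VB','WSC'
$null = Set-GPRegistryValue -Name $GpoName -Key $Safer -ValueName 'DefaultLevel'       -Type DWord       -Value 262144
$null = Set-GPRegistryValue -Name $GpoName -Key $Safer -ValueName 'TransparentEnabled' -Type DWord       -Value 1
$null = Set-GPRegistryValue -Name $GpoName -Key $Safer -ValueName 'PolicyScope'        -Type DWord       -Value 0
$null = Set-GPRegistryValue -Name $GpoName -Key $Safer -ValueName 'ExecutableTypes'    -Type MultiString -Value $ExecTypes

# Equivalent of "New Path Rule" at security level Disallowed: one GUID-named
# subkey under ...\0\Paths. ItemData is REG_EXPAND_SZ so %LOGONSERVER% is
# expanded on the client at logon, i.e. against whichever DC authenticated the user.
$RuleKey = "$Safer\0\Paths\$([guid]::NewGuid().ToString('B').ToUpper())"
$null = Set-GPRegistryValue -Name $GpoName -Key $RuleKey -ValueName 'ItemData'     -Type ExpandString -Value $BlockPath
$null = Set-GPRegistryValue -Name $GpoName -Key $RuleKey -ValueName 'SaferFlags'   -Type DWord        -Value 0
$null = Set-GPRegistryValue -Name $GpoName -Key $RuleKey -ValueName 'Description'  -Type String       -Value 'POC: block NETLOGON logon scripts'
$null = Set-GPRegistryValue -Name $GpoName -Key $RuleKey -ValueName 'LastModified' -Type QWord        -Value ([DateTime]::UtcNow.ToFileTimeUtc())

# Check: read the rule back from the GPO before linking it to the POC OU.
Get-GPRegistryValue -Name $GpoName -Key $RuleKey -ValueName 'ItemData' |
    Select-Object FullKeyPath, ValueName, Type, Value
```

On a test PC, after `gpupdate /force`, a blocked script is recorded in the Application log as Event ID 866 from the SoftwareRestrictionPolicies source, which is the quickest way to confirm the rule is being hit.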


That's about it!! Now when you log on to the POC/pilot environment you can be sure any unwanted logon/logoff scripts will be blocked from running.



  1. Balakrishna Kalappa on March 19, 2012 at 02:23

    I have the same problem and your article helped me resolve it. Thank you very much.

  2. Nathan Sperry on March 19, 2012 at 18:44

    Hi Balakrishna,

    Thanks for your positive feedback and glad it helped!

  3. John Heaton on April 27, 2012 at 08:29

    My result of setting this value is a popup warning message stating:

    Execution of the Windows Script Host failed. (Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator.) OK

    So it is clearly working, but how do I prevent the warning?

  4. Nathan Sperry on May 1, 2012 at 10:42

    Hi John,

    Thanks for taking the time to respond to my post. When a program is disallowed due to a software restriction policy, an error code is received by the launching program. If the launching program returns the system message for this error code, you will receive the error message. In my case I've been blocking batch files (.BAT) running from the NETLOGON share, and they don't provide any feedback that it's been blocked other than looking in the event log. I'm not sure you can suppress that error message but will do some further testing in my lab.

    Generally once I've migrated across to a UEM solution like RES Workspace Manager I remove the login scripts from the users' AD properties. Is there any possibility of calling the VBS from a batch file first, in which case the batch file will get blocked with no error message? The only other alternative you have to block the script would be to add it to a GPO; that way you could block that GPO applying using loopback.


  5. BalaBhaskara Rao M on December 3, 2014 at 14:36


    I want to create a .bat or .vbe script to restrict uninstalling a particular software/application, and to create a .bat file for that. Could anyone please help me out? My mail ID is, please reply to this for suggestions.
