We have a rather large Active Directory implementation with over 100 DCs and almost 100K clients, running all versions of Windows: XP, Vista, and now W7 (yes, we even still have a few on NT and W2K, too). We've deployed W7 clients and are leveraging AppLocker GPOs. We've just discovered that our domain Logon Script (an old-school BAT file we maintain for backwards compatibility) doesn't run on our W7 clients, because AppLocker won't allow it. The client logs report this error: "\\(ADDCname)\NETLOGON\logonscript.bat was prevented from running."
Our AppLocker GPO does include Executable and Script Rules that Allow Everyone to run files in Path \\ad.domain.name\*; however, we do not have rules that specify Path \\(ADDCname)\*. We don't specify the names of individual DCs because we have over 100 of them, and I honestly don't want to micromanage a list of server names in my AppLocker policy. Servers come and go over time, so routinely updating the AppLocker GPO every time we add/remove a DC is simply not manageable.
Instead, I'd prefer to use the perfectly serviceable %LOGONSERVER% variable, e.g.: %LOGONSERVER%\NETLOGON\*. Good old %LOGONSERVER% has been around since the earliest days of Windows networking, and it's still valid in WS08 and W7, too.
Unfortunately, the AppLocker rule creation wizard won't let me use %LOGONSERVER%, nor many other well-known/common variables. AppLocker has its own limited set of variables, a few of which coincide with the well-known ones. But %LOGONSERVER% isn't one of them, and there doesn't seem to be an AppLocker equivalent variable (if I read the Help file correctly).
I know that another option is to convert our old BAT file to a signed VBS or PS1 file, and then add the Publisher DN string to AppLocker, instead. However, in our varied environment, we can't always be sure that Windows Scripting Host or PowerShell is installed on every client, so we have to maintain the BAT file as the lowest common denominator.
So what are my options for solving this problem, short of asking Microsoft to fix AppLocker to allow for AD DCs, %LOGONSERVER%, and/or \\(DOMAIN)\NETLOGON? Or maybe I'm thinking about this problem in the wrong way: does anyone else have a different approach/perspective?
Thanks in advance for your input. :-)
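The mismatch the post describes (a Script rule for \\ad.domain.name\* that does not cover \\DCname\NETLOGON\...) can be reproduced offline. The following is an added example, not code from the poster or from Microsoft: it parses the AppLocker policy XML format that the GPO exports, evaluates a file path against the Script collection's path rules with a simplified matcher (case-insensitive, `*` matching across folders, Deny beating Allow, no SIDs, exceptions, hash or publisher rules), and shows a helper that regenerates one Allow rule per DC from a list so the rule set is produced by script rather than hand-edited. The policy, rule GUIDs, DC names and the %WINDIR%-style variable expansions are constructed placeholders.

```python
import re
import uuid
import xml.etree.ElementTree as ET

# Constructed sample policy in AppLocker's XML layout: the shape the post describes,
# a Script rule for the domain DFS root but nothing for individual DC names.
# Rule Ids are placeholders, not values from any real GPO.
SAMPLE_POLICY = r"""<AppLockerPolicy Version="1">
  <RuleCollection Type="Script" EnforcementMode="Enabled">
    <FilePathRule Id="00000000-0000-0000-0000-000000000001" Name="Scripts on domain DFS root"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="\\ad.domain.name\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="00000000-0000-0000-0000-000000000002" Name="Default Windows folder scripts"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>"""

# AppLocker's own path variables (a subset), expanded to assumed local values for the simulation.
APPLOCKER_VARS = {
    "%WINDIR%": r"C:\Windows",
    "%SYSTEM32%": r"C:\Windows\System32",
    "%OSDRIVE%": r"C:",
    "%PROGRAMFILES%": r"C:\Program Files",
}


def rule_to_regex(rule_path):
    """Turn an AppLocker path condition into a case-insensitive anchored regex.
    '*' matches any text including backslashes, so '\\server\share\*' covers subfolders."""
    expanded = rule_path
    for var, value in APPLOCKER_VARS.items():
        expanded = re.sub(re.escape(var), lambda m, v=value: v, expanded, flags=re.IGNORECASE)
    parts = [re.escape(p) for p in expanded.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def load_rules(policy_xml, collection_type="Script"):
    """Return (name, action, path) for every FilePathRule in the named collection."""
    root = ET.fromstring(policy_xml)
    rules = []
    for coll in root.findall("RuleCollection"):
        if coll.get("Type") != collection_type:
            continue
        for rule in coll.findall("FilePathRule"):
            for cond in rule.findall("Conditions/FilePathCondition"):
                rules.append((rule.get("Name"), rule.get("Action"), cond.get("Path")))
    return rules


def evaluate(policy_xml, file_path, collection_type="Script"):
    """Simplified decision: any matching Deny wins, then any matching Allow,
    otherwise the file is Denied (an enforced collection denies by default)."""
    allow, deny = [], []
    for name, action, path in load_rules(policy_xml, collection_type):
        if rule_to_regex(path).match(file_path):
            (deny if action == "Deny" else allow).append(name)
    if deny:
        return "Denied", deny
    if allow:
        return "Allowed", allow
    return "Denied", []


def dc_netlogon_policy(dc_names):
    """Generate a Script collection with one narrow Allow rule per DC's NETLOGON share,
    so the list can be rebuilt from a current DC inventory instead of edited by hand."""
    root = ET.Element("AppLockerPolicy", Version="1")
    coll = ET.SubElement(root, "RuleCollection", Type="Script", EnforcementMode="Enabled")
    for dc in dc_names:
        rule = ET.SubElement(coll, "FilePathRule", Id=str(uuid.uuid4()),
                             Name=f"Logon scripts on {dc}", Description="",
                             UserOrGroupSid="S-1-1-0", Action="Allow")
        conds = ET.SubElement(rule, "Conditions")
        ET.SubElement(conds, "FilePathCondition", Path=rf"\\{dc}\NETLOGON\*")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for p in (r"\\ad.domain.name\NETLOGON\logonscript.bat",
              r"\\DC01\NETLOGON\logonscript.bat"):
        print(p, "->", evaluate(SAMPLE_POLICY, p))
    generated = dc_netlogon_policy(["DC01", "DC02"])
    print(r"\\dc02\NETLOGON\logonscript.bat", "->", evaluate(generated, r"\\dc02\NETLOGON\logonscript.bat"))
```

The first path is allowed and the second is denied, which is exactly the client-side error in the post: the logon script is launched through the DC's own name, not the domain DFS name, so the \\ad.domain.name\* rule never applies. On a real Windows 7 client the same check can be made against the live policy with the AppLocker cmdlets (`Get-AppLockerPolicy -Effective -Xml` to export it, `Test-AppLockerPolicy` to evaluate a path), which is the authoritative answer where this simulation is only an approximation.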