Hello, I have found the solution in software restrictions in GPO, there you can define rules, the first rule is a path rule (just right clic on softwares restrictions...), write there *.bat and set it to disallowed. and other rules that define the exceptions, they are path rules also, write there the UNC path of all places where you made startup scripts...in the server and end it with *.bat . For instance \\LOGIN_SRV\Share\*.bat and set all this rules to unrestricted . this GPO is apllied on the domain to affect all users and computers. that's it.