We currently want to track when and where a student logs in. I have created batch scripts to be run when they log in and when they log off. However, due to the GPO restricting command prompt, students are unable to run the batch script when they log on. Is there a way to add an exclusion list so only 2 batch scripts can be run and all the rest be disabled?

I have tried adding path rules to the security settings of the GPO to get certain .bat files to run but disable all others...

-Disable *.cmd
-Enable \\server\share\*.cmd

-Disable *.bat
-Enable \\server\share\*.bat

-Disabled the command prompt restriction

but it still restricted all .bat files from being run.

Any help would be greatly appreciated.