Last Update: Sep 24, 2024 | Published: Jan 07, 2009
As written in the first part of this set of articles, there are two ways to assign Logon scripts. The first is done on the Profile tab of the user properties dialog in the Active Directory Users and Computers (ADUC). The second is done via Group Policy Objects (GPO). This article will focus on the second method. To read more about the first method please read my “Setting up a Logon Script through Active Directory Users and Computers in Windows Server 2008” article.
There are a few benefits to using GPOs to assign scripts:
This is why for most scenarios, using GPOs is more useful than doing it the old fashioned way, through ADUC.
Note: Using Windows Server 2008 GPOs to assign logon scripts is mostly the same as it was in Windows 2003, but having some people asking me questions about it in Windows Server 2008 has triggered the writing of this article.
The logon script is the file that does the actual work. It could be almost any action, as noted above. So we’ll start by creating that script. Unlike the “old fashioned” method of using ADUC and the Profile tab of the user account properties, the default location for GPO-initiated logon scripts is deep within the SYSVOL special folder, which, by default, is shared on all Domain Controllers in an Active Directory forest, and is located in the following folder:
%SystemRoot%\SYSVOL\sysvol\<domain DNS name>\Policies\{GUID}\User\Scripts\Logon
Where %SystemRoot% is usually “C:\Windows”, <domain DNS name> is the DNS name of the domain, similar to “Petri.local”, and {GUID} is a hexadecimal string representing the GUID (unique identifier) of the specific Group Policy Object in use. This folder, which is a part of the SYSVOL special folder, is replicated to all the Domain Controllers in the domain. Each GPO has its own internal User and Machine subfolders, and under them it has, if used, a Logon, Logoff, Startup or Shutdown subfolder where appropriate.
Note: The actual process of creating the script is beyond the scope of this article; there are plenty of good resources with great examples on the Internet.
If you plan to use more than ONE logon script, or if you wish to assign that script (or those scripts) to more than one set of users, you will need to create as many logon scripts as you want, and then add them in the right order to the right GPO. More on that later.
Logon and Logoff scripts run with the credentials of the user. It is recommended that the “Domain Users” group be given permission to any resources used by either of these scripts. For example, if the Logon or Logoff script writes to a log file, the group “Domain Users” should be given read/write access to the file or to the folder where the log file is located. Most users have limited privileges on the local computer, so Logon and Logoff scripts will have the same limited privileges.
As a side note, Startup and Shutdown scripts run with the credentials of the computer object. It is recommended that the “Domain Computers” group be given permission to any resources used by the Startup or Shutdown scripts. However, it’s worth knowing that Startup and Shutdown scripts have System privileges on the local computer. This gives Startup and Shutdown scripts access to the local file system and registry.
Next, we need to decide which users should get the logon script. With this procedure (and unlike the Active Directory Users and Computers method), you can link AS MANY logon scripts AS YOU WANT to your users, and you can do it as many times as you want. However, it will only work on computers running Windows 2000 or later, although in most cases nowadays this is not a problem.
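Because everything in that SYSVOL folder runs under the credentials of every user the GPO targets (or as System, for Startup and Shutdown scripts), the write permissions on the folder matter as much as the permissions the script itself needs. The following script is an added example, not part of the original article: run on a Domain Controller, it builds the Logon folder path described above from a domain DNS name and a GPO GUID (both placeholders you replace with your own values, the GUID coming from the GPO’s Details tab in GPMC), lists the scripts in it, and prints every principal allowed to modify its contents, marking any that is not in an assumed list of expected administrative principals.

```powershell
# Added example, not from the original article. Run on a Domain Controller.
# Assumptions: the domain DNS name and the GPO GUID are placeholders; the
# expected-writer list assumes the usual default groups of a single domain.
$DomainDns = 'petri.local'                               # placeholder
$GpoGuid   = '{00000000-0000-0000-0000-000000000000}'    # placeholder

# The folder the article describes: %SystemRoot%\SYSVOL\sysvol\<domain>\Policies\{GUID}\User\Scripts\Logon
$logonDir = Join-Path $env:SystemRoot "SYSVOL\sysvol\$DomainDns\Policies\$GpoGuid\User\Scripts\Logon"
if (-not (Test-Path $logonDir)) { throw "Logon script folder not found: $logonDir" }

# Principals we expect to be able to change what every targeted user runs at logon.
# $env:USERDOMAIN is the NetBIOS name of the domain you are logged on to (assumption: same domain).
$expectedWriters = @('NT AUTHORITY\SYSTEM', 'CREATOR OWNER',
                     "$env:USERDOMAIN\Domain Admins",
                     "$env:USERDOMAIN\Enterprise Admins",
                     "$env:USERDOMAIN\Group Policy Creator Owners")

# Any of these rights lets a principal add, replace, alter or re-permission a script file.
$fsr       = [System.Security.AccessControl.FileSystemRights]
$writeMask = [int]($fsr::WriteData -bor $fsr::AppendData -bor $fsr::Delete -bor
                   $fsr::ChangePermissions -bor $fsr::TakeOwnership)

Write-Host "Scripts currently in $logonDir"
Get-ChildItem $logonDir | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
    "  {0,-30} last written {1}" -f $_.Name, $_.LastWriteTime
}

Write-Host "Principals allowed to modify the folder contents (!! = not in the expected list):"
foreach ($ace in (Get-Acl $logonDir).Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
    $who  = $ace.IdentityReference.Value
    $flag = if ($expectedWriters -contains $who) { '   ' } else { '!! ' }
    "{0}{1,-45} {2}  (inherited: {3})" -f $flag, $who, $ace.FileSystemRights, $ace.IsInherited
}
```

Entries marked “!!” are not necessarily wrong, but each one is a principal that can change a script every targeted user will execute, so they deserve a deliberate decision rather than inheritance by accident.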
The title of this section is kind of misleading, because when using GPOs, you do NOT assign the GPO to a user or users, but to an Organizational Unit (OU), to an Active Directory Site, or to the entire Active Directory Domain. So, you must now decide if you want the script to apply to ALL THE DOMAIN USERS, or just to a specific set of users located within one or more OUs (Organizational Units) in Active Directory Users and Computers.
If you choose to apply it to all the users in the domain, you must create a Group Policy Object (or GPO) and link it to the ENTIRE domain. If you choose to apply the script ONLY to a SPECIFIC SET of users, you must place all those users in one OU (Organizational Unit) in Active Directory Users and Computers, and link the GPO to that OU.
In order to assign the GPO and edit it, we’ll use a tool called the Group Policy Management Console, or GPMC for short. This tool is not installed by default in Windows Server 2003, and neither is it installed by default in Windows Server 2008. In Windows Server 2008, GPMC is considered to be a “Feature”, and you must install it before being able to use it. However, unlike in Windows Server 2003, where you must download and install the tool, in Windows Server 2008 GPMC is already a part of the OS; you simply need to add it. If the Windows Server 2008 server is also a Domain Controller, GPMC will be automatically installed as part of the DCPROMO procedure. If it’s not a DC, you’ll need to manually add it. See my “Adding Features to Windows Server 2008” article.
Note: Of course it might be possible that a GPO already exists and it is linked to the object level you need. In that case you don’t need to create a new GPO, you can use the existing one.
Now we need to make sure the change has replicated to all the DCs in the domain, either by forcing replication with Active Directory Sites and Services, Replmon or Repadmin, or by waiting a few moments (depending on the number of DCs). As a simple follow-up to this article, I suggest you use Active Directory Sites and Services.
If the logon script doesn’t work for you, go back to the basics and see if it works at all by double-clicking on it. See if it’s placed in the right path, and see if it has replicated to the other DCs. Also check permissions by trying to manually run the script from the right path while logged on as the user, and not as an administrator. If it still doesn’t work, use GPMC’s Group Policy Results feature to determine whether the GPO has indeed been applied to the user.
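The “has it replicated to the other DCs” check above can be done in one pass rather than by browsing each server. The script below is an added example, not part of the original article: it enumerates the domain’s DCs with .NET (so it needs no extra modules), reads the script from each DC’s SYSVOL share at the path described earlier, and compares a SHA-256 hash of the content, so a DC that is missing the file or holds a stale copy stands out. The GPO GUID and script file name are placeholders; it assumes you run it from a domain-joined machine as a user allowed to read SYSVOL.

```powershell
# Added example, not from the original article. Verifies that a GPO logon script
# is present with identical content on every DC's SYSVOL share.
# Assumptions: placeholder GUID and file name; run from a domain-joined host.
$GpoGuid    = '{00000000-0000-0000-0000-000000000000}'   # placeholder
$ScriptName = 'logon.bat'                                # placeholder

$domain  = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$sha256  = [System.Security.Cryptography.SHA256]::Create()
$results = @()

foreach ($dc in $domain.DomainControllers) {
    # \\<dc>\SYSVOL is the share of %SystemRoot%\SYSVOL\sysvol, so the same
    # <domain>\Policies\{GUID}\User\Scripts\Logon path applies on every DC.
    $path  = "\\$($dc.Name)\SYSVOL\$($domain.Name)\Policies\$GpoGuid\User\Scripts\Logon\$ScriptName"
    $entry = New-Object PSObject -Property @{ DC = $dc.Name; Present = $false; SHA256 = ''; LastWriteUtc = $null }
    if (Test-Path $path) {
        $bytes              = [System.IO.File]::ReadAllBytes($path)
        $entry.Present      = $true
        $entry.SHA256       = ([System.BitConverter]::ToString($sha256.ComputeHash($bytes))) -replace '-', ''
        $entry.LastWriteUtc = (Get-Item $path).LastWriteTimeUtc
    }
    $results += $entry
}

$results | Format-Table DC, Present, LastWriteUtc, SHA256 -AutoSize

# Replication has converged only when every DC has the file and all hashes agree.
$missing  = @($results | Where-Object { -not $_.Present })
$distinct = @($results | Where-Object { $_.Present } | ForEach-Object { $_.SHA256 } | Sort-Object -Unique)
if ($missing.Count -gt 0) {
    Write-Warning ("Script missing on: " + (($missing | ForEach-Object { $_.DC }) -join ', '))
} elseif ($distinct.Count -ne 1) {
    Write-Warning "Script content differs between DCs; replication has not converged yet."
} else {
    Write-Host "Script is identical on all $($results.Count) DCs."
}
```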