Sunday, June 21, 2009

Creating and Assigning Logon Scripts - Windows Server 2008

By Joe Piggee, MCSE

The whole idea of Logon scripts has changed a bit since the NT 4.0 days. I have received quite a few questions from people concerning this, and will, in the simplest manner, explain the tasks of:

·  Creating a logon script
·  Assigning a logon script
   o  Active Directory Users and Computers (ADUC)
   o  Group Policy (GPO)

First a little background:

The logon script is the file that performs the actual action, and that action can be almost anything. So we'll start by creating that script. Unlike the "old fashioned" method of using ADUC and the Profile tab of the user's account properties, the default location for GPO-initiated logon scripts is deep within the SYSVOL special folder, which, by default, is shared on all Domain Controllers in an Active Directory forest, and is located in the following folder:

%SystemRoot%\SYSVOL\sysvol\<domain DNS name>\Policies\{GUID}\User\Scripts\Logon

Where %SystemRoot% is usually “C:\Windows”, <domain DNS name> is the DNS name of the domain, similar to “Yourdomain.local”, and {GUID} is a hexadecimal string representing the GUID (unique identifier) of the specific Group Policy Object in use. This folder, which is a part of the SYSVOL special folder, is replicated to all the Domain Controllers in the domain. Each GPO has its own internal User and Machine subfolders, and under them it has, if used, a Logon, Logoff, Startup and Shutdown subfolder where appropriate. Logon scripts are script files such as logon.bat, logon.vbs, or logon.cmd. They can be named whatever you like, but should have a commonly descriptive name. When using GPOs you’ll eventually find that, depending on your schema, you can accomplish many user and computer settings without writing a single line of code. I would also recommend setting up your resources in Active Directory for ease of administration. Since that goes beyond the scope of this article, we’ll go more in depth at another time.

Let’s Roll-up Our Sleeves. The steps involved include:

1.      Create the Script

2.      Test the Script

3.      Place the script in the appropriate location (the Netlogon share)

4.      Assign the script to a user, group, or Organizational Unit

Setting up a Logon Script through Active Directory Users and Computers in Windows

The following sample code will map a network drive to a shared folder on my test server. Feel free to copy and use it. All you’d need to do is change the UNC path to match your environment. **Also, note that using this method, you may assign the logon script to only ONE user at a time.**

Step 1.               Create the Script.

a.       Open Notepad, or any text editor, enter the following script, and save it on your desktop as logon.vbs:

' sample logon script
' first let's create the objects we'll be using
dim objShell, objNetwork
set objShell = WScript.CreateObject("WScript.Shell")
set objNetwork = WScript.CreateObject("WScript.Network")
' We'll map the M: drive to a network location
objNetwork.MapNetworkDrive "M:", "\\MyServerName\ShareName"

b.      Edit the last line to match your environment, and save

Step 2.               Test it by double clicking, and review your drive mappings.

Step 3.               Now copy the file to your netlogon share.

Step 4.               Open ADUC (Active Directory Users and Computers): click Start -> Run, type dsa.msc, and press Enter.

Step 5.               Navigate to the user you want to assign the script to, right-click it, and select Properties.

Step 6.               Select the Profile tab, and type the name of the logon script inside the Logon script text box.

Step 7.               Click Ok. Replicate your Domain Controllers if necessary.

Step 8.               Log off, reboot the user’s computer, and log on. That’s it!!

Setting up a Logon Script through GPO in Windows Server 2008

This is the recommended method of assigning logon scripts.

Step 1.               Create the Script.

a.       Open Notepad, or any text editor, enter the following script, and save it on your desktop as logon.vbs:

' sample logon script
' first let's create the objects we'll be using
dim objShell, objNetwork
set objShell = WScript.CreateObject("WScript.Shell")
set objNetwork = WScript.CreateObject("WScript.Network")
' We'll map the M: drive to a network location
objNetwork.MapNetworkDrive "M:", "\\MyServerName\ShareName"

b.      Edit the last line to match your environment, and save

Step 2.               Test it by double clicking, and review your drive mappings.

Step 3.               Now copy the file to your netlogon share.

Step 4.               Open the Group Policy Management Console: select Start -> Run, and type gpmc.msc.

Step 5.               Navigate to the container that holds the user or users you want to assign the script to.

Step 6.               Right-click the container and select “Create a New GPO in this Domain, and Link it Here”. Give it a descriptive name. Click Ok.

Step 7.               Now right click the GPO, and select edit.

Step 8.               Now, navigate to User Configuration->Policies->Windows Settings->Scripts

Step 9.               Double Click “Logon”, and Click “Add”.

Step 10.            As long as you saved the script in the correct location, all you need to do is type the name of the script. Or, to be sure, click Browse and type the UNC path inside the address bar. In my case that is \\joleycompserver\netlogon.

Step 11.            Select the script we created, and click open

Step 12.            You’ll see the script listed in the Add Script Window. Click Ok

Step 13.            Click Ok on the Next Window.

Step 14.            Close the Group Policy Object Editor window.

Step 15.            Close the GPMC window
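
A more defensive variant of the sample logon.vbs used in both procedures above, as an added example that is not the author's script: it does nothing when M: already points at the share, replaces a stale mapping instead of failing on it, and records the outcome with WshShell.LogEvent. The drive letter and UNC path are the article's placeholders.

```vbscript
' Added example (not the author's script): repeatable, logged drive mapping.
' DRIVE and SHARE reuse the article's placeholder values; change them to suit.
Option Explicit
Const DRIVE = "M:"
Const SHARE = "\\MyServerName\ShareName"
Const EVT_ERROR = 1, EVT_INFO = 4   ' WshShell.LogEvent type codes

Dim objShell, objNetwork, colDrives, i, strCurrent
Set objShell = WScript.CreateObject("WScript.Shell")
Set objNetwork = WScript.CreateObject("WScript.Network")

' EnumNetworkDrives returns pairs: item i = drive letter, item i+1 = UNC path
strCurrent = ""
Set colDrives = objNetwork.EnumNetworkDrives
For i = 0 To colDrives.Count - 1 Step 2
    If UCase(colDrives.Item(i)) = UCase(DRIVE) Then strCurrent = colDrives.Item(i + 1)
Next

If UCase(strCurrent) = UCase(SHARE) Then
    WScript.Quit 0   ' already mapped to the right place, nothing to do
End If

On Error Resume Next
If strCurrent <> "" Then
    ' Drive letter points somewhere else: force removal and drop it from the profile
    objNetwork.RemoveNetworkDrive DRIVE, True, True
    Err.Clear
End If

' Third argument False = do not persist; the script re-maps at every logon.
' The optional user name and password arguments are deliberately not used:
' the NETLOGON share is readable by every authenticated user, so the script
' must never contain credentials.
objNetwork.MapNetworkDrive DRIVE, SHARE, False
If Err.Number <> 0 Then
    objShell.LogEvent EVT_ERROR, "Logon script: mapping " & DRIVE & " to " & SHARE & _
        " failed (0x" & Hex(Err.Number) & "): " & Err.Description
    WScript.Quit 1
End If
On Error GoTo 0
objShell.LogEvent EVT_INFO, "Logon script: mapped " & DRIVE & " to " & SHARE
```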

 

 

 

 
