Setting Up a Logon Script Through GPO in Windows Server 2008

There are a few benefits for using GPOs to assign scripts:

One caveat first: GPOs only work with Windows 2000 and above, so if your users still log on from older clients such as Windows 95/98 or Windows NT, GPO-assigned scripts won't run for them.

When using GPOs you can assign MORE than one logon script per user, and you can configure the order in which they run.

When using GPOs you can assign more than JUST logon scripts: you can also assign LOGOFF scripts for users, and even STARTUP and SHUTDOWN scripts for the computer itself.

GPOs can be linked at the OU, Site or Domain level, meaning that with one GPO you can assign a logon script to many users, or even to all your users, instead of having to manually add it to every user object in the domain.

This is why, for most scenarios, using GPOs is more useful than doing it the old-fashioned way, through ADUC.

Note: Using Windows Server 2008 GPOs to assign logon scripts is mostly the same as it was in Windows 2003, but having some people asking me questions about it in Windows Server 2008 has triggered the writing of this article.

Creating the logon script

The logon script is the file that does the actual action. It could be almost any action, as noted above. So we'll start by creating that script. Unlike the "old fashioned" method of using ADUC and the Profile tab of the user's account properties, the default location for GPO-initiated logon scripts is deep within the SYSVOL special folder, which, by default, is shared on every Domain Controller in an Active Directory domain, and is located in the following folder:

%SystemRoot%\SYSVOL\sysvol\<domain DNS name>\Policies\{GUID}\User\Scripts\Logon

Where %SystemRoot% is usually “C:\Windows”, <domain DNS name> is the DNS name of the domain, similar to “Petri.local”, and {GUID} is a hexadecimal string representing the GUID (unique identifier) of the specific Group Policy Object in use. This folder, which is a part of the SYSVOL special folder, is replicated to all the Domain Controllers in the domain. Each GPO has its own User and Machine subfolders, and under them, if used, a Logon, Logoff, Startup or Shutdown subfolder as appropriate.

Note: The actual process of writing the script is beyond the scope of this article; there are plenty of good resources with great examples on the Internet.

1. Create the logon script and give it an appropriate name (for example: logon.bat, logon.cmd, logon.vbs, etc.). The script can use ANY name; just make sure you know what that name is, and give it the right file extension, since the extension decides which interpreter runs it (cmd.exe for .bat/.cmd, the Windows Script Host for .vbs).

2. Make sure that the script runs and performs the required action when it is manually run (double-click on it).

3. Copy the logon script (CTRL+C).

If you plan to have more than ONE logon script, and you wish to assign that script (or scripts) to more than one user, create as many logon scripts as you need and then add them in the right order to the right GPO. More on that later.

What permissions are required for Logon scripts to run?

Logon and Logoff scripts run with the credentials of the user. The “Domain Users” group should therefore be given permission to any resource used by either of these scripts. For example, if the Logon or Logoff script writes to a log file, “Domain Users” should be given read/write access to the file or to the folder where the log file is located. Most users have limited privileges on the local computer, so Logon and Logoff scripts will have the same limited privileges. The reverse matters just as much: every user in scope executes the script straight out of SYSVOL, so the script file and its folder must be writable only by administrators; anyone who can modify that file can run code as every one of those users.

As a side note, Startup and Shutdown scripts run with the credentials of the computer object. The “Domain Computers” group should be given permission to any resources used by the Startup or Shutdown scripts. However, it's worth knowing that Startup and Shutdown scripts run with System (LocalSystem) privileges on the local computer. This gives Startup and Shutdown scripts full access to the local file system and registry.
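The "writable only by administrators" point above is easy to state and easy to get wrong after a few years of ad-hoc ACL changes, so it is worth checking before the GPO is linked. The PowerShell below is an added example, not part of the original article: it lists every principal holding write-class rights on the GPO's Logon folder and on each script in it, against an allow-list of the writers a freshly created GPO has by default. The domain name, the GPO GUID and the use of $env:USERDOMAIN for the NetBIOS domain name are assumptions for the example; extend the allow-list with any delegated GPO editors you actually use.

```powershell
# Added example (not from the original article): report every principal that can
# modify a GPO's User\Scripts\Logon content in SYSVOL. Anything writable by ordinary
# users here means arbitrary code running as every user the GPO applies to.
# Assumptions: $DomainDns/$GpoGuid are placeholders; $env:USERDOMAIN is the NetBIOS
# name of the domain; the allow-list is the default set of writers on a new GPO.
param(
    [string]$DomainDns = 'Petri.local',
    [string]$GpoGuid   = '{E4A62379-8423-4654-8DB6-01FB8F58582D}'
)

$logonDir = "\\$DomainDns\SYSVOL\$DomainDns\Policies\$GpoGuid\User\Scripts\Logon"

# Principals that are expected to be able to change GPO content.
$allowedWriters = @(
    'NT AUTHORITY\SYSTEM',
    'CREATOR OWNER',
    'BUILTIN\Administrators',
    "$env:USERDOMAIN\Domain Admins",
    "$env:USERDOMAIN\Enterprise Admins",
    "$env:USERDOMAIN\Group Policy Creator Owners"
)

# Any of these rights lets the holder replace or alter the script (or re-ACL it).
$writeMask = 0
foreach ($r in 'Write', 'Modify', 'FullControl', 'WriteData', 'AppendData',
               'TakeOwnership', 'ChangePermissions') {
    $writeMask = $writeMask -bor [int]([System.Security.AccessControl.FileSystemRights]$r)
}
# Generic rights (GENERIC_WRITE / GENERIC_ALL) appear as raw numbers on some inherited ACEs.
$writeMask = $writeMask -bor 0x40000000 -bor 0x10000000

function Get-UnexpectedWriters {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ((([int]($ace.FileSystemRights)) -band $writeMask) -eq 0) { continue }
        $id = $ace.IdentityReference.Value
        if ($allowedWriters -notcontains $id) {
            New-Object PSObject -Property @{
                Path      = $Path
                Identity  = $id
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Check the folder and every file inside it: a file ACL can be looser than its parent.
$targets  = @($logonDir) + @(Get-ChildItem -Path $logonDir | ForEach-Object { $_.FullName })
$findings = @($targets | ForEach-Object { Get-UnexpectedWriters -Path $_ })

if ($findings.Count -gt 0) {
    $findings | Format-Table Identity, Rights, Inherited, Path -AutoSize
    Write-Warning 'Unexpected write access on logon script content; fix this before linking the GPO.'
} else {
    Write-Host "Only expected administrators can modify $logonDir"
}
```

Run it from a machine that can reach SYSVOL as a domain administrator. A finding for “Authenticated Users” or “Domain Users” is the one to act on immediately; read access for those groups is required (the client has to fetch the script) and is not reported.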

Assigning the script to the user or users

Next, we need to decide which users should get the logon script. With this procedure (and unlike the Active Directory Users and Computers method), you can link AS MANY logon scripts AS YOU WANT to your users, and you can do it as many times as you want. However, it will only work on computers running Windows 2000 and above, although in most cases nowadays this is not a problem.

The title of this section is kind of misleading, because when using GPOs, you do NOT assign the GPO to a user or users, but to an Organizational Unit (OU), to an Active Directory Site, or to the entire Active Directory Domain. So, you must now decide if you want the script to apply to ALL THE DOMAIN USERS, or just to a specific set of users located within one or more OU (Organization Unit) in Active Directory Users and Computers.

If you choose to apply it to all the users in the domain, you must create a Group Policy Object (or GPO) and link it to the ENTIRE domain. If you choose to apply the script ONLY to a SPECIFIC SET of users, you must place all those users in one OU (Organizational Unit) in Active Directory Users and Computers, and link the GPO to that OU. (You can narrow the scope further with the GPO's security filtering on a group, but the link still decides where the GPO is processed.)

In order to assign the GPO and edit it, we'll use a tool called Group Policy Management console, or GPMC in short. This tool is not installed by default in Windows Server 2003, and neither is it installed by default in Windows Server 2008. In Windows Server 2008, GPMC is considered to be a "Feature", and you must install it before being able to use it. However, unlike in Windows Server 2003 where you must download and install the tool, in Windows Server 2008, GPMC is already a part of the OS, you simply need to add it. If the Windows Server 2008 server is also a Domain Controller, GPMC will be automatically installed as part of the DCPROMO procedure. If it's not a DC, you'll need to manually add it. See my "Adding Features to Windows Server 2008" article.

1. See if the Administrative Tools folder has a tool called Group Policy Management Console. If it does, read on. If it doesn't, read "Adding Features to Windows Server 2008" article.

2. Open Group Policy Management Console from the Administrative Tools folder (or gpmc.msc from RUN).

3. If, as described in the above paragraph, you decided to apply the script to ALL THE DOMAIN USERS, expand the domain tree, locate the domain name. Right-click the domain name and select Create and Link a GPO Here.

4. If, as described in the above paragraph, you decided to apply the script to ONLY a SPECIFIC SET of users, expand the domain tree and locate the OU where those users are located. Right-click the OU and select Create and Link a GPO Here.

Note: Of course it might be possible that a GPO already exists and it is linked to the object level you need. In that case you don't need to create a new GPO, you can use the existing one.

5. In the New GPO window, give the new GPO a descriptive name, such as "Test Logon Script GPO". Click Ok.

6. If you don't see it already, refresh the GPMC view and find the new GPO you've just created under either the domain name, or the OU, depending on your previous choice.

7. When you click on the new GPO you might be prompted with a message window. Click Ok.

8. Right-click the new GPO and select Edit.

9. In the Group Policy Object Editor window, expand User Configuration > Windows Settings > Scripts.

10. Double-click Logon in the right-hand pane.

11. In the Logon Properties window, click Show Files.

12. A window will open. The path will be similar to \\Petri.local\SYSVOL\Petri.local\Policies\{E4A62379-8423-4654-8DB6-01FB8F58582D}\User\Scripts\Logon, that is, this GPO's own Logon folder inside SYSVOL. Paste the logon script you copied in the previous part of this article. Close the window.

13. Back in the Logon Properties window, click Add.

14. In the Add a Script window, click Browse. The dialog opens in the GPO's Logon folder, so the script you pasted in step #12 should be right in front of your eyes. Whatever you do, DO NOT browse to the file somewhere else (a local path or another share): a script outside the GPO's folder is not replicated with the GPO, and clients may not be able to reach it. If the script is not there, check the previous steps for a mistake. Select it and click Ok.

15. Back in the Logon Properties window, see if the logon script is listed, and if it is, click Ok.

16. Close the Group Policy Object Editor window.

17. Close the GPMC window.
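Steps 11 to 15 write two things into SYSVOL: the script file itself in the Logon folder, and a hidden scripts.ini one level up (in User\Scripts) that lists each script as an index plus CmdLine/Parameters pair, in the run order shown in Logon Properties. The PowerShell below is an added example, not part of the original article: it reads that file and confirms every listed script resolves to a file inside this GPO's own Logon folder, which is exactly the check for the "browsed somewhere else" mistake warned about in step 14. The domain name and GPO GUID are placeholders, and the key names assume the <index>CmdLine / <index>Parameters form the editor writes.

```powershell
# Added example (not from the original article): cross-check a GPO's scripts.ini
# against the files actually present in its User\Scripts\Logon folder.
# Assumptions: $DomainDns/$GpoGuid are placeholders; scripts.ini uses a [Logon]
# section with keys like 0CmdLine= / 0Parameters= as written by the GPO editor.
param(
    [string]$DomainDns = 'Petri.local',
    [string]$GpoGuid   = '{E4A62379-8423-4654-8DB6-01FB8F58582D}'
)

$scriptsDir = "\\$DomainDns\SYSVOL\$DomainDns\Policies\$GpoGuid\User\Scripts"
$logonDir   = Join-Path $scriptsDir 'Logon'
$iniPath    = Join-Path $scriptsDir 'scripts.ini'   # hidden file; Get-Content reads it regardless

function Read-LogonScriptEntries {
    param([string]$Path)
    $section = ''
    $entries = @{}
    foreach ($line in Get-Content -Path $Path) {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') { $section = $matches[1]; continue }
        if ($section -ne 'Logon') { continue }
        if ($line -match '^(\d+)(CmdLine|Parameters)=(.*)$') {
            $idx = [int]$matches[1]
            if (-not $entries.ContainsKey($idx)) { $entries[$idx] = @{ CmdLine = ''; Parameters = '' } }
            $entries[$idx][$matches[2]] = $matches[3]
        }
    }
    # Scripts run in index order, the same order shown in the Logon Properties list.
    $entries.Keys | Sort-Object | ForEach-Object {
        New-Object PSObject -Property @{
            Order      = $_
            CmdLine    = $entries[$_].CmdLine
            Parameters = $entries[$_].Parameters
        }
    }
}

if (-not (Test-Path -LiteralPath $iniPath)) {
    Write-Warning "No scripts.ini under $scriptsDir; no logon script has been added to this GPO yet."
    return
}

foreach ($e in Read-LogonScriptEntries -Path $iniPath) {
    $cmd = $e.CmdLine
    # A bare file name is resolved relative to the GPO's Logon folder. A drive letter
    # or UNC prefix means someone browsed to a file outside the GPO (step 14 warning).
    if ($cmd -match '^[\\/]' -or $cmd -match '^[A-Za-z]:') {
        Write-Warning ("Order {0}: '{1}' points outside the GPO folder; clients may not reach it" -f $e.Order, $cmd)
        continue
    }
    $full = Join-Path $logonDir $cmd
    if (Test-Path -LiteralPath $full) {
        Write-Host ("Order {0}: {1} {2}  (OK, found in {3})" -f $e.Order, $cmd, $e.Parameters, $logonDir)
    } else {
        Write-Warning ("Order {0}: '{1}' is listed but missing from {2}; paste it there (step 12)" -f $e.Order, $cmd, $logonDir)
    }
}
```

If the script shows the entry but reports it missing, the file was added to the list but never pasted into the Logon folder (or was pasted on a DC that has not replicated yet, which the next section covers).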

Replicate the DCs

Now we need to replicate the DCs in the domain, using either Active Directory Sites and Services or Repadmin (for example repadmin /syncall), or simply wait a few minutes (depending on the number of DCs and sites). Replmon, which many people still reach for, was part of the Windows Server 2003 Support Tools and is not shipped with Windows Server 2008. As a simple follow-up to this article, I suggest you use Active Directory Sites and Services.

Testing the logon script

1. On one of the computers that is part of the domain, log off the specific user account.

2. Log on and test.

If the logon script doesn't work for you, go back to the basics: double-click it to see whether it works at all, check that it is placed in the right path, and check that it has replicated to the other DCs. Also check permissions by running the script manually from the SYSVOL path while logged on as the user, not as an administrator. If it still doesn't work, use GPMC's Group Policy Results feature (or gpresult on the client) to determine whether the GPO has indeed been applied to the user.
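A client picks whichever DC it authenticates against, so "it works on the DC I edited" proves little until every DC holds the same file. The PowerShell below is an added example, not part of the original article: it optionally forces a push replication with repadmin, then checks the script is present and byte-for-byte identical (by SHA-256) on every Domain Controller in the current domain before you bother logging the test user off and on. The GPO GUID and script name are placeholders; the DC list comes from .NET's System.DirectoryServices, so it needs no extra modules on a Windows Server 2008 box.

```powershell
# Added example (not from the original article): confirm a GPO logon script has
# replicated to every DC in the domain, optionally forcing replication first.
# Assumptions: $GpoGuid/$ScriptName are placeholders; repadmin.exe is available
# (it is on any Windows Server 2008 DC); the script is run with rights to read SYSVOL.
param(
    [string]$GpoGuid    = '{E4A62379-8423-4654-8DB6-01FB8F58582D}',
    [string]$ScriptName = 'logon.cmd',
    [switch]$ForceSync
)

$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

if ($ForceSync) {
    # /A all partitions, /d show DNs, /e span sites, /P push from this DC outward.
    & repadmin.exe /syncall /AdeP | Out-Null
}

function Get-Sha256Hex {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $bytes = [System.IO.File]::ReadAllBytes($Path)
        ([System.BitConverter]::ToString($sha.ComputeHash($bytes))) -replace '-', ''
    } finally {
        $sha.Clear()   # Clear() is public on every .NET version; releases the handle
    }
}

$results = @(foreach ($dc in $domain.DomainControllers) {
    # Ask each DC for its own copy explicitly instead of the DFS-style \\domain\SYSVOL path.
    $path = "\\$($dc.Name)\SYSVOL\$($domain.Name)\Policies\$GpoGuid\User\Scripts\Logon\$ScriptName"
    $hash = $null
    if (Test-Path -LiteralPath $path) { $hash = Get-Sha256Hex -Path $path }
    New-Object PSObject -Property @{ DC = $dc.Name; Present = [bool]$hash; Sha256 = $hash }
})

$results | Format-Table DC, Present, Sha256 -AutoSize

$distinct = @($results | Where-Object { $_.Present } | ForEach-Object { $_.Sha256 } | Sort-Object -Unique)
$missing  = @($results | Where-Object { -not $_.Present })

if ($missing.Count -gt 0) {
    Write-Warning ("Script not yet present on: {0}" -f (($missing | ForEach-Object { $_.DC }) -join ', '))
} elseif ($distinct.Count -gt 1) {
    Write-Warning 'Script content differs between DCs; replication is still in progress or has diverged.'
} else {
    Write-Host "Script is present and identical on all $($results.Count) DCs; log the test user off and on."
}
```

If the file is on every DC but the script still does not run, the problem is on the client side: run gpresult there as the test user to see whether the GPO was applied at all, and if it was, whether a permissions error on the script or on a resource it touches is what is failing.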

Best Practice: How to schedule a delayed start logon script with Group Policy

22/01/2010, 11:15 am | by Alan Burchill

Logon Scripts!!! I hear you yelling at me about why I am doing a tutorial about logon scripts when Group Policy Preferences is supposed to allow me to stop using my logon scripts. Well, in a utopian world there would be no logon scripts to maintain; however, there are still some situations where you might have to execute a program at logon. One example I recently saw on the Group Policy Forums was a person who wanted a way to delay the launching of the browser so as not to add further delay to the user's logon on what was already a slow computer. Somewhat similar to the Delayed Start option for services that was introduced in Windows Vista.

Prerequisites: This is a Windows Vista+ configuration as Windows XP has a more limited scheduling engine. If you really want to do this via Windows XP (sucks to be you) you could run the script with some delay/timeout third party tool in it and just have it run from the users “Startup” start menu folder…

Step 1. In a Group Policy Object (GPO) that you have targeted at all the users (or most of them) that you want the delayed start program/action to run for, go to “User Configuration” > “Preferences” > “Scheduled Tasks”, then go “Action” > “New” > “Scheduled Task (Windows Vista and later)”. Then type the display name of the task in the “Name” field (see image 1) and click on the “Triggers” tab.

Note: In this example we are just going to be running a command prompt so the Name is “CMD.exe”.

Image 1: Scheduled Task Properties

Step 2. On the Triggers tab click the “New” button. Change the “Begin the task” drop-down option to “At log on” and then tick “Delay task for:” and choose the delay from the drop-down menu (see image 2). Then click “OK”.

Note: Unfortunately the delay does not seem to be freely configurable, so for the purposes of a logon script “30 seconds” and “1 minute” are the only practical options.

Image 2: New Trigger

You should now have the trigger configured for your event, looking like the image below (see image 3). Now click on the “Actions” tab.

Image 3: Configured Trigger

Step 3. In the “Actions” tab click on the “New” button and then configure the action you want to take. Again in this example we are just going to be running a command prompt so configure the “Action” to “Start a program” (see image 4).

Note: You can also use this option to send an e-mail or even display a pop-up message to the users. Very handy if you used to use the “net send” program before Windows XP Service Pack 2, where the Messenger service behind it was disabled due to security issues. (Both the “Send an e-mail” and “Display a message” task actions are deprecated from Windows 8 onward, so don't build on them for newer clients.)

Image 4: New Action

Step 4. Configure the “Program/Script” to run to “C:\Windows\system32\cmd.exe” then click “OK” (see image 5).

Image 5: New Action

Step 5. Click “OK” (see image 6)

Image 6: Actions Tab

Now you are done. The task is scheduled and it will be pushed out to all your users at the next Group Policy refresh (see image 7).

Note: If you don’t want this to apply to all your user accounts you can also use Group Policy Preferences targeting options to refine the targeting.
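Everything configured in the dialogs above ends up as a ScheduledTasks.xml under the GPO's User\Preferences\ScheduledTasks folder in SYSVOL, and that file is what every in-scope client will act on at the next refresh. The PowerShell below is an added example, not from Alan Burchill's post: it parses that XML and flags the two things a reviewer should catch before the refresh happens. First, a stored run-as password (the cpassword attribute), which Group Policy Preferences encrypted with a published key; Microsoft's MS14-025 update removed the ability to set one, but existing values stay readable by any domain user. Second, an action whose program lives outside a protected directory, where a user could swap the binary that every other user's task then runs (the post's choice of C:\Windows\system32\cmd.exe is fine on that score). The sample XML is constructed for this example: the element shape follows what the preference editor writes, but the clsid/uid values are placeholders, and the SYSVOL path pattern is an assumption.

```powershell
# Added example (not from the original post): audit a GPP ScheduledTasks.xml for
# stored run-as passwords and for actions that launch programs from user-writable
# locations. Assumptions: the sample XML below is constructed (placeholder clsid/uid
# values); $DomainDns/$GpoGuid are placeholders; SYSVOL path follows the documented layout.
param(
    [string]$DomainDns = 'Petri.local',
    [string]$GpoGuid   = '{E4A62379-8423-4654-8DB6-01FB8F58582D}',
    [switch]$FromSysvol
)

# Constructed sample: the first task mirrors the post (cmd.exe, 30 s logon delay); the
# second is the kind of item this check exists to catch.
$sampleXml = @'
<ScheduledTasks clsid="{00000000-0000-0000-0000-000000000001}">
  <TaskV2 clsid="{00000000-0000-0000-0000-000000000002}" name="CMD.exe" uid="{00000000-0000-0000-0000-000000000003}">
    <Properties action="C" name="CMD.exe" runAs="%LogonDomain%\%LogonUser%" logonType="InteractiveToken">
      <Task version="1.2">
        <Principals><Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
        <Triggers><LogonTrigger><Enabled>true</Enabled><Delay>PT30S</Delay></LogonTrigger></Triggers>
        <Actions Context="Author"><Exec><Command>C:\Windows\system32\cmd.exe</Command><Arguments></Arguments></Exec></Actions>
      </Task>
    </Properties>
  </TaskV2>
  <TaskV2 clsid="{00000000-0000-0000-0000-000000000002}" name="Updater" uid="{00000000-0000-0000-0000-000000000004}">
    <Properties action="C" name="Updater" runAs="PETRI\svc_update" cpassword="AAAAAAAAAAAAAAAAAAAAAA==" logonType="Password">
      <Task version="1.2">
        <Principals><Principal id="Author"><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
        <Triggers><LogonTrigger><Enabled>true</Enabled><Delay>PT1M</Delay></LogonTrigger></Triggers>
        <Actions Context="Author"><Exec><Command>%APPDATA%\Updater\update.exe</Command><Arguments>/quiet</Arguments></Exec></Actions>
      </Task>
    </Properties>
  </TaskV2>
</ScheduledTasks>
'@

# Directories ordinary users cannot write to; a Command anywhere else is suspect.
$protectedRoots = @('%SYSTEMROOT%\', '%WINDIR%\', 'C:\WINDOWS\', '%PROGRAMFILES%\',
                    '%PROGRAMFILES(X86)%\', 'C:\PROGRAM FILES\', 'C:\PROGRAM FILES (X86)\')

function Test-ProtectedCommand {
    param([string]$Command)
    $c = $Command.Trim().Trim('"').ToUpperInvariant()
    foreach ($root in $protectedRoots) { if ($c.StartsWith($root)) { return $true } }
    return $false   # bare names resolved via PATH, profile paths, UNC shares all land here
}

function Get-GppTaskFindings {
    param([xml]$Doc)
    foreach ($task in $Doc.SelectNodes('//TaskV2 | //ImmediateTaskV2')) {
        $props  = $task.SelectSingleNode('Properties')
        $issues = @()
        if ($props.GetAttribute('cpassword')) { $issues += 'stored run-as password (cpassword)' }
        $runLevel = $props.SelectSingleNode('.//RunLevel')
        if ($runLevel -and $runLevel.InnerText -eq 'HighestAvailable') { $issues += 'runs with highest available privileges' }
        foreach ($exec in $props.SelectNodes('.//Actions/Exec')) {
            $cmd = $exec.SelectSingleNode('Command').InnerText
            if (-not (Test-ProtectedCommand $cmd)) { $issues += "program outside a protected directory: $cmd" }
        }
        $delay = $props.SelectSingleNode('.//LogonTrigger/Delay')
        New-Object PSObject -Property @{
            Task   = $task.GetAttribute('name')
            RunAs  = $props.GetAttribute('runAs')
            Delay  = $(if ($delay) { $delay.InnerText } else { 'none' })
            Issues = $(if ($issues.Count -gt 0) { $issues -join '; ' } else { 'none' })
        }
    }
}

if ($FromSysvol) {
    $xmlPath = "\\$DomainDns\SYSVOL\$DomainDns\Policies\$GpoGuid\User\Preferences\ScheduledTasks\ScheduledTasks.xml"
    [xml]$doc = Get-Content -LiteralPath $xmlPath
} else {
    [xml]$doc = $sampleXml
}

Get-GppTaskFindings -Doc $doc | Format-Table Task, RunAs, Delay, Issues -AutoSize -Wrap
```

Without -FromSysvol the script runs against the embedded sample and reports the "CMD.exe" task as clean and the "Updater" task with all three issues; with -FromSysvol it reads the real file for the GPO you just edited. Leaving the task to run as the logged-on user, as the post does, is what keeps cpassword out of the picture.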

Image 7: Scheduled Tasks

Below is the view of the scheduled task as configured on the computer (see image 8,9 & 10).

Note: The Settings tab is greyed out because the task is being controlled by Group Policy.

Image 8: Scheduled Tasks General Tab

Image 9: Scheduled Tasks Triggers Tab

Image 10: Scheduled Tasks Actions Tab