Setting up a Logon Script through GPOs

So you need a logon script in your organization and you want to use a GPO, knowing that there are a few benefits to using GPOs to assign scripts:

  • you can assign more than one logon script per user, and you can configure which script runs first.
  • you can assign other scripts as well: LOGOFF scripts for users, and STARTUP and SHUTDOWN scripts for the computers.
  • you can assign a logon script to many users through GPOs, or even to all of the users in your organization.

Set up the logon script

The default location for GPO-initiated logon scripts is the SYSVOL special folder, which, by default, is shared on all Domain Controllers in an Active Directory forest, and in my case is located in the following folder:

\\ALEXTEST.LOCAL\SysVol\ALEXTEST.LOCAL\Policies\{542FB14E-1B92-46AB-A708-75E4A8C82C2F}\User\Scripts\Logon

In order to assign the GPO and edit it, we’ll use a tool called the Group Policy Management Console, or GPMC. Please note that when using GPOs, you assign a GPO to an Organizational Unit (OU), to an Active Directory Site, or to the entire Active Directory Domain. So, you must decide whether you want the script to apply to all of your users, or just to a specific set of users located within one or more OUs in Active Directory.

  1. The first step is to create a logon script, give it an appropriate name (in my example: LoginScript.ps1), and copy the logon script file (CTRL+C).

Note: Logon and Logoff scripts run with the credentials of the user. It is recommended that the “Domain Users” group has permission to any resources used by either of these scripts. For example, if the Logon or Logoff script writes to a log file, the group “Domain Users” should be given read/write access to the folder where the log file is located. Startup and Shutdown scripts run with the credentials of the computer object. It is recommended that the “Domain Computers” group has permission to any resources used by the Startup or Shutdown scripts.
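As an added illustration of what such a LoginScript.ps1 can look like (this is example code written for this article, not the script from the original post), the script below maps the user's home drive to Q: and, only for members of the Deployment Managers group, two more drives to Y: and Z:, logging each step to a per-user log file. Because it runs under the logging-on user's token, every share it touches must be readable by Domain Users and the log folder must be writable by them, exactly as the note above says. The server name, the share names and the log folder are assumptions.

```powershell
# LoginScript.ps1 (example added to this article; not the original post's script).
# Runs under the logging-on user's token, so every path below must be readable
# (and the log folder writable) by Domain Users. Server and share names are assumptions.

$LogDir   = '\\FS01.ALEXTEST.LOCAL\LogonLogs$'   # assumed share; Domain Users need read/write here
$HomeRoot = '\\FS01.ALEXTEST.LOCAL\Home$'        # assumed share holding one folder per user
$LogFile  = Join-Path $LogDir "$env:USERNAME.log"

function Write-LogonLog {
    param([string]$Message)
    $line = '{0} {1}\{2} on {3}: {4}' -f (Get-Date -Format 'yyyy-MM-dd HH:mm:ss'),
                                         $env:USERDOMAIN, $env:USERNAME, $env:COMPUTERNAME, $Message
    # A logging failure (for example missing write permission) must never abort the drive mappings.
    try   { Add-Content -Path $LogFile -Value $line -ErrorAction Stop }
    catch { Write-Warning "Log write failed ($LogFile): $($_.Exception.Message)" }
}

function Get-TokenGroupNames {
    # The group SIDs are already in the user's logon token; translating them to names
    # avoids an extra directory query at logon time.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($sid in $identity.Groups) {
        try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
    }
}

function Connect-NetworkDrive {
    param([string]$Letter, [string]$UncPath)
    # Remove a stale mapping first so a drive left over from a previous session cannot shadow this one.
    if (Test-Path -LiteralPath "${Letter}:") { net use "${Letter}:" /delete /y | Out-Null }
    net use "${Letter}:" $UncPath /persistent:no | Out-Null
    if ($LASTEXITCODE -eq 0) { Write-LogonLog "mapped ${Letter}: -> $UncPath" }
    else                     { Write-LogonLog "FAILED ${Letter}: -> $UncPath (net use exit code $LASTEXITCODE)" }
}

Write-LogonLog 'logon script start'
Connect-NetworkDrive -Letter 'Q' -UncPath (Join-Path $HomeRoot $env:USERNAME)

$groups = @(Get-TokenGroupNames)
if ($groups -contains "$env:USERDOMAIN\Deployment Managers") {
    Connect-NetworkDrive -Letter 'Y' -UncPath '\\FS01.ALEXTEST.LOCAL\Deploy$'     # assumed share
    Connect-NetworkDrive -Letter 'Z' -UncPath '\\FS01.ALEXTEST.LOCAL\Packages$'   # assumed share
}
Write-LogonLog 'logon script end'
```

The group check reads the token rather than querying Active Directory, so it reflects the groups the user actually logged on with; a membership change made after logon shows up at the next logon, which is the behaviour you want from a logon script anyway.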

In my example, in Active Directory Users and Computers (ADUC) I have three OUs, conveniently named FirstLocation, SecondLocation and ThirdLocation. I will set up a logon script for the FirstLocation OU, and at the end show the result for the user named Smile Workbench.

  1. Open the Group Policy Management Console from the Administrative Tools folder.
  2. I’ve decided to assign a GPO to the FirstLocation OU, as described in the paragraph above, so expand the domain tree in order to locate the FirstLocation OU.
  3. Right-click the OU and select Create and Link a GPO Here.

Note: If a GPO already exists and is linked to the OU you need, you don’t need to create a new GPO; you can use the existing one.

  4. In the New GPO window, give the new GPO a descriptive name, such as “Login Script GPO”. Click Ok.
  5. Refresh the GPMC view and find the new GPO you’ve just created under either the domain name or the OU, depending on your previous choice.
  6. When you click on the new GPO you might be prompted with a message window. Click Ok.

  7. Right-click the new GPO and select Edit.

  8. In the Group Policy Management Editor window, expand User Configuration > Windows Settings > Scripts.

  9. Double-click Logon in the right-hand pane.
  10. In the Logon Properties window, click Show Files.

  11. A window will open. The path will be a folder similar to the following: \\ALEXTEST.LOCAL\SysVol\ALEXTEST.LOCAL\Policies\{542FB14E-1B92-46AB-A708-75E4A8C82C2F}\User\Scripts\Logon. Paste the logon script you copied in the previous part of this article. Close the window.
  12. Back in the Logon Properties window, click Add.

  13. In the Add a Script window, click Browse and you should see the logon script you pasted in step 11. Please note that you have to use this Browse button and must not browse to the script manually. It should be right there in front of you. If it’s not there, go back to steps 10 and 11 to correct the mistake. Click Ok.
  14. Close the Group Policy Management Editor window and select your newly created GPO. You should see the view shown in the picture below.

  15. Check the Settings tab and make sure that your script file and all other information (for example: parameters) have been configured.

  16. Close the GPMC window and test your new GPO. In my case, I use a domain account named Smile Workbench, as shown in the picture below. It shows his home drive (mapped to the letter Q:), and since this account is a member of the Deployment Managers group, it has two additional network drives (listed as Y: and Z:).
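Besides logging on as a test user, the three things that go wrong most often in the procedure above can be checked from an administrative workstation: the script file must actually sit in the GPO's own SYSVOL folder (step 11), the GPO report must list it (step 15), and nothing but administrators may write to that folder, because whoever can replace the file runs code as every user the GPO applies to. The following helper is an example added to this article (it is not from the original post); it uses the GroupPolicy module that ships with RSAT and on domain controllers, takes the GPO and script names from the article, and the list of low-privilege principals it flags is my assumption.

```powershell
# Verification helper (example added to this article; not the original post's code).
# Needs the GroupPolicy module (RSAT or a domain controller) and read access to SYSVOL.
Import-Module GroupPolicy

function Test-LogonScriptGpo {
    param(
        [string]$GpoName    = 'Login Script GPO',     # name from the article
        [string]$ScriptName = 'LoginScript.ps1',      # name from the article
        [string]$Domain     = $env:USERDNSDOMAIN
    )
    $gpo       = Get-GPO -Name $GpoName -ErrorAction Stop
    $scriptDir = "\\$Domain\SysVol\$Domain\Policies\{$($gpo.Id)}\User\Scripts\Logon"

    $result = [ordered]@{
        GpoId             = $gpo.Id
        ScriptDir         = $scriptDir
        # Step 11: the file must be in this GPO's folder, not somewhere else in SYSVOL.
        ScriptInSysvol    = Test-Path -LiteralPath (Join-Path $scriptDir $ScriptName)
        # Step 15: the GPO's own settings report must reference the script.
        ScriptInGpoReport = (Get-GPOReport -Guid $gpo.Id -ReportType Xml) -match [regex]::Escape($ScriptName)
        RiskyWriteAces    = @()
    }

    # Write/modify rights on the script folder belong to administrators only. The principals
    # below are my assumption of what should never hold them; adjust for your environment.
    $lowPrivilege = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                      "$env:USERDOMAIN\Domain Users")
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'
    foreach ($ace in (Get-Acl -LiteralPath $scriptDir).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            (([int]$ace.FileSystemRights -band $writeMask) -ne 0) -and
            ($lowPrivilege -contains $ace.IdentityReference.Value)) {
            $result.RiskyWriteAces += "$($ace.IdentityReference.Value): $($ace.FileSystemRights)"
        }
    }
    [pscustomobject]$result
}

Test-LogonScriptGpo | Format-List
```

All three of ScriptInSysvol, ScriptInGpoReport and an empty RiskyWriteAces are what you want to see. On the client side, running gpresult /r /scope:user as the test user shows whether “Login Script GPO” appears under Applied Group Policy Objects, which is the quickest way to tell a script problem from a linking or filtering problem.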

Logon scripts run with the credentials of the user, so sometimes you do not want a logon script to run on your servers. In such a case you can create a WMI filter. To do that, just right-click the WMI Filters node in the Group Policy Management Console and click New. In the dialog that appears, type a name for your WMI filter (in my case DoNotProcess LogonScript) and a description for this filter.

The query should be any of the following:

Select * From Win32_computersystem Where domainRole = 1

Select * From Win32_computersystem Where domainRole < 2

This is shown in the following image.

After adding this WMI query, click Save. The last thing to do is to go back to the GPO and link it to this WMI filter as shown in the image below.

The following table shows the values of the DomainRole property of the Win32_ComputerSystem class (data type: uint16, access type: read-only).

  Value     Meaning
  0 (0x0)   Standalone Workstation
  1 (0x1)   Member Workstation
  2 (0x2)   Standalone Server
  3 (0x3)   Member Server
  4 (0x4)   Backup Domain Controller
  5 (0x5)   Primary Domain Controller
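A WMI filter is evaluated on the computer that processes the GPO (for a user logon script, the machine the user logs on to), and the GPO applies only when the query returns at least one instance. The following helper, an example added to this article rather than code from the original post, runs the article's DomainRole query against a list of computers and shows the role from the table above next to the verdict, so you can see which machines the filter above lets through before linking it; the computer names are assumptions.

```powershell
# WMI filter dry run (example added to this article; not the original post's code).
# Runs the DomainRole query from the article against one or more computers and reports
# whether the GPO would apply there. Computer names in the usage line are assumptions.
$DomainRoleMeaning = @{
    0 = 'Standalone Workstation'; 1 = 'Member Workstation';       2 = 'Standalone Server'
    3 = 'Member Server';          4 = 'Backup Domain Controller'; 5 = 'Primary Domain Controller'
}

function Test-DomainRoleFilter {
    param(
        [string[]]$ComputerName = @('localhost'),
        [string]$Query = 'Select * From Win32_ComputerSystem Where DomainRole < 2'   # query from the article
    )
    foreach ($computer in $ComputerName) {
        # Local queries go over DCOM; remote ones need WinRM on the target, like GPMC's own test.
        $target = if ($computer -eq 'localhost') { @{} } else { @{ ComputerName = $computer } }
        try {
            $cs      = Get-CimInstance @target -ClassName Win32_ComputerSystem -ErrorAction Stop
            $matches = @(Get-CimInstance @target -Query $Query -ErrorAction Stop)
            [pscustomobject]@{
                Computer   = $computer
                DomainRole = '{0} ({1})' -f $cs.DomainRole, $DomainRoleMeaning[[int]$cs.DomainRole]
                GpoApplies = ($matches.Count -gt 0)   # the filter passes only on a non-empty result
            }
        } catch {
            [pscustomobject]@{ Computer = $computer; DomainRole = 'unreachable'; GpoApplies = $null }
        }
    }
}

Test-DomainRoleFilter -ComputerName 'localhost', 'FS01', 'DC01' | Format-Table -AutoSize
```

Of the two queries given above, DomainRole < 2 also matches value 0, but a standalone workstation is not domain-joined and never processes domain GPOs, so in practice both forms select the same machines: member workstations only, with member servers (3) and domain controllers (4, 5) excluded. Remember that the filter applies to the whole GPO, computer settings included, not just to the logon script.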
