Using Logon Scripts in Pure and Mixed Active Directory Environments

Using Logon Scripts in Pure and Mixed Active Directory Environments http://www.windowsnetworking.com/articles_tutorials/Logon-Scripts-Pu...
Admin KnowledgeBase
Articles & Tutorials
Authors
Blogs
Free Tools
Hardware
Message Boards
Newsletters
RSS
Software
White Papers
Site Search
Advanced Search
This article looks at the differences in implementing logon scripts in pure and mixed
Active Directory environments, including how to use Group Policy to assign scripts
and how to run Windows Script Host (WSH) scripts from batch files.
1 of 15 3/20/2011 07:48
Published: Dec 09, 2004

Updated: Jul 29, 2005
Section: Articles & Tutorials :: Common for all OSes
Author: Mitch Tulloch
Printable Version
Adjust font size:
Rating: 4.2/5 - 428 Votes
1
2
3
4
5
Logon scripts can be useful tools for configuring desktop environments for users. Some of the things such scripts
can be used for include mapping network drives, connecting to shared printers, gathering system information,
synchronizing system clocks, and so on. In fact, just about anything you can do from the command-line can be
done using a logon script.
Logon scripts have been around for a while and most administrators of Windows-based networks have had
occasion to use them. On Windows NT domain-based networks things were simple: if a user needed to have his
environment configured using a logon script, the administrator would first write a logon script using the batch
programming language, which has been around since the days of MS-DOS. Once written, this script was saved
using a .bat extension to make it executable, but to make it work for a particular user the script needed to be
found in the NETLOGON share of the domain controller to which the user’s account was authenticated. In
Windows NT this NETLOGON share corresponded to the %systemroot%\system32\repl\import\scripts folder,
and by placing the script in this folder on the PDC it was automatically replicated to all BDC’s in the domain.
Once this was done, the administrator only had to add the name of the script to the Logon Script Name field on
the User Environment Profile dialog box using User Manager for Domains.
Then Windows 2000 came along, with its support for assigning logon scripts using Group Policy and its built-in
support for Windows Script Host (WSH) as an alternative for traditional batch scripts. While WSH lets you
create much more powerful logon scripts and Group Policy lets you manage logon scripts more easily, a problem
2 of 15 3/20/2011 07:48
arises when your networking environment has a mix of desktops that include legacy platforms like Windows
95/98 and Windows NT 4.0 Workstation. The rest of this article provides some suggestions for managing logon
scripts in both a mixed (Windows 2000/XP/2003 and legacy Windows 95/98/NT) environment and a pure
Windows 2000 (or later) environment.
By “mixed environment” I mean a mixture of Windows clients that support Group Policy (Windows 2000/XP
/2003) and those that don’t (Windows 95/98/NT). Managing logon scripts in environments that include
Linux/UNIX or Mac desktops is beyond the scope of this discussion. For simplicity, we’ll focus here on Active
Directory environments that have domain controllers running Windows 2000 Server and/or Windows Server
2003 and a mix of current and legacy Windows desktops.
Let’s say you want to use a logon script in a mixed environment to configure users’ desktop environments by
mapping a drive letter to a network share. A simple batch file logon script that does this might be this:
@echo off
net use x: \\filesrv\budgets
To use this script, type it into Notepad and save it as logon.bat or something similar. Then put the script into the
NETLOGON share on a domain controller, which if your domain controllers are running Windows 2000/2003
can be found at %systemroot%\sysvol\sysvol\<domain_DNS_name>\scripts as shown in Figure 1:
Figure 1: Location of NETLOGON share on Windows 2000/2003 domain controllers
Once this script is placed in the NETLOGON share it will automatically replicate to all domain controllers in the
mynewforest.com domain.
The next step is to assign the logon script to the user accounts of users who need to have the script run on their
desktop machines. To get the script to run on Bob Smith’s machine, for example, use Active Directory Users and
Computers to open the Properties sheet for the User object representing Bob Smith and select the Profiles tab.
Then simply type the name of the script in the Logon Script field as shown in Figure 2 below. Note that if you
store your logon script in a different share than NETLOGON, you should type the full UNC path instead to the
script in the Logon Script field below but make sure the script replicates to all your domain controllers.
3 of 15 3/20/2011 07:48
Figure 2: Assigning a logon script to user Bob Smith
If you want to leverage the power of Windows Script Host in a mixed environment, you can do so two ways:
Download and install the appropriate Directory Services Client (DSClient) for Windows 95/98 or
Windows NT. DSClient allows these legacy Windows platforms to participate in an Active Directory
environment and they include support for WSH and VBScript. To obtain DSClient for the appropriate
platform, see article 288358 in the Microsoft Knowledge Base.
Download and install Windows Script Host for Windows 95/98/NT. Doing this lets you run VBScript
scripts on these platforms, but it doesn’t give you ADSI functionality so this limits the usefulness of WSH
for scripting purposes. You can obtain WSH for Windows 95/98/NT from the Microsoft Download Center.
Either way, once your legacy Windows desktops support WSH you can write your logon scripts in the more
powerful VBScript language instead of the limited batch programming language. Unfortunately, in a mixed
environment you can’t directly assign a .vbs script to a user account on the Profile tab as shown in Figure 2
above as this won’t work on legacy Windows clients. The workaround to this problem is to do the following:
1. Write your logon script using VBScript and save it with a .vbs extension, for example logon.vbs.
2. Store your logon.vbs file in the NETLOGON share on your domain controller.
3. Use the batch programming language to write a traditional logon script that calls your logon.vbs script and
save it with a .bat extension, for example logon.bat.
4. Store your logon.bat file also in the NETLOGON share on your domain controller.
5. Assign logon.bat on the Profile tab of each user account as described previously above in Figure 2.
A simple logon.bat script that calls a logon.vbs script would be the following:
@echo off
4 of 15 3/20/2011 07:48
wscript %0\..\logon.vbs
And a simple logon.vbs script that maps the x: drive to the \\filesrv\budgets share would be:
Dim wshNetwork
Set wshNetwork = CreateObject("Wscript.Network")
wshNetwork.MapNetworkDrive "x:", "\\filesrv\budgets"
WSCript.Quit
Now when Bob logs on to his machine, logon.bat executes and calls logon.vbs which maps x: drive to the
budgets share as desired. And this will work on both your legacy Windows 95/98/NT desktops and your newer
Windows 2000/XP desktops.
If all your desktops are running Windows 2000 or later, then the first thing you should do is forget the Profile tab
as far as logon scripts are concerned. In fact, forget the Profile tab entirely as the fields on this tab are provided
only for downlevel (Windows NT or earlier) environments. Instead, use Group Policy to assign your logon
scripts, which is a far more powerful and flexible approach than what the Profile tab provides. Furthermore,
forget the batch programming language and use VBScript to write your logon scripts as this lets you create far
more powerful scripts than batch scripts. If you haven’t yet learned VBScript, see the Resources section at the
end of this article for some tutorials.
Let’s use our logon.vbs script above that maps a drive and assign it to all our company employees in Winnipeg.
The beauty of Active Directory is that you can create organizational units (OUs) for different locations or
departments in your company and then create Group Policy Objects (GPOs) and link them to each OU. In Figure
3 you can see that we have three OUs in our mynewforest.com domain: Toronto, Vancouver, and Winnipeg:
Figure 3: Users in the Winnipeg OU need a logon script assigned to map a network drive
To assign logon.vbs to the users in Winnipeg, right-click on the Winnipeg OU and select Properties. Then select
the Group Policy tab, where you can see we’ve already created a new GPO named WinnipegGPO and linked it
to this OU (Figure 4):
5 of 15 3/20/2011 07:48
Figure 4: The WinnipegGPO is linked to the Winnipeg OU
Click Edit to open the WinnipegGPO and navigate to User Configuration\Windows Settings\Scripts as in Figure
5 below:
Figure 5: Policy settings for assigning logon and logoff scripts
Now right-click on Logon in the right-hand pane and select Properties (Figure 6):
6 of 15 3/20/2011 07:48
Figure 6: Assigning a new logon script using the WinnipegGPO
Click the Show Files button to open the default folder where logon scripts assigned using Group Policy are stored
on your domain controller (Figure 7):
Figure 7: Default folder where logon scripts assigned using Group Policy are stored on a domain
controller
Note from this figure that logon scripts assigned using Group Policy are stored in a subfolder of the SYSVOL
share on your domain controllers. This subfolder of SYSVOL is named \sysvol\<domain_DNS_name>
\<policy_GUID>\user\scripts\logon and the contents of this folder (being in SYSVOL) are automatically
replicated to all domain controllers in the domain.
Now, using Windows Explorer, find the logon.vbs script we created earlier and press CTRL+C to copy it to the
clipboard. Then return to the folder in Figure 7 above and press CTRL+V to copy logon.vbs into the folder
where it needs to be. Close the folder window and return to the Logon Properties screen in Figure 6 previously
and click the Add button to open the Edit Script dialog box, and in the Script Name field type logon.vbs, the
name of the script you want to assign (Figure 8):
7 of 15 3/20/2011 07:48
Figure 8: Assign the logon script
Click OK twice and the script has been assigned. Now once Group Policy refreshes on Bob’s machine, the next
time he logs on to his machine he’ll see X: drive when he opens My Computer or Windows Explorer.
a dve r tis e me nt
If you want to learn how to start writing WSH scripts using VBScript, or find some useful scripts others have
already developed, here are a few resources to check out:
Scripting on MSDN
Script Center on TechNet
VBScript Primer
WSH Primer
VBScript User’s Guide
VBScript Language Reference
8 of 15 3/20/2011 07:48
Mitch Tulloch is a widely recognized expert on Windows administration, networking, and security.
He has been repeatedly awarded Most Valuable Professional (MVP) status by Microsoft for his outstanding
contributions in supporting users who deploy and use Microsoft platforms, products and solutions. Mitch has
written or contributed to two dozen books and is lead author of the bestselling Windows 7 Resource Kit from
Microsoft Press.
Mitch is based in Winnipeg, Canada, and you can find more information about his books at his website
www.mtit.com You can also keep up with Mitch’s writing and speaking activities by friending him on Facebook
and/or following him on Twitter.
Click here for Mitch Tulloch's section.
Get all articles delivered directly to your mailbox as and when they are released on WindowsNetworking.com!
Choose between receiving instant updates with the Real-Time Article Update, or a monthly summary with the
Monthly Article Update. Sign up to the WindowsNetworking.com Monthly Newsletter, written by Dr. Tom
Shinder, containing news, the hottest tips, Networking links of the month and much more. Subscribe today and
don't miss a thing!
Real-Time Article Update (click for sample)

Monthly Article Update (click for sample)
Monthly Newsletter (click for sample)
Customizing the Default User Profile in Windows 7 (Part 6)

Windows Admin Tips Update
Windows NT4 Domain Logon Script

Give XP ability to search Active Directory
Managing Windows Networks Using Scripts - Part 10: Remote Scripting Tricks
Managing Windows Networks Using Scripts - Part 11: More Scripting Tricks
Using Netsh (Part 1)
9 of 15 3/20/2011 07:48
ManageEngine OpManager - The Complete Network Monitoring Software

Monitor WAN infrastructure, LAN, Servers, Switches, Routers, Services, Apps, CPU, Memory, AD, URL,
Logs, Printers. Satisfies your entire Network infrastructure Management needs.
ManageEngine ServiceDesk Plus - The Out-of-the-box ITIL Ready HelpDesk Software
Get an out-of-the-box, flexible helpdesk with integrated asset management and ITIL features, used by more
than 10000 IT managers in 23 different languages
Internet monitoring, Web security and Internet Access Control - All in one!
Boost employee productivity by monitoring, controlling and reporting on employee internet access. Protect
users and company network against malware infection through web browsing and downloads, as well as
phishing scams.
Download Spiceworks IT Management & Help Desk – Now with iPhone App – All Free!
Download Spiceworks IT management software to make your IT day easier! In addition to network monitoring,
help desk functionality, a built-in TFTP server, & IT community access, Spiceworks now offers an iPhone app
to manage IT from anywhere. And it’s still 100% free!
Get a free Windows SIP Server / IP PBX
IP Telefonanlage, VOIP Telefooncentrale, Centralino Telefonico IP, PABX-IP, Centralita Telefonica VOIP,
Centrala Telefoniczna, Telefonni system, IP telefonvaxel, Central Telefonica IP, VOIP Telefonsentral, IP
telefonanlaeg, IP Puhelinvaihde, Telefon Sistemi, IP PBX (Russian), IP PBX (Greek), IP PBX (Japanese), IP
PBX (Korean), IP PBX (Simplified Chinese), IP PBX (Traditional Chinese), IP PBX (Arabic)
Receive Real-Time & Monthly WindowsNetworking.com article updates in your mailbox. Enter your email
below!
Click for Real-Time sample & Monthly sample
Discuss your network issues with thousands of other network administrators. Click here to join!
Community Area
Log in | Register
10 of 15 3/20/2011 07:48
Featured Freeware!
11 of 15 3/20/2011 07:48
SolarWinds WMI Monitor monitors any Windows application or server, giving you amazing insight into real-time
performance.
Get your free copy today!
Admin KnowledgeBase
Cloud Computing
Common for all OSes
Dial up Networking, ICS, RAS, ADSL
General Networking
Network Protocols
Network Troubleshooting
Product Reviews
VoIP
Windows 7
Windows 2000
Windows 2003
Windows 95/98/ME
Windows NT 4
Windows Server 2008
Windows Vista
Windows XP
Wireless Networking
Authors
Deb Shinder
Eric Geier
Brien M. Posey
David Davis
Mitch Tulloch
Robert J. Shimonski
Russell Hitchcock
Blogs
12 of 15 3/20/2011 07:48
Free Tools
Hardware
Anti-Spam Hardware
Anti-Virus Hardware
Firewalls & VPN
Mail Archiving
Servers
Storage
Message Boards
Newsletter Signup
RSS Feed
Services
SharePoint Hosting
Software
Active Directory Management
Administration tools / Ping & trace utils
Backup software
Data recovery software
Database server software
DNS servers
Email archiving
Free Tools
Help desk software
IP Address Management
IP PBX Servers
Misc. network administrator tools
Network Configuration Management
Network inventory software
Network Mapping
Network monitoring / management
Network Traffic Monitoring
Patch Management
Remote control software
SharePoint Tools
Software distribution and metering
Storage and quota software
Terminal Servers
Thin Client Servers
Web content management servers
White Papers
IP PBX, SIP & VoIP FAQ Sponsored by 3CX
Featured Products
3CX VOIP Phone System
13 of 15 3/20/2011 07:48
Download Free edition
Web Monitoring & Security Download FREE trial!
Readers' Choice
Which is your preferred Anti Spam Hardware solution?
Abaca Email Protection Gateway

Barracuda Spam Firewall
ePrism Email Filter
MailFoundry 4100
modusGate
PineApp Mail-SeCure
SpamTitan ISO
Other
TechGenix Sites
ISAserver.org
The No.1 Forefront TMG / UAG and ISA Server resource site.
MSExchange.org
The leading Microsoft Exchange Server 2010 / 2007 / 2003 resource site.
WindowSecurity.com
Network Security & Information Security resource for IT administrators.
VirtualizationAdmin.com
The essential Virtualization resource site for administrators.
Admin KnowledgeBase
Authors
Blogs
Free Tools
Hardware
Links
Message Boards
Newsletters
14 of 15 3/20/2011 07:48
RSS
Software
White Papers
About Us : Email us : Product Submission Form : Advertising Information

WindowsNetworking.com is in no way affiliated with Microsoft Corp. *Links are sponsored by advertisers.
Copyright © 2011 TechGenix Ltd. All rights reserved. Please read our Privacy Policy and Terms &
Conditions.
15 of 15 3/20/2011 07:48

Using Logon Scripts in Pure and Mixed Active Directory Environments

Hochgeladen von

Dokumentinformationen

Originalbeschreibung:

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Using Logon Scripts in Pure and Mixed Active Directory Environments

Hochgeladen von

Copyright:

Verfügbare Formate

Using Logon Scripts in Pure and Mixed Active Directory Environments http://www.windowsnetworking.com/articles_tutorials/Logon-Scripts-Pu...

Published: Dec 09, 2004

Figure 1: Location of NETLOGON share on Windows 2000/2003 domain controllers

Figure 2: Assigning a logon script to user Bob Smith

Figure 4: The WinnipegGPO is linked to the Winnipeg OU

Figure 5: Policy settings for assigning logon and logoff scripts

Figure 6: Assigning a new logon script using the WinnipegGPO

Figure 8: Assign the logon script

Click here for Mitch Tulloch's section.

Real-Time Article Update (click for sample)

Customizing the Default User Profile in Windows 7 (Part 6)

Windows NT4 Domain Logon Script

ManageEngine OpManager - The Complete Network Monitoring Software

Get your free copy today!

3CX VOIP Phone System

Download Free edition

Web Monitoring & Security Download FREE trial!

Which is your preferred Anti Spam Hardware solution?

Abaca Email Protection Gateway

About Us : Email us : Product Submission Form : Advertising Information

Das könnte Ihnen auch gefallen