Logon Scripts The Basics

9/2008

Logon scripts can be useful tools for configuring desktop environments for users. Some of the
things such scripts can be used for include mapping network drives, connecting to shared printers,
gathering system information, and so on. In fact, just about anything you can do from the
command-line can be done using a logon script.
This section assumes your desktops are running Windows 2000 or later. It describes how to write
logon scripts in VBScript and deploy with Group Policy which are very powerful and flexible. Basic
understanding of Group Policy deployment is assumed. If you havent yet learned VBScript, see the
Resources section at the end of this article for some tutorials.
Cookbook for a basic logon script
This very simple example uses a logon.vbs script that does the following for any user logging onto
any computer located in the Organizations\Butterfly Science OU.

Assumes there is a server named dept-server with two file shares, users and groups
Assumes there is a folder for each user created under the users folder and has
appropriate permissions set.
Maps the H: drive to the \\dept-server\users\username.
Maps the G: drive to the \\dept-server\groups.

Set objNet = CreateObject("WScript.Network")

strUser = objNet.UserName
strHomeDrivePath = "\\dept-server\users\" & strUser
objNet.MapNetworkDrive "H:", strHomeDrivePath
objNet.MapNetworkDrive "G:", "\\dept-server\groups"
WScript.Quit
To assign logon.vbs to the users of computers in Butterfly Science you will need to configure a Group
Policy that:

Configures the User Configuration portion of the Group Policy to launch the logon.vbs script.
Configures the Computer Configuration portion of the Group Policy to assign the User
Configuration above to computers in Butterfly Science.

Figure 1: Users of Computers in the Organization/Butterfly Science/Computers OU need a logon script

assigned to map network drives
Right-click on the Organizations/Butterfly Science/Computers OU and select Properties.
Select the Group Policy tab.
Note: If you have installed the Group Policy Management Console, this tab will bring up a link to launch
the Group Policy Management Console and use it instead of the basic Group Policy Editor. The process
has a few more steps:
o Navigate to your OU
o Right click on OU. Create and Link a GPO Here...
o Name the new GPO using your Department name as a prefix. Click OK which saves it. (Figure 2
below)
o Find the new (empty) GPO on the "Linked Group Policy Object" tab on the right side.
o Right click and select "Edit". This opens the good old GP Editor you know and love. (Figure 3
below)

Click New and create a GPO named Butterfly Science Computers GPO which will be linked to
this OU (Figure 2)

Figure 2: The Butterfly Science Computers GPO is linked to the Computers OU in

Organizations/Butterfly Science/

Click Edit to open the Butterfly Science Computers GPO and navigate to User
Configuration\Windows Settings\Scripts as in Figure 3 below.

Figure 3: User Configuration policy settings for assigning logon scripts

Right-click on Logon in the right-hand pane and select Properties (Figure 4):

Figure 4: Assigning a new logon script using the Butterfly Science GPO

Click the Show Files button which opens the default folder where logon scripts assigned using
Group Policy are stored on your domain controller (Figure 5):

Figure 5: Default folder where logon scripts assigned using Group Policy are stored on a domain
controller
Note: The figure above shows that logon scripts assigned using Group Policy are stored in a subfolder specific
to this particular Group Policy on the SYSVOL share on the UMROOT domain controllers using a Policy GUID.
This is automatic and you dont need to worry about it.

Copy and paste the logon.vbs file you created into the open Scripts\Logon folder above.
Close the folder window.
Return to the Logon Properties screen in Figure 4 previously and click the Add button to open
the Edit Script dialog box.
4

Click Browse and select the logon.vbs file from the Logon folder.
Click OK two times and the script has been assigned.

Figure 6: Assign the logon script

Figure 6a: Assign the logon script

Now you need to configure the Computer Configuration section of the GPO.

Navigate to Computer Configuration\Administrative Templates\System\Group Policy as in

Figure 7 below.

Figure 7: Policy settings for Loopback Processing

Select User Group Policy Loopback processing mode and select the Replace mode.

Figure 7a: Replace Mode for Loopback Processing

Close the Group Policy Editor.

The next time user buderfly logs onto a computer in the Butterfly Science Organizations
OU, hell see an H: and G: drive when he opens My Computer.

Figure 8: Drives mapped on client.

Notes:

The name of the logon script file does not matter as long as the extension is vbs.
Use FQDN names in scripts for servers rather than NetBIOS names for better reliability.
If you are quickly making many changes to Group Polices, there can be a slight time lag as these policies
are replicated between Domain Controllers and pushed down to computers. Allow 5 minutes or so for
replication across Active Directory. Rebooting computers or running gpupdate refreshes policies on
computers.
UMROOT does not allow deployment of logon scripts using the Logon Script attribute of the Profile tab of
the User in Active Directory for uniqname user accounts. This is due to the issues it can cause in a large
environment such as ours and is really intended for downlevel environments anyway. You can choose to
run the old batch programming language, .BAT files, but VBScript is more powerful.

Resources for Logon Scripts

You will probably want a more complex script that checks if the drives are already in use, maps
drives for users based on group membership, use Vbscript best practices including Dim, Option
Explicit, and On Error Resume statements.
There are almost no limits with what you can do with logon scripts, but you need to become an expert
at writing VBS scripts. They are more complex than the old batch files, but support all types of branching
and conditional logic. A complex logon script could map home directories based on logon name, map
shared drives based on group membership and assign printers based on whatever. These types of scripts
are available online or from your friendly Windows Admin list and are out of scope for this document.
If you want to learn how to start writing Windows Script Host WSH scripts using VBScript, or find some
useful scripts others have already developed, here are a few resources to check out:

Scripting on MSDN
7

Script Center on TechNet

VBScript Primer
WSH Primer
VBScript Users Guide
VBScript Language Reference

Under the Hood

The above cookbook for creating logon scripts uses a complex configuration employing Loopback
Processing policies. Why cant you just configure a GPO to launch logon script using just the User
Configuration settings above and apply the GPO to the Accounts OU where your users? In a simple
organization, this would work fine, but in our large organization this breaks down for several
reasons.

Many OU admins choose to leave their users in the large People OU and not move them to their
Accounts OU. If the users are in the People OU, OU Admins cannot directly apply a GPO to that
OU. See below for why you might not want to move your users to your Accounts OU.
Even if you choose to move your users into your Accounts OU, some users may be shared with
other units. You may not be able to move 100% of your users to your Accounts OU, but you still
want to apply the logon script to 100% of your users.
If your users are shared with another unit, the user will get your Logon Script applied to them
even when they logon to computers in another department, not pretty.

Why you might not want to move users to your Accounts OU

Moving users to your units Accounts OU requires additional effort on the part of the OU Admin and
may not be necessary depending on how much you need to manage the individual attributes of the
users. The details of this discussion are out of scope for this document and are covered in the AD
Orientation document. Users that are left in the People OU can be easily managed in the following 3
ways:

Users can change their own passwords using the Password Change Web Page if they know their
Kerberos password.
https://accounts.itcs.umich.edu/kpasswd-bin/kpasswd.cgi
OU Admins can create security groups in their units Organizations OU, add any users from the
People OU and then assign permissions and resources to the those groups.
User Configuration Group Policies CAN be assigned to these users using loopback policies.

Group Policy 101

All Group Policies contain both a User and Computer Configuration section.
The logon script is always configured in the User Configuration section of a Group Policy (GPO).
The User Configuration section of a GPO is always applied to users that are in the OU that the
Group Policy is linked to.
The Computer Configuration section of a GPO is always applied to the computers in the OU that
the Group Policy is linked to.
8

In the simplest environment, a single Group Policy with both User and Computer Configuration sections
can applied to an OU that contained both users and computers.
In a more complex environments, users and computers are usually in separate OUs requiring two GPOs.
The first GPO would have just the User Configuration section of the GPO configured and applied to the
OU where the users are located. The second GPO would have just the Computer Configuration section of
the GPO configured and applied to the OU where the computers are located.
In our environment, users are possibly in OUs where we cannot apply Group Policies.
Loopback Policies to the Rescue
You can configure a special GPO setting in the Computer Configuration section of the GPO that applies to
the computers in your Organizations OU that tells Active Directory to also apply the User Configuration
section of that same GPO to all the users that logon to that computer, regardless of what OU their user
object is located in. Any user logging onto one of your computers will always get your logon script. They
will also get any other user configuration you have set.