Windows Server 2003 Logon Scripts Paul Flynn

Creating logon scripts

You can use logon scripts to assign tasks that will be performed when a user logs on to a particular computer.
The scripts can carry out operating system commands, set system environment variables, and call other scripts
or executable programs. The Windows Server 2003 family supports two scripting environments: the command
processor runs files containing batch language commands, and Windows Script Host (WSH) runs files
containing Microsoft Visual Basic Scripting Edition (VBScript) or Jscript commands. You can use a text editor to
create logon scripts. Some tasks commonly performed by logon scripts include:

• Mapping network drives.

• Installing and setting a user's default printer.

• Collecting computer system information.

• Updating virus signatures.

• Updating software.
The following example logon script contains VBScript commands that use Active Directory Service Interfaces
(ADSI) to perform three common tasks based on a user's group membership:

1. It maps the H: drive to the home directory of the user by calling the WSH Network object's
MapNetworkDrive method in combination with the WSH Network object's UserName property.
2. It uses the ADSI IADsADSystemInfo object to obtain the current user's distinguished name, which in
turn is used to connect to the corresponding user object in Active Directory. Once the connection is
established, the list of groups the user is a member of is retrieved by using the user's memberOf
attribute. The multivalued list of group names is joined into a single string by using VBScript's Join
function to make it easier to search for target group names.
3. If the current user is a member of one of the three groups defined at the top of the script, then the
script maps the user's G: drive to the group shared drive, and sets the user's default printer to be the
group printer.

To create an example logon script

1. Open Notepad.
2. Copy and paste, or type, the following:

Copy Code

Const ENGINEERING_GROUP = "cn=engineering"

Const FINANCE_GROUP = "cn=finance"
Const HUMAN_RESOURCES_GROUP = "cn=human resources"

Set wshNetwork = CreateObject("WScript.Network")

wshNetwork.MapNetworkDrive "h:",
"\\FileServer\Users\" & wshNetwork.UserName

Set ADSysInfo = CreateObject("ADSystemInfo")

Set CurrentUser = GetObject("LDAP://" &
ADSysInfo.UserName)
strGroups = LCase(Join(CurrentUser.MemberOf))

1
Windows Server 2003 Logon Scripts Paul Flynn

If InStr(strGroups, ENGINEERING_GROUP) Then

wshNetwork.MapNetworkDrive "g:",
"\\FileServer\Engineering\"
wshNetwork.AddWindowsPrinterConnection
"\\PrintServer\EngLaser"
wshNetwork.AddWindowsPrinterConnection
"\\PrintServer\Plotter"
wshNetWork.SetDefaultPrinter
"\\PrintServer\EngLaser"

ElseIf InStr(strGroups, FINANCE_GROUP) Then

wshNetwork.MapNetworkDrive "g:",
"\\FileServer\Finance\"
wshNetwork.AddWindowsPrinterConnection
"\\PrintServer\FinLaser"
wshNetWork.SetDefaultPrinter
"\\PrintServer\FinLaser"

ElseIf InStr(strGroups, HUMAN_RESOURCES_GROUP) Then

wshNetwork.MapNetworkDrive "g:",
"\\FileServer\Human Resources\"
wshNetwork.AddWindowsPrinterConnection
"\\PrintServer\HrLaser"
wshNetWork.SetDefaultPrinter
"\\PrintServer\HrLaser"

End If

3. On the File menu, click Save As.

4. In Save in, click the directory that corresponds to the domain controller's Netlogon shared folder
(usually SystemRoot\SYSVOL\Sysvol\DomainName\Scripts where DomainName is the domain's fully
qualified domain name).
5. In Save as type, click All Files.
6. In File name, type a file name, followed by .vbs, and then click Save. WSH uses the .vbs extension
to identify files that contain VBScript commands.
Notes

• To open Notepad, click Start, point to All programs, point to Accessories, and then click Notepad.

• To use the example logon script, you need to change the group names, network drive letters, and
Universal Naming Convention (UNC) paths to match your system environment.

• To run a logon script, you need to assign the script to a user or a group. For more information, see
Assign a logon script to a user or group.

2
Windows Server 2003 Logon Scripts Paul Flynn

For more information about creating and using logon scripts, see Logon Scripts, Windows Script at the
Microsoft Web site, and the Microsoft Windows Resource Kits Web site.

Information about functional differences

• Your server might function differently based on the version and edition of the operating system that is
installed, your account permissions, and your menu settings. For more information, see Viewing Help
on the Web.

Creating user and group accounts

User accounts are used to authenticate, authorize or deny access to resources for, and audit the activity of
individual users on your network. A group account is a collection of user accounts that you can use to assign a
set of permissions and rights to multiple users simultaneously. A group can also contain contacts, computers,
and other groups. You can create user accounts and group accounts in Active Directory to manage domain
users. You can also create user accounts and group accounts on a local computer to manage users specific to
that computer.

Some of the most common tasks are creating user accounts in Active Directory, creating group accounts in
Active Directory, creating user accounts on a local computer, and creating groups on a local computer. You can
also use the command line to create user and group accounts in Managing Active Directory from the command
line or on a Managing local groups from the command line. For more information about other tasks for
managing Active Directory user accounts and groups, see Manage Users, Groups, and Computers. For
information about other tasks for managing user accounts and groups on a local computer, see Local Users and
Groups How To....

To create a user account in Active Directory

1. Open Active Directory Users and Computers.

2. In the console tree, right-click the folder in which you want to add a user account.
Where?

• Active Directory Users and Computers/domain node/folder

3. Point to New, and then click User.
4. In First name, type the user's first name.
5. In Initials, type the user's initials.
6. In Last name, type the user's last name.
7. Modify Full name to add initials or reverse order of first and last names.
8. In User logon name, type the user logon name, click the UPN suffix in the drop-down list, and then
click Next.
If the user will use a different name to log on to computers running Windows 95, Windows 98, or
Windows NT, then you can change the user logon name as it appears in User logon name (pre-
Windows 2000) to the different name.
9. In Password and Confirm password, type the user's password, and then select the appropriate
password options.
Notes

• To perform this procedure, you must be a member of the Account Operators group, Domain Admins
group, or the Enterprise Admins group in Active Directory, or you must have been delegated the

3
Windows Server 2003 Logon Scripts Paul Flynn

appropriate authority. As a security best practice, consider using Run as to perform this procedure.
For more information, see Default local groups, Default groups, and Using Run as.

• To open Active Directory Users and Computers, click Start, click Control Panel, double-click
Administrative Tools, and then double-click Active Directory Users and Computers.

• To add a user, you can also click

on the toolbar.

• To add a user, you can also copy any previously created user account.

• A new user account with the same name as a previously deleted user account does not automatically
assume the permissions and group memberships of the previously deleted account because the
security ID (SID) for each account is unique. To duplicate a deleted user account, all permissions and
memberships must be manually recreated.

• When a user account is created with the new user wizard from within the details pane, you can quickly
edit the user properties by closing the wizard, clicking the new account, and then pressing ENTER. To
open the new user wizard from within the details pane, right-click in the details pane, click New, and
then click User.

• For interoperability with other directory services, you can create an InetOrgPerson user object. To
create a new inetOrgPerson, in step three, click InetOrgPerson instead of User.

• When creating a new user, the full name attribute is created in the FirstNameLastName format by
default. The full name attribute also governs the display name format is shown in the global address
list. You can change the display name format by using ADSI Edit. If you do so, this will also change
the full name format. For more information, see article Q250455, "How to Change Display Names of
Active Directory Users" in the Microsoft Knowledge Base.

To create a group account in Active Directory

1. Open Active Directory Users and Computers.

2. In the console tree, right-click the folder in which you want to add a new group.
Where?

• Active Directory Users and Computers/domain node/folder

3. Point to New, and then click Group.
4. Type the name of the new group.
By default, the name you type is also entered as the pre-Windows 2000 name of the new group.
5. In Group scope, click one of the options.
6. In Group type, click one of the options.
Notes

• To perform this procedure, you must be a member of the Account Operators group, Domain Admins
group, or the Enterprise Admins group in Active Directory, or you must have been delegated the
appropriate authority. As a security best practice, consider using Run as to perform this procedure.
For more information, see Default local groups, Default groups, and Using Run as.

• To open Active Directory Users and Computers, click Start, click Control Panel, double-click
Administrative Tools, and then double-click Active Directory Users and Computers.

• To add a group, you can also click the folder in which you want to add the group, and then click
on the toolbar.

• If the domain in which you are creating the group is set to the domain functional level of
Windows 2000 mixed, you can select only security groups with Domain local or Global scopes. For
more information, see Group scope.

4
Windows Server 2003 Logon Scripts Paul Flynn

• When a group account is created with the new group wizard from within the details pane, you can
quickly edit the group account properties by closing the wizard, clicking the new account, and then
pressing ENTER. To open the new group wizard from within the details pane, right-click in the details
pane, click New, and then click Group.

To create a user account on a local computer

1. Open Computer Management.

2. In the console tree, click Users.
Where?

• Computer Management/System Tools/Local Users and Groups/Users

3. On the Action menu, click New User.
4. Type the appropriate information in the dialog box.
5. Select or clear the check boxes for:

• User must change password at next logon

• User cannot change password

• Password never expires

• Account is disabled
6. Click Create, and then click Close.
Notes

• To perform this procedure, you must be a member of the Administrators group on the local computer,
or you must have been delegated the appropriate authority. If the computer is joined to a domain,
members of the Domain Admins group might be able to perform this procedure. As a security best
practice, consider using Run as to perform this procedure.

• To open Computer Management, click Start, click Control Panel, double-click Administrative
Tools, and then double-click Computer Management.

• A user name cannot be identical to any other user or group name on the computer being
administered. It can contain up to 20 uppercase or lowercase characters, except for the following:
"/\[]:;|=,+*?<>
A user name cannot consist solely of periods (.) or spaces.

• In Password and Confirm password, you can type a password containing up to 127 characters.
However, if the network consists of computers running Windows 95 or Windows 98, consider using
passwords no longer than 14 characters. If your password is longer, you may not be able to log on to
the network from those computers.

• You should not add a new local user to the local Administrators group unless the user will perform
only administrative tasks. For more information, see Why you should not run your computer as an
administrator.

To create a group on a local computer

1. Open Computer Management.

2. In the console tree, click Groups.
Where?

• Computer Management/System Tools/Local Users and Groups/Groups

3. On the Action menu, click New Group.
4. In Group name, type a name for the new group.

5
Windows Server 2003 Logon Scripts Paul Flynn

5. In Description, type a description of the new group.

6. To add one or more users to a new group, click Add.
7. In the Select Users, Computers, or Groups dialog box, do the following:

• To add a user or group account to this group, under Enter the object names to select,
type the name of the user account or group account that you want to add, and then click OK.

• To add a computer account to this group, click Object Types, select the Computers check
box, and then click OK. Under Enter the object names to select, type the name of the
computer account that you want to add, and then click OK.
8. In the New Group dialog box, click Create, and then click Close.
Notes

• To perform this procedure, you must be a member of the Administrators group on the local computer,
or you must have been delegated the appropriate authority. If the computer is joined to a domain,
members of the Domain Admins group might be able to perform this procedure. As a security best
practice, consider using Run as to perform this procedure.

• To open Computer Management, click Start, click Control Panel, double-click Administrative
Tools, and then double-click Computer Management.

• A local group name cannot be identical to any other group or user name on the local computer being
administered. It can contain up to 256 uppercase or lowercase characters, except for the following:
"/\[]:;|=,+*?<>
A group name cannot consist solely of periods (.) or spaces