You can use logon scripts to assign tasks that will be performed when a user logs on to a particular computer. These scripts can carry out operating system commands, set system environment variables, and call other scripts or executable programs. Some tasks commonly performed by logon scripts include:
- Installing and setting a user’s default printer
- Collecting computer system information
- Updating virus signatures
- Updating software
Basically, there are two ways to assign Logon scripts. The first is done on the Profile tab of the user properties dialog in the Active Directory Users and Computers (ADUC). The second is done via Group Policy Objects(GPO). This article will focus on the first method.
It’s worth noting that using the first method – via the Profile tab of the user properties – will work for any Microsoft-based operating system, and is especially useful when you have older clients such as Windows 95/98 or Windows NT. These types of operating systems do not use Group Policies. If you assign the logon script in both ways for a user, if the user logs on to a computer running Windows 2000 or above, both logon scripts will run. Therefore it’s recommended you only use one of the methods. You can read more about it on my “Setting up a Logon Script through GPO in Windows Server 2008” article.
Note: Using Windows Server 2008 Active Directory Users and Computers (ADUC) to assign logon scripts is mostly the same as it was in Windows 2003, but having some people asking me questions about it in Windows Server 2008 has triggered the writing of this article.
Creating the logon script
The logon script is the file that does the actual action. It could be almost any action, as noted above. So we’ll start by creating that script. The default location for logon scripts is the NETLOGON share, which, by default, is shared on all Domain Controllers in an Active Directory forest, and is located in the following folder:
%SystemRoot%\SYSVOL\sysvol\<domain DNS name>\scripts
Where %SystemRoot% is usually “C:\Windows” and <domain DNS name> is the DNS name of the domain, similar to “Petri.local”. This folder, which is a part of the SYSVOL special folder, is replicated to all the Domain Controllers in the domain.
Note: The actual process of creating the script is beyond the scope of this article, there are plenty of good resources with great examples on the Internet.
- Create the logon script and give it the appropriate name (for example: logon.bat, logon.cmd, logon.vbs, etc.) The script can use ANY name, just make sure you know what that name is, and give it the right file extension type.
- Make sure that the script runs and performs the required action when it is manually run (double-click on it).
- Copy the logon script (CTRL+C).
- Paste the logon script in the NETLOGON share on one of the Domain Controllers. The NETLOGON share is located in the following path: c:\Windows\Sysvol\Sysvol\Domain Name\Scripts.
Note: You can enter a UNC path in the “Logon script” field and place the file in another location. However, this location should be one that is replicated to all Domain Controllers, and unless you have such a folder available, I’d suggest you keep to the NETLOGON share.