Logon Script Deployment

Categories // System Administration

The logon script process is the same in almost every situation: end users call a batch file or VBScript that runs commands on their local system.



So first, let's determine what kind of scripted logon process you want to use.


As far as best practices go, there are only two types I would try to implement: DOS batch files or VBScripts, the latter being my preference.

  • Decide the scope of your needs.
    1. You need to map static drives and that's it.
    2. You need to map drives based on group membership.
    3. You need "choice 2" and to collect info on your networked PCs.
  • Understand your environment
    • What operating systems do you have to support? (I am only focusing on Windows environments here.)
    • What OS versions?
    • How will remote users connect and run the logon script?

Choose your method

  • If you chose "#1" then you can get by with a DOS batch file in the "netlogon" share.

NOTE: if you only need to map one drive, then use ADUC (Active Directory Users and Computers). For this method go to the "Single Drive Mapping Method".


If you chose #2


NOTE: if you need to support older systems like NT 4.0, Windows 95, etc., then the batch file method is your best choice. You can find an excellent article on implementing this at the Microsoft TechNet site. The link is here.

  • You can get by with a DOS batch file and the MS program "Ifmember.exe" (a resource kit utility) placed in the Netlogon share of a domain controller.
  • Although this method works, it is slower and clumsier than a VBScript deployed by GPO.


If you chose #3

  • Then you will definitely want to use the VBScript and GPO method, which I outline below.
  • This option is best if you don't need to support older legacy systems. It gives you great flexibility in what you can accomplish.

First you should decide what you want in your script, what do you want to provide for your customers (end users). I'll use a script I deployed as an example.

I did not want to have drives mapped and system updates applied to servers, only to workstations. You may want to have some drives mapped on servers; it's up to you. So first I determine what OS I am working with. If it's a server, I exit the logon script (I have other systems monitoring servers, so I don't need to worry about anti-virus and the like).


'******** determine OS and quit if it's a server *********
Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
Set colOperatingSystems = objWMIService.ExecQuery _
    ("Select * from Win32_OperatingSystem")
For Each objOperatingSystem in colOperatingSystems
    ' servers are monitored elsewhere, so the logon script ends here on any of them
    Select Case objOperatingSystem.Caption
        Case "Microsoft(R) Windows(R) Server 2003, Standard Edition"
            WScript.Quit
        Case "Microsoft(R) Windows(R) Server 2003, Enterprise Edition"
            WScript.Quit
        Case "Microsoft Windows 2000 Server"
            WScript.Quit
    End Select
Next
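Matching Caption strings means every new server edition has to be added to the list by hand. As an added example (not code from the original post), the same decision can be made from the ProductType property of Win32_OperatingSystem, which covers current and future server editions alike; IsWorkstation is a name chosen here.

```vbscript
' Added example: decide workstation vs. server by Win32_OperatingSystem.ProductType
' instead of matching Caption strings.
' ProductType values: 1 = Workstation, 2 = Domain Controller, 3 = Server
Option Explicit

Function IsWorkstation()
    Dim objWMIService, colOS, objOS
    Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
    Set colOS = objWMIService.ExecQuery _
        ("Select ProductType, Caption from Win32_OperatingSystem")
    IsWorkstation = False
    For Each objOS In colOS
        If objOS.ProductType = 1 Then IsWorkstation = True
    Next
End Function

' Quit early on any server edition, current or future, without listing names
If Not IsWorkstation() Then
    WScript.Quit
End If
```

The same WQL, `Select * from Win32_OperatingSystem Where ProductType = 1`, can be attached to the GPO as a WMI filter so that the policy never applies to servers in the first place (Windows 2000 clients ignore WMI filters and apply the GPO regardless).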


Next, it's always good to map drives based on group membership. This way, when you move people around in your company, they automatically have the resources they need.


'********* map drives based on group membership *********
Set objNetwork = CreateObject("WScript.Network")
Set objSysInfo = CreateObject("ADSystemInfo")
Set objUser = GetObject("LDAP://" & objSysInfo.UserName)
' memberOf comes back as a plain string when the user is in only one group and as an
' array otherwise, so GetEx is used: it always returns an array (and raises an error
' when the user is in no groups at all, which is why the call is guarded)
On Error Resume Next
arrGroups = objUser.GetEx("memberOf")
On Error GoTo 0
If IsArray(arrGroups) Then
    For Each strGroup in arrGroups
        strGroupPath = "LDAP://" & strGroup
        Set objGroup = GetObject(strGroupPath)
        strGroupName = objGroup.CN
        'WScript.Echo strGroupName
        Select Case strGroupName
            Case "YourGroup1"
                objNetwork.MapNetworkDrive "H:", "\\yourServer\path\path\" _
                    & objNetwork.UserName
            Case "YourGroup2"
                objNetwork.MapNetworkDrive "H:", "\\yourServer\path\path\" _
                    & objNetwork.UserName
            Case "Information Technology"
                objNetwork.MapNetworkDrive "G:", "\\yourServer\path\path"
            'Case "QAD Users"
            '    j = 1
            '    Call JRE
        End Select
    Next
End If


You may want to have some drives mapped that are always the same for every user. If so, you can throw in something like this:


objNetwork.MapNetworkDrive "I:", "\\yourServer\path\path"
objNetwork.MapNetworkDrive "K:", "\\yourServer\path\path"
objNetwork.MapNetworkDrive "Q:", "\\yourServer\path\path"
objNetwork.MapNetworkDrive "R:", "\\yourServer\path\path"


Next, I want the system time always in sync with the domain controllers, so I add this line in:

'********* set system time *********
Set WshShell = CreateObject("WScript.Shell")
' go through cmd.exe so the "> nul" redirection works; 0 = hidden window, True = wait for it
WshShell.Run "%COMSPEC% /c net time \\ds10001 /set /yes > nul", 0, True


NOTE: You may have noticed several lines that have asterisks in front of them and some info about what the line does. It's always good to comment your scripts as much as possible, since you probably won't be the last person to manage the system. As well, if you're like me, you may forget what you were doing and why you made the change.

So now you may want to check the workstations for running programs like anti-virus, or you may want to look for certain registry keys, or whatever else you have an interest in knowing about the workstation. I like to make sure anti-virus is running. If it's not, I send an email to the help desk so they can dispatch an engineer to the user's desk.


'********* check for anti-virus and notify IT if missing *********
Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
Set colProcesses = objWMIService.ExecQuery _
    ("Select * from Win32_Process Where Name = 'FrameworkService.exe'")
Set objComputer = CreateObject("Shell.LocalMachine")
If colProcesses.Count = 0 Then
    ' subject and textbd are script-level variables read by the SmtpServer sub below
    subject = "Anti-virus is not running on " & objComputer.MachineName
    textbd = "Anti-virus is not running on " & objComputer.MachineName
    Call SmtpServer
End If
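The check above is written for a single process name. As an added example (not code from the original post), the same idea generalised to a list of required processes, with the missing ones written to the Application event log so the help desk has a record on the machine even when the email cannot be sent; MissingProcesses and "YourOtherAgent.exe" are names chosen here.

```vbscript
' Added example: report every required process that is not running.
Option Explicit

' Returns an array of the names in arrNames that are not currently running
Function MissingProcesses(arrNames)
    Dim objWMIService, colProcs, objProc, dictRunning, strName, arrMissing
    Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
    Set dictRunning = CreateObject("Scripting.Dictionary")
    dictRunning.CompareMode = vbTextCompare   ' process names are case-insensitive
    ' one WMI query for all processes instead of one query per name
    Set colProcs = objWMIService.ExecQuery("Select Name from Win32_Process")
    For Each objProc In colProcs
        If Not dictRunning.Exists(objProc.Name) Then dictRunning.Add objProc.Name, True
    Next
    arrMissing = Array()
    For Each strName In arrNames
        If Not dictRunning.Exists(strName) Then
            ReDim Preserve arrMissing(UBound(arrMissing) + 1)
            arrMissing(UBound(arrMissing)) = strName
        End If
    Next
    MissingProcesses = arrMissing
End Function

Dim WshShell, objComputer, arrMissing, strMsg
Set WshShell = CreateObject("WScript.Shell")
Set objComputer = CreateObject("Shell.LocalMachine")
' FrameworkService.exe is the anti-virus agent from the post; the second name is a placeholder
arrMissing = MissingProcesses(Array("FrameworkService.exe", "YourOtherAgent.exe"))
If UBound(arrMissing) >= 0 Then
    strMsg = "Required processes not running on " & objComputer.MachineName & _
             ": " & Join(arrMissing, ", ")
    ' 4 = warning; the entry lands in the Application log under the source "WSH"
    WshShell.LogEvent 4, strMsg
    ' to also email the help desk, set subject and textbd and Call SmtpServer as in the post
End If
```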


I like to include a clearly labeled block that runs outside programs. This way, if another engineer comes along to manage the system, they can make changes easily without bothering me ;-)


'********** Call scripts or programs outside of this script - change the line after "WshShell.Run" to the program to call *********
'Set WshShell = WScript.CreateObject("WScript.Shell")
'WshShell.Run "DfltDelSetv3.vbs"


If you want your logon script to send emails with information in them, you need to have a method to do it in place. If your users have the SMTP service running on their system (IIS installed), then you can accomplish it with a few lines of code. This is not usually the case, so you need to build a little SMTP-sending routine into the script to send out email.


'********** email information ***********
'Place any routine above this sub-routine and have it "CALL" SmtpServer
'Then pass the 2 variables, subject (subject line of the email) and textbd (message text)
'(both are script-level variables that the sub reads directly)

Sub SmtpServer
    ' sender, recipient and SMTP host are placeholders; the original values were stripped from the page
    Set objEmail = CreateObject("CDO.Message")
    objEmail.From = "logonscript@yourdomain.example"
    objEmail.To = "helpdesk@yourdomain.example"
    objEmail.Subject = subject
    objEmail.Textbody = textbd
    ' 2 = cdoSendUsingPort: talk directly to the SMTP server named below
    objEmail.Configuration.Fields.Item _
        ("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2
    objEmail.Configuration.Fields.Item _
        ("http://schemas.microsoft.com/cdo/configuration/smtpserver") = "yourSmtpServer"
    objEmail.Configuration.Fields.Item _
        ("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 25
    objEmail.Configuration.Fields.Update   ' without Update the settings above are ignored
    objEmail.Send
End Sub


By the way, most of the code in here I borrowed from other sources such as "The Scripting Guys" at Microsoft. I find that 90% of whatever you may want to script has already been done; you just need to look around a bit. It will save you tons of time, and you'll learn even quicker if you look at what someone else has done to get the results you need.

Next we'll discuss implementing the script with a GPO.


You can run a logon script by creating a GPO that is based on security groups. This is best if you want some groups to run different logon scripts than others. Even if you only have one group of users that will use the logon script, it's best to start out with this setup so you're ready for future changes. Always think about how "scalable" it is when creating new processes for your computing infrastructure.

Open GPMC (Group Policy Management Console). If you don't have it, download it and install it.

  1. Navigate to the GPO you have created for user logons. I created a GPO that I call "UserSytemControl". I place all of the workstation and user specific policies in here. This way I don't have too many separate policies to download and run on the users' systems. Also, it helps to have one place to look for end user policies.
  2. Highlight the policies you want to add the logon script to and left click.
  3. Choose "Edit".
  4. Next, navigate to User Configuration\Windows Settings\Scripts (Logon/Logoff).
  5. Double click "Logon" and choose "Add".
  6. Now load the VBScript you created in earlier steps.
  7. Click "OK" and exit out of the GPMC.


Next, you may want to run this script based on group membership. I mean that you can select the groups, OUs or users that this policy will be applied to within the GPMC console. It's located in the lower box of the "Scope" tab.

That's it! You're done; now when users log on they will run the script. Their drives will get mapped based on the groups they belong to, their system will get checked for anti-virus or any other program you wish to check for, and they won't know a thing about it. It'll be like magic.

You can do a lot more than what I presented here, a lot more. Look around at the various settings in GPMC, especially the "WMI filters" you can set up; there are some very interesting possibilities there.

NOTE: Please note that there are elements that I did not mention about the VB logon script that are related to script writing in practice. You should look over the script I have for download and learn from that. I didn't want to try to teach you how to write VBScripts; there are vast resources on the Internet for that. More, I want to get you thinking about scalability, maintainability and getting the most for you and your customers from this process.

I hope this has helped you.

