Time to write out the Logon Script?
I realize that I have to handle any suggestion that people abandon their logon scripts with extreme care. Let me begin by explaining my least contentious proposal; if you really need logon scripts, for example to map printers, then do them right, that means assigning Logon Scripts via Group Policy. It’s time for one of my Litmus Tests, which are designed to distinguish between amateur and professional administrators.
Best Practice Litmus Test: How do you apply logon scripts in Windows Server 2003?
Amateurs configure logon scripts the NT 4.0 way. They go to Active Directory Users and Computers, then they configure logon scripts individually, via the User’s property sheet, Profile tab and Logon script dialog box.
Professionals assign logon scripts via Group Policy. When you use this method, launch the GPMC (Group Policy Management Console), head for the User Configuration, Windows Setting, Scripts and select Logon. When the policy window opens, click Add and Browse for your logon script File name.
I have a tip for assigning scripts via Group Policy. Before you start the above procedure, copy (ctrl c) the logon script file – not the code, then when you reach the Browse File Name dialog box, paste the file (ctrl v). What this tip does is save you browsing in the SysVol folder and getting lost amongst those folders beginning with strange hexadecimal numbers. At the bottom of this link are screen shots of my paste logon script tip. At the bottom of this link are screen shots of my paste logon script tip.
To recap, the advantages of applying logon scripts via Group Policy compared to the Profile tab are as follows:
1) Central administration, configure just one setting for everyone in the OU. There is no need to visit every user’s property sheet, just because you changed the name of the logon script. In addition, you can deploy multiple logon scripts with Group Policies.
2) You can also assign scripts to the computer rather than user, these are called Start Up scripts. Incidentally, I have never seen a Profile tab for a computer object, thus you could not apply the old NT 4.0 method to computers.
3) You can use Group Policy to run Logoff or Shutdown scripts, however, I confess, I have yet to see anyone apply Shutdown scripts in real life.
If you want to learn more about configuring Group Policies, then I recommend TrainSignal’s video material. At TrainSignal they divide IT training into modules. They have step-by-step instructions prepared by experienced administrators to show you how to configure the Group Policy settings.
Real Life Example written by Mike G.
I’ve located the VBS files for each logon script under the NETLOGON share of the DC in a folder called "Logon Scripts". The six folders underneath represent my six regions within the company. This allows me to grant NTFS permissions on each regional folder to the local IS guys so they can modify their logon scripts (only), without having to give them permissions to the DC or the directories where the group policy lives. This keeps them in a separate folder than the Group Policies that launch them (so you don’t have to know those long strange hexadecimal numbers).
I link the group policies that launch the logon scripts to the site. (this may not be right for everyone) This is because I have 60 offices and we frequently have people shift to other offices to help out. By adding them to the local office security group, they get the proper NTFS permissions on the server and the logon script launches for the office they’re in, not their home office (which would be the case if it’s linked to an OU).
We have an Intranet page where folks can go to "Map your Office Network Drive Letters". So if they do need access to their home office drives, they go to this page and select their office. It then launches the …. login script.vbs from the folder on the DC so they can map drives as they need them. (this works great for remote users on the road or at home too).
SolarWinds’ Orion performance monitor will help you discover what’s happening on your network. This utility will also guide you through troubleshooting; the dashboard will indicate whether the root cause is a broken link, faulty equipment or resource overload.
What I like best is the way NPM suggests solutions to network problems. Its also has the ability to monitor the health of individual VMware virtual machines. If you are interested in troubleshooting, and creating network maps, then I recommend that you try NPM now.
Time to Write out the Logon Script
Last week I floated the suggestion that Home Drives could be replaced by folder redirection. This week my more contentious prediction is that in two computer generations – say 6 years, logon scripts will be phased out. My prediction is that all the present logon script instructions could in future be applied through bigger and better Group Policies.
My goal this week is merely to plant the seed of an idea. That idea is to actively seek alternatives to Logon Scripts. I want to emphasise that with logon scripts, the past does not equal the future. The first time I saw this entrenchment in the old technology was in the spring of 1966. Mad Mick said words to the effect of, ‘I would sooner eat sewage than ride a Japanese motor bike’. Well in the autumn of 1966, Mad Mick traded in his leaking Triumph 650 Bonneville for a brand new Japanese Honda CB 450. I remember it well because John ‘The Monst’ and I frog marched Mick to the toilet. I will leave the rest of that particular saga to your imagination.
My point is that everyone suffers from this inability to let go of the past and embrace the future, with me its mobile phones. I just stick to the basic mobile, I don’t take pictures, and wish they would make a model with bigger buttons.
I also want to make it clear that I love logon scripts. If my prediction comes true, and one day logon scripts die out, then it would be fitting that I am chief mourner. The reason being I have made a good pin money from my logon script ebooks. On that score, I still say that logon scripts are a great way of learning VBScript because you get instant action and don’t need Active Directory to run the scripts. As for VBScript, it’s easy to predict that VBScript in general and WMI scripts in particular, have a rosy future. For example, there is a WMI setting within Group Policies where you can control factors such as applying the policy to XP but not to Windows 2000 machines.
Tired of writing scripts? The User Management Resource Administrator solution by Tools4ever offers an alternative to time-consuming manual processes.
It features 100% auto provisioning, Helpdesk Delegation, Connectors to more than 130 systems/applications, Workflow Management, Self Service and many other benefits. Click on the link for more information onUMRA.
See more interesting Windows Active Directory articles