Guy’s Scripting Ezine 132 Assigning Logon Scripts Via Group Policy

Assigning Logon Scripts Via Group Policy


This Week’s Secret

The mission of my whole website is to get you started.  In the case of the VBScript section, I also want to create a reference section for those moments, when even experienced script writers forget the syntax for a little-used command.

My Computer Performance site started back in 1999 with logon scripts, therefore with a New Year just beginning, this is a fitting time to revisit assigning logon scripts.

Guy’s way is to always build-up scripts gradually.  My advice is start as simply as possible and get a single command working.  Nothing succeeds like success once, thus when that first script performs as expected, it’s time to extend your repertoire and bolt-on other VBScript commands.  I have developed this modular approach from years of troubleshooting other people’s scripts.

A hidden benefit from short focused scripts is that they encourage you to experiment.  Change one or two commands and observe what happens.  The result will be you write tighter code and learn about VBScript.

Guy Recommends: Tools4ever’s UMRAUMRA The User Management Resource Administrator

Tired of writing scripts? The User Management Resource Administrator solution by Tools4ever offers an alternative to time-consuming manual processes.

It features 100% auto provisioning, Helpdesk Delegation, Connectors to more than 130 systems/applications, Workflow Management, Self Service and many other benefits. Click on the link for more information onUMRA.

This Week’s Mission –
Troubleshooting Assigning Logon Scripts

The purpose of this VBScript is to act as a test script so that we can investigate assigning logons scripts via group policies.  Almost any VBScript will suit this purpose, the script that I have enclosed maps a share on a server, for example (\\ server\ share) to a local drive letter, for example (g:\).

Learning progression.
Get the script working on your own XP machine.
Go the domain controller and Assign the script to a user.

Assumption: When you test your script, you have administrative rights to the domain controller.  Suggestion: Create a test user in a test OU.  Best would be to have your own test domain in its own subnet.  If you are short of resources consider getting virtual server software to test not only Logon Scripts, but also other aspects of Windows Server 2003.

For once, the actual logon script is not important, because my purpose this week is to show you how to Assign Logon scripts and to troubleshoot associated Group Policy problems.

For reference, this is what a simple logon script will look like:

‘ MapNetworkDrive.vbs
‘ VBScript to map a network drive to a UNC Path.
‘ Author Guy Thomas
‘ Version 2.4 – January 2007
‘ —————————————————————–‘
Option Explicit
Dim objNetwork
Dim strDriveLetter, strRemotePath
strDriveLetter = "J:"
strRemotePath = "\\alan\home"

‘ Purpose of script to create a network object. (objNetwork)
‘ Then to apply the MapNetworkDrive method.  Result J: drive
Set objNetwork = CreateObject("WScript.Network")

objNetwork.MapNetworkDrive strDriveLetter, strRemotePath

‘ End of Example VBScript.


  1. On Line 10 change the server name from ‘\\alan’ to your server name.
  2. Make sure that your server has a share called ‘\home’.

Instructions to MapNetworkDrive

  1. Copy and paste the script below into notepad.
  2. Check strPath, your server is unlikely to be called "\\alan, so amend to the name of your server.
  3. Save the file with .vbs extension e.g. MapNetworkDrive.vbs.
  4. Double click your script and check in your Windows Explorer for a new drive called : home on ‘alan’ (J:)

Assigning Logon Scripts Via Group Policy

The inferior alternative to Assigning Logon Scripts via Group Policy is visiting each user’s Profile property tab and typing the name of the logon script.  The bonus of Assigning Logon Scripts through the GPMC is that it re-enforces the principles of controlling the client computers via a Group Policy.

Troubleshooting Logon Scripts

Scenario 1
The script does not work on your own XP machine.  Solution pure VBScript troubleshooting, start with researching the 0800xxxx error number.  Not covered in this week’s ezine.

Scenario 2
The script works when you double click the .vbs file, but does not execute when you logon as the test user.

Each of the following troubleshooting steps is useful not only for logon scripts, but also for problems such as other Group Policies don’t work.

1) Wrong OU

The number one reason that logon scripts don’t work when you assign them to a Group Policy is  that the policy is applied to one OU, while the user accounts are stored in a different OU.  Commonest of all is where the test accounts were created in the default Users container, yet the script is assigned to the test OU which contains no users!

Solution 1: Always create a test OU with a few test users.  Naturally, apply the test Group Policies with the logon scripts to this test OU.

Solution 2: Only suitable for a test domain.  Assign your logon script to the default domain policy.

2) Block Inheritance and Group Policy Results

In MCSE exams the answer to why a Group Policy did not work is often Block Inheritance, in real life block inheritance is rarely the case.  However to check for this and similar problems make use of a feature in the GPMC called Group Policy Results.  With this you can see the settings Active Directory believes apply to a user, you then compare the summary results with what you THINK should apply to the user.  Naturally if there is a discrepancy, Active Directory is always correct and we humans always wrong.

3) Latency

In Windows Server 2003 domain controller replication has less latency than Window 2000, however, you can run remove latency from the equation by running the  command: gpupdate /force.  This Group Policy refresh is available on both the Windows 2003 server and the XP client.  Gpupdate is most useful when you are making constant changes as part of your troubleshooting.

A different sort of latency problem can be caused commands in the script itself.  If the logon script fails giving an error message such as, cannot find server, then the configuration is correct, but the script itself may benefit from a WSCript.Sleep command.

4) Logon Script in the wrong physical folder on the server

If the script works fine in isolation, but won’t work when you assign through Active Directory, I would add any old setting to the Group Policy, for example, remove the ‘Run’ command.  If that Group Policy works, but the Logon Script is still silent then I would suspect that the .VBS file is in the wrong physical folder on the server.

To Check the VBScripts Path
Research the Group Polices folder structure on the domain controller.  Navigate to the %windir%\sysvol\ folder. Strangely, there are two sysvol folders. Under the second sysvol you will see your domain name, and further down the actual group policies.  Each policy has sub menus with its templates and scripts.

5) Still Stuck – Exotic Problems

Group Policy replication problems.  If you have more than one Domain Controller, you may have created the policy on Server B, but either the Policy definition or the actual script have not replicated to Server A.  Murphy’s law dictates that your subnet is serviced by Server A. 

Solution: Try and force an active directory replication, or else Remote Desktop into Server B and see if the Logon Script runs.

I once encountered a problem caused by ‘Mr Organized’.  Mr Organized did not like the strange hex numbers {6AC1786C-016F-11D2-945F-00C04fB984F9} which label the group policy folders, so he renamed the hex numbers: Group Policy 1, 2, and 3.  Wrong.  You must not rename the group policies, just accept those strange folder names.

6) Coming Full Circle

Although I have been rude about using the Profile Tab on the User’s property sheet, this method does have a place in troubleshooting.  If this works and the Assign via Group Policy method fails, then a) That is progress  b) Re-examine how and where the Group Policies are being applied.

7) Ask for more help

‘Googleit’.  Be imaginative and think of different phrases to put in your favourite search engine.  Oscillate between narrowing your search by starting at Microsoft site, or and widening your search by starting at Google, Yahoo or MSN.

Another way for asking for help is to leave messages in suitable forums, for example:

Summary of Troubleshooting Logon Scripts

When troubleshooting logon scripts, begin by breaking-down the script into modules.  Get each module working then assemble them into a logon script.  When troubleshooting assigning logon scripts via group policy, start by checking that your policy is applied to the OU with the test users.

If you like this page then please share it with your friends


See more logon scripts examples

Logon Script Home   •EnumNetworkDrives   • Map Network Drive Group   • Free Import CSV Tool

Map Network Drive Script   • Vbscript Map Network Drive Username   • Map Multiple Network Drives

ObjNetwork.MapNetworkDrive   • Disconnect Network Drives   • Logon script group policy