There are two ways to assign Logon scripts. The first is done on the Profile tab of
the user properties dialog in the Active Directory Users and Computers (ADUC).
The second is done via Group Policy Objects (GPO). Here we are using the second method.
When using GPOs you can assign MORE than one logon script per user, and you can
configure which script runs first. You can also assign LOGOFF scripts for users,
and even STARTUP and SHUTDOWN scripts for the computer itself.
Create the logon script and give it the appropriate name (for example: logon.bat,
logon.cmd, logon.vbs, etc.). The script can use ANY name; just make sure
you know what that name is, and give it the right file extension.
Make sure that the script runs and performs the required action when it is
manually run (double-click on it).
Open Group Policy Management Console
from the Administrative Tools folder (or gpmc.msc from RUN).
Expand the domain tree, locate the domain name.
Right-click the domain name and select Create and Link a GPO Here. Or, to apply
the script to ONLY a SPECIFIC SET of users, expand the domain tree and locate the
OU where the users are located. Right-click the OU and select Create and
Link a GPO Here.
Note: Of course it might be possible that a GPO already exists
and it is linked to the object level you need. In that case you don't need to
create a new GPO, you can use the existing one.
In the New GPO window, give the new GPO a descriptive name, such as
"Test Logon Script GPO". Click Ok.
If you don't see it already, refresh the GPMC view and find the new GPO
you've just created under either the domain name, or the OU, depending on
your previous choice.
When you click on the new GPO you might be prompted with a message window.
Click Ok.
Right-click the new GPO and select Edit.
In the Group Policy Object Editor window, expand User Configuration >
Windows Settings > Scripts.
Double-click Logon in the right-hand pane.
In the Logon Properties window, click Show Files.
A window will open. The path will be a folder similar to the following:
\\domain.com\SYSVOL\ITbrainz.local\Policies\{E4A62379-8423-4654-8DB6-01FB8F58582D}\User\Scripts\Logon.
Paste the logon script you've copied in the previous part of this article.
Close the window.
Back in the Logon Properties window, click Add.
In the Add a Script window, click Browse and you will see the
logon script from step #11. Whatever you do, DO NOT manually browse for the
file; it should be in front of your eyes. If it's not there, check the
previous steps for a mistake. Click Ok.
Back in the Logon Properties window, see if the logon script is listed,
and if it is, click Ok.
Close the Group Policy Object Editor window.
Close the GPMC window.
Replicate the DCs
Now we need to replicate the DCs in
the domain by using either Active Directory Sites and Services, Replmon,
Repadmin, or wait a few moments (depending on the number of DCs). As a simple
follow up to this article, I suggest you use Active Directory Sites and
Services.
Testing the logon script
On one of the computers that is part of the domain,
log off the specific user account.
Log on and test.
If the logon script doesn't work for
you, go back to the basics and see if it works at all by double-clicking on it.
See if it's placed in the right path, and see if it has replicated to the other
DCs. Also check permissions by trying to manually run the script from the right
path but while logged on as the user, and not as an administrator. If it still
doesn't work, use GPMC's Group Policy Results feature to determine if the GPO
has indeed been applied to the user.
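The replication and permission checks above can be scripted. The following PowerShell is an added example, not part of the original article: it assumes the RSAT ActiveDirectory and GroupPolicy modules, the GPO name "Test Logon Script GPO" and the script name logon.bat used as examples earlier. It compares the script's hash on every DC's SYSVOL share and lists which accounts are allowed to write to it.

```powershell
# Added example: confirm the logon script has replicated to every DC unchanged,
# and show who can modify it. Run as a domain admin from a domain-joined machine.
Import-Module ActiveDirectory, GroupPolicy

$GpoName    = 'Test Logon Script GPO'   # example GPO name from this article
$ScriptName = 'logon.bat'               # example script name from this article

$domain  = (Get-ADDomain).DNSRoot
$gpo     = Get-GPO -Name $GpoName -ErrorAction Stop
$relPath = "SYSVOL\$domain\Policies\{$($gpo.Id)}\User\Scripts\Logon\$ScriptName"
$write   = [int][System.Security.AccessControl.FileSystemRights]::WriteData

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    $path = "\\$($dc.HostName)\$relPath"
    if (Test-Path -LiteralPath $path) {
        # Accounts with an Allow entry that includes the right to write file data
        $writers = (Get-Acl -LiteralPath $path).Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and
                           (([int]$_.FileSystemRights -band $write) -ne 0) } |
            ForEach-Object { $_.IdentityReference.Value }
        [pscustomobject]@{
            DC          = $dc.HostName
            Present     = $true
            SHA256      = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            WriteAccess = $writers -join '; '
        }
    } else {
        [pscustomobject]@{ DC = $dc.HostName; Present = $false; SHA256 = $null; WriteAccess = $null }
    }
}

$results | Format-Table -AutoSize

# Every DC should hold the file, and all copies should have the same hash.
$missing = @($results | Where-Object { -not $_.Present })
$hashes  = @($results | Where-Object { $_.Present } |
             Select-Object -ExpandProperty SHA256 -Unique)
if ($missing.Count -gt 0 -or $hashes.Count -gt 1) {
    Write-Warning 'Script is missing or differs on at least one DC: replication is incomplete or a copy was changed.'
}
```

Because the script runs in the context of every user the GPO applies to, the WriteAccess column should list only administrative accounts.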