Active Directory : Tech-Pages
Running a Logon Script Using Group Policy Objects

By: Mark N. Goedert ACCC / LAN Group (MGoedert@uic.edu)

This page outlines basic information on how you can run a script on all of your workstations from a Group Policy Object.

Prerequisites

You must have a basic understanding of local system policies on a Windows XP workstation. You also need working knowledge of the Active Directory Users and Computers MMC and the Group Policy Management Console, and you must know how to set up a file share and assign user rights to see and execute files on the share. Knowledge of scripting is needed. VB script is used in this specific example; you can substitute your script language of choice.

The following procedure must be performed from a machine inside the UIC-AD with the AD Users and GPO management tools installed.

The user must also have rights (i.e. "Full Delegation") to the OU in which the department resides to create and manage GPOs. This is considered full administrative access to the OU, which was set up by the ACCC when the OU was requested. Users running the GPOs do not need special rights beyond what they already have.

Procedure

1 - Create your script

The first step is creating the script you would like your users to run when they log on to a workstation. This script can be written in a scripting language like VB script.

For example we created a script to delete the H: drive that is furnished by the ACCC. We will delete the ACCC supplied H: drive and replace it with our own H: drive.

File Name: replacehdrive.vbs

'/ File to remove ACCC H: drive.
'/ Replace H: with our own mapping.

'/ Keep going if H: is not currently mapped (RemoveNetworkDrive raises an error in that case).
On Error Resume Next

'/ Delete a Network Drive (second argument True forces removal even if the drive is in use)

Set WshNetwork = WScript.CreateObject("WScript.Network")
WshNetwork.RemoveNetworkDrive "H:", True

'/ Map a Network Drive (reuses the WshNetwork object created above)

WshNetwork.MapNetworkDrive "H:", "\\<server name>\<fileshare>"

You can cut and paste the lines above into a text file named replacehdrive.vbs on your desktop. Test the file by running it on your machine locally. It will delete your H: drive mapping and replace it with your own network drive location. There is one exception to this script working. If a user manually maps a drive using Tools | Map Network Drive this script will not remove the mapping. The API used will only remove a mapping made by a login script or the default H: setting in the user account.

2 - Create File Share to Launch Script

Once the script is created you need to make sure your users can see and execute the script. You can accomplish this by creating a file share on one of your servers and assigning the rights to read/execute the script. Make sure that both the share permissions and the file system permissions are set correctly. You can assign permissions to the "Authenticated Users" group for everyone to see, or you can assign a group access to the scripts. I recommend using groups to assign rights for tighter security. You can also hide the share where you will store your departmental scripts by putting a "$" sign at the end of the share name (/script$).

Test the file share by browsing to it with a regular user account and running the script from that location by double clicking it. The script should run without a problem. If it does not work, you have a permissions problem. Resolve the permissions problem before moving to step 2.
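
Because the GPO runs this script for every user who logs on, the account test above should be paired with a check that ordinary users cannot change the script. The following PowerShell is an added example, not part of the original page or an ACCC tool: it lists any non-administrative account that has write-type NTFS rights on the script file or its folder. The $ScriptPath value and the default $TrustedPrincipals list are assumptions; adjust them to your own share and admin groups.

```powershell
# Added example: audit NTFS write access on a logon script deployed by GPO.
# $ScriptPath and $TrustedPrincipals are assumptions supplied by the caller.
param(
    [Parameter(Mandatory)][string]$ScriptPath,   # e.g. \\servername\sharename\scriptname
    [string[]]$TrustedPrincipals = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
)

# Rights that allow changing the script's content, replacing it, or re-permissioning it.
# (Modify/FullControl are not used as masks because they also contain the read bits.)
$writeMask   = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$genericMask = 0x50000000   # GENERIC_WRITE | GENERIC_ALL, sometimes stored raw in ACEs
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

# Check the script and its parent folder: write access to the folder
# lets a user delete the script and drop a replacement with the same name.
$targets = @($ScriptPath, (Split-Path -Path $ScriptPath -Parent))

$findings = foreach ($target in $targets) {
    foreach ($ace in (Get-Acl -LiteralPath $target).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.PropagationFlags -band $inheritOnly) { continue }   # does not apply to this object
        if ($TrustedPrincipals -contains $ace.IdentityReference.Value) { continue }

        $rights = [int]$ace.FileSystemRights
        if (($rights -band [int]$writeMask) -or ($rights -band $genericMask)) {
            [pscustomobject]@{
                Path      = $target
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
    Write-Warning 'Non-administrative principals can modify the logon script or its folder.'
    exit 1
}
Write-Output 'Only trusted principals have write access to the logon script and its folder.'
```

This covers the file system permissions only. The share permissions are a separate list and have to be reviewed on the file server itself, for example in the share's properties or with Get-SmbShareAccess on Windows Server 2012 and later.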

3a - Request your GPO in AD Users and Computers

Due to Microsoft security, a Domain Admin must create a GPO in the UIC-AD domain. You can request a new GPO by sending email to LAN@uic.edu.

We ask that you follow the naming standard:

<DEPT_ABBR> GPO_Name

By placing the department abbreviation at the front of your GPO name, you can find all of your GPOs much more easily when searching or looking at an alphabetical list.

3b - Link your GPO in AD Users and Computers

Now that your script, file share, and GPO are created, open the Active Directory Users and Computers MMC.

Navigate to your department OU and "right click" on the OU where you would like to link the GPO and select "properties" from the pop-up menu.

Click on the "Group Policy" tab and launch the Group Policy Management Console (GPMC). Optionally you can use GPEdit from the command line.

In the GPMC you can navigate through your GPOs in the left navigation screen. Find and select your GPO by right clicking on the GPO name and selecting "edit".

4 - Group Policy Settings

On the right pane of the GPMC you will see your newly created policy. "Right Click" the policy and select "Edit" to modify policy settings.

Under Computer Configuration | System | Logon double click "Run these programs at user logon" to access the properties.

Click "Enabled" to allow the script to run at logon.

Click the "Show" button to add the full network path to your script location. You will see the dialog below after you "add" your script path and click "ok". Clicking the "Add" button will prompt you for the full network path to your script including the script name, use the format; \\servername\sharename\scriptname when entering your full network path.

You may want to consider adding a few other settings to ensure that your scripts run. The following settings will increase your login time; the trade-off is that your scripts will run more reliably.

Under Computer Configuration | Administrative Templates | System | Scripts you can elect to have your logon scripts wait until previous scripts complete before running. That is, your scripts will run one at a time.

Set the "Run logon scripts synchronously" entry to "Enabled" which will force your scripts to run one after another.


You can also instruct the computer logon process to wait for the network to become available before running the scripts. This will most likely increase your login times. You will need to experiment with this setting, depending upon your network speed and quality.

Set "Always wait for the network at computer startup and logon" to "Enabled" which forces the logon process to wait for network availability before running your script.

Below is an overview of the setting for the test GPO I created to run a script on logon.

During my testing I had to reboot the computer once before the GPO took effect, other than that no additional configuration will be needed to run scripts on logon. As long as the user has appropriate rights to read and execute the script on the file share you should have no problems with running the script.

Mark N. Goedert
LAN Manager - ACCC

Last Updated 05/18/2006

 

Copyright © 2007 The Board of Trustees of the University of Illinois