How to pull the complete list of Logon Script (or Script Path) present in your Active Directory

active-directory

I am trying to pull a complete list of Logon Script (Script path) available in Active Directory as a part of my project. I was able to pull a list of Script paths that are currently in use, by pulling "All AD users" report with an additional attribute named "Script path" using AD Manager Plus. However, I want a complete list of Logon Scripts where I can check both used and obsolete ones. Any help would be appreciated.

Best Answer

It's highly likely that all those logon script paths are pointing to the Netlogon share. So you can go there and search for other script files that have not been identified so far.

HOWEVER, please be aware that logon scripts are only one type of script that may be in use in GPOs. If you want to review potentially obsolete scripts, you should create reports for ALL the GPOs and review each one for linked scripts.

For scripts that are not used in any GPO, but are present in NETLOGON, you should still be very cautious about removing them. They may be used by some process or individuals outside Group Policy. Many environments use Netlogon to store random scripts for all kinds of purposes, because they are replicated to all DCs.

So to be very sure any non-GPO scripts are not in use, you would want to enable the Track Object Access policy on the domain controllers, and create a file system audit policy on each script to track "Traverse Folder/Execute File" by Everyone. Then monitor for a long interval - months, not days - and create a usage report.

Then, if you find any that are apparently not used, you should go through the appropriate change control process to ensure potentially-affected parties in the organisation are notified of the pending deletions, and that you have the appropriate sign-off to proceed.

The files should initially be archived so they can be easily restored at short notice (leaving them in situ, renamed to e.g. "script.vbs.bak" will do). Then after a reasonable interval with no reported issues (for me, at least a month), they can be backed up (to a separate file server, to tape, etc) and then deleted.

For any scripts that are not linked to a GPO, but which you find are in use, there should be a suitable place where their purpose is documented: preferably in a comment in the script itself and also, where applicable, in formal documentation, such as the Active Directory design/as-built document. At the very least, the "responsible party" for the script should be identified in the script comments.

Sorry for the very long response, but these are all things that should be considered carefully if you're not certain of potential impacts to any system or process by deleting an "unused" script.
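The inventory and audit steps the answer describes can be scripted. The following is an added PowerShell example, not code from the question or the answer, and it makes a few assumptions: the RSAT ActiveDirectory and GroupPolicy modules are installed, the account can read the domain and the NETLOGON share, the share path `\\corp.example.com\NETLOGON` and the extension list are placeholders to replace with your own, and "referenced by a GPO" is decided by matching the file name against the Command of each script in the GPO XML report, which is a heuristic you should review by hand rather than trust blindly.

```powershell
# Added example (not from the original question or answer).
# Assumes RSAT ActiveDirectory + GroupPolicy modules and read access to NETLOGON.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$Netlogon = '\\corp.example.com\NETLOGON'   # assumed path; use your own domain

# 1. Scripts referenced by the user attribute (scriptPath). Values are normally
#    stored relative to NETLOGON, e.g. 'logon.bat' or 'sales\logon.vbs'.
$AttrRefs = Get-ADUser -Filter 'scriptPath -like "*"' -Properties scriptPath |
    Group-Object -Property scriptPath |
    ForEach-Object {
        [pscustomobject]@{ Script = $_.Name.ToLowerInvariant(); Users = $_.Count }
    }

# 2. Scripts referenced by any GPO (logon/logoff/startup/shutdown). The XML
#    report uses namespaced elements, so match on local-name() instead.
$GpoRefs = foreach ($gpo in Get-GPO -All) {
    [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
    foreach ($s in $report.SelectNodes("//*[local-name()='Script']")) {
        $cmd  = $s.SelectSingleNode("*[local-name()='Command']").InnerText
        $type = $s.SelectSingleNode("*[local-name()='Type']").InnerText
        [pscustomobject]@{ GPO = $gpo.DisplayName; Type = $type; Command = $cmd }
    }
}

# 3. Every script-like file actually present in NETLOGON (extension list is assumed).
$Ext = '.bat', '.cmd', '.vbs', '.ps1', '.js', '.kix'
$Files = Get-ChildItem -Path $Netlogon -Recurse -File |
    Where-Object { $Ext -contains $_.Extension.ToLowerInvariant() }

# 4. Classify each file: how many users point at it via scriptPath, and how
#    many GPO script entries mention its file name.
$Inventory = foreach ($f in $Files) {
    $rel = $f.FullName.Substring($Netlogon.Length).TrimStart('\').ToLowerInvariant()
    [pscustomobject]@{
        File   = $rel
        InAttr = [int](($AttrRefs | Where-Object Script -eq $rel | Measure-Object -Sum Users).Sum)
        InGPO  = @($GpoRefs | Where-Object { $_.Command -match [regex]::Escape($f.Name) }).Count
    }
}
$Inventory | Sort-Object InAttr, InGPO | Format-Table -AutoSize

# 5. For files nothing references, add a SACL so the File System audit
#    subcategory records every execution by anyone (event 4663 on the DC that
#    served the file). The subcategory must be enabled on the DCs first, e.g.
#    auditpol /set /subcategory:"File System" /success:enable
$Rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', 'ExecuteFile', 'Success')
foreach ($item in $Inventory | Where-Object { $_.InAttr -eq 0 -and $_.InGPO -eq 0 }) {
    $path = Join-Path -Path $Netlogon -ChildPath $item.File
    $acl = Get-Acl -Path $path -Audit
    $acl.AddAuditRule($Rule)
    Set-Acl -Path $path -AclObject $acl
}
```

Two caveats when reading the output. A scriptPath value can also be a full UNC path pointing somewhere other than NETLOGON, so a file that shows zero in both columns may still be referenced from an unexpected location; and because each DC logs its own object-access events, the usage report in the answer's long monitoring interval has to be collected from every domain controller, not just one.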