Windows – Store GPO Scripts in Netlogon or Policy Folder

active-directorygroup-policynetlogonwindows

Is it best practice to store logon scripts centrally in \\DOMAIN\Netlogon or in the policy folder they get put in by default, eg. \\DOMAIN\SysVol\DOMAIN\Policies\{DE22B6FB-315E-4C55-BF06-A7709913CD9E}\User\Scripts\Logon?

What are the implications (if any) of choosing one location over the other?

I'm inclined to just keep them all in Netlogon for ease of access /review…

Best Answer

The default location for user logon scripts is the NETLOGON share, which, by default, is replicated on all DC in your forest, and is physically located in:

%SystemRoot%\SYSVOL\sysvol\<domain DNS name>\scripts.

%SystemRoot%\SYSVOL_DFSR\sysvol\<domain DNS name>\scripts (for DFS-Based FRS since this is recommended from Server 2012R2+)

If you set a user logon script (ADUC > User > Properties > Logon > Logon-Script > hello.cmd), it is executed from NETLOGON.

"Official" best practice is:

store them along with the GPO, if you set it through GPO.
store them in NETLOGON, if you set it as a user property in AD.

Related Solutions

Windows – NETLOGON scripts not being executed

The first way you tried, specifying the script name with "%username%" in it probably won't fly. I'm fairly certain that environment variable expansion inside the "Scripts" Group Policy Client Side Extension (CSE) won't work. I don't have any documentation that says one way or the other, but I'd find it highly dubious.

The second way you're trying, calling a "logon.bat" from the CSE and, in that script, calling "%username%.bat" should work, provided you can get the path to "%username%.bat" right. I'd call it like so:

call %0\..\%username%.bat

That ought to get the "%username%.bat" file located in the same directory as the "logon.bat" script to execute.

Finally, be sure that your users don't have "Administrator" rights if you're running Windows Vista or Windows 7 on your client computers. If you are, and they do, then drives that are "mapped" during the logon script won't be visible in Explorer by default. (You can get some background on that here: Networkmapping script (VBS) Vista doesn't work, XP does)

Windows – Getting Windows 7 to run Scripts from Other Shares then NETLOGON

If you are using a startup script, you need to give the Domain Computers group permission in the share and NTFS permissions. Startup scripts run in the context of the SYSTEM account. Your tests that you've run manually will run in the context of whatever the logged on user is.

You can test this manually by running psexec -s cmd which will launch an interactive command prompt as the SYSTEM user.

Best Answer

Related Solutions

Windows – NETLOGON scripts not being executed

Windows – Getting Windows 7 to run Scripts from Other Shares then NETLOGON

Related Topic