A logon script is a script that runs automatically each time a user logs on to the network. This script can contain various commands or programs that process on the local station, such as mapping printers or updating the local system time. In this chapter, you will learn how to create logon scripts to easily standardize and update your environment automatically.
Tip: Although this chapter discusses tasks specifically geared toward logon scripts, you can use any of the scripts within this book in a logon script.
The difference between a regular script and a logon script is that a logon script performs its functions when the user logs on. Logon scripts are not limited in functionality, but actually contain the same functionality as any other script. Although logon scripts can perform many different tasks, several tasks are commonly performed in logon scripts:
Synchronize the local time
Manage network printers and drives
Update drivers or settings
Access or modify the registry
Perform hardware or software inventory
Set or modify environment variables
Update antivirus files
Time synchronization is essential when planning to perform enterprise-wide tasks simultaneously, such as remote updates. Windows 2000/XP/2003 uses a service called time synchronization to update the local system time with that of a network time source. A time source is any object providing the time to another object.
Time synchronization is performed in a hierarchical format (see Figure 13.1). At the top of the hierarchy is the top-level time source that contains the accurate, universal time, such as an atomic clock. Primary time sources, usually a domain controller, synchronize their local time with the top-level time source. Below the primary time sources are secondary time sources and clients. Secondary time sources are basically backup primary time sources that obtain their time from a primary time source. Secondary time sources are typically resource domain controllers that obtain their time from the master domain. Underneath the time sources are the clients that synchronize their local time with a secondary or primary time source.
Environment variables are basically keyword shortcuts that the system and users use to easily access files, directories, and values. You can use these variables in your logon scripts to easily identify the operating system, computer name, domain name, and more. Generally there are two types of environment variables: user and system. User environment variables are set per user, whereas system environment variables are set at the system level and affect all users who log on to the system. These variables are called static variables and are actually stored as registry entries: HKEY_CURRENT_USER\Environment for user variables and HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment for system variables. Dynamic variables, created by the SET command, are stored in memory and are applicable for the current command prompt session. Table 13.1 is a list of common environment variables.
Variable Name | Description |
---|---|
ComputerName | Specifies the name of the local system |
HomeDrive | Specifies the drive letter to map the user's home directory |
HomePath | Specifies the local path to the user's home directory |
HomeShare | Specifies the share path to the user's home directory |
OS | Specifies the operating system |
UserDomain | Specifies the name of the domain the user is currently logged on to |
UserName | Specifies the user ID of the currently logged on user |
WinDir | Specifies the directory where the operating system is installed |
Tip: To see the current environment variables from the command prompt, enter SET.
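The following logon script is an added example (not from the book) that ties the time synchronization and environment variable sections together: it checks the OS, synchronizes the clock with a primary time source, maps the home directory, and writes an inventory line built from the Table 13.1 variables. TIMESRV, FILESRV and the share names are assumed placeholders.

```batch
@echo off
rem Added example, not from the book: a logon script that uses the
rem environment variables in Table 13.1 to synchronize time, map the
rem user's home drive, and append an inventory line to a central share.
rem TIMESRV, FILESRV and the share names below are assumed placeholders.
setlocal

rem Only run on Windows 2000/XP/2003 stations; %OS% is "Windows_NT" there.
if /i not "%OS%"=="Windows_NT" goto :eof

rem Synchronize the local clock with the primary time source
rem (/set applies the server's time, /yes suppresses the confirmation).
net time \\TIMESRV /set /yes

rem Map the home directory if the account has a network home directory;
rem %HOMESHARE% is empty when the home directory is a local path.
if not "%HOMESHARE%"=="" net use %HOMEDRIVE% %HOMESHARE% /persistent:no

rem Dynamic variables set here live only for this command session.
set LOGSHARE=\\FILESRV\inventory$
set LOGFILE=%LOGSHARE%\%COMPUTERNAME%.txt

rem Record who logged on where, and when, for a simple software/hardware
rem inventory that can be collected from the share later.
echo %DATE% %TIME% %USERDOMAIN%\%USERNAME% %OS% %WINDIR%>>"%LOGFILE%"

endlocal
```

Because the inventory share is written to by every user, grant it write-only (append) rights for domain users so one station cannot read or alter another station's record.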
Although most antivirus products include auto-updating features, updating antivirus files through a logon script provides a backup mechanism to ensure your clients are always up to date. Norton Antivirus is an advanced antivirus utility from Symantec (http://www.symantec.com), designed for both home and corporate use. This utility's antivirus signature files can be easily updated with an executable called Intelligent Updater. This executable supports the following command-line switches:
/EXTRACT location - Extracts files from the executable to the location specified
/Q - Undocumented switch, specifies to install the update silently
/TEMP= path - Specifies the temporary directory to use
McAfee VirusScan is a popular antivirus utility from NAI (http://www.nai.com), for both home and corporate use. NAI releases updates to their antivirus engine and signature files (.DAT extension) in a self-extracting executable (for example, sdat9999.exe) called SuperDAT. They also release a version of the SuperDAT without the engine update (for example, 9999xdat.exe) to reduce the size of the update file and to simply supply the updated signature files. These files provide an easy way to update antivirus software because they first stop running antivirus services, update the antivirus files, and then restart the antivirus services.
The two executables just described support the following command line switches:
/E location - Extracts files from the executable to the specified location
/F - Forces an updating of existing files
/LOGFILE textfile - Logs the status to a text file
/PROMPT - Displays a prompt dialog before reboot
/REBOOT - Reboots if necessary
/SILENT - Runs the executable in silent mode, with no prompting
/V - Displays information about the executable
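As an added example (not from the book or NAI), this logon script fragment applies a SuperDAT from a share using the switches listed above, but only once per station, so users are not delayed by a repeated update at every logon. \\FILESRV\av$, the file names and the 9999 build number are assumed placeholders, and the script assumes the updater returns a zero exit code on success.

```batch
@echo off
rem Added example, not from the book or NAI: run a SuperDAT update from a
rem logon script only when this station has not already applied it.
rem \\FILESRV\av$ and the file names are assumed placeholders; 9999 stands
rem in for whatever build is currently published on the share.
setlocal
set AVSHARE=\\FILESRV\av$
set SDAT=%AVSHARE%\sdat9999.exe
set STAMP=%WINDIR%\sdat9999.done
set LOG=%AVSHARE%\logs\%COMPUTERNAME%.txt

rem Skip if this build was already applied here, or the file is missing.
if exist "%STAMP%" goto :eof
if not exist "%SDAT%" goto :eof

rem /SILENT suppresses prompts, /F forces replacement of existing files,
rem /LOGFILE records the outcome centrally. /REBOOT is deliberately left
rem out so a logon never restarts the station under the user.
"%SDAT%" /SILENT /F /LOGFILE "%LOG%"

rem Leave a marker (assumes exit code 0 means success) so the next logon
rem does not re-run the same build; a new build gets a new stamp name.
if not errorlevel 1 echo %DATE% %TIME%>"%STAMP%"
endlocal
```

Keep the av$ share read-only for users and writable only for the logs folder, since a writable updater share would let any logged-on user replace the executable every station runs at logon.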
The logon sequence is initiated on a Windows 2000/2003 machine when the user enters the secure command sequence (SCS), better known as Ctrl+Alt+Del. After the user enters the username and password, the Kerberos client encrypts the password through a one-way function (OWF) using the DES-CBC-MD5 algorithm (Data Encryption Standard Cipher Block Channel Message Digest 5). The client then converts the password to an encryption key.
The Kerberos client then sends the encryption key, username, a time stamp, and the authentication request to the Key Distribution Center (KDC), which is a service running on the authenticating server. The user name is then checked for a valid name stored in the Active Directory database, the password is verified, and the time stamp is checked to ensure the request is not old or falsified.
Once the user account has been validated, the KDC then sends back a Kerberos authentication response. This response is called a ticket granting number (TGT) and includes an encrypted copy of the KDC's encryption key. The client finally stores this ticket into memory and is allowed into the domain.
Replication helps to easily distribute logon scripts to all your servers based on a regular schedule. The purpose of replication is to synchronize the contents of one file location with the contents of another. Replication is a service that performs one-way transfers, ensuring that all child locations are synchronized with the parent location. This synchronization includes file additions, modifications, and deletions.
Note: The master replication server replicates files to itself, from the export to the import directory.
Windows 2000 uses the file replication service (FRS) to perform file replication. FRS is a replication service that is used to replicate system policies and logon scripts to the System Volume directory (SYSVOL). FRS can be used to replicate files in addition to policies and logon scripts. The FRS synchronizes immediately within sites and synchronizes on a schedule between sites. File replication service is a robust replication service that works well for all types of data files.