Assigning Scripts with Group Policy

Scripts, in one form or another, have existed for years on just about all computer platforms from mainframes down to the PC. There has always been a common need to automatically configure a user session without user or administrator intervention.

Group Policy can be used to assign scripts to run when the user logs on or off or when the computer is started or shut down. Script settings are provided in both the User and the Computer sections of the GPO.

Benefits of GPO Scripts

A script can allow you either to standardize the setup of various users or computers or to supply a custom setup for certain users. It just depends on which script is assigned. Typically, a script will be written in whatever command language is available on the platform.

Using Group Policy scripts allows the system administrator to centralize control over the application and data locations that aren't already defined by Folder Redirection. By defining drive mappings via a script instead of letting the user attempt to do it, the administrator is assured that all users will be working with an identical configuration. Because Group Policy scripts can be applied to a large number of users, the administrator can easily make changes to the configuration by just changing a script instead of having to visit each individual desktop.

Scripts can also be used for various system maintenance activities. The administrator can add routines to delete the files in temporary directories, run disk utilities in the background, and various other activities.

Group Policy scripts can be assigned to a user, a computer, a group of users, or all the users in an Organization Unit (OU), site, or domain. There can be different scripts for different departments or locations. If you are using some of the more featured batch languages for your scripts, you can have the script perform a different set of tasks, depending on what group or OU the user or computer may be assigned to.

How Group Policy Scripts Work

In Windows Server 2003, Group Policy scripts are stored in the Group Policy template stored with the GPO. This way, the script is automatically replicated among all the domain controllers. This is a big improvement from the previous versions of Windows NT, where the system administrator placed the scripts in the logon share and then had to manually configure the replication pattern for the network. This method was error prone, and the replication mechanism was infamous for replication failures, without presenting any errors.

After the script is stored in the GPO, the system administrator assigns the script to one or more users or computers. This can be accomplished by applying the script via a Group Policy. When the user logs on to the domain or the computer is started, the script will run and perform whatever tasks the system administrator has coded in it.

Note: Logon Scripts

Although assigning a logon script to a user profile is still supported in Windows Server 2003, it can be quite tedious to assign scripts to a large number of users. In addition, it can be a nightmare to manage if the logon script names change frequently. The best solution is to assign logon scripts via Group Policy. This allows all changes to be performed in one place, and when assigning scripts using a Group Policy, you have the option of also assigning a logoff script. Unfortunately, Group Policies can be used only with Windows 2000 or later clients.

In Step by Step 10.1 we're going to create a new GPO and use it to assign a logon script to an OU that we created in the exercises in Chapter 2.

To perform this exercise, you will need to do the following:

• Create a share on your server and name it Payroll. Accept the default permissions.

• Create a logon script and name it logon.bat. The contents of the script will be net use P: \\yourservername\Payroll.

Step by Step 10.1 Assigning a logon script using Group Policy 1. Open the Group Policy Management Console. Right-click the Kansas City\Users OU and select Create and Link a GPO Here from the pop-up menu, as shown in Figure 10.1. Figure 10.1. The GPMC allows you to configure most GPO settings. Select the option to Create and Link a GPO. 2. When the New GPO prompt appears, enter the name User Logon Script, and click OK. 3. The new GPO will appear in the Group Policy Objects container, as a linked object under the OU folder, as shown in Figure 10.2. Figure 10.2. Right-click the GPO to edit. 4. Right-click the new GPO and select Edit from the pop-up menu. The Group Policy Editor MMC appears. 5. Click the User Configuration icon, and then click the Windows settings folder. 6. Click the Scripts (Logon/Logoff) icon. 7. In the right pane of the console window, double click the Logon icon. 8. The Logon Properties window opens, as shown in Figure 10.3. Figure 10.3. The Logon Properties dialog box. This is where you add files to the GPT. 9. Click the Show Files button. This opens the GPT folder. Drag and drop the logon.bat file to this folder; then close it and return to the Logon Properties dialog box. 10. On Logon Properties, click Add; the Add a Script window appears, as shown in Figure 10.4. Figure 10.4. The Add a Script dialog box. You can enter the script here and any required command-line parameters. 11. In the Add a Script window, you can either type in the name of the logon script, or you can click Browse to locate it. Type in logon.bat. Click OK. 12. Click OK again to close the Properties window. 13. On your test server or workstation, log on using one of the user accounts in the Kansas City\Users OU. 14. Open a command window and run the gpupdate command. Close the command window. 15. Verify that the Payroll folder was successfully mapped to drive P.

Startup and Shutdown scripts are assigned to a computer, in contrast to the logon and logoff scripts, which are assigned to users. The startup and shutdown scripts are useful for making customizations to the computer that are not user specific.

A good example of where a Group Policy Shutdown script would be useful is on a mail or a database server where background services must be stopped before the system can shut down.

The procedure to assign Group Policy Startup and Shutdown scripts is similar to the steps covered in the Step by Step. They are assigned via the Group Policy console, under the Computer Configuration section.