Logon, Logoff, Startup, and Shutdown Scripts


Users have always been able to get logon scripts. NT 4 used User Manager For Domains to assign logon scripts, and Windows 2000 and 2003 domains may use Active Directory Users And Computers to assign logon scripts. However, you can step up to the next level using Group Policy and get more than just logon scripts:

  • Users can get logon and logoff scripts.

  • Computers can get startup and/or shutdown scripts.

And, the best part is, you're not limited to old DOS-style batch files. Scripts deployed via Group Policy can use DOS-style .bat or .cmd scripts, VBScript (.vbs files), or JavaScript (.js files).

Although logon and startup scripts might be useful to map to network drives and automatically fire up Excel, the scripts can be equally useful when logging off or shutting down. Imagine automatically scripting the cleanup of the Temp folder or the ability to kick off a full-drive sweep of your virus scanner.

To use scripts with Group Policy, users must be in the site, domain, or OU linked to a GPO that contains a logon or logoff script. As the name of the script implies, users execute the script only at logon or logoff. Computers must also be in the site, domain, or OU linked to a GPO that contains a startup or shutdown script, which they run only at startup or shutdown.

Warning 

User and computer scripts delivered via Group Policy do not run "visible" to the user, which prevents users from canceling the script. To that end, scripts run silently in the background unless there is a problem. At that point, you have to wait until the script times out (5 minutes by default). I'll show you a bit later how to expose the scripts to run visible.

In these examples, I'll use basic DOS-style .bat commands to explain the concept. Here is an example of a script that displays "Hello World" and then pauses for a key press, before removing the files from the %temp% folder. In Notepad, create the following file:

    Echo "Hello World."
    Pause
    Del /Q /S %temp%
    Pause

Warning 

Only your Windows XP, Windows 2000, and Windows 2003 clients receive scripts from GPOs. If you have downlevel clients (such as Windows NT), they can run only old-style logon scripts. The old-style logon script is located as a "Logon Script" field in the user's Profile tab inside "Active Directory Users And Computers."

Startup and Shutdown Scripts

The Startup and Shutdown script settings are found under the Computer node in the Windows Settings > Scripts branch. You can get your proposed script into the proper GPO in many ways; however, I think I have found the ideal way, as follows:

  1. Once you're in the Group Policy Object Editor, drill down to Computer Node > Startup Scripts and double-click it. The Startup Properties dialog box will appear.

  2. Click the Add button to open the Add a Script dialog box.

  3. In the Script Name field, you can enter a filename or click Browse to open the Browse dialog box, as shown in Figure 6.12.

  4. To create a new file, right-click in the Browse dialog box, and choose New > Text Document, for example.

  5. Enter a name for the file, for example, myscript.bat.

  6. When asked if you want to change the file extension, click Yes, right-click the file, and choose Edit from the shortcut menu to open Notepad.

  7. Type your script, and save the file.

  8. Select the new file as the proposed script.

Figure 6.12: You can create .bat or .vbs files on the fly with this little trick.

Again, the computer account must be in an OU with a linked GPO that contains a script. However, don't reboot yet. By default, you won't see the script run. And, since our script contains a Pause statement, your users will wait a really long time before the script times out. To allow the script to be visible (and enable you to press any key at the pause), enable a policy setting that also affects the machine. Traverse to Computer Settings > Administrative Templates > System > Scripts, and select either Run startup scripts visible or Run shutdown scripts visible, or select both options.

Last, it's important to understand the context in which Startup and Shutdown scripts run. Specifically, they run in the system context. If you want to connect to resources across the network, you'll need to ensure that those resources allow for computer access across the network (not just user access).

Logon and Logoff Scripts

The Logon and Logoff script settings are under the User node in the Windows Settings > Scripts tree. If you're implementing new logon scripts, I suggest you follow the steps in the previous section. Again, the user must be in an OU with a linked GPO with a script. However, don't log off and log back on yet. By default, you won't see the script run. To allow the script to be visible (and enable you to press any key at the pause), you need to enable a Group Policy. Traverse to User Settings > Administrative Templates > System > Scripts, and select either Run logon scripts visible or Run logoff scripts visible, or select both options.

Logon and logoff scripts run in the user's context. Remember that a user is just a mere mortal and might not be able to manipulate Registry keys that you might want to run in a logon or logoff script.

Note 

In the last edition, I made a mistake. I suggested that you couldn't have more than one logon script in a GPO for a user. That was just plain wrong. Sorry about that.
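
Added example (not from the book): an inventory of which scripts a GPO assigns and which account each one runs as, following the system-versus-user distinction described above. It relies on the scripts.ini file that Group Policy keeps inside each GPO (Machine\Scripts for startup/shutdown, User\Scripts for logon/logoff); the function name and the sample file contents are constructed for illustration.

```python
import re

# Account each script type runs as, per the text above.
CONTEXT = {"startup": "SYSTEM", "shutdown": "SYSTEM",
           "logon": "user", "logoff": "user"}
# Sections allowed in each scripts.ini (Machine\Scripts vs User\Scripts).
EXPECTED = {"machine": {"startup", "shutdown"}, "user": {"logon", "logoff"}}
ENTRY = re.compile(r"^(\d+)(CmdLine|Parameters)=(.*)$", re.IGNORECASE)

def parse_scripts_ini(raw: bytes, side: str):
    """Return (event, index, cmdline, parameters, context) rows, sorted by event then index."""
    # scripts.ini is normally UTF-16 with a BOM; fall back for plain-text copies.
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        text = raw.decode("utf-16")
    else:
        text = raw.decode("utf-8-sig")
    slots, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        m = ENTRY.match(line)
        if not m or section is None:
            continue
        if section not in EXPECTED[side]:
            raise ValueError(f"[{section}] does not belong in the {side} scripts.ini")
        slot = slots.setdefault((section, int(m.group(1))), {})
        slot[m.group(2).lower()] = m.group(3).strip()
    rows = []
    for (event, idx), slot in sorted(slots.items()):
        if "cmdline" in slot:  # a Parameters line alone is not a script
            rows.append((event, idx, slot["cmdline"],
                         slot.get("parameters", ""), CONTEXT[event]))
    return rows

# Constructed sample data, not taken from a real GPO.
SAMPLE_MACHINE = ("[Startup]\r\n0CmdLine=myscript.bat\r\n0Parameters=\r\n"
                  "[Shutdown]\r\n0CmdLine=cleanup.cmd\r\n0Parameters=/quiet\r\n"
                  ).encode("utf-16")
SAMPLE_USER = ("[Logon]\r\n0CmdLine=mapdrives.vbs\r\n0Parameters=\r\n"
               "1CmdLine=banner.bat\r\n1Parameters=\r\n").encode("utf-16")

if __name__ == "__main__":
    for side, raw in (("machine", SAMPLE_MACHINE), ("user", SAMPLE_USER)):
        for row in parse_scripts_ini(raw, side):
            print(side, *row)
```

Every row reported as SYSTEM is a file worth reviewing for who can edit it, since whatever it contains runs with the computer's privileges at startup or shutdown.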

Script Processing Defaults (and Changing Them)

One final note about scripts before we move on. Different scripting types run either synchronously or asynchronously. Here's the deal:

  • Logon Scripts Run Asynchronously by Default. By default, logon scripts run asynchronously. That is, all scripts at a level will basically fire off at the same time. There is no precedence order for scripts at the same level, and there is no knowing which script will finish before another. If you want to change this behavior to help "link" one script after another (and many times you'll want to), you have to tell the client computer to run the scripts synchronously. To do so, traverse to Computer Settings > Administrative Templates > System > Scripts, and enable Run logon scripts synchronously.

    Bizarrely, there is also a setting that does the exact same thing, located at User Settings > Administrative Templates > System > Scripts > Run logon scripts synchronously. Again, recall that if there's a conflict between these settings, the ones that affect the computer will "win."

  • Startup Scripts Run Synchronously by Default. By default, startup scripts run synchronously. That is, all scripts are processed from lowest to highest priority order. Then, each script is run consecutively until they're finished. This usually makes the most sense, so I tend to leave it as-is. However, if you want to change it, traverse to Computer Settings > Administrative Templates > System > Scripts, and enable Run startup scripts asynchronously.

  • Group Policy Scripts Time Out in Five Minutes. As stated, if a script just hangs there, you'll have to wait a whopping five minutes for it to time out. You can change this with the policy setting found at Computer Settings > Administrative Templates > System > Scripts called Maximum wait time for Group Policy scripts.

  • Old-School Logon Scripts Run "Visible". If you use Active Directory Users and Computers to assign a user a logon script, those scripts will be visible to the user. If you want to hide old-school logon scripts from users while they run, you can change this with the policy setting found at User Settings > Administrative Templates > System > Scripts > Run legacy logon scripts visible.



Group Policy, Profiles, and IntelliMirror for Windows 2003, Windows XP, and Windows 2000 (Mark Minasi Windows Administrator Library)
ISBN: 0782144470
EAN: 2147483647
Year: 2005
Pages: 110
