====== Modular Logon Script ======
Robb Dunn wrote this modular VBS logon script that solves most small business needs easily.
  * **Script**: http://community.spiceworks.com/scripts/show/299
  * **Official Howto**: http://community.spiceworks.com/how_to/show/1189
  * **Server 2008 GPO**: https://www.petri.com/setting-up-logon-script-through-gpo-windows-server-2008

:!: There is a **5 minute delay in logon script processing**. Starting with Windows Server 2012 R2, there is a GPO that configures this delay. http://www.itsupportkb.com/windows-2012r2/gpo-logon-script-not-running-windows-server-2012r2
:!: If you are trying to **map a drive letter that is already mapped** to something else, you will want to **disconnect that previous mapping** so the new mapping will occur.
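
One way to do the disconnect-then-map step in VBScript, as an added example that is not part of Robb's script. ''EnsureDrive'' is a hypothetical helper name, and the drive letter and share are taken from the sample global.conf on this page.

```vbscript
Option Explicit

' Added example, not part of Robb's logon.vbs.
' EnsureDrive is a hypothetical helper name.
Sub EnsureDrive(letter, unc)
    Dim net, drives, i, current
    Set net = CreateObject("WScript.Network")
    Set drives = net.EnumNetworkDrives   ' flat list: letter, UNC, letter, UNC, ...

    current = ""
    For i = 0 To drives.Count - 1 Step 2
        If StrComp(drives.Item(i), letter, vbTextCompare) = 0 Then
            current = drives.Item(i + 1)
        End If
    Next

    ' Nothing to do when the letter already points at the wanted share.
    If StrComp(current, unc, vbTextCompare) = 0 Then
        WScript.Echo letter & " already points to " & unc
        Exit Sub
    End If

    On Error Resume Next
    If current <> "" Then
        ' Force = True closes open handles; UpdateProfile = True also drops
        ' a persistent ("reconnect at logon") mapping from the user profile.
        net.RemoveNetworkDrive letter, True, True
        If Err.Number <> 0 Then
            WScript.Echo "Could not disconnect " & letter & ": " & Err.Description
            Err.Clear
            Exit Sub
        End If
        WScript.Echo "Disconnected " & letter & " from " & current
    End If

    net.MapNetworkDrive letter, unc, False   ' False = do not persist the mapping
    If Err.Number <> 0 Then
        WScript.Echo "Could not map " & letter & " to " & unc & ": " & Err.Description
        Err.Clear
    Else
        WScript.Echo "Mapped " & letter & " to " & unc
    End If
    On Error GoTo 0
End Sub

' Sample values from the sample global.conf on this page.
EnsureDrive "M:", "\\DC1\Company"
```

Run it with ''cscript //nologo'' so the ''WScript.Echo'' lines print to the console instead of opening message boxes.
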
For some reason, using Group Policy to run the logon script does not work on RDS servers, though it does seem to work properly on regular workstations.
If you are implementing RDS, you probably want to implement the logon script the old Windows NT way, by specifying the script in the Profile tab of each user in ADUC.
===== Howto =====
  - Download and copy the logon.vbs file to the appropriate folder on the domain controller where the script will be run.
    - **Windows NT method**
      - Create the logon script in ''C:\Windows\SYSVOL\sysvol\domain.local\scripts''
      - Paste the contents of Robb's script and name it ''logon.vbs''
    - **Group Policy method**
      - **Start -> Run -> ''gpmc.msc''**
      - Right-click the domain and choose **Create a GPO in this domain, and link it here**
      - Name it **Logon Script**
      - Right-click the Logon Script policy and choose **Edit**
      - **User Configuration → Policies → Windows Settings → Scripts → Logon → Properties**
      - **Show Files**
      - **Create the file ''logon.vbs''** with Robb's script as the contents
  - Create two additional folders in the same directory called **'configs'** and **'includes'**.
  - Create a configuration file in the **'configs'** folder named **'global.conf'**.
  - Using either the Windows NT method or the Group Policy method, modify users in ADUC to call the logon script, specifying the config file as an argument: ''logon.vbs config:global.conf''
    - Note the exact spelling
  - Use the detailed log files generated to troubleshoot and verify script execution.
{{ :networking:windows:modular_logon_assign.png?direct&750 | }}
==== Sample global.conf ====
<code>
meta=1
drives=3
printers=2
processes=4
include=5
description=For all users
created=02/12/12
author=Gene Cooper
m:\\DC1\Company
p:\\DC1\Homes$\sUser
t:\\DC1\Test|group:testgroup
rem z:\\server\share
\\DC1\pdfcreator;default
rem \\server\hpprinter|group:Print Users
rem \\server\colorprinter|-group:domain users|group:Colorprint Users
rem \\server\faxprinter|ip:192.168.0.23
rem c:\windows\write.exe
rem File1.inc
rem File2.inc|computerOU:OU=test,OU=domain computers
rem File3.inc|group:marketing
</code>
==== Sample admin.inc ====
Place this file in the ''includes'' folder.
Run these commands if logged in as an administrator:
<code>
firewall.bat
</code>
==== Sample firewall.bat ====
<code>
@ECHO OFF
:: ***************************************
:: Modify Firewall Based on OS
:: ***************************************
SETLOCAL ENABLEEXTENSIONS ENABLEDELAYEDEXPANSION

:: Parse the output of VER into a plain version string (major.minor.build)
FOR /f "tokens=1,2* delims=." %%a IN ('ver') DO (
    SET WVer=%%a
    SET WVer=!WVer:~-1!
    SET WVer=!WVer!.%%b.%%c
    SET WVer=!WVer:]=!
)

:: Detect 32-bit vs 64-bit Windows
IF DEFINED ProgramFiles(x86) (
    SET OSBit=x64
) ELSE (
    SET OSBit=x86
)
ECHO %WVer% %OSBit%
:: The PAUSE lines in this script wait for a keypress (debugging aid)
pause
REM exit

:: ------ Variables ------
SET WINVER=NotSupported

:: ------ OS analyze ------
echo %OS%
pause
if %OS%==Windows_NT goto setOS
GOTO error

:setOS
:: Later matches override earlier ones, so the most specific test comes last
VER | FIND "Windows 2000 [Version 5" >NUL && SET WINVER=W2K
VER | FIND "Windows XP [Version 5" >NUL && SET WINVER=WXP
VER | FIND "Windows [Version 6" >NUL && SET WINVER=WVista
:: Matches build 7600 only
VER | FIND "Windows [Version 6.1.7600" >NUL && SET WINVER=W7
REM ECHO %WINVER%
REM pause
:: WINVER still holds its initial value when no version matched
IF "%WINVER%"=="NotSupported" GOTO error

:perOS
:: ------ Windows XP ------
IF %WINVER%==WXP (
    netsh firewall set service RemoteAdmin enable
    netsh firewall add portopening protocol=tcp port=135 name=TCP135
    netsh firewall add portopening protocol=udp port=135 name=UDP135
    netsh firewall set service type=fileandprint mode=enable
    netsh firewall set icmpsetting 8
    pause
    GOTO end
)

:: ------ W7 ------
IF %WINVER%==W7 (
    netsh advfirewall firewall set rule group="windows management instrumentation (wmi)" new enable=yes
    pause
    GOTO end
)

:error
ECHO "Unsupported OS - press 'enter' to continue"
pause

:end
exit 0
</code>
===== Troubleshooting =====
==== Logon Script ====
**Start -> Run -> %temp%**

  * Look for logon_.log for login details.
  * If you don't see the logfile here, then you know that the script did NOT run.
==== Group Policy ====
If a group policy (GPO) doesn't seem to take effect:

  - Run ''gpupdate /force'' from an administrative command prompt
    * on the Domain Controller
    * then on the affected machine
  - Reboot the affected machine
  - Test again
    * ''gpresult /r''