Virtual Architects Support Wiki

User Tools

Site Tools

You are here: start » networking » windows » logon_script_modular
Trace: logon_script_modular
networking:windows:logon_script_modular

This is an old revision of the document!

Table of Contents

Modular Logon Script

Robb Dunn wrote this modular VBS logon script that solves most small business needs easily.

Script: http://community.spiceworks.com/scripts/show/299

Howto: http://community.spiceworks.com/how_to/show/1189

Server 2008 GPO: https://www.petri.com/setting-up-logon-script-through-gpo-windows-server-2008

:!: There is a 5 minute delay in logon script processing. Starting with Windows Server 2012 R2, there is a GPO that configures this delay. http://www.itsupportkb.com/windows-2012r2/gpo-logon-script-not-running-windows-server-2012r2

For some reason, using Group Policy to run the logon script does not work on RDS servers though it does seem to work properly on regular workstations.

If you are implementing RDS, you probably want to implement the logon script the old Windows NT way specifying the script in the Profile tab of users in ADUC.

Howto

  1. Download and copy the logon.vbs file to the the appropriate folder on the domain controller where the script will be run.
    1. Windows NT method
      1. Create the logon script in C:\Windows\SYSVOL\sysvol\domain.local\scripts
      2. Paste the contents of Robb's script and name it logon.vbs
    2. Group Policy method
      1. Start → Run → gpmc.msc
        1. Right-click the domain and choose Create a GPO in this domain, and link it here
        2. Name it Logon Script
        3. Right-click the logon Script policy and choose Edit
        4. User Configuration → Policies → Windows Settings → Scripts → Logon → Properties
          1. Show Files
          2. Create the file logon.vbs with Robb's script as the contents
  2. Create two additional folders in the same directory called 'configs' and 'includes'.
  3. Create a configuration file in the 'configs' folder named 'global.conf'.
  4. Using either the Windows NT method or the Group Policy method, modify users in ADUC to call the login script specifying the config file as an argument: logon.vbs config:global.conf
    1. Note the exact spelling
  5. Use the detailed log files generated to troubleshoot and verify script execution.

Sample global.conf

<order>
meta=1
drives=3
printers=2
processes=4
include=5
</order>

<meta>
description=For all users
created=02/12/12
author=Gene Cooper
</meta>

<drives>
m:\\DC1\Company
p:\\DC1\Homes$\sUser 
t:\\DC1\Test|group:testgroup
rem z:\\server\share
</drives>

<printers>
\\DC1\pdfcreator;default
rem \\server\hpprinter|group:Print Users
rem \\server\colorprinter|-group:domain users|group:Colorprint Users
rem \\server\faxprinter|ip:192.168.0.23
</printers>

<processes>
rem c:\windows\write.exe
</processes>

<include>
rem File1.inc
rem File2.inc|computerOU:OU=test,OU=domain computers
rem File3.inc|group:marketing
</include>

Sample admin.inc

Place this file in the includes folder.

Run these commands if logged in as an administrator: 

<processes>
firewall.bat
</processes>

Sample firewall.bat

@ECHO OFF
::  ***************************************
::     Modify Firewall Based on OS    
::  ***************************************

SETLOCAL ENABLEEXTENSIONS ENABLEDELAYEDEXPANSION

FOR /f "tokens=1,2* delims=." %%a IN ('ver') DO (

SET WVer=%%a
SET WVer=!WVer:~-1!
SET WVer=!WVer!.%%b.%%c
SET WVer=!WVer:]=!
)

IF DEFINED ProgramFiles(x86) (
SET OSBit=x64
) ELSE (
SET OSBit=x86
)

ECHO %WVer% %OSBit%
pause
REM exit

::  ------   Variables  ------
SET WINVER=NotSupported

::  ------ OS analyze  ------
echo %OS%
pause
if %OS%==Windows_NT goto setOS
GOTO error

:setOS
VER | FIND "Windows 2000 [Version 5"  >NUL && SET WINVER=W2K
VER | FIND "Windows XP [Version 5"  >NUL && SET WINVER=WXP
VER | FIND "Windows [Version 6"  >NUL && SET WINVER=WVista
VER | FIND "Windows [Version 6.1.7600"  >NUL && SET WINVER=W7
REM ECHO %WINVER%
REM pause
IF "%WINVER%"=="" GOTO error

:perOS
:: ------   Windows XP   ------
IF %WINVER%==WXP (
    netsh firewall set service RemoteAdmin enable
    netsh firewall add portopening protocol=tcp port=135 name= TCP135
    netsh firewall add portopening protocol=udp port=135 name= UDP135
    netsh firewall set service type = fileandprint mode = enable
    netsh firewall set icmpsetting 8
    pause
    GOTO end   
)

:: ------   W7   ------
IF %WINVER%==W7 (
    netsh advfirewall firewall set rule group="windows management instrumentation (wmi)" new enable=yes
    pause
    GOTO end   
)

:error
ECHO "Unsupported OS - press 'enter' to continue"
pause

:end
exit 0

Troubleshooting

Logon Script

Start → Run → %temp%

  • Look for logon_<your-conf-file>.log for login details.
  • If you don’t see the logfile here, then you know that the script did NOT run.

Group Policy

If a group policy (GPO) doesn't seem to take effect:

  1. Run gpupdate /force from an administrative command prompt
    • on the Domain Controller
    • then on the affected machine
  2. Reboot the affected machine
  3. Test again
    • gpresult /r
networking/windows/logon_script_modular.1536874693.txt.gz · Last modified: 2018/09/13 15:38 by gcooper

Page Tools

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
CC Attribution-Share Alike 4.0 International Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki