Monday, July 16, 2007

Profile vs GPO based logon scripts

Since Windows 2000 Server and Active Directory, there are two ways of running logon scripts for users: one profile-based, "à la" NT, and one GPO-based.

There are some pluses and some minuses to migrating your profile-based scripts to GPO-based scripts:

Advantages of Group Policy based scripts:

  1. The script runs hidden, so there is no chance for the user to terminate it before completion
  2. When you create a new user, you only have to put the user in the right OU for the logon script to run
  3. You get not only logon scripts, but also logoff, startup and shutdown scripts
  4. One of these days, Microsoft will remove support for legacy, i.e. profile-based, scripts and you will be ready for that

Disadvantages of Group Policy based scripts:

  1. If you want to have a script for a single user or a few users, you have to create an OU just for them
  2. They are not available to clients that are not AD-aware

Where are these settings located?

  • GPO-based scripts are in Active Directory Users and Computers (aka ADUC): right-click on your domain or OU, select Properties, go to the Group Policy tab, then add a Group Policy Object or edit an existing one. Startup/shutdown scripts are under Computer Configuration, Windows Settings, Scripts, and logon/logoff scripts are under User Configuration, Windows Settings, Scripts.
  • Profile-based scripts are in ADUC: right-click a user, select Properties, go to the Profile tab and enter the script in the Logon script field. The script may be a batch file (.bat or .cmd) or an executable. It must reside in the NETLOGON share of your domain controller(s).
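
Before migrating, it helps to know which accounts still use the Logon script field and whether each referenced file is really in NETLOGON. The following inventory is an added example, not part of the original post; it assumes the ActiveDirectory PowerShell module (RSAT) is installed and that NETLOGON is reachable at `\\<domain DNS name>\NETLOGON`.

```powershell
# Added example: inventory profile-based logon scripts ahead of a move to GPO-based scripts.
# Assumptions: ActiveDirectory module available, caller can read user objects and NETLOGON.
Import-Module ActiveDirectory

$domain   = (Get-ADDomain).DNSRoot
$netlogon = "\\$domain\NETLOGON"

# The "Logon script" field on the Profile tab is stored in the scriptPath attribute.
$users = Get-ADUser -LDAPFilter '(scriptPath=*)' -Properties scriptPath

$report = $users | Group-Object -Property scriptPath | ForEach-Object {
    $group = $_

    # Parent container of each user: split the DN on the first unescaped comma,
    # so names such as "CN=Doe\, John" are not cut in the middle.
    $containers = $group.Group |
        ForEach-Object { ($_.DistinguishedName -split '(?<!\\),', 2)[1] } |
        Sort-Object -Unique

    [pscustomobject]@{
        Script           = $group.Name
        Users            = $group.Count
        # A missing file means the account references a script that no longer runs.
        ExistsInNetlogon = Test-Path -LiteralPath (Join-Path -Path $netlogon -ChildPath $group.Name)
        # Several containers for one script means the GPO must be linked in several places.
        ContainerCount   = @($containers).Count
        Containers       = $containers -join '; '
    }
}

$report | Sort-Object -Property Users -Descending | Format-Table -AutoSize -Wrap
```

Scripts used by only one or two accounts are the ones affected by the first disadvantage above, since a GPO-based replacement needs an OU of its own for those users.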