Logon/Logoff script setup as group policy not running – Server 2008

Tags:
Group Policy
Group Policy Objects
Scripting
Windows Server 2008
Windows Server 2008 R2
I have written two scripts to create a log of when a user logs on and off the network. I have tested the scripts by double clicking on them and they work fine, and I am able to get them to run on a local machine by setting them to run at logon/logoff using the local group policy editor. My issue is that I want the scripts to run at logon/logoff through a Domain Group Policy, but no matter what I try they won't run. I've created a new GPO just for these scripts, and I've tried adding them to the GPO that maps the drives for each user, but nothing works. Any suggestions on what I could try? Warning - This is not a strong area for me. Thanks, Mitch

Software/Hardware used:
Server 2008
ASKED: July 7, 2011  2:17 PM
UPDATED: March 31, 2012  10:08 PM

Answer Wiki


For logon scripts:

The issue you are facing is that Microsoft defaults Windows XP/Vista/7 systems to their “Fast Logon”, which logs users in without waiting for the network. Even reverting this feature does not ensure that your system will have the network up and an IP address when the user logs in to their computer. Microsoft has a couple of recommendations for mapped drives other than a login script.

Another issue with login scripts that map drives is that if a user is a local administrator of the system, login scripts happen prior to the administrator token stripping in Windows Vista/7. This means that the user does not see and cannot access their mapped drives. Conversely, drives mapped under the stripped token cannot be seen by elevated processes. There is a reg hack to allow mapped drives to be seen both elevated and non-elevated.

So to get login scripts to work on systems reliably, there are some things to do.

1. To force the computer to wait for the network, use this GPO:
Computer Configuration\Administrative Templates\System\Logon\Always wait for the network at computer startup and logon

2. Use a local stub login script to start the primary login script. This stub runs and checks that the system can connect to the network share, then runs the script from the network share.

Your stub script needs to include a sleep loop to look for connectivity. I use a loop that checks every 10 seconds and waits up to 5 minutes before failing.

3. Now the fun stuff: since Windows Vista / 7 split the administrator token during login, if the user is a local administrator and the login script runs before the token split, this means a user will not see the mapped drive(s). To fix this you need to add a reg hack to the system.
——————–

<pre>REM --- Allow elevated and non-elevated process to see all the drive mappings.
REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLinkedConnections /t REG_DWORD /d 1 /F
</pre>

———————

You can also set scripts to run synchronously, but I have not seen any advantages to that setting for this issue.

For logoff scripts:

The scripts must be local to the system and all actions should be local to the system. You can set a copy in the login script to keep the local copy up to date and push logs from the last shutdown to the network.
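
The stub from step 2, combined with the logoff arrangement described above, sketched as a batch file. This is an added example, not the answerer's own script: every share name, file name and folder in it is a placeholder, and it assumes the script share is read-only for ordinary users while logs go to a separate share.

```batch
@echo off
REM Added example: local logon stub. All paths and file names are placeholders.
setlocal
REM Assumed layout: script share is read-only for users, log share is separate.
set "SHARE=\\fileserver.example\logon$"
set "LOGSHARE=\\fileserver.example\logonlogs$"
set "MAIN=%SHARE%\logon-main.cmd"
REM Local folder; must be writable by the user who is logging on.
set "LOCALDIR=%USERPROFILE%\LogonStub"
if not exist "%LOCALDIR%" mkdir "%LOCALDIR%"

REM Check for the share every 10 seconds, give up after about 5 minutes.
set /a TRIES=0
:wait
if exist "%MAIN%" goto ready
set /a TRIES+=1
if %TRIES% GEQ 30 goto failed
REM ping is used as the sleep because it is present on XP as well as Vista/7.
ping -n 11 127.0.0.1 >nul
goto wait

:ready
REM Keep the local logoff script current; the logoff GPO runs this local copy.
copy /y "%SHARE%\logoff-local.cmd" "%LOCALDIR%\logoff-local.cmd" >nul

REM Push the log written at the last logoff, and delete it only if the
REM append to the network log succeeded.
if exist "%LOCALDIR%\logoff.log" (
    type "%LOCALDIR%\logoff.log" >> "%LOGSHARE%\%COMPUTERNAME%.log" && del "%LOCALDIR%\logoff.log"
)

REM Hand over to the primary logon script on the share.
call "%MAIN%"
exit /b %ERRORLEVEL%

:failed
REM Record the failure locally so it can be reviewed later.
echo %DATE% %TIME% %USERNAME% share unreachable after 5 minutes>> "%LOCALDIR%\stub-errors.log"
exit /b 1
```

Because the stub executes whatever `logon-main.cmd` contains in each user's session, write access to that file should be limited to administrators.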

Discuss This Question: 5  Replies

  • Mattcassell
    How soon after modifying the GPO do you wait to check if the scripts will run? It normally takes some time for the machine to update its group policy from the server. However, you can force it to do an update by opening a command prompt and typing gpupdate /force. Once you do that you should try logging off/on again with one of the domain accounts to see if it works.
  • MrRellim
    Hi Mattcassell, Thanks for the input. I guess I should have mentioned that I waited two days for the group policy to take effect then I tried forcing it with the gpupdate /force command.
  • Mattcassell
    Fair enough. Have you tried using the Microsoft RSoP tool (resultant set of policies)? It is a great tool for looking at GPO issues. Here is a link to some more info on it: http://support.microsoft.com/kb/323276
  • Pjb0222
    Is the script within the GPO or does it pull from a network share? Do you have the system set to wait for IP (network services) at bootup? You can try running the script locally with a wait loop for an IP address.
  • MrRellim
    Pjb0222 - The script is currently being pulled from a network share where all users have read/write access. I also did try having the script within the GPO. How do I have the system wait for IP (network services) at bootup?