Monday, July 16, 2007

Profile vs GPO based logon scripts

Since Windows 2000 server and Active directory, there is 2 ways of running logon scripts for users, one profile-based "à la" NT, one GPO-based.

There is some pluses and some minuses to migrate your profile-based scripts to GPO-based scripts:

Advantages of Group Policy based scripts:

  1. The script runs hidden, so there is no chance for the user to terminate it before completion

  2. When you create a new user, you only have to put it in the right OU for the logon script to run
  3. You do not only have a logon script, but also logoff, startup and shutdown scripts.

  4. One of these days, Microsoft will remove support for legacy i.e. profile-based scripts and you will be ready for that

Disavantages of Group Policy based scripts:

  1. If you want to have a script for a single or a few user(s) you have to create an OU just for them

  2. They are not available to not AD-aware clients

Where are these settings located ?

  • GPO-based scripts are in Active Directory Users and Computers aka ADUC, right-click on your domain or OU, Properties, Group Policy tab, Add a Group Policy Object or edit an existing one. Startup/shutdown scripts are under Computer Configuration, Windows Settings, Scripts and logon/logoff scripts are under User Configuration, Windows Settings, Scripts.
  • Profile-based scripts are in ADUC, right-click an user and select Properties, Profile tab and enter the script in the Logon script field. The script may be a batch file (.bat or .cmd) or an executable. It must reside in the NETLOGON share of your domain(s) controller(s).

2 comments:

Anonymous said...

You are incorrect about the GPO disadvantage of needing an OU to assign to users. GPOs can be filtered by domain group for more granularity.

If you are still running Windows NT 4.0 or 9x, you have bigger problems than these clients not running GPOs!

McThePro said...
This comment has been removed by the author.