U-M Windows Forest

AD Logon Scripts – The Basics

September 2008

Logon scripts can be useful tools for configuring desktop environments for users. Some of the things such scripts can be used for include mapping network drives, connecting to shared printers, gathering system information, and so on. In fact, just about anything you can do from the command line can be done using a logon script.

This section assumes your desktops are running Windows 2000 or later. It describes how to write logon scripts in VBScript and deploy them with Group Policy, a combination that is very powerful and flexible. Basic understanding of Group Policy deployment is assumed. If you haven't yet learned VBScript, see the Resources section for some tutorials.

Cookbook for a Basic Logon Script

This very simple example uses a logon.vbs script that does the following for any user logging onto any computer located in the Organizations\Butterfly Science OU. This script:


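' Get the name of the user who is logging on
Set objNet = CreateObject("WScript.Network")
strUser = objNet.UserName
' Map H: to the user's home directory on the department server
strHomeDrivePath = "\\dept-server\users\" & strUser
objNet.MapNetworkDrive "H:", strHomeDrivePath
' Map G: to the shared groups folder
objNet.MapNetworkDrive "G:", "\\dept-server\groups"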

To assign logon.vbs to the users of computers in Butterfly Science you will need to configure a Group Policy that:

Figure 1: Users of computers in the Organizations/Butterfly Science/Computers OU need a logon script assigned to map network drives

  1. Right-click on the Organizations/Butterfly Science/Computers OU and select Properties.

  2. Select the Group Policy tab.

    Note: If you have installed the Group Policy Management Console, this tab will bring up a link to launch the Group Policy Management Console and use it instead of the basic Group Policy Editor. The process has a few more steps:

    1. Navigate to your OU
    2. Right-click on the OU and select Create and Link a GPO Here...
    3. Name the new GPO using your Department name as a prefix. Click OK, which saves it (see Figure 2).
    4. Find the new (empty) GPO on the Linked Group Policy Object tab on the right side.
    5. Right-click and select Edit. This opens the good old GP Editor you know and love (see Figure 3).
  3. Click New and create a GPO named "Butterfly Science Computers GPO" which will be linked to this OU (see Figure 2).

    Figure 2: The "Butterfly Science Computers GPO" is linked to the Computers OU in Organizations/Butterfly Science/

  4. Click Edit to open the "Butterfly Science Computers GPO" and navigate to User Configuration\Windows Settings\Scripts as in Figure 3 below.

    Figure 3: User Configuration policy settings for assigning logon scripts

  5. Right-click on Logon in the right-hand pane and select Properties (Figure 4):

    Figure 4: Assigning a new logon script using the "Butterfly Science GPO"

  6. Click the Show Files button, which opens the default folder where logon scripts assigned using Group Policy are stored on your domain controller (see Figure 5):

    Figure 5: Default folder where logon scripts assigned using Group Policy are stored on a domain controller

    (Note: The figure above shows that logon scripts assigned using Group Policy are stored in a subfolder specific to this particular Group Policy on the SYSVOL share on the UMROOT domain controllers using a Policy GUID. This is automatic and you don't need to worry about it.)

  7. Copy and paste the logon.vbs file you created into the open Scripts\Logon folder above. Close the folder window.

  8. Return to the Logon Properties screen (seen in Figure 4 previously) and click the Add button to open the Edit Script dialog box.

  9. Click Browse and select the logon.vbs file from the Logon folder.

  10. Click OK two times and the script has been assigned.

    Figure 6: Assign the logon script

    Figure 6a: Assign the logon script

Now you need to configure the Computer Configuration section of the GPO:

  1. Navigate to Computer Configuration\Administrative Templates\System\Group Policy as in Figure 7 below.

    Figure 7: Policy settings for Loopback Processing

  2. Select "User Group Policy Loopback processing mode" and select the Replace mode.

    Figure 7a: Replace Mode for Loopback Processing

  3. Close the Group Policy Editor.

  4. The next time user "buderfly" logs onto a computer in the Butterfly Science Organizations OU, s/he'll see an H: and G: drive when s/he opens My Computer.

    Figure 8: Drives mapped on client


Resources for Logon Scripts

You will probably want a more complex script that checks if the drives are already in use, maps drives for users based on group membership, and uses VBScript best practices including Dim, Option Explicit, and On Error Resume statements.
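
A script of the kind described above, given here as an added example that is not part of the original how-to. The server and share names are taken from the cookbook script; the group name "Butterfly-Staff" is hypothetical.

```vbscript
' Added example, not from the original how-to.
' Assumption: "Butterfly-Staff" is a hypothetical group name.
Option Explicit
Dim objNet, objShell, objUser

Set objNet = CreateObject("WScript.Network")
Set objShell = CreateObject("WScript.Shell")
' ADSystemInfo.UserName returns the distinguished name of the logged-on user
Set objUser = GetObject("LDAP://" & CreateObject("ADSystemInfo").UserName)

MapDrive "H:", "\\dept-server\users\" & objNet.UserName
If IsMember("Butterfly-Staff") Then MapDrive "G:", "\\dept-server\groups"

' True if the user is a direct member of strGroup (nested groups are not followed)
Function IsMember(strGroup)
    Dim varGroups, strDN
    IsMember = False
    On Error Resume Next
    varGroups = objUser.GetEx("memberOf")   ' raises an error when memberOf is empty
    If Err.Number <> 0 Then
        Err.Clear
        Exit Function
    End If
    On Error GoTo 0
    For Each strDN In varGroups
        If InStr(1, strDN, "CN=" & strGroup & ",", vbTextCompare) = 1 Then IsMember = True
    Next
End Function

' Map strLetter to strPath unless it is already mapped there
Sub MapDrive(strLetter, strPath)
    Dim colDrives, i
    Set colDrives = objNet.EnumNetworkDrives   ' pairs: local name, remote path
    For i = 0 To colDrives.Count - 1 Step 2
        If UCase(colDrives.Item(i)) = UCase(strLetter) Then
            If LCase(colDrives.Item(i + 1)) = LCase(strPath) Then Exit Sub
            objNet.RemoveNetworkDrive strLetter, True, True   ' stale mapping
        End If
    Next
    On Error Resume Next
    objNet.MapNetworkDrive strLetter, strPath
    If Err.Number <> 0 Then
        ' Record the failure in the Application event log (type 2 = warning)
        objShell.LogEvent 2, "logon.vbs: cannot map " & strLetter & " to " & strPath & ": " & Err.Description
        Err.Clear
    End If
    On Error GoTo 0
End Sub
```

The script maps drives with the logged-on user's own credentials, so nothing secret is stored in the file that is copied to the Scripts\Logon folder on SYSVOL.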

There are almost no limits to what you can do with logon scripts, but you need to become an expert at writing VBS scripts. They are more complex than the old batch files, but support all types of branching and conditional logic. A complex logon script could map home directories based on logon name, map shared drives based on group membership and assign printers based on whatever. These types of scripts are available online or from your friendly Windows Admin list and are out of scope for this document.

If you want to learn how to start writing Windows Script Host (WSH) scripts using VBScript, or find some useful scripts others have already developed, here are a few resources to check out:

Under the Hood

The above cookbook for creating logon scripts uses a complex configuration employing Loopback Processing policies. Why can't you just configure a GPO to launch a logon script using only the User Configuration settings above and apply the GPO to the Accounts OU where your users are located? In a simple organization, this would work fine, but in our large organization this breaks down for several reasons:

Why You Might Not Want to Move Users to Your Accounts OU

Moving users to your unit's Accounts OU requires additional effort on the part of the OU Admin and may not be necessary, depending on how much you need to manage the individual attributes of the users. The details of this discussion are out of scope for this document and are covered in Active Directory at the University of Michigan (PDF). Users that are left in the People OU can be easily managed in the following three ways:

Group Policy 101

In the simplest environment, a single Group Policy with both User and Computer Configuration sections can be applied to an OU that contains both users and computers.

In more complex environments, users and computers are usually in separate OUs, requiring two GPOs. The first GPO would have just the User Configuration section of the GPO configured and applied to the OU where the users are located. The second GPO would have just the Computer Configuration section of the GPO configured and applied to the OU where the computers are located.

In our environment, users may be located in OUs where we cannot apply Group Policies.

Loopback Policies to the Rescue

You can configure a special setting in the Computer Configuration section of the GPO that applies to the computers in your Organizations OU. This setting tells Active Directory to also apply the User Configuration section of that same GPO to all the users that log on to those computers, regardless of which OU their user object is located in. Any user logging onto one of your computers will always get your logon script. They will also get any other user configuration you have set.