In the previous article, we wrote a VBS logon script. In the fourth installment of our seven-part series on scripting in Windows 2000 Active Directory, we will attach that logon script to an organizational unit. This will cause every user in the OU to receive this script.
by Jim Hudson
This article is derived from Special Edition Using Active Directory, by Jim Hudson and Sean Fullerton (Que Publishing, November 2000).
After we have written or identified our WSH script, we can attach it to a site, domain, or organizational unit through Group Policy. First we must choose the container object that we want to receive the logon script. In our example, we have identified an organizational unit called support that will use our logon script. These are desktop support people for one of our business units, and we want to configure the desktop when they log on so that certain tools and features will always be available to them.
First we must open the Group Policy editor. Because we are applying this script to users, we will choose the User Configuration/Windows Settings/Scripts node of Group Policy, as shown in Figure 1.
Figure 1: Group Policy Interface
To apply a logon script here, we must double-click the logon icon in the name pane of the Group Policy editor. This opens the Logon Properties Page, shown in Figure 2. Here we can assign and configure one or more logon scripts for this Group Policy.
Figure 2: Logon Script Property Page
To understand what we are going to do next, we need to understand a little about Group Policy architecture. A Group Policy object is really made of two things: a Group Policy container, which is information about the Group Policy stored in Active Directory; and a Group Policy template, which is a series of filesystem objects, such as files and folders. The Group Policy is identified by its GUID. This system-generated hexadecimal number is used to synchronize the information in AD with the filesystem. The Group Policy container is replicated to other domain controllers through normal AD replication, and the Group Policy template is replicated to other domain controllers through the File Replication Service (FRS).
If we want our logon script to be universally available, we need to copy it to the scripts subdirectory of our Group Policy template. To do so, simply use the Explorer to right-click/copy your file, and then click the Show Files button, seen in Figure 2. This will open the Logon page, shown in Figure 3. We can then paste the file into this page. After we have done so, this file will be replicated to all other domain controllers in our domain.
Notice the path at the top of Figure 3. This is the filesystem path to the SYSVOL share on the local domain controller. Because the GUID is the name of the Group Policy, the folder is named using the GUID.
Figure 3: The Group Policy logon folder
When we close the Logon page, we can use the Add button on the Logon Properties page to add our logon script. This will open the Add a Script input box, shown in Figure 4.
Figure 4: Adding a logon script
We can either type the name of our script or use the Browse button. If we have added our script to the Logon folder, it will appear in the Browse page, shown in Figure 5. We can simply select it and click Open. This will return us to the Add a Script page, where we click OK. Our script is now applied as a logon script to this Group Policy. Remember that every edit is an implied save in the Group Policy editor.
Although we have demonstrated applying a script to the logon event for a user, remember that Group Policy can also run scripts at the startup and shutdown of a computer and at the logon and logoff of a user.
Figure 5: Browsing for a logon script
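To check the result from the filesystem side, the following PowerShell (an added example, not from the article or the book) reads each Group Policy template's scripts.ini, the file in which the Group Policy editor records script assignments, and reports whether each assigned script sits inside the template folder that FRS replicates. The function name Get-GptScriptAssignment is hypothetical, the scripts.ini key layout is stated here as an assumption because the article does not describe it, and the all-zero GUID, server name and script names are constructed sample values.

```powershell
function Get-GptScriptAssignment {
    param([Parameter(Mandatory)][string]$PoliciesPath)
    foreach ($gpt in Get-ChildItem -LiteralPath $PoliciesPath -Directory) {
        foreach ($scope in 'User', 'Machine') {
            $ini = Join-Path $gpt.FullName "$scope\Scripts\scripts.ini"
            if (-not (Test-Path -LiteralPath $ini)) { continue }
            $section = $null
            foreach ($line in Get-Content -LiteralPath $ini) {
                # Section headers name the event: [Logon], [Logoff], [Startup], [Shutdown]
                if ($line -match '^\[(\w+)\]\s*$') { $section = $Matches[1]; continue }
                if ($section -and $line -match '^\d+CmdLine=(.+)$') {
                    $cmd = $Matches[1].Trim()
                    # A bare file name resolves inside the template's own event folder,
                    # the copy FRS replicates; a rooted or UNC path points elsewhere.
                    $rooted = [System.IO.Path]::IsPathRooted($cmd)
                    $local  = Join-Path $gpt.FullName "$scope\Scripts\$section\$cmd"
                    [pscustomobject]@{
                        Gpo        = $gpt.Name
                        Event      = "$scope/$section"
                        Script     = $cmd
                        InTemplate = -not $rooted
                        # Only checked for in-template scripts; $null for external paths
                        FileExists = if ($rooted) { $null } else { Test-Path -LiteralPath $local }
                    }
                }
            }
        }
    }
}

# Constructed tree under TEMP standing in for the Policies folder in SYSVOL.
$root    = Join-Path $env:TEMP 'Policies-demo'
$scripts = Join-Path $root '{00000000-0000-0000-0000-000000000000}\User\Scripts'
New-Item -ItemType Directory -Path (Join-Path $scripts 'Logon') -Force | Out-Null
Set-Content -LiteralPath (Join-Path $scripts 'Logon\logon.vbs') -Value "' constructed placeholder"
Set-Content -LiteralPath (Join-Path $scripts 'scripts.ini') -Value @(
    '[Logon]',
    '0CmdLine=logon.vbs', '0Parameters=',                        # copied into the template
    '1CmdLine=\\fileserver\tools\maptools.vbs', '1Parameters=',  # lives outside the template
    '2CmdLine=missing.vbs', '2Parameters=')                      # assigned but never copied
Get-GptScriptAssignment -PoliciesPath $root | Format-Table -AutoSize
```

Rows with InTemplate set to False rely on a share that is not replicated with the Group Policy template, and rows with FileExists set to False are assignments whose file was never pasted into the Logon folder.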