Active Directory How-To
Exploring Logon Scripts for Active Directory
In an Active Directory environment, you can create a logon script that can be applied to user accounts that automatically goes to work once a user logs in.
- By Troy Thompson
- 02/09/2016
Logon scripts can be used to assign tasks that will be performed when a user logs in to the domain. There are many things that the logon script can do, such as set system environment variables, carry out operating system commands and call other scripts or executable programs. Not that I would recommend this, but I knew a network administrator who sent out information about the birth of his child via logon script. Text editors like Notepad can be used to create the script, which is simply a file containing batch language commands. Logon scripts are generally stored on the domain controller in the Netlogon share, which is located at %systemroot%\System32\Repl\Imports\Scripts folder. Once this script is placed in the Netlogon share, it will automatically replicate to all domain controllers in the domain. The types of scripting files that are supported are:
Batch File Commands: These are stored in text files with the .bat or .cmd file name extension. Batch files can automate a series of tasks that could be run from a command line. Scripts written using batch file commands are run by the command shell.
Visual Basic Scripting Edition (VBScript) Commands: These are stored in text files with the .vbs file name extension or JScript commands for text files with the .js file name extension. VBScript and JScript allow you to construct a more complicated script. The Windows Script Host can run these scripts from the desktop of the computer or from a command line.
Once the logon script has been created, you can assign it to one or more local users, sites, domains, or organizational units (OUs). For a user in Active Directory, you would simply open the properties for the user and click on the Profile tab. In the Logon Script box, type the name of the script that was saved on the server to assign it to that user (see Figure 1).
Logon scripts can be set up in many different ways. They can contain If, Then statements just like a simple procedural language program.
Tasks that are commonly performed by logon scripts include the following:
- Mapping or unMapping Network Drives
- Installing and Setting a User's Default Printer
- Log Computer Access
- Gathering Information
Mapping and Unmapping Network Drives
If your Active Directory contains groups such as Engineering, Marketing, and Management, you can assign user accounts to those groups. Inside the logon script, you can then have procedures run based on the group membership. For instance, if you wanted to map the drive H: to different server shares for each of the groups, the scripting language would look like the following:
Const Engineering = "cn=engineering"
Const Marketing = "cn=marketing"
Const Management = "cn=management"
Set ADSysInfo = CreateObject("ADSystemInfo")
Set CurrentUser = GetObject("LDAP://" &
ADSysInfo.UserName)
strGroups = LCase(Join(CurrentUser.MemberOf))
If InStr(strGroups, Engineering) Then
wshNetwork.MapNetworkDrive "H:",
"\\ServerName\Engineering\"
ElseIf InStr(strGroups, Marketing) Then
wshNetwork.MapNetworkDrive "H:",
"\\ServerName\Marketing\"
ElseIf InStr(strGroups, Management) Then
wshNetwork.MapNetworkDrive "H:",
"\\ServerName\Management\"
End If
To map a drive for all users regardless of group membership, you can simple add the following code to the top of your logon script where G is the drive letter to connect:
Net Use G: \\ServerName\ShareName
To remove a mapping for all users, add the following code to the top of your logon script where G is the drive letter to remove:
Net Use G: /Delete /Y
Installing and Setting a User's Default Printer
To install and add a printer for use with those in the Engineering group, you would insert the following code into the logon script:
If InStr(strGroups, Engineering) Then
wshNetwork.AddWindowsPrinterConnection
\\PrintServer\HPLaser
wshNetWork.SetDefaultPrinter
\\PrintServer\HPLaser
Endif
Log Computer Access
The following code, when inserted into a logon script, will all you to see which computers were accessed by a specific user.
; The next line sets variables for date
FOR %%A IN (%Date%) DO SET Today=%%A
SET Today=%Today:/=%
SET Today=%Today:-=%
; The next line creates a directory for today if it does not exist
IF NOT EXIST \\ServerName\Logs\%Today% MD \\ServerName\Logs\%Today%
; The next line logs the computer name and the date and time in a file with the user's name
>> \\ServerName\Logs\%Today%\%UserName%.log ECHO %ComputerName%,%Date%,%Time%
Gathering Information
The following code, when inserted into a logon script, will allow you to capture the IP and MAC address of the computer.
; The next line sets variables for date
FOR %%A IN (%Date%) DO SET Today=%%A
SET Today=%Today:/=%
SET Today=%Today:-=%
FOR /F "tokens=1,2 delims=:" %%A IN ('IPCONFIG /ALL ˆ| FIND "Address"') DO (
FOR /F "tokens=1,2" %%C IN ("%%~A") DO FOR %%E IN (%%~B) DO SET %%C%%D=%%E
)
>> \\ServerName\Logs\%Today%\%UserName%.log ECHO.%IPAddress%,%PhysicalAddress:-=%
There are unlimited numbers of things you can insert into logon scripts. The code represented in this article may have to be tweaked to work in your environment, but it gives you an idea of what can be done. It is also recommended that you test a logon script with a single test user before implementing for all users. Remember that logon scripts add to the amount of time it takes for a user to logon, so it may not be advisable to make the script too long.
About the Author
Troy Thompson has worked in network administration for over 25 years, serving as a network engineer and Microsoft Exchange administration in Department of Defense, writing technology articles, tutorials, and white papers and technical edits. Troy is a Cisco Certified Academy Instructor (CCAI), and has numerous other certifications including CCNA, MSCE+I, Network+, A+ and Security+. Troy has also traveled the world playing music as the guitarist for the band Bride. Contact information is [email protected].