Computer Performance, Windows 2003 Vista Best Practice

Best Practice Ezine #79
Time to Write out the Logon Script?

Best Practice Ezine. Computer Performance. Advertise

Real time network monitor

Take the pain out of network traffic analysis.

Download your copy of the SolarWinds' free Real-time NetFlow Analyzer.

Free SolarWinds Subnet Calculator

The subnet calculator will assist you in managing IP addresses.

To let you into a secret, this utilities is fun to use, even if you don't have a pressing need to calculate your IP address space.

Get your free advanced Subnet calculator

Time to write out the Logon Script?

I realize that I have to handle any suggestion that people abandon their logon scripts with extreme care.  Let me begin by explaining my least contentious proposal; if you really need logon scripts, for example to map printers, then do them right, that means assigning Logon Scripts via Group Policy.  It's time for one of my Litmus Tests, which are designed to distinguish between amateur and professional administrators.

Best Practice Litmus Test: How do you apply logon scripts in Windows Server 2003?

Amateurs configure logon scripts the NT 4.0 way.  They go to Active Directory Users and Computers, then they configure logon scripts individually, via the User's property sheet, Profile tab and Logon script dialog box.

Professionals assign logon scripts via Group Policy.  When you use this method, launch the GPMC (Group Policy Management Console), head for the User Configuration, Windows Setting, Scripts and select Logon.  When the policy window opens, click Add and Browse for your logon script File name.  

I have a tip for assigning scripts via Group Policy. Before you start the above procedure, copy (ctrl c) the logon script file - not the code, then when you reach the Browse File Name dialog box, paste the file (ctrl v).  What this tip does is save you browsing in the SysVol folder and getting lost amongst those folders beginning with strange hexadecimal numbers.  At the bottom of this link are screen shots of my paste logon script tip.  At the bottom of this link are screen shots of my paste logon script tip.

To recap, the advantages of applying logon scripts via Group Policy compared to the Profile tab are as follows:

1) Central administration, configure just one setting for everyone in the OU. There is no need to visit every user's property sheet, just because you changed the name of the logon script. In addition, you can deploy multiple logon scripts with Group Policies.

2) You can also assign scripts to the computer rather than user, these are called Start Up scripts.  Incidentally, I have never seen a Profile tab for a computer object, thus you could not apply the old NT 4.0 method to computers.

3) You can use Group Policy to run Logoff or Shutdown scripts, however, I confess, I have yet to see anyone apply Shutdown scripts in real life.

If you want to learn more about configuring Group Policies, then I recommend TrainSignal's video material.  At TrainSignal they divide IT training into modules.  They have step-by-step instructions prepared by experienced administrators to show you how to configure the Group Policy settings.  TrainSignal will exceed your expectations.

Real Life Example written by Mike G.

I've located the VBS files for each logon script under the NETLOGON share of the DC in a folder called "Logon Scripts".  The six folders underneath represent my six regions within the company. This allows me to grant NTFS permissions on each regional folder to the local IS guys so they can modify their logon scripts (only), without having to give them permissions to the DC or the directories where the group policy lives. This keeps them in a separate folder than the Group Policies that launch them (so you don't have to know those long strange hexadecimal numbers).

Logon Script via Group PolicyI link the group policies that launch the logon scripts to the site. (this may not be right for everyone) This is because I have 60 offices and we frequently have people shift to other offices to help out. By adding them to the local office security group, they get the proper NTFS permissions on the server and the logon script launches for the office they're in, not their home office (which would be the case if it's linked to an OU).

We have an Intranet page where folks can go to "Map your Office Network Drive Letters". So if they do need access to their home office drives, they go to this page and select their office. It then launches the .... login script.vbs from the folder on the DC so they can map drives as they need them. (this works great for remote users on the road or at home too).

Guy continues...

Time to Write out the Logon Script

Last week I floated the suggestion that Home Drives could be replaced by folder redirection.  This week my more contentious prediction is that in two computer generations - say 6 years, logon scripts will be phased out.  My prediction is that all the present logon script instructions could in future be applied through bigger and better Group Policies.

My goal this week is merely to plant the seed of an idea.  That idea is to actively seek alternatives to Logon Scripts.  I want to emphasise that with logon scripts, the past does not equal the future.  The first time I saw this entrenchment in the old technology was in the spring of 1966.  Mad Mick said words to the effect of, 'I would sooner eat sewage than ride a Japanese motor bike'.  Well in the autumn of 1966, Mad Mick traded in his leaking Triumph 650 Bonneville for a brand new Japanese Honda CB 450.  I remember it well because John 'The Monst' and I frog marched Mick to the toilet.  I will leave the rest of that particular saga to your imagination.

My point is that everyone suffers from this inability to let go of the past and embrace the future, with me its mobile phones.  I just stick to the basic mobile,  I don't take pictures, and wish they would make a model with bigger buttons.

I also want to make it clear that I love logon scripts.  If my prediction comes true, and one day logon scripts die out, then it would be fitting that I am chief mourner.  The reason being I have made a good pin money from my logon script ebooks.  On that score, I still say that logon scripts are a great way of learning VBScript because you get instant action and don't need Active Directory to run the scripts.  As for VBScript, it's easy to predict that VBScript in general and WMI scripts in particular, have a rosy future.  For example, there is a WMI setting within Group Policies where you can control factors such as applying the policy to XP but not to Windows 2000 machines.

If you are looking for handy network utilities, try some of the free downloads at Tools4Ever

Humour Section

I have a confession to make. Some of my efforts at providing links remind me of Tommy Cooper's magic, that part where the trick keeps going wrong. Well, this week I have double checked all links. So, if you want a good laugh here are Will and Guy's Tommy Cooperism'

Computer Training Software - Recommended Training VideosGuy Thomas recommends Computer Training Software

Their topics and material are ideal for getting you started with VBScript.  The videos are easy to follow and you can control the pace.  Try their free demo material and then see if you want to buy the full package. See more about VB Script Training CD.

 *

Google

Web  This website

Guy Recommends: SolarWinds Engineer's Toolset v10Engineer's Toolset v10

The Engineer's Toolset v10 provides a comprehensive console of utilities for troubleshooting computer problems.

There are so many good gadgets, it's like having free rein of a sweetshop. Thankfully the utilities are displayed logically: monitoring, discovery, diagnostic, and Cisco tools.  Download your copy of the Engineer's Toolset v 10

 

Home Copyright © 1999-2010 Computer Performance LTD All rights reserved.

Please report a broken link, or an error.