Xestrix

Server 2003 - Group Policy - Logon/off scripts - how? (EASY Points!)

Hello Experts,

Simple question this time :)

Running Microsoft Server 2003, how do I add a Group Policy setting for all users on the domain that runs a simple batch (.bat) file on user logon and logoff?

So here's the setup:
On the server, there is a file C:\logonoff.bat
Domain: WEST

So how do I get the server to run the file logonoff.bat, for any user on WEST, anytime they log on or off?
Rob Williams

You can add it to Group Policy as a logon and a logoff script. Although you don't have to, to ensure the file and user have the right permissions it is best to move it to the NETLOGON share, which is usually located on the server in:
C:\Windows\SYSVOL\sysvol\<your domain name>\Scripts

Then add it to the GPO:
User Configuration | Windows settings | Scripts | Logon and/or Logoff | right click on logon/logoff | properties | add | point to script
Apply the GPO to an Organizational Unit that contains the users you wish to affect.
Xestrix

ASKER

"Apply the GPO to an Organizational Unit that contains the users you wish to affect."

So selecting the Domain as the group, or even the 'Students' group (which is the main priority), should work? Right now I have everything set up except the file isn't in the NETLOGON, and as far as I can tell it isn't working at all. So, could the whole problem be the file location/permissions then?

Also, I noticed in the User Configuration | Windows settings | Scripts | Logon and/or Logoff, I have the file selected, and the parameters part left blank, but when I click on the 'View Files' button, it opens a completely different, empty folder, that is not C:\ as specified. Also, dragging the bat file into this folder does nothing.

Thanks for the quick response Rob! I'll go try moving the file to NETLOGON and see if that resolves the issue. :)

Both applying to the domain or the students group will work. General best practice suggests not using the domain policy unless necessary.

Yes, the permissions could well be the issue. When the script is initiated, as I recall, it will use the user's credentials.

As for the C:\ drive: which one are you referring to, and which is the server referring to, PC or server C:? It may be part of the confusion.
PS: I don't know if you are aware, but Group Policy changes take up to 5 minutes on the server and 90 minutes on the workstation to update. To force immediately on the workstation, at a command line enter:
for WinXP and Server 2003
  gpupdate /force
for Win2K user GPOs
  SECEDIT /REFRESHPOLICY USER_POLICY /ENFORCE
for Win2K computer GPOs
  SECEDIT /REFRESHPOLICY MACHINE_POLICY /ENFORCE

ASKER

Thanks for all the help Rob! I didn't know it took that long to apply though, I'll try force applying.

I -was- able to successfully set the policy to startup/shutdown now! The problem -is- that logon/off runs as the user logging on/off, and since the script I'm trying to run requires Admin privileges, it would not run. So, here's the question, can I run a script at user logon/off with Admin rights, or even as Local System like startup/shutdown?

And for clarification, the C:\ I was referencing -was- the C:\ on the Server, not the Local Machine, though this isn't an issue any longer :)

There is also an option to run a startup or shutdown script under
Computer Configuration | Windows settings | Scripts | Startup/Shutdown
I believe these are run with admin privileges, though not sure. Would that work for you?
There are workarounds for the others. Do you know why they need to be admins? In some cases you can change the file permissions; in others it might be much more elaborate.

ASKER

Okay, the Startup/Shutdown is what I have been able to get working, and they run as Local System, which is fine. I would like to be able to use the script at logon/off as Local System if possible.

The reason that the script needs some manner of admin privileges is because it needs to be able to Start/Stop services and merge local registry.
Mmmmmm...
I can't recall how to run it with elevated privileges. You might be able to do it using Runas or the SU utility from older Windows resource kit. I'll do a little digging and hopefully someone else may spot this as well.

ASKER

Sorry about the long time for response, had to go to class :P

Anyways, runas would work, I just need to remember the switches for silent, without prompting for Admin password. The only concern I had with that was hardwiring the admin password into the coding seemed to be too much of a security risk.
ASKER CERTIFIED SOLUTION
Rob Williams
This solution is only available to members.
Thanks Xestrix,
--Rob

ASKER

No problem, I graduated, so the school networking isn't my problem anymore x3 Anyways I just went ahead and used startup/shutdown and it seemed to work just fine~
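
An added example, not part of any post in this thread: a small Python audit of the scripts.ini file in which a GPO records its Logon/Logoff (user) and Startup/Shutdown (computer) scripts. It reports the account context the thread describes for each script type and flags drive-letter paths and credential-looking parameters. The sample file contents, `fixsvc.bat` and its `/pass:` switch are constructed for illustration.

```python
import configparser
import re

# Account context per script type, as described in the thread.
RUNS_AS = {"logon": "logged-on user", "logoff": "logged-on user",
           "startup": "Local System", "shutdown": "Local System"}

# Heuristic for a password passed on the command line (assumed patterns).
SECRET = re.compile(r"(?i)(/pass(word)?[:=]|password\s*=|pwd\s*=)\s*\S+")

# Constructed sample of a user-side scripts.ini; not taken from a real GPO.
SAMPLE = r"""
[Logon]
0CmdLine=C:\logonoff.bat
0Parameters=
1CmdLine=\\WEST\NETLOGON\logonoff.bat
1Parameters=
[Logoff]
0CmdLine=fixsvc.bat
0Parameters=/user:WEST\Administrator /pass:EXAMPLE-ONLY
"""

def audit(ini_text):
    """Return (section, command, runs_as, issues) for every script entry."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(ini_text)  # decode the file to str before calling
    findings = []
    for section in cp.sections():
        runs_as = RUNS_AS.get(section.lower(), "unknown")
        items = dict(cp[section])  # configparser lower-cases the key names
        for key, cmd in items.items():
            m = re.fullmatch(r"(\d+)cmdline", key)
            if not m:
                continue
            params = items.get(m.group(1) + "parameters", "")
            issues = []
            if re.match(r"[A-Za-z]:\\", cmd):
                # A drive letter resolves on the machine running the script.
                issues.append("drive-letter path, not the server's copy")
            if SECRET.search(cmd + " " + params):
                issues.append("possible hardcoded credential")
            findings.append((section, cmd, runs_as, issues))
    return findings

if __name__ == "__main__":
    for section, cmd, runs_as, issues in audit(SAMPLE):
        print(f"[{section}] {cmd} runs as {runs_as}: {issues or 'ok'}")
```

Scripts listed under [Startup] or [Shutdown] run as Local System, so the script files themselves should be writable by administrators only.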