Server 2003 - Group Policy - Logon/off scripts - how? (EASY Points!)

Hello Experts,

Simple question this time :)

Running Microsoft Server 2003, how do I add a Group Policy setting for all users on the domain that, runs a simple batch (.bat) file on user logon and logoff?

So here's the setup:
On the server, there is a file C:\logonoff.bat
Domain: WEST

So how do I get the server to run the file logonoff.bat, for any user on WEST, anytime they log on or off?
Who is Participating?
Rob WilliamsCommented:
You can find the runas syntax by entering at a command line  runas  /?
As you mentioned, adding the password in clear text can be a huge security risk, especially where it is an admin password. However, good news is, runas doesn't support the password in the command line <G>, can only be supplied when prompted. However, if you wish to go down that road, you can download RunAs professional:

If no other responses here in the next 24 hours, regarding "running a batch file with elevated privileges", you might want to post another question with that in the title, and maybe in the 2003 server forum. Where it is a bit of a different question, you might "get some new blood". If I come up with a better idea I'll post here.

Rob WilliamsCommented:
You can add it to group policy as a logon and a log off script. Although you don't have to, to assure the file and user have the right permissions it is best to move it to the NETLOGON share which is usually located the server in:
C:\Windows\SYSVOL\sysvol\<your domain name>\Scripts

Then add it to the GPO:
User Configuration | Windows settings | Scripts | Logon and or Logoff | right click on logon/logoff -properties | add | point to script
Apply the GPO to an Organizational Unit that contains the users you which to affect.
XestrixAuthor Commented:
"Apply the GPO to an Organizational Unit that contains the users you which to affect."

So selecting the Domain as the group, or even the 'Students' group(which is the main priority) should work? Right now I have everything setup except the file isn't in the NETLOGON, and as far as I can tell it isn't working at all. So, could the whole problem be the file location/permissions then?

Also, I noticed in the User Configuration | Windows settings | Scripts | Logon and or Logoff, I have the file selected, and the parameters part left blank, but when I click on the 'View Files' button, it opens a completely different, empty folder, that is not C:\ as specified. Also, dragging thge bat file into this folder does nothing.

Thanks for the quick response Rob! I'll go try moving the file to NETLOGON and see if that resolves the issue. :)
Network Scalability - Handle Complex Environments

Monitor your entire network from a single platform. Free 30 Day Trial Now!

Rob WilliamsCommented:
Both applying to the domain or the students group will work. General best practices suggests not using the domain policy unless necessary.

Yes the permissions could well be the issue. When the script is initiated, as I recall, it will use the users credentials.

As for the C:\ drive  Which one are you referring to, and which is the server referring to, PC or Server C:  It may be part of the confusion.
Rob WilliamsCommented:
ps- I don't know if you are aware but Group Policy changes take up to 5 minutes on the server and 90 minutes on the workstation to update. To force immediately on the workstation at a command line enter:
for WinXP and Server 2003
  gpupdate  /force
for Win2K user GPO's
for Win2K computer GPO's
XestrixAuthor Commented:
Thanks for all the help Rob! I didn't know it took that long to apply though, I'll try force applying.

I -was- able to succesfully set the policy to startup/shutdown now! The problem -is- that logon/off runs as the user logging on/off, and since the script I'm trying to run requires Admin privledges, it would not run. So, here's the question, can I run a script at user logon/off with Admin rights, or as evcen as Local System like startup/shutdown?

And for clarification, the C:\ I was referencing -was- the C:\ on the Server, not the Local Machine, though this isn't an issue any longer :)
Rob WilliamsCommented:
There is also an option to run a start up or shut down script under
Computer Configuration | Windows settings | Scripts | Startup/Shutdown
I believe these are run with admin privileges, though not sure. Would that work for you?
There are work around for the others. Do you know why they need to be admins. In some cases you can change the file permissions in others it might be much more elaborate.
XestrixAuthor Commented:
Okay, The Startup/Shutdown is what I have been able to get working, and they run as Local System, which is fine. I would like to be able to use the script at logon/off as Local System if possible.

The reason that the script needs some manner of admin privledges is because it needs to be able to Start/Stop services and merge local registery.
Rob WilliamsCommented:
I can't recall how to run it with elevated privileges. You might be able to do it using Runas or the SU utility from older Windows resource kit. I'll do a little digging and hopefully someone else may spot this as well.
XestrixAuthor Commented:
Sorry about the long time for response, had to go to class :P

Anyways, runas would work, I just need to remember the switrches for silent, without prompting for Admin password. The only concern I had with that was hardwiring the admin password into the coding seemed to be too much of a security risk.
Rob WilliamsCommented:
Thanks Xestrix,
XestrixAuthor Commented:
No problem, I graduated, so the school networking isn't my problem anymore x3 Anyways I just went ahead and used startup/shutdown and it seemed to work just fine~
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.