Is it better to have one VBS script to control everything in a domain (with different OUs and two separate file servers), or use group policies (with scripts) to control groups?

joykennedyh used Ask the Experts™
What's a better practice: 1) to have one domain login script (a lengthy if/then/else file controlling drive mappings) or 2) to set up login scripts via group policies. The domain has two organizational units (in two separate sites--using two different file servers). The domain login script is lengthy, and someone would have to change/edit the script every time a new department/group is created. Wouldn't it be better to control these settings/login settings via group policy, instead?

If possible, it is better to have a collection of Group Policies and Login Scripts rather than a single login script.

Speaking from experience, a single login script is a real headache to administer, especially if it is being administered by multiple staff.
Top Expert 2013
Another thing to look into especially for drive mappings and login scripts is group policy preferences, great white paper/overview here:
You can use targeting for groups. Screenshots here:
Another method is to have a single logon script that reads an ini/config file that contains drives/printers based on security groups. Then the main script is never touched and the ini file only needs updating when new drives or printers are added. You then only need to update your group memberships within AD to allow/deny access to resources covered by your script.
If you are doing drive mappings based on AD groups, I suggest you stay away from IF THEN etc. and use just CASE: maybe a main FOR loop, and inside it just use CASEs. Each CASE is for an AD group, to do a drive mapping or copy a shortcut etc. The problem with drive mappings is that if you have tons of groups and only the limited drive letters F-Z, then you could have a problem. Also, drive letters are meaningless from company to company; maybe shortcuts are more meaningful, as you can name them the same as the AD group name as well as the share name etc. Another advantage of shortcuts is that you can update the UNC path without touching the script if shared data gets moved to another server. If the script is written this way, then one script would be preferred, and in just a couple of minutes any IT folks can leverage and support/troubleshoot the script, as all you need to do is simply copy/paste a CASE for a new request etc.
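
The ini-driven, one-entry-per-group approach described in the answers above, written out as an added example (not code from any poster in this thread). The file name `maps.ini`, its `GroupName=Letter:,\\server\share` line format and the sample group and share names are assumptions; only the user's direct group memberships are checked, and share/NTFS permissions on the file servers still decide actual access.

```vbscript
' Added example, not from the thread. Assumed config: maps.ini beside this script
' (e.g. in NETLOGON, read-only to users), one line per mapping, ";" starts a comment:
'   GroupName=Letter:,\\server\share      e.g.  Sales=S:,\\fs1\sales   (constructed)
Option Explicit
Dim fso, net, groups, cfgPath
Set fso = CreateObject("Scripting.FileSystemObject")
Set net = CreateObject("WScript.Network")
Set groups = GetUserGroups()
cfgPath = fso.BuildPath(fso.GetParentFolderName(WScript.ScriptFullName), "maps.ini")
If fso.FileExists(cfgPath) Then ApplyMappings cfgPath

' Returns the CNs of the user's direct groups (no nested groups, no primary group).
' Group names containing a comma are not handled by the simple DN split below.
Function GetUserGroups()
    Dim dict, user, dns, dn
    Set dict = CreateObject("Scripting.Dictionary")
    dict.CompareMode = vbTextCompare          ' group names compare case-insensitively
    Set user = GetObject("LDAP://" & CreateObject("ADSystemInfo").UserName)
    On Error Resume Next
    dns = user.GetEx("memberOf")              ' raises an error when the user has no groups
    If Err.Number = 0 Then
        For Each dn In dns
            dict(Mid(Split(dn, ",")(0), 4)) = True   ' "CN=Sales,OU=..." -> "Sales"
        Next
    End If
    On Error GoTo 0
    Set GetUserGroups = dict
End Function
' Reads the ini file and maps every entry whose group the user belongs to.
Sub ApplyMappings(path)
    Dim ts, line, eq, parts
    Set ts = fso.OpenTextFile(path, 1)        ' 1 = ForReading
    Do Until ts.AtEndOfStream
        line = Trim(ts.ReadLine)
        eq = InStr(line, "=")
        If eq > 1 And Left(line, 1) <> ";" Then
            parts = Split(Mid(line, eq + 1), ",")
            If UBound(parts) = 1 And groups.Exists(Trim(Left(line, eq - 1))) Then
                MapDrive UCase(Trim(parts(0))), Trim(parts(1))
            End If
        End If
    Loop
    ts.Close
End Sub
' Accepts only "X:" and a UNC target; any other value in the file is ignored.
Sub MapDrive(letter, unc)
    If Len(letter) <> 2 Or Right(letter, 1) <> ":" Or Left(unc, 2) <> "\\" Then Exit Sub
    On Error Resume Next
    net.RemoveNetworkDrive letter, True, True   ' drop a stale mapping if present
    Err.Clear
    net.MapNetworkDrive letter, unc, False      ' False = do not persist in the profile
    If Err.Number <> 0 Then CreateObject("WScript.Shell").LogEvent 2, "Logon script: cannot map " & letter & " to " & unc
End Sub
```

Adding a department then means adding one line to `maps.ini` and managing membership of the matching AD group; the script itself stays unchanged.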
