Domain logon script when users logon with local accounts

Posted on 2011-04-29
Last Modified: 2012-06-21
Our network contains two Windows 2003 domain controllers and a Windows 2003 member server running Exchange. Our small group of workstations are all Windows XP Pro, which users log onto using local user accounts. They can then access shares on the servers based on AD group membership or individually assigned ACLs. I have tried to use GPO to control a logon script that records user information on the server but I can only get it to work if the user logs on with a domain account. Scripts assigned through domain profiles don't work either. Could it be that cached credentials are being used to establish connections with the server so netlogon doesn't really occur every time a user logs onto his local workstation? Is there a way around this?
Question by: ru-rd
    LVL 30

    Assisted Solution


    Author Comment

    This would work. I would have to log on as Administrator on each workstation and set this up for each local user. I was hoping to be able to do it through GPO so I could take advantage of the logoff feature also.
    LVL 7

    Assisted Solution

    For the local account you can use gpedit.msc to add the logon script. You will have to add the script manually to all the computers though.
    But if you have setup a domain then why are the users logging in with local accounts? Why not use domain accounts?

    Author Comment

    Gpedit.msc on the local machine should allow me to take advantage of assigning both logon and logoff scripts. However it doesn't seem to work. As the local Administrator, I used gpedit to copy the login.bat file to the %systemroot%\System32\GroupPolicy\User\Scripts\Logon folder, then ran gpupdate /force from a command prompt. Logged on as a local user and checked the shared server folder to see if the user information got logged. It didn't. I know it's not a permissions issue because when I ran the login.bat file manually it worked perfectly.

    Accepted Solution

    I found the problem! The Microsoft knowledge base article 315245 that IanTh pointed me to says the default location for the logon scripts is %SystemRoot%\System32\Repl\Import\Scripts. My XP machines didn't have this folder, and besides, this article describes how to assign a logon script to a profile for a local user's account. I wanted a way to use GPO, so I thought the article didn't apply. Gpedit on the local machine as ashutoshsapre recommended seemed like it should work but it didn't.
    When I revisited the MS article I noticed "For a Microsoft Windows 2000 version of this article, see 258286" and I realized these XP machines had been upgraded from W2k, so maybe that's why I couldn't find the described default folder. In the W2k version of the article it clearly states that the default folder is not created on a new installation of Windows. Therefore, the %SystemRoot%\System32\Repl\Import\Scripts folder must be created and shared out with the share name netlogon.
    This gave me an idea! Instead of creating that specific folder I shared the %SystemRoot%\System32\GroupPolicy\User\Scripts\Logon folder, which was the default folder according to gpedit on my machines, and named it "netlogon". Now everything works!
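The steps from the accepted solution collected into one script, added here as an illustration and not code posted in the thread. The server name SERVER1, the logonlog share and the log line format are assumptions; the script also records %LOGONSERVER%, which for a local account is the workstation itself, and the generated login.bat still has to be registered under User Configuration > Windows Settings > Scripts (Logon) in gpedit.msc.

```batch
@echo off
rem setup-netlogon.bat - run once as local Administrator on each XP workstation.
rem Assumptions: \\SERVER1\logonlog exists and the local users can write to it.
set SCRIPTDIR=%SystemRoot%\System32\GroupPolicy\User\Scripts\Logon
if not exist "%SCRIPTDIR%" mkdir "%SCRIPTDIR%"

rem Generate login.bat in the local GPO logon script folder. Each run appends
rem who logged on, where and when. %LOGONSERVER% names the machine that
rem authenticated the account: the workstation itself for a local account,
rem a DC only for a domain account (%% becomes a literal % in the output file).
> "%SCRIPTDIR%\login.bat" echo @echo off
>> "%SCRIPTDIR%\login.bat" echo if not exist "\\SERVER1\logonlog\" goto :eof
>> "%SCRIPTDIR%\login.bat" echo ^>^> "\\SERVER1\logonlog\%%COMPUTERNAME%%.log" echo %%DATE%% %%TIME%% %%USERNAME%% on %%COMPUTERNAME%% via %%LOGONSERVER%%

rem Share the folder under the name "netlogon", the fix the accepted solution found.
rem Keep the share read-only for everyone except Administrators: anything placed in
rem this folder runs in every user's logon session on this machine.
net share netlogon="%SCRIPTDIR%" /REMARK:"Local logon scripts"
```

Check the share permissions afterwards with `net share netlogon`; on XP a new share defaults to read-only for Everyone, which is what you want here.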

    Author Closing Comment

    Others' comments gave me clues to track down the final solution, which I have posted to clarify the steps taken to complete the resolution.
