Windows 2008: GPO for Login Script


1)      This is related to the Login Script
2)      The OS for the Domain Controller is Windows 2008 server
3)      The login scrip’s name is Login.bat which contains as the followings:

REM @echo off

Net use Y: \\Bobafilesrv\Marketing

Net use W: \\Bobafilesrv\Accounting

Net use P: \\Bobafilesrv\Public


I go to the Domain Controller
- Go to C:\Windows\Sysvol\Domain\Scripts folder
- I put the Login.bat at the above Scripts folder
- I click Refresh at the Domain Controller

I want to create GPO for Login script which will be enabled to a OU
- OU’s name is “Test Script”
- The users in this OU are:
   * JBlack (permitted for Marketing folder)
   * PBrown (Permitted for Accounting folder)
   * Other “authenticated users” (Permitted for Public folder)

I went to Server Manager > Features > Group Policy Management ...>Test Script
- I create a new GPO called “Login script”
- The PATH: User Configuration> Policies>Window Setting>Scripts (Logon/Logoff)
- I select “Logon” and I put the Login.bat there

Then, I go to the workstation , and login as JBlack
-      I do “ gpupdate /force”
-      I do “ gpresult” ( and I can see that the GPO called Login Script is being enforced)

However, When I double-click “My computer”, I did not see “the network drives” at all

Somebody knows what is the problem?

Thank you

Who is Participating?
Hypercat (Deb)Commented:
I think the path you've got listed for the location of your script is the problem.  Here's what I would recommend doing:

1.  Make a copy of your pause.bat file and put it on the desktop of the machine you're using to manage group policies.
2.  Open the Test policy properties and open the Logon Properties dialog box.
3.  Remove the current path you have listed for the location of the script.
4.  Click the Show Files button in the dialog box.  Copy and paste the batch file from your desktop into the default script folder location that you just opened. Close the file system window and go back to the Logon Properties dialog box.
5.  Click the Add button, then click the Browse button under "Script Name."
6.  Select the login.bat file shown in the browse window and then click Open. The script name now shows in the "Add a Script" dialog box.  Click OK.
7. Click OK to accept the change and close the Logon Properties dialog box.

Now retest and see if the group policy works.
Drive mappings are done on the Computer so they are applied before the CTRL+ALT+DEL screen.  You may have to reboot rather then do a GPUpdate.

If you use the Login Script in the ADUC Profile tab on the user accounts this will work for sure.
JAN PAKULAICT Infranstructure ManagerCommented:
you can also modify this by

REM @echo off

Net Delete y:
Net use Y: \\Bobafilesrv\Marketing

Net Delete W:
Net use W: \\Bobafilesrv\Accounting

Net Delete P:
Net use P: \\Bobafilesrv\Public


check gpresult and rsop.msc on given users.

Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

@xDUCKx is correct - its a login script - therefore you need to log out and back in to have the script execute here...
tjieAuthor Commented:
For xDUCKx:
-I reboot The Domain Controller --> Still the same: the script does not work
- I log off and log back in at the Workstation (for the above users) --> same thing: does not work
- Yes, Using login scrip in the ADUC profile --> it worked (but this is not my question)

For Janpakula:
- I did Edit the login.bat per your direction --> Does not work

For smckeown777:
- Please see xDUCKx --> does not work

Any other approach?

MAS (MVE)EE Solution GuideCommented:
Hypercat (Deb)Commented:
Is the user a member of the local Administrators group on the workstation?  This can cause problems with login scripts because of privilege elevation levels.

Did you try to execute your .bat file while loged on to the workstation and see if the drives will map?

1) If they don't you have security problem somewhere either at share level or NTFS level

2) If your drives will map but you will receive access denied (or similar) when accessing check NTFS privileges

3) If they won't map there might be a problem with the user being local admin on the workstation (or domain admin) and it wont map automatically due to privilege elevation levels.

Hope this helps
tjieAuthor Commented:

- I can not read the video.Please summary if you may

hypercat & intelligence,
- The above users (jblack and pbrown) are only "domain user"
- OK, i add them to the Local Administrator of the workstation and test again --> The same resutl; i can not see the network drive

To confirm further, I go to the Profile tab of the above users
- I disable the GPO firstly ...
- I put the login.bat at this profile tab of each user
- And when I login again (Just as a domain user) as jblack or pbrown, i can see the 3 network drives

So The above approaches are not working.

Hypercat (Deb)Commented:
Remove the user from the local admins group - you don't want them there. I was asking because if they are local admins this can cause problems with group policy processing, so you want them to be in the local Users group not local admins.

This may seem like a silly question - but in your description of how you set up the GPO, I'm not sure that you set up the GPO so that the login.bat file is in the proper location. It sounds to me as though the batch file isn't being processed because it isn't properly configured in the policy.  Is the login.bat script in the Scripts folder in the GPO - it has to be in that specific scripts folder, OR you have to point the GPO to the Scripts folder where it resides.  Please do a screen capture of the Scripts dialog box and one of the location in your file system where the login.bat file is saved, and post them.

Also, have you checked the event log on the workstation to see if there are any group policy processing errors?
tjieAuthor Commented:
Please see the attachment. I take out the user from the Local admin group. I checked whether the GPO is enforced (gpupdate /force and gpresult); yes, the gpo is enforced.
Please do some adjustment. The Domain here is "" (Not; the file server is aoafilesrv (not "bobafilesrv").
Here is the screen shot (pls see the attachment). I hope you can get ideas to make this GPO working. Note: The login script's name is "pause.bat" (Not login.bat as I mention in the question above). Thank you

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.