Windows 2008: GPO for Login Script

Posted on 2012-08-21
Medium Priority
Last Modified: 2012-08-24

1)      This is related to the Login Script
2)      The OS for the Domain Controller is Windows 2008 server
3)      The login script’s name is Login.bat, which contains the following:

REM @echo off

Net use Y: \\Bobafilesrv\Marketing

Net use W: \\Bobafilesrv\Accounting

Net use P: \\Bobafilesrv\Public


I go to the Domain Controller
- Go to C:\Windows\Sysvol\Domain\Scripts folder
- I put the Login.bat at the above Scripts folder
- I click Refresh at the Domain Controller

I want to create a GPO for the login script, which will be enabled for an OU
- OU’s name is “Test Script”
- The users in this OU are:
   * JBlack (permitted for Marketing folder)
   * PBrown (Permitted for Accounting folder)
   * Other “authenticated users” (Permitted for Public folder)

I went to Server Manager > Features > Group Policy Management ...>Test Script
- I create a new GPO called “Login script”
- The path: User Configuration > Policies > Windows Settings > Scripts (Logon/Logoff)
- I select “Logon” and I put the Login.bat there

Then, I go to the workstation and log in as JBlack
-      I do “gpupdate /force”
-      I do “gpresult” (and I can see that the GPO called Login Script is being enforced)

However, when I double-click “My Computer”, I do not see the network drives at all

Does anybody know what the problem is?

Thank you

Question by:tjie

Expert Comment

ID: 38317733
Drive mappings are done on the Computer so they are applied before the CTRL+ALT+DEL screen.  You may have to reboot rather than do a GPUpdate.

If you use the Login Script in the ADUC Profile tab on the user accounts this will work for sure.

Expert Comment

ID: 38317781
You can also modify this by

REM @echo off

REM Remove any existing mapping before re-creating it
Net use Y: /delete
Net use Y: \\Bobafilesrv\Marketing

Net use W: /delete
Net use W: \\Bobafilesrv\Accounting

Net use P: /delete
Net use P: \\Bobafilesrv\Public


Check gpresult and rsop.msc on given users.


Expert Comment

ID: 38317899
@xDUCKx is correct - it's a login script - therefore you need to log out and back in to have the script execute here...

Author Comment

ID: 38317977
For xDUCKx:
- I reboot the Domain Controller --> still the same: the script does not work
- I log off and log back in at the workstation (for the above users) --> same thing: does not work
- Yes, using the login script in the ADUC profile --> it worked (but this is not my question)

For Janpakula:
- I did Edit the login.bat per your direction --> Does not work

For smckeown777:
- Please see xDUCKx --> does not work

Any other approach?


Expert Comment

ID: 38318033

Expert Comment

by:Hypercat (Deb)
ID: 38318296
Is the user a member of the local Administrators group on the workstation?  This can cause problems with login scripts because of privilege elevation levels.

Expert Comment

ID: 38318382

Did you try to execute your .bat file while logged on to the workstation and see if the drives will map?

1) If they don't you have security problem somewhere either at share level or NTFS level

2) If your drives will map but you will receive access denied (or similar) when accessing check NTFS privileges

3) If they won't map there might be a problem with the user being local admin on the workstation (or domain admin) and it won't map automatically due to privilege elevation levels.

Hope this helps

Author Comment

ID: 38318608

- I cannot read the video. Please summarize if you may

hypercat & intelligence,
- The above users (jblack and pbrown) are only "domain user"
- OK, I add them to the Local Administrator of the workstation and test again --> the same result; I cannot see the network drive

To confirm further, I go to the Profile tab of the above users
- I disable the GPO firstly ...
- I put the login.bat at this profile tab of each user
- And when I log in again (just as a domain user) as jblack or pbrown, I can see the 3 network drives

So the above approaches are not working.


Expert Comment

by:Hypercat (Deb)
ID: 38320334
Remove the user from the local admins group - you don't want them there. I was asking because if they are local admins this can cause problems with group policy processing, so you want them to be in the local Users group not local admins.

This may seem like a silly question - but in your description of how you set up the GPO, I'm not sure that you set up the GPO so that the login.bat file is in the proper location. It sounds to me as though the batch file isn't being processed because it isn't properly configured in the policy.  Is the login.bat script in the Scripts folder in the GPO - it has to be in that specific scripts folder, OR you have to point the GPO to the Scripts folder where it resides.  Please do a screen capture of the Scripts dialog box and one of the location in your file system where the login.bat file is saved, and post them.

Also, have you checked the event log on the workstation to see if there are any group policy processing errors?

Author Comment

ID: 38327384
Please see the attachment. I take out the user from the Local admin group. I checked whether the GPO is enforced (gpupdate /force and gpresult); yes, the gpo is enforced.
Please do some adjustment. The Domain here is "Covina-W2k8.com" (Not Boba.com); the file server is aoafilesrv (not "bobafilesrv").
Here is the screenshot (pls see the attachment). I hope you can get ideas to make this GPO work. Note: The login script's name is "pause.bat" (not login.bat as I mentioned in the question above). Thank you


Accepted Solution

Hypercat (Deb) earned 2000 total points
ID: 38329387
I think the path you've got listed for the location of your script is the problem.  Here's what I would recommend doing:

1.  Make a copy of your pause.bat file and put it on the desktop of the machine you're using to manage group policies.
2.  Open the Test policy properties and open the Logon Properties dialog box.
3.  Remove the current path you have listed for the location of the script.
4.  Click the Show Files button in the dialog box.  Copy and paste the batch file from your desktop into the default script folder location that you just opened. Close the file system window and go back to the Logon Properties dialog box.
5.  Click the Add button, then click the Browse button under "Script Name."
6.  Select the login.bat file shown in the browse window and then click Open. The script name now shows in the "Add a Script" dialog box.  Click OK.
7. Click OK to accept the change and close the Logon Properties dialog box.

Now retest and see if the group policy works.
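
Added example (not part of the original thread or of the accepted answer): a PowerShell check of the condition the answer describes, that the script a GPO references actually exists where the GPO points. It assumes the GroupPolicy module (GPMC/RSAT) is installed; the function name Test-GpoLogonScript is hypothetical, and 'Login script' is the GPO name from the question.

```powershell
Import-Module GroupPolicy

function Test-GpoLogonScript {
    param([Parameter(Mandatory)] [string] $GpoName)

    $gpo = Get-GPO -Name $GpoName -ErrorAction Stop

    # User scripts of a GPO live under its SYSVOL folder: ...\Policies\{GUID}\User\Scripts
    $scriptsRoot = '\\{0}\SYSVOL\{0}\Policies\{1}\User\Scripts' -f $gpo.DomainName, $gpo.Id.ToString('B')
    $ini = Join-Path $scriptsRoot 'scripts.ini'
    if (-not (Test-Path -LiteralPath $ini)) {
        Write-Warning "No scripts.ini found in $scriptsRoot"
        return
    }

    $section = ''
    foreach ($line in Get-Content -LiteralPath $ini) {
        # scripts.ini has [Logon] / [Logoff] sections with entries such as 0CmdLine=login.bat
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($section -ne 'Logon' -or $line -notmatch '^\d+CmdLine=(.+)$') { continue }

        $cmd = $Matches[1].Trim()
        # A bare file name resolves relative to the GPO's own Logon folder
        # (the folder the "Show Files" button opens); a full path is used as written.
        $resolved = if ([System.IO.Path]::IsPathRooted($cmd)) { $cmd }
                    else { Join-Path (Join-Path $scriptsRoot 'Logon') $cmd }

        [pscustomobject]@{
            Gpo          = $gpo.DisplayName
            CmdLine      = $cmd
            ResolvedPath = $resolved
            # Checked from the machine running this function
            Exists       = Test-Path -LiteralPath $resolved
            # A drive-letter path is evaluated on the workstation at logon,
            # so a path that exists only on the Domain Controller will not be found there.
            DriveLetterPath = $cmd -match '^[A-Za-z]:\\'
        }
    }
}

# GPO name taken from the question
Test-GpoLogonScript -GpoName 'Login script'
```

A row with Exists set to False, or with DriveLetterPath set to True, points at the script location rather than at permissions or policy scope.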

Question has a verified solution.