Loginscript versus GPO

Posted on 2012-09-13
Last Modified: 2012-09-21
Please explain loginscript versus GPO.
Probably logonscript was made before GPO's existed? Everything in loginscript can/should be moved to GPO (or CANNOT?).
If you have both, which runs first + will one overwrite the other?

Question by:janhoedt
    LVL 11

    Expert Comment

    Are you trying to compare workstation mode with domain mode login process?

    In a domain, when a user logs on, Group Policy is processed first, and then, depending on what scripts you may have, you can use the script to run at logon as logon scripts.

    Author Comment

    So GPO is always processed first and logonscript can overwrite ... until GPO refreshes (after 15 minutes)?
    LVL 25

    Expert Comment

    The simplest way to think of it is this - Group Policy Objects are basically ways of manipulating the computer or user hives of the registry. These are executed at logon, and then at regular intervals thereafter.

    Logon/startup/shutdown scripts are exactly that - they are scripts (BAT file, VBScript, PowerShell etc.) that execute when certain conditions occur - a computer startup or shutdown event, a user logon or logoff.

    In an ideal world, you should be able to manipulate everything via GPO, but in the world we really live and work in, some things just can't be manipulated this way - as an example, the library views in Windows 7/2008 R2 are registry keys that have no associated GPOs so for one customer I've just had to write a login script that loops through them when a user logs on and removes the public folders from the users' documents library view. Mapping different drives based on user group is another example.

    If it's possible to do via GPO or GPP then that is preferable, but if not, then scripts can help. Usually :-)
    LVL 57

    Expert Comment

    by:Mike Kline
    So there is no rule that you have to move login scripts to a GPO (group policy preferences). You can go that way. I would start to go that way, but in my last job we had a 3000 line login script that had grown over 9 years... that was not something we could easily move.

    The login script in the user's account properties will run first.  


    LVL 25

    Expert Comment

    Oh and you define which scripts run via group policy, by the way, but these are again just basically registry entries and will be executed during / after group policy processing.

    And yes, an update to a group policy may well update and therefore change a setting defined in a script.
    LVL 25

    Expert Comment

    Group policies tend to give the perception of being quicker and of course if you edit them, they apply without a logoff or reboot (most times - some settings will still require this).

    But if you have a complex login script that is quick enough to run and your users are happy with, there is no definable requirement to change except perhaps to streamline it and for neatness.

    As I say, in most instances you will have both in your environment.
    LVL 16

    Expert Comment

    Usually with GPO's you will assign a startup / login script for the user config or computer config.  Login scripts attached to the domain level will fire, but if there are other login scripts in the GPO settings down below linked to OU's then they will get fired next.

    I will link login scripts in the GPO for OU's that I want to capture data or map drives, etc....
    LVL 26

    Accepted Solution

    by: janhoedt Posted on 2012-09-14 at 13:09:39 ID: 38398661
    So GPO is always processed first and logonscript can overwrite ... until GPO refreshes (after 15 minutes)?

    Yes, you are correct.
    GPO's are applied based on the domain hierarchy and placement of GPO's.
    The Computer policies are applied when the computer starts and before the user logs on.
    Once the user logs on, the User policies are applied and then the logon script runs.
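
The thread mentions two places a logon script can come from: the user's account properties and scripts assigned through Group Policy, which end up as registry entries. The following read-only PowerShell is an added example, not code from any poster, that lists both for the currently logged-on user; the registry path and value names (`DisplayName`, `Script`, `Parameters`) are stated from general knowledge of current Windows versions rather than from the thread, and the function names are hypothetical.

```powershell
# Added example: inventory both logon-script sources for the current user.
# Read-only. Run inside the user's session on a domain-joined machine.

function Get-LegacyLogonScript {
    # scriptPath attribute on the AD user object (the account's profile properties).
    $filter   = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$env:USERNAME))"
    $searcher = [adsisearcher]$filter
    [void]$searcher.PropertiesToLoad.Add('scriptpath')
    $result = $searcher.FindOne()
    if ($result -and $result.Properties['scriptpath'].Count -gt 0) {
        [pscustomobject]@{
            Source     = 'User account (scriptPath)'
            GPO        = $null
            Script     = [string]$result.Properties['scriptpath'][0]
            Parameters = $null
        }
    }
}

function Get-GpoLogonScript {
    # Scripts assigned through Group Policy, as cached in the user's registry hive.
    $root = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logon'
    if (-not (Test-Path $root)) { return }
    foreach ($gpoKey in Get-ChildItem -Path $root) {
        $gpo = Get-ItemProperty -Path $gpoKey.PSPath
        foreach ($scriptKey in Get-ChildItem -Path $gpoKey.PSPath) {
            $entry = Get-ItemProperty -Path $scriptKey.PSPath
            [pscustomobject]@{
                Source     = 'Group Policy'
                GPO        = $gpo.DisplayName
                Script     = $entry.Script
                Parameters = $entry.Parameters
            }
        }
    }
}

# Combine both sources so overlaps (same drive mapping done twice, etc.) are visible.
@(Get-LegacyLogonScript) + @(Get-GpoLogonScript) |
    Format-Table -Property Source, GPO, Script, Parameters -AutoSize -Wrap
```

An empty result from either function simply means no script is assigned from that source for this user.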
