Loginscript versus GPO

Posted on 2012-09-13
Medium Priority
Last Modified: 2012-09-21
Please explain loginscript versus GPO.
Probably logonscript was made before GPO's existed? Everything in loginscript can/should be moved to GPO (are CANNOT?).
If you have both, which runs first + will one overwrite the other?

Question by:janhoedt

Expert Comment

ID: 38395555
LVL 11

Expert Comment

ID: 38395562
Are you trying to comapre  workstation mode with domain mode Login process?

In a domain when a user logs on,  Group policy is processed fist and then depending on what scripts you may have you can use the script to run at logon as logonscripts.

Author Comment

ID: 38398661
So GPO is always processed first and logonscript can overwrite ... until GPO refreshes (after 15 minutes)?
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

LVL 26

Expert Comment

by:Tony J
ID: 38405849
The simplest way to think of it is this - Group Policy Objects are basically ways of manipulating the computer or user hives of the registry. These are executed at logon, and then at regular intervals thereafter.

Logon/startup/shutdown scripts are exactly that - they are scripts (BAT file, VBScript, PowerShell etc) that execute when certain condition occur - a computer startup or shutdown event, a user logon or logoff.

In an ideal world, you should be able to manipulate everything via GPO, but in the world we really live and work in, some things just can't be manipulated this way - as an example, the library views in Windows 7/2008 R2 are registry keys that have no associated GPOs so for one customer I've just had to write a login script that loops through them when a user logs on and removes the public folders from the users' documents library view. Mapping different drives based on user group is another example.

If it's possible to do via GPO or GPP then that is preferrable but if not, then scripts can help. Usually :-)
LVL 57

Expert Comment

by:Mike Kline
ID: 38405857
So there is no rule that you have to move login scripts to a GPO (group policy preferences).  you can go that way.    I would start to go that way but in my last job we had a 3000 line login script that had grown over 9 years...that was not something we could easily move.

The login script in the user's account properties will run first.  


LVL 26

Expert Comment

by:Tony J
ID: 38405865
Oh and you define which scripts run via group policy, by the way, but these are again just basically registry entries and will be executed during / after group policy processing.

And yes, an update to a group policy may well update and therefore change a setting defined in a script.
LVL 26

Expert Comment

by:Tony J
ID: 38405880
Group policies tend to give the perception of being quicker and of course if you edit them, they apply without a logoff or reboot (most times - some settings will still require this).

But if you have a complex login script that is quick enough to run and your users are happy with there is no definable requirement to change except perhaps to streamline it and for neatness.

As I say, in most instances you will have both in your environment.
LVL 16

Expert Comment

by:Kevin Hays
ID: 38405891
Usually with GPO's you will assign a startup / login script for the user config or computer config.  Login scripts attached to the domain level will fire, but if there are other login scripts in the GPO settings down below linked to OU's then they will get fired next.

I will link login scripts in the GPO for OU's that I want to capture data or map drives, etc....
LVL 26

Accepted Solution

Leon Fester earned 2000 total points
ID: 38409104
by: janhoedtPosted on 2012-09-14 at 13:09:39ID: 38398661
So GPO is always processed first and logonscript can overwrite ... until GPO refreshes (after 15 minutes)?

Yes, you are correct.
GPO's are applied based on the domain hierachy and placement of GPO's
The Computer policies are applied when the Computer starts and before the use logs on.
Once the user logs on, the Use policies are applied and then the logon script runs.

Featured Post

Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs…
Transferring FSMO roles is done when an admin wants to split roles between certain Domain Controllers or the Domain Controller holding the Roles has been forcefully demoted using dcpromo / forceremoval
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Suggested Courses

864 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question