Question asked by Scott Borison:
How can I run a domain logon script on recent versions of Windows 10?

A logon script that used to run on domain computers no longer runs at logon. From the web I learned that this might be an issue on Windows 10 Version 1909 and later. I can "see" the NETLOGON folder and the script from the network. I can open NETLOGON and run the script. But I can't get it to run at logon. I need this or some other means of loading templates to the domain computers.

Seth Simmons:

"But I can't get it to run at logon."

How have you been running the script?
Did you try putting pause as the last line of the script so you can see the window output and any errors?

What do the scripts do?
You might have blocked it by software policy.
You could use PowerShell scripts. No info to which to respond.

Logon scripts should not refer to an external share location; they should be contained within the GPO from which they are triggered. Copy the netlogon script into the GPO where you want it to run (Logon scripts, Show Files), paste the file there, and it should run.
Scripts should be run from the DC's NetLogon share or from within the policy (GPOs) folder on the DC,
i.e. \\server\SYSVOL\<fqdn>\Policies\<policy number>\User.


For decades, logon scripts have run invisibly and also with a 5-minute delay.

Google "login script delay" for a how-to about disabling that delay.
There are several ways to run a logon script, i.e. GPO, properties on the AD account, local machine policy, local startup.
The first thing to do is determine the method and check that nothing has changed around that.

Do you know if it is actually not running, or is it running and then generating an error?
If it is not running, it could be that something in permissions changed, or it could indicate that the initiation method changed (i.e. AD account properties).
If it is actually running and just erroring, it would be a matter of debugging the script.
@peter, no disagreement there. The ADUC property logon_script will run from netlogon.
The issue, I think, with running logon scripts from GPOs that reference netlogon scripts might be what breaks with the newer security implementations,
i.e. a GPO process triggers an access restriction by using a UNC to run a script.
Scott Borison (asker):
My expertise is a little short on some of these comments, so let me see if I can ask the right question(s).
1. I have not tried pause, although it appears the script doesn't start at all.
2. The script is to write a bunch of templates into a folder to be used by Word. And it does so fine if I just launch it from the netlogon folder visible on my network.
3. I tried changing the logon script delay.

@arnold I think you mean there should be no mention of logon scripts in the GPO. That the logon script in NETLOGON runs at logon, and that maybe my attempts to make it run via GPO break the security features of the client. So I should purge any references to a logon script from my GP. There are some as part of my efforts to fix the problem.
To clarify:

You have one central login script that can be run out of the netlogon folder when the logon script is set as part of a user's ADUC setting.

You can also run an unlimited number of login scripts that are part of a USER GPO policy.
I think the USER GPO based login script needs to be stored within the confines of the GPO such that it is seen as a local script versus a remote one.

What does the script do?
Is it using xcopy \\somepath\someshare\somefile %userprofile%\appdata\local\microsoft\ etc.?

At the top of your login script do you have @echo off?

Does your setup require synchronous application of policies or asynchronous?

Might the GPO you think applies actually not apply?

You might be able to use Group Policy Preferences to push files to the user.

Not sure what files/templates you are pushing.
Might it benefit if the templates are actually pushed to the Public user on each workstation/computer? That will make a single copy available to all users on the system.
The other possibility is the file is already present and the option you are using does not overwrite an existing file.
Test with another script in a test GPO for a test user. Let it create a folder on the desktop:

    md %userprofile%\desktop\test

If that folder gets created shortly after logon, scripts via GPO work.

Then you'll need to add logging to your script. Simply redirect the output to a file:

    Copy...>%userprofile%\desktop\log.txt

@arnold I just have one script, and it runs a robocopy. That writes, overwrites, etc. as it should if I just run the script. Maybe the ADUC setting is incorrect? If I interpret this right, then perhaps the right thing is to remove all references to the script in NETLOGON as a GPO, or GPOs, since I've been messing with it so much.


Other references will not disturb the script. If it runs twice, so be it, it still works.

Please add a line that allows you to verify if it is running after all, like the one I wrote down.
ASKER CERTIFIED SOLUTION by arnold (solution text available to members only)
Another thought: robocopy might not be in the path at logon.

Try using the full path
C:\windows\system32\robocopy and see if that makes a difference.
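As an added example (not code from anyone in the thread), here is a batch logon script that follows the advice above: it appends a timestamped line to a log file on the desktop so you can tell whether it ran at all, checks that the NETLOGON source is reachable, and calls robocopy by its full path. The share path \\%USERDNSDOMAIN%\NETLOGON\Templates is an assumption for this example; the destination is Word's per-user templates folder, %APPDATA%\Microsoft\Templates.

```batch
@echo off
REM Added example, not from the thread: logs whether the script started and
REM copies Word templates with a full-path robocopy so PATH at logon does not matter.
REM Assumed source (constructed): \\%USERDNSDOMAIN%\NETLOGON\Templates
REM Destination: Word's per-user templates folder.
setlocal
set "SRC=\\%USERDNSDOMAIN%\NETLOGON\Templates"
set "DST=%APPDATA%\Microsoft\Templates"
set "LOG=%USERPROFILE%\Desktop\logon-script.log"

REM Write identity and time first, so the log proves the script ran even if the copy fails.
>>"%LOG%" echo ==== %DATE% %TIME% user=%USERNAME% computer=%COMPUTERNAME% script=%~f0

REM A source share that is not reachable at logon is a common reason for a silent script.
if not exist "%SRC%\" (
    >>"%LOG%" echo ERROR: source "%SRC%" not reachable
    exit /b 1
)
if not exist "%DST%" mkdir "%DST%"

REM Full path to robocopy; /E copies subfolders, /XO skips files already newer locally,
REM /R:1 /W:1 keeps one failed file from stalling logon, /NP /LOG+ appends quiet output to the log.
"%SystemRoot%\System32\robocopy.exe" "%SRC%" "%DST%" /E /XO /R:1 /W:1 /NP /LOG+:"%LOG%"
set "RC=%ERRORLEVEL%"

REM Robocopy exit codes 0-7 are success (bits describe what was copied); 8 and above are failures.
if %RC% GEQ 8 (
    >>"%LOG%" echo ERROR: robocopy exit code %RC%
    exit /b %RC%
)
>>"%LOG%" echo OK: robocopy exit code %RC%
endlocal
exit /b 0
```

If the log file never appears after logon, the script is not being launched at all, which points at the ADUC scriptPath or GPO setting rather than at the script's contents.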
I was asking the wrong set of questions and was confused about where the logon script exists. The hint was about ADUC, and sure enough I now see that is set in the user profile. Thank you.