Scott Borison asked:

How can I run a domain logon script on recent versions of Windows 10?

A logon script that used to run on domain computers no longer runs at logon.  From the web I learned that this might be an issue on Windows 10 Version 1909 and later. I can "see" the NETLOGON folder and the script from the network. I can open NETLOGON and run the script.  But I can't get it to run at logon. I need this or some other means of loading templates to the domain computers.

Tags: Windows OS, Windows 10, Networking


8/22/2022 - Mon
Seth Simmons

"But I can't get it to run at logon."

How have you been running the script?
Did you try putting pause as the last line of the script so you can see the window output and any errors?

arnold

What do the scripts do?
You might have blocked it by software policy.
You could use PowerShell scripts. No info to which to respond.

Logon scripts should not be referring to an external share location; they should be contained within the GPO from which they are triggered. Copy the netlogon script into the GPO where you want it to run: login scripts, show files, paste the file here and it should run.

Peter Hutchison

Scripts should be run from the DC's NetLogon share or from within the policy (GPOs) folder on the DC.
i.e. \\server\SYSVOL\<fqdn>\Policies\<policy number>\User.


McKnife

For decades, logon scripts run invisibly and also with a 5 minute delay.

Google "login script delay" for a how-to about disabling that delay.

Robert

There are several ways to run a logon script i.e. GPO, properties on AD account, Local machine policy, local startup.
First thing to do is determine the method and check that nothing has changed around that.

Do you know if it is actually not running or is it running and then generating an error?
If it is not running, it could be that something on permissions changed, or it could indicate that the initiation method changed (i.e. AD account properties).
If it is actually running and just erroring, it would be a matter of debugging the script.

arnold

@peter, no disagreement there. ADUC property logon_script will run from netlogon.
The issue I think with running logon scripts from GPOs that reference netlogon scripts might be what breaks with the newer security implementations.
i.e. a GPO process triggers an access restriction by using a UNC to run a script....

ASKER
Scott Borison

My expertise is a little short on some of these comments, so let me see if I can ask the right question(s).
1. I have not tried pause, although it appears the script doesn't start at all.
2. The script is to write a bunch of templates into a folder to be used by WORD. And it does so fine if I just launch it from the netlogon folder visible on my network.
3. I tried changing the logon script delay.

@arnold I think you mean there should be no mention of logon scripts in the GPO. That the logon script in NETLOGON runs at logon, and that maybe my attempts to make it run via GPO break the security features of the client. So I should purge any references to a logon script from my GP. There are some as part of my efforts to fix the problem.

arnold

To clarify,

You have one central login script that can be run out of the netlogon folder when the logon script is set as part of a user's ADUC setting.

You can also run an unlimited number of login scripts that are part of a USER GPO policy.
I think the USER GPO based login script needs to be stored within the confines of the GPO such that it is seen as a local script versus remote.

What does the script do?
Is it using xcopy \\somepath\someshare\somefile %userprofile%\appdata\local\microsoft\ etc?

At the top of your login script do you have @echo off?

Does your setup require synchronized application of policies or asynchronous?

Might the GPO you think applies actually not apply?

You might be able to use Group Policy Preferences to push files to user.

Not sure what files/templates you are pushing.
Might it benefit if the templates are actually pushed to the Public user on each workstation/computer that will make a single copy available to all users on the system?
The other possibility is the file is already present and the option you are using does not overwrite an existing file.....

McKnife

Test with another script in a test GPO for a test user. Let it create a folder on the desktop:
md "%userprofile%\desktop\test"


If that folder gets created shortly after logon, scripts via GPO work.

Then you'll need to add logging to your script. Simply redirect the output to a file
Copy...>%userprofile%\desktop\log.txt

ASKER
Scott Borison

@arnold I just have one script, and it runs a robocopy. That writes, overwrites, etc. as it should if I just run the script. Maybe the ADUC setting is incorrect? If I interpret this right, then perhaps the right thing is to remove all references to the script in NETLOGON as a GPO, or GPOs, since I've been messing with it so much.


McKnife

Other references will not disturb the script. If it runs twice, so be it, it still works.

Please add a line that allows you to verify if it is running after all, like the one I wrote down.
ASKER CERTIFIED SOLUTION
arnold

Log in or sign up to see answer

arnold

Another thought, robocopy might not be in the path on logon.

Try using the full path
C:\windows\system32\robocopy and see if that makes a difference.

ASKER
Scott Borison

I was asking the wrong set of questions and was confused about where the logon script exists. The hint was about ADUC, and sure enough I now see that is set in the user profile. Thank you.
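
Added example, not part of the original thread: the places a logon script can be configured that come up above (the ADUC "Logon script" field, a user GPO, the startup folders) listed in one pass with PowerShell, run as the affected user on the client. The HKCU registry key read for GPO-delivered scripts and the use of %LOGONSERVER% to reach NETLOGON are assumptions about a standard domain-joined Windows 10 client.

```powershell
# Added diagnostic sketch: where is a logon script configured for this user?
# Run in the affected user's session on the domain-joined client.

# 1. ADUC "Logon script" field = scriptPath attribute, relative to NETLOGON.
$searcher = [adsisearcher]"(&(objectCategory=person)(sAMAccountName=$env:USERNAME))"
[void]$searcher.PropertiesToLoad.Add('scriptpath')
$entry = $searcher.FindOne()
$scriptPath = if ($entry) { $entry.Properties['scriptpath'] | Select-Object -First 1 }
if ($scriptPath) {
    # Assumption: the logon server's NETLOGON share is where the file lives.
    $full = "${env:LOGONSERVER}\NETLOGON\$scriptPath"
    "ADUC scriptPath : $scriptPath (readable: $(Test-Path -LiteralPath $full))"
} else {
    'ADUC scriptPath : <not set>'
}

# 2. Logon scripts delivered by Group Policy, as recorded for this user
#    after policy processing (one subkey per GPO, one per script).
$gpoKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logon'
if (Test-Path -LiteralPath $gpoKey) {
    foreach ($gpo in Get-ChildItem -LiteralPath $gpoKey) {
        $gpoName = (Get-ItemProperty -LiteralPath $gpo.PSPath).DisplayName
        foreach ($item in Get-ChildItem -LiteralPath $gpo.PSPath) {
            $p = Get-ItemProperty -LiteralPath $item.PSPath
            "GPO logon script: $($p.Script) $($p.Parameters) [GPO: $gpoName]"
        }
    }
} else {
    'GPO logon script: <none recorded>'
}

# 3. Per-user and all-users Startup folders (the "local startup" method).
foreach ($folder in 'Startup', 'CommonStartup') {
    $dir = [Environment]::GetFolderPath($folder)
    Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue |
        ForEach-Object { "Startup folder  : $($_.FullName)" }
}
```

If the first section prints a script name while the second prints nothing, the script is being launched from the user account's properties rather than from a GPO, which is the situation the asker describes in the final post.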