Logon Scripts on a Windows Server

Understanding logon scripts

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2


A logon script runs automatically whenever a user logs on to a computer running a member of the Windows Server 2003 family of operating systems. The script can contain operating system commands, such as those that make network connections or start programs. Logon scripts can also set environment variables to specify information such as the computer search path and the directory for temporary files. A logon script is usually a batch file (.bat or .cmd file name extension), but any executable program can be used.

Logon scripts are optional. You can use them to configure user working environments by creating network connections and starting programs. Logon scripts are useful when you want to affect the user work environment without managing all aspects of it.

Script files are text files that contain script commands. The Windows Server 2003 family of operating systems supports these types of scripts:

  • Batch file commands are stored in text files with the .bat or .cmd file name extension. Batch files automate simple series of tasks that would otherwise be run from a command line. Scripts written using batch file commands are run by the command shell. For more information about the command shell, see Command shell overview.
  • Visual Basic Scripting Edition (VBScript) commands are stored in text files with the .vbs file name extension, and JScript commands are stored in text files with the .js file name extension. VBScript and JScript allow the administrator to construct sophisticated scripts. The Windows Script Host can run these scripts from the desktop of the computer, or from a command line. For more information about the Windows Script Host, see Windows Script Host.

After you create a logon script, you can assign it to one or more local users, sites, domains, or organizational units (OUs).

For more information about specific tasks related to assigning scripts, see Logon Scripts How To….






Logon script assignment

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2


On computers running operating systems in the Windows Server 2003 family, you can assign a logon script to a user account. When a user logs on and a path to a logon script is present in the user account, the file is located and run.

You can also assign logon and logoff scripts, and computer startup and shutdown scripts by using the Group Policy snap-in. These scripts apply to the entire scope of users and computers for which a particular Group Policy object applies.

In Computer Management, you can use the User Property dialog box to assign logon scripts to user accounts by typing the file name (for example, Clerks.bat) in the Logon script text box. At logon, the server authenticating the logon locates an assigned logon script. It looks for the specified file following the local logon script path on the server (usually %systemroot%\SYSVOL\sysvol\domain_name\scripts). If a relative path is provided before the file name (for example, Admins\User1.bat), the server looks for the logon script in that subdirectory of the logon script path.

The entry in the Logon Script text box specifies only the file name (and, optionally, the relative path) and does not create the actual logon script. You create a logon script with the specified name and place it in the appropriate directory on the appropriate replication export server.

You can place a logon script in a local directory on a user’s computer. You would typically use this location, however, when you are administering user accounts that exist on a single computer rather than in a domain. This logon script runs only when a user logs on locally to the computer and does not run when the user logs on to the domain. You must place the logon script using the computer’s logon script path or in a subdirectory of that logon script path. The default location for local logon scripts is the %systemroot%\System32\Repl\Imports\Scripts folder. This folder is not created on a new installation of Windows XP. A folder must be created and shared with the name netlogon; for step-by-step instructions, see Share a folder or drive. The NTFS permissions of this folder should allow users and server operators only read and execute permissions, and should allow administrators full control. The folder is created and shared automatically on domain controllers, so you should not attempt to create a netlogon folder on a domain controller manually.

For more information, see: Logon Scripts How To…, Group Policy overview, and Privileges.






Creating logon scripts


Updated: January 21, 2005

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2


You can use logon scripts to assign tasks that will be performed when a user logs on to a particular computer. The scripts can carry out operating system commands, set system environment variables, and call other scripts or executable programs. The Windows Server 2003 family supports two scripting environments: the command processor runs files containing batch language commands, and Windows Script Host (WSH) runs files containing Microsoft Visual Basic Scripting Edition (VBScript) or JScript commands. You can use a text editor to create logon scripts. Some tasks commonly performed by logon scripts include:

  • Mapping network drives.
  • Installing and setting a user’s default printer.
  • Collecting computer system information.
  • Updating virus signatures.
  • Updating software.

The following example logon script contains VBScript commands that use Active Directory Service Interfaces (ADSI) to perform three common tasks based on a user’s group membership:

  1. It maps the H: drive to the home directory of the user by calling the WSH Network object’s MapNetworkDrive method in combination with the WSH Network object’s UserName property.
  2. It uses the ADSI IADsADSystemInfo object to obtain the current user’s distinguished name, which in turn is used to connect to the corresponding user object in Active Directory. Once the connection is established, the list of groups the user is a member of is retrieved by using the user’s memberOf attribute. The multivalued list of group names is joined into a single string by using VBScript’s Join function to make it easier to search for target group names.
  3. If the current user is a member of one of the three groups defined at the top of the script, then the script maps the user’s G: drive to the group shared drive, and sets the user’s default printer to be the group printer.

To create an example logon script

  1. Open Notepad.
  2. Copy and paste, or type, the following:
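    Const ENGINEERING_GROUP     = "cn=engineering"
    Const FINANCE_GROUP         = "cn=finance"
    Const HUMAN_RESOURCES_GROUP = "cn=human resources"

    ' Map H: to the user's home directory.
    Set wshNetwork = CreateObject("WScript.Network")
    wshNetwork.MapNetworkDrive "h:", _
        "\\FileServer\Users\" & wshNetwork.UserName

    ' Bind to the current user's object by distinguished name.
    Set ADSysInfo = CreateObject("ADSystemInfo")
    Set CurrentUser = GetObject("LDAP://" & ADSysInfo.UserName)

    ' Join the memberOf values into one lower-case string for searching.
    strGroups = LCase(Join(CurrentUser.MemberOf))

    ' The Engineering and Finance share paths below are placeholders;
    ' this copy of the script shows only the Human Resources path.
    If InStr(strGroups, ENGINEERING_GROUP) Then
        wshNetwork.MapNetworkDrive "g:", _
            "\\FileServer\Engineering\"
    ElseIf InStr(strGroups, FINANCE_GROUP) Then
        wshNetwork.MapNetworkDrive "g:", _
            "\\FileServer\Finance\"
    ElseIf InStr(strGroups, HUMAN_RESOURCES_GROUP) Then
        wshNetwork.MapNetworkDrive "g:", _
            "\\FileServer\Human Resources\"
    End If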
  3. On the File menu, click Save As.
  4. In Save in, click the directory that corresponds to the domain controller’s Netlogon shared folder (usually SystemRoot\SYSVOL\Sysvol\DomainName\Scripts, where DomainName is the domain’s fully qualified domain name).
  5. In Save as type, click All Files.
  6. In File name, type a file name, followed by .vbs, and then click Save. WSH uses the .vbs extension to identify files that contain VBScript commands.


  • To open Notepad, click Start, point to All Programs, point to Accessories, and then click Notepad.
  • To use the example logon script, you need to change the group names, network drive letters, and Universal Naming Convention (UNC) paths to match your system environment.
  • To run a logon script, you need to assign the script to a user or a group. For more information, see Assign a logon script to a user or group.
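
The sample script tests membership with InStr over the joined memberOf string, so "cn=finance" also matches a group named, say, "CN=Finance Auditors", and Join raises a type mismatch when memberOf holds zero or one value. The following added example (not part of the original sample) compares the first RDN of each group DN exactly; the helper names GetGroupDNs, FirstRdnValue and IsDirectMember are introduced here for illustration, and the Finance share path is a placeholder.

```vbscript
Option Explicit
' Group names come from the sample above, compared without the "cn=" prefix.
Const FINANCE_GROUP         = "finance"
Const HUMAN_RESOURCES_GROUP = "human resources"

' Return memberOf as an array whether it holds zero, one or many values.
' memberOf lists direct memberships only (no nested or primary group).
Function GetGroupDNs(objUser)
    Dim v
    On Error Resume Next          ' an unset attribute may raise an error
    v = objUser.MemberOf
    On Error GoTo 0
    If IsArray(v) Then
        GetGroupDNs = v
    ElseIf IsEmpty(v) Or IsNull(v) Then
        GetGroupDNs = Array()
    Else
        GetGroupDNs = Array(v)    ' a single value arrives as a string
    End If
End Function

' Lower-cased value of the first RDN: "CN=Finance,OU=Groups,..." -> "finance".
' A backslash escapes the next character, so "\," does not end the RDN.
Function FirstRdnValue(strDN)
    Dim i, ch, rdn
    i = 1
    Do While i <= Len(strDN)
        ch = Mid(strDN, i, 1)
        If ch = "," Then Exit Do
        If ch = "\" And i < Len(strDN) Then
            i = i + 1
            ch = Mid(strDN, i, 1)
        End If
        rdn = rdn & ch
        i = i + 1
    Loop
    FirstRdnValue = LCase(Mid(rdn, InStr(rdn, "=") + 1))
End Function

' True only when one group's own name equals strGroupName exactly.
Function IsDirectMember(arrDNs, strGroupName)
    Dim dn
    IsDirectMember = False
    For Each dn In arrDNs
        If FirstRdnValue(dn) = LCase(strGroupName) Then IsDirectMember = True
    Next
End Function

Dim wshNetwork, ADSysInfo, CurrentUser, arrGroups
Set wshNetwork = CreateObject("WScript.Network")
Set ADSysInfo = CreateObject("ADSystemInfo")
Set CurrentUser = GetObject("LDAP://" & ADSysInfo.UserName)
arrGroups = GetGroupDNs(CurrentUser)
If IsDirectMember(arrGroups, FINANCE_GROUP) Then
    ' Placeholder share path (not shown on the page).
    wshNetwork.MapNetworkDrive "g:", "\\FileServer\Finance\"
ElseIf IsDirectMember(arrGroups, HUMAN_RESOURCES_GROUP) Then
    wshNetwork.MapNetworkDrive "g:", "\\FileServer\Human Resources\"
End If
```

A drive mapping only exposes a path; access to the share itself still depends on the share and NTFS permissions granted to the group.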

For more information about creating and using logon scripts, see Logon Scripts, Windows Script at the Microsoft Web site, and the Microsoft Windows Resource Kits Web site.

Information about functional differences

  • Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. For more information, see Viewing Help on the Web.









Using Logon Scripts in Pure and Mixed Active Directory Environments

This article looks at the differences in implementing logon scripts in pure and mixed Active Directory environments, including how to use Group Policy to assign scripts and how to run Windows Script Host (WSH) scripts from batch files.

Logon scripts can be useful tools for configuring desktop environments for users. Some of the things such scripts can be used for include mapping network drives, connecting to shared printers, gathering system information, synchronizing system clocks, and so on. In fact, just about anything you can do from the command-line can be done using a logon script.

Logon scripts have been around for a while and most administrators of Windows-based networks have had occasion to use them. On Windows NT domain-based networks things were simple: if a user needed to have his environment configured using a logon script, the administrator would first write a logon script using the batch programming language, which has been around since the days of MS-DOS. Once written, this script was saved using a .bat extension to make it executable, but to make it work for a particular user the script needed to be found in the NETLOGON share of the domain controller to which the user’s account was authenticated. In Windows NT this NETLOGON share corresponded to the %systemroot%\system32\repl\import\scripts folder, and by placing the script in this folder on the PDC it was automatically replicated to all BDCs in the domain. Once this was done, the administrator only had to add the name of the script to the Logon Script Name field on the User Environment Profile dialog box using User Manager for Domains.

Then Windows 2000 came along, with its support for assigning logon scripts using Group Policy and its built-in support for Windows Script Host (WSH) as an alternative for traditional batch scripts. While WSH lets you create much more powerful logon scripts and Group Policy lets you manage logon scripts more easily, a problem arises when your networking environment has a mix of desktops that include legacy platforms like Windows 95/98 and Windows NT 4.0 Workstation. The rest of this article provides some suggestions for managing logon scripts in both a mixed (Windows 2000/XP/2003 and legacy Windows 95/98/NT) environment and a pure Windows 2000 (or later) environment. 

Using Logon Scripts in a Mixed Environment

By “mixed environment” I mean a mixture of Windows clients that support Group Policy (Windows 2000/XP/2003) and those that don’t (Windows 95/98/NT). Managing logon scripts in environments that include Linux/UNIX or Mac desktops is beyond the scope of this discussion. For simplicity, we’ll focus here on Active Directory environments that have domain controllers running Windows 2000 Server and/or Windows Server 2003 and a mix of current and legacy Windows desktops.

Let’s say you want to use a logon script in a mixed environment to configure users’ desktop environments by mapping a drive letter to a network share. A simple batch file logon script that does this might look like this:

        @echo off
        net use x: \\filesrv\budgets

To use this script, type it into Notepad and save it as logon.bat or something similar. Then put the script into the NETLOGON share on a domain controller, which on domain controllers running Windows 2000/2003 can be found at %systemroot%\sysvol\sysvol\<domain_DNS_name>\scripts, as shown in Figure 1:

Figure 1: Location of NETLOGON share on Windows 2000/2003 domain controllers

Once this script is placed in the NETLOGON share it will automatically replicate to all domain controllers in the mynewforest.com domain.

The next step is to assign the logon script to the user accounts of users who need to have the script run on their desktop machines. To get the script to run on Bob Smith’s machine, for example, use Active Directory Users and Computers to open the Properties sheet for the User object representing Bob Smith and select the Profile tab. Then simply type the name of the script in the Logon Script field as shown in Figure 2 below. Note that if you store your logon script in a share other than NETLOGON, you should instead type the full UNC path to the script in the Logon Script field, and make sure the script replicates to all your domain controllers.

    Figure 2: Assigning a logon script to user Bob Smith

If you want to leverage the power of Windows Script Host in a mixed environment, you can do so in two ways:

    * Download and install the appropriate Directory Services Client (DSClient) for Windows 95/98 or Windows NT. DSClient allows these legacy Windows platforms to participate in an Active Directory environment and they include support for WSH and VBScript. To obtain DSClient for the appropriate platform, see article 288358 in the Microsoft Knowledge Base.
    * Download and install Windows Script Host for Windows 95/98/NT. Doing this lets you run VBScript scripts on these platforms, but it doesn’t give you ADSI functionality so this limits the usefulness of WSH for scripting purposes. You can obtain WSH for Windows 95/98/NT from the Microsoft Download Center.

Either way, once your legacy Windows desktops support WSH you can write your logon scripts in the more powerful VBScript language instead of the limited batch programming language. Unfortunately, in a mixed environment you can’t directly assign a .vbs script to a user account on the Profile tab as shown in Figure 2 above as this won’t work on legacy Windows clients. The workaround to this problem is to do the following:

   1. Write your logon script using VBScript and save it with a .vbs extension, for example logon.vbs.
   2. Store your logon.vbs file in the NETLOGON share on your domain controller.
   3. Use the batch programming language to write a traditional logon script that calls your logon.vbs script and save it with a .bat extension, for example logon.bat.
   4. Store your logon.bat file also in the NETLOGON share on your domain controller.
   5. Assign logon.bat on the Profile tab of each user account, as shown in Figure 2 above.

A simple logon.bat script that calls a logon.vbs script would be the following:

        @echo off
        wscript %0\..\logon.vbs

And a simple logon.vbs script that maps the x: drive to the \\filesrv\budgets share would be:

        Dim wshNetwork
        Set wshNetwork = CreateObject("Wscript.Network")
        wshNetwork.MapNetworkDrive "x:", "\\filesrv\budgets"

Now when Bob logs on to his machine, logon.bat executes and calls logon.vbs which maps x: drive to the budgets share as desired. And this will work on both your legacy Windows 95/98/NT desktops and your newer Windows 2000/XP desktops. 

Using Logon Scripts in a Windows 2000 or Later Environment

If all your desktops are running Windows 2000 or later, then the first thing you should do is forget the Profile tab as far as logon scripts are concerned. In fact, forget the Profile tab entirely as the fields on this tab are provided only for downlevel (Windows NT or earlier) environments. Instead, use Group Policy to assign your logon scripts, which is a far more powerful and flexible approach than what the Profile tab provides. Furthermore, forget the batch programming language and use VBScript to write your logon scripts as this lets you create far more powerful scripts than batch scripts. If you haven’t yet learned VBScript, see the Resources section at the end of this article for some tutorials.

Let’s use our logon.vbs script above that maps a drive and assign it to all our company employees in Winnipeg. The beauty of Active Directory is that you can create organizational units (OUs) for different locations or departments in your company and then create Group Policy Objects (GPOs) and link them to each OU. In Figure 3 you can see that we have three OUs in our mynewforest.com domain: Toronto, Vancouver, and Winnipeg:

    Figure 3: Users in the Winnipeg OU need a logon script assigned to map a network drive

To assign logon.vbs to the users in Winnipeg, right-click on the Winnipeg OU and select Properties. Then select the Group Policy tab, where you can see we’ve already created a new GPO named WinnipegGPO and linked it to this OU (Figure 4):

    Figure 4: The WinnipegGPO is linked to the Winnipeg OU

Click Edit to open the WinnipegGPO and navigate to User Configuration\Windows Settings\Scripts as in Figure 5 below:

    Figure 5: Policy settings for assigning logon and logoff scripts

Now right-click on Logon in the right-hand pane and select Properties (Figure 6):

    Figure 6: Assigning a new logon script using the WinnipegGPO

Click the Show Files button to open the default folder where logon scripts assigned using Group Policy are stored on your domain controller (Figure 7):

    Figure 7: Default folder where logon scripts assigned using Group Policy are stored on a domain controller

Note from this figure that logon scripts assigned using Group Policy are stored in a subfolder of the SYSVOL share on your domain controllers. This subfolder of SYSVOL is named \sysvol\<domain_DNS_name>\<policy_GUID>\user\scripts\logon and the contents of this folder (being in SYSVOL) are automatically replicated to all domain controllers in the domain.

Now, using Windows Explorer, find the logon.vbs script we created earlier and press CTRL+C to copy it to the clipboard. Then return to the folder in Figure 7 above and press CTRL+V to copy logon.vbs into the folder where it needs to be. Close the folder window, return to the Logon Properties dialog box shown in Figure 6, and click the Add button to open the Edit Script dialog box. In the Script Name field, type logon.vbs, the name of the script you want to assign (Figure 8):

    Figure 8: Assign the logon script

Click OK twice and the script has been assigned. Now once Group Policy refreshes on Bob’s machine, the next time he logs on to his machine he’ll see X: drive when he opens My Computer or Windows Explorer.


If you want to learn how to start writing WSH scripts using VBScript, or find some useful scripts others have already developed, here are a few resources to check out:

    * Scripting on MSDN
    * Script Center on TechNet
    * VBScript Primer
    * WSH Primer
    * VBScript User’s Guide
    * VBScript Language Reference