FAQ's

Please send me feedback on other topics and I will add them.  The easiest way to provide feedback is to use our Contact Us page.

You may also find our whitepapers a useful resource.

Disclaimer: Any FAQs below that require system configuration changes should be tested thoroughly in your environment. While I've tested all of these FAQs on my own systems, I make no warranties as to their effects on your environment.

Frequently Asked Questions

FAQ Category: Startup/Shutdown or Logon/Logoff Scripts

Can I copy startup/shutdown or logon/logoff scripts to the local GPO across machines in my environment?

Yes, essentially you need to do three things to activate a script within a local GPO:

1. Copy the script file into the appropriate directory on the local system.
2. Create or modify the scripts.ini file to refer to the script.
3. Modify the gpt.ini file to ensure the local GPO is processed.

For example, if you need to deploy a startup script to a number of systems, you will first need to copy your script file (e.g. .bat, .vbs or other) to %windir%\system32\GroupPolicy\Machine\Scripts\Startup. Next, you'll need to create or edit the scripts.ini file within the %windir%\system32\GroupPolicy\Machine\Scripts folder. The scripts.ini file holds the names of the scripts that get called, and any command-line parameters that get passed. For example, the following scripts.ini file calls a script called startup.vbs with no parameters.

[Startup]
0CmdLine=startup.vbs
0Parameters=

If you have more than one script to call within the local GPO, each additional script follows the first one, with the next index number, as follows:

[Startup]
0CmdLine=startup.vbs
0Parameters=
1CmdLine=startup2.vbs
1Parameters= /%computername%

Once you've copied the script and edited the scripts.ini file, you need to ensure that the version of the local GPO is non-zero, and is incremented to account for the new script. This is a bit trickier because the file that holds the version information, called gpt.ini, will already exist within the local GPO under %windir%\system32\GroupPolicy. You'll need to edit this file, parse the version= line and increment it. If you want to stick with the official incrementing scheme for Group Policy, then you need to increment the version number by 1 for each machine-specific change you make (e.g. adding a startup script) and by 65536 for each user-specific change you make (e.g. adding a logon script). For example, if I have a workstation with a GPT.INI file that has a version number of 0, as shown below:

[General]
gPCFunctionalityVersion=2
gPCUserExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}][{A2E30F80-D7DE-11D2-BBDE-00C04F86AE3B}{FC715823-C5FB-11D1-9EEF-00A0C90347FF}]
Version=0
gPCMachineExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957D-509E-11D1-A7CC-0000F87571E3}{53D6AB1D-2488-11D1-A28C-00C04FB94F17}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1D-2488-11D1-A28C-00C04FB94F17}]

Then I'll need to change the value to 1 if I add a startup script, or 65536 if I add a logon script. Once these three changes are made, the script will be enabled on the local GPO for that machine.
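
The version arithmetic from the last step, as an added PowerShell example that is not part of the original FAQ. ConvertFrom-GptVersion and Step-GptVersion are illustrative names, and the sample lines are constructed from the GPT.INI shown above. The functions work on the file's lines, so they can be tried without touching a real GPO.

```powershell
# Added example; ConvertFrom-GptVersion and Step-GptVersion are illustrative names.

# Split a version into its counters: machine changes add 1 (low 16 bits),
# user changes add 65536 (high 16 bits).
function ConvertFrom-GptVersion {
    param([Parameter(Mandatory)][long]$Version)
    [pscustomobject]@{
        Machine = $Version -band 0xFFFF
        User    = $Version -shr 16
    }
}

# Return the gpt.ini lines with Version= raised for one machine or user change.
function Step-GptVersion {
    param(
        [string[]]$Lines,
        [Parameter(Mandatory)][ValidateSet('Machine', 'User')][string]$Scope
    )
    $found = $false
    $result = foreach ($line in $Lines) {
        # Anchored at line start so gPCFunctionalityVersion= is left alone.
        if ($line -match '^\s*Version\s*=\s*(\d+)\s*$') {
            $found = $true
            $v = ConvertFrom-GptVersion -Version ([long]$Matches[1])
            if ($Scope -eq 'Machine') { $v.Machine += 1 } else { $v.User += 1 }
            # Refuse to carry from one 16-bit counter into the other.
            if ($v.Machine -gt 65535 -or $v.User -gt 65535) {
                throw "The $Scope counter would overflow its 16-bit half."
            }
            "Version=$($v.User * 65536 + $v.Machine)"
        } else {
            $line
        }
    }
    if (-not $found) { throw 'No Version= line found.' }
    $result
}

# Constructed sample based on the GPT.INI above (extension-name lines omitted).
$sample = '[General]', 'gPCFunctionalityVersion=2', 'Version=0'
Step-GptVersion -Lines $sample -Scope Machine
Step-GptVersion -Lines $sample -Scope User

# On a real system, from an elevated prompt, back up the file and write it back:
# $ini = "$env:windir\System32\GroupPolicy\gpt.ini"
# Copy-Item -LiteralPath $ini -Destination "$ini.bak"
# Set-Content -LiteralPath $ini -Value (Step-GptVersion -Lines (Get-Content -LiteralPath $ini) -Scope Machine)
```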



I know that scripts are only processed during foreground processing, but if I make a change to, say, a shutdown script, does the machine have to restart before the new script is picked up?

It's a good question. The answer is no, you don't have to go through a machine restart for the new shutdown script to be picked up. Even though scripts are only run during foreground processing, script policy is in fact processed in the background. Windows caches script information in the registry during policy processing, so if you add a new shutdown script policy while a machine is running, it will pick up that new script during background processing and will run it during the next shutdown. You can confirm that your workstations have picked up the new shutdown (or startup) script policy by looking under the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\Scripts

Or by looking in the following location for User Logon or Logoff scripts:

HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\Scripts



What security context do startup scripts run in?

Startup scripts are machine-specific and run before a user logs on. As a result, they run in the context of the localSystem account on the computer. As localSystem, they have the privilege to do just about anything on a Windows system. If a startup script needs to access network resources (e.g. a server share), however, localSystem will not work. Given that, Group Policy will change the security context of the script to that of the machine's computer account, which is a valid AD user (e.g. a machine named WorkstationA will have an account in AD called WorkstationA$; this account is hidden, but is represented by the computer object when you are viewing an AD domain). The machine account, just like any other user account in AD, is a member of the Authenticated Users group and can thus access any network resources that a member of this group can. So, if you have a startup script that needs to access server resources, make sure that the computer's machine account has permissions to access those resources.
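
Since every [Startup] entry runs as localSystem, it helps to be able to list exactly what a local GPO is set to launch. The parser below is an added example, not code from the original FAQ; Get-GpoScriptEntry is an illustrative name and the sample input is constructed from the scripts.ini shown earlier.

```powershell
# Added example; Get-GpoScriptEntry is an illustrative name, not a built-in cmdlet.
function Get-GpoScriptEntry {
    param([string[]]$Lines)
    $section = $null
    $entries = [ordered]@{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*\[(.+?)\]\s*$') {
            # Section header, e.g. [Startup] or [Shutdown].
            $section = $Matches[1]
        } elseif ($section -and $line -match '^\s*(\d+)(CmdLine|Parameters)=(.*)$') {
            # "<index>CmdLine=" and "<index>Parameters=" describe one script entry.
            $index, $name, $value = $Matches[1], $Matches[2], $Matches[3].Trim()
            $key = "$section/$index"
            if (-not $entries.Contains($key)) {
                $entries[$key] = [pscustomobject]@{
                    Section = $section; Index = [int]$index; CmdLine = ''; Parameters = ''
                }
            }
            $entries[$key].$name = $value
        }
    }
    # One object per script, in the order the file lists them.
    $entries.Values
}

# Constructed sample, copied from the two-script scripts.ini shown earlier.
$sample = @'
[Startup]
0CmdLine=startup.vbs
0Parameters=
1CmdLine=startup2.vbs
1Parameters= /%computername%
'@ -split '\r?\n'

Get-GpoScriptEntry -Lines $sample | Format-Table -AutoSize

# On a real system, read the machine scripts.ini of the local GPO instead:
# $ini = "$env:windir\System32\GroupPolicy\Machine\Scripts\scripts.ini"
# Get-GpoScriptEntry -Lines (Get-Content -LiteralPath $ini -Force)
```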


Copyright 2009 by GPOGUY.COM