none
Logoff Script good practice

    Question

  • We have a problematic software that modifies the windows shell so that upon logon, it bypasses the local workstation (Win7) and connects to a Virtual machine (win7, Xendesktop). But when a local admin logs in, there's a possibility that it might break and a repair on that software is needed.

    So I want to use a logoff script in GPP, where if local admin is logged in, then a repair should run. So my question is, where should I placed the batch file, does the file have to reside inside GPO folder \\domain.com\sysvol\domain.com\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\USER\Scripts\Logoff or can it be inside the root of the sysol folder.

     

    • Moved by Bill_Stewart Sunday, September 20, 2015 8:03 PM Move to more appropriate forum
    Sunday, September 20, 2015 1:16 PM

All replies

  • You should post questions about Group Policy in the GP forum.  They will help you with GP: This is a scripting forum.

    Group Policy


    \_(ツ)_/

    Sunday, September 20, 2015 2:25 PM
  • We have a problematic software that modifies the windows shell so that upon logon, it bypasses the local workstation (Win7) and connects to a Virtual machine (Win7, Xendesktop). But when a local admin logs in, there's a possibility that it might break and a repair on that software is needed.

    So I want to use a logoff script in GPP, where if local admin is logged in, then a repair should run. So my question is, where should I placed the batch file, does the file have to reside inside GPO folder \\domain.com\sysvol\domain.com\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\USER\Scripts\Logoff or can it be inside the root of the sysol folder.

    Thanks.

    Sunday, September 20, 2015 2:54 PM
  • Great idea!!
    Sunday, September 20, 2015 2:56 PM
  • Hi Goku,

    Thanks for your post.

    The logon script is one you configure that runs during logon and a logoff during logoff.  There are almost endless possibilities of what the script can be because it depends on what you can script.  

    Common uses for this is mapping drives and printers.

    You could read about the articles.

    Assigning User Logon and Logoff Scripts

    https://technet.microsoft.com/en-us/magazine/dd630947.aspx

    Overview of Logon, Logoff, Startup, and Shutdown Scripts

    https://support.microsoft.com/en-us/kb/198642

    And now since many items such as mapping a drive and adding printers can all be done without a script. If you want to do that with group policy preferences, you may refer to the articles below.

    http://www.microsoft.com/en-us/download/details.aspx?id=24449

    http://blogs.technet.com/b/askds/archive/2009/01/07/using-group-policy-preferences-to-map-drives-based-on-group-membership.aspx

    Best Regards,

    Mary Dong


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, September 21, 2015 7:35 AM
    Moderator
  • > in, then a repair should run. So my question is, where should I placed
    > the batch file, does the file have to reside inside GPO folder
     
    You can place it whereever you like, just make sure the user has access
    to it.
     
    I'd recommend a local path on the client computer, so it will run even
    if no network is available.
     

    Greetings/Grüße, Martin

    Mal ein gutes Buch über GPOs lesen?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    Monday, September 21, 2015 10:44 AM
  • A logoff script under a GPO will reside in the script folder under the GPO on the SYSVOL share.  When you add the script to the GPO in GPMC it will be moved to the correct location.

    See the following Technet article for detailed instructions.

    https://technet.microsoft.com/en-us/library/cc781361(v=ws.10).aspx


    \_(ツ)_/

    Monday, September 21, 2015 11:46 AM
  • > A logoff script under a GPO will reside in the script folder under the
    > GPO on the SYSVOL share.  When you add the script to the GPO in GPMC it
    > will be moved to the correct location.
     
    Sorry, jrv - no to both... The script will reside where you create it,
    and if you assign it as a logoff script, you simply browse to its
    location - nothing will move anywhere.
     

    Greetings/Grüße, Martin

    Mal ein gutes Buch über GPOs lesen?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    Monday, September 21, 2015 12:07 PM
  • It needs to be moved to the SYSVOL folder logon scripts folder under the GPO. 

    \_(ツ)_/

    Monday, September 21, 2015 12:11 PM
  • Example:

    \\testnet.local\SYSVOL\TESTNET.local\Policies\{1D85076A-1EF4-4B68-A1C9-C1EFFF6935A1}\User\Script

    Under each GPO there is a user\scripts and a computer\scripts folder.  Navigate to any gpo and check. They are created by default when the GPO is created.

    Follow the instructions in the above linked article to add a script to this location.  The "Computer" branch is where we place the "startup/shutdown" scripts.  All scripts in these folders are processed under the GPO an are managed by the scripts section of the GPO editor.

    Scripts managed by a GPO should not be placed in other locations for many reasons.


    \_(ツ)_/


    • Edited by jrv Monday, September 21, 2015 12:19 PM
    Monday, September 21, 2015 12:19 PM
  • > Scripts managed by a GPO should not be placed in other locations for
    > many reasons.
     
    Disagree - they SHOULD be placed in other locations for many reasons.
    Just to give two of them:
     
    a) avoid spreading your scripts within each individual GPO folder - keep
    them together to help managing them.
    b) put them locally on the client computers, so they will not cause
    network traffic and will be able to run in case of offline situations
    ...
     

    Greetings/Grüße, Martin

    Mal ein gutes Buch über GPOs lesen?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    Monday, September 21, 2015 12:59 PM
  • Very bad idea.  It can cause many issues with GP.  The script folders are where they are for a reason.

    With modern GP we should also not be doing very much with scripts.  Drives and printers and most other things should be done with GPP.

    You can bunch your scripts but, when things go wrong, good luck finding the cause.

    Note that the scripts folders guarantee correct replication of the scripts across the domain.


    \_(ツ)_/

    Monday, September 21, 2015 1:20 PM
  • > Very bad idea.  It can cause many issues with GP.  The script folders
    > are where they are for a reason.
     
    I wonder how I was awarded this MVP thing if I'm that wrong :-)))
     
    > With modern GP we should also not be doing very much with scripts.
    > Drives and printers and most other things should be done with GPP.
     
    "No" again. But we are leaving the scope of this thread, don't we?
     
    GPP cannot handle conflicting drive assignments, they cannot handle
    unavailable servers, they cannot handle printer settings, they will
    block startup and logon until finished. And numerous other issues...
     

    Greetings/Grüße, Martin

    Mal ein gutes Buch über GPOs lesen?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    Monday, September 21, 2015 4:02 PM
  • Sorry Martin. Most of that is not true.  I have used GP and GPP for years. I see no blocking.  If you define the mappings correctly they get set in users profile and only are reapplied if the policy is changed.

    I am not saying that we would never use a logon script.  I am saying that 99% of the time it is unnecessary.


    \_(ツ)_/

    Monday, September 21, 2015 4:13 PM