Companies commonly put scripts in place on their machines that run at various points as a user interacts with a computer. Most commonly, we refer to these as logon scripts, but that technically is only one of four different places where a self-running script can be initiated by Group Policy. Scripts are popular with IT departments because you can create a script to be as big or as small as you would like, and get that script to do many different things to the computer or user account.
Using a GPO, you can specify a script to run whenever a computer starts up or shuts down, and you can also specify a script to run whenever a user logs in or logs out. In regard to the Computer Configuration section of Group Policy, where we are configuring settings that pertain to the computer account itself, we have the ability to specify Startup and Shutdown scripts. Implementing scripts with Group Policy is slightly more complicated than the settings we have been configuring so far in this chapter, so let's spend a minute and walk through the process step by step:
- Build your script. This is outside the scope of Group Policy, but we will assume you have a sample script ready to go. If you want to prove that this is working, you could even create a super simple batch file that echoes some piece of information and then does a "pause" so that you can verify you see this activity upon login. Or maybe make a batch file that creates a new text file somewhere on the hard drive, then you could start the computer and go check whether that new file showed up.
- Copy your script into the appropriate location on your Domain Controller (or into the shared SysVol in multi-DC environments). This part can be a little bit confusing, because the folders where Group Policy goes looking for the script don't exist by default. You see, Group Policy needs to be able to pull the script from somewhere centralized, and what better location than inside SysVol, which is where Group Policy files and data are stored anyway?
Startup scripts typically go inside \\<Domain>\SysVol\<Domain>\Policies\<Policy GUID>\Machine\Scripts\Startup, and scripts that you want to run during a shutdown process go inside \\<Domain>\SysVol\<Domain>\Policies\<Policy GUID>\Machine\Scripts\Shutdown.
- What are these <Domain> and <Policy GUID> things, you ask? Each GPO is stored inside SysVol based on a unique global identifier number, a GUID. You can see from the following screenshot that I have created a Startup.bat script and placed it inside the default appropriate location within my domain. I expanded the screenshot as wide as I dared for the purpose of printing legibly inside this book, but, even so, some of it was truncated. You get the idea though: the <Domain> gets replaced with the name of your domain, and <Policy GUID> is the actual GUID identifier for the GPO to which you are installing this script:
- I mentioned that this folder structure doesn't exist by default, unless you cause Group Policy to think that you are about to implement a script of some kind, and then Group Policy will go ahead and create these folders. In order to do this, you need to open the script configuration setting inside GPME and click on a button called Show Files. Go ahead and browse to the policy setting, located at Computer Configuration | Policies | Windows Settings | Scripts (Startup/Shutdown). Double-click on either Startup or Shutdown, as if you were going into this setting to configure it. Down near the bottom of the screen, you will see a Show Files... button. Go ahead and click on that button.
- This button opens up File Explorer to the exact location where you want to place your Startup Script! Now you can simply copy your script into this folder.
- Once your script is in place inside the filesystem, edit the new GPO that you are using to initiate the script, and navigate back to Computer Configuration | Policies | Windows Settings | Scripts (Startup/Shutdown). Double-click on whichever script you are trying to put into place (Startup or Shutdown), and click the Add... button. Then click Browse... and select the script file:
The GPO is now configured to run the script called Startup.bat whenever the computer is started. Link and filter this new GPO down to your workstations, and whatever you plug into that script file will run during each start of the operating system.
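To check what this procedure left in SysVol, the following PowerShell inventories every GPO's Startup and Shutdown folders; it is an added example, not code from the book. Startup and Shutdown scripts run as the local SYSTEM account, so the report includes each file's owner, hash and last write time. The `$PoliciesRoot` parameter and the `Registered` column are this example's own names; scripts.ini and psscripts.ini are the files in which Group Policy records scripts added through the Add... button.

```powershell
# Added example: inventory Startup/Shutdown scripts stored under SysVol.
# Assumption: run with read access to SysVol; $PoliciesRoot may instead point
# at a local copy of the Policies folder for offline review.
param(
    [string]$PoliciesRoot = "\\$env:USERDNSDOMAIN\SysVol\$env:USERDNSDOMAIN\Policies"
)

$report = foreach ($gpoDir in Get-ChildItem -LiteralPath $PoliciesRoot -Directory) {
    $scriptsRoot = Join-Path $gpoDir.FullName 'Machine\Scripts'
    if (-not (Test-Path -LiteralPath $scriptsRoot)) { continue }

    # Command lines registered in the GPO (the Add... step), read from the
    # hidden ini files; entries look like "0CmdLine=Startup.bat".
    $registered = foreach ($iniName in 'scripts.ini', 'psscripts.ini') {
        $ini = Join-Path $scriptsRoot $iniName
        if (Test-Path -LiteralPath $ini) {
            @(Get-Content -LiteralPath $ini -Force) -match '^\d+CmdLine=' -replace '^\d+CmdLine=', ''
        }
    }

    foreach ($phase in 'Startup', 'Shutdown') {
        $phaseDir = Join-Path $scriptsRoot $phase
        # The folder exists only after the setting was opened (Show Files...)
        if (-not (Test-Path -LiteralPath $phaseDir)) { continue }

        foreach ($file in Get-ChildItem -LiteralPath $phaseDir -File -Recurse -Force) {
            [pscustomobject]@{
                PolicyGuid = $gpoDir.Name
                Phase      = $phase
                Script     = $file.Name
                # False = file copied into the folder but not added to the GPO
                # by file name (a full-path CmdLine entry will not match here)
                Registered = @($registered) -contains $file.Name
                LastWrite  = $file.LastWriteTime
                Owner      = (Get-Acl -LiteralPath $file.FullName).Owner
                SHA256     = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
            }
        }
    }
}

# Most recently changed scripts first
$report | Sort-Object LastWrite -Descending
```

Comparing the output against a saved earlier run shows any script whose hash or owner changed since it was deployed.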