So far in this chapter, we’ve talked about the many ways you can work with user profiles and data within profiles to optimize the user environment. Now let’s look at an additional technique for optimizing user environments that involves scripts. In Windows Server 2003, you can configure two types of scripts to help configure the desktop and user environment:
Computer scripts, which are run at startup or shutdown
User scripts, which are run at logon or logoff
Not only can you write these scripts as command-shell batch scripts ending with the .bat or .cmd extension, but you can also write them using the Windows Script Host (WSH). WSH is a feature of Windows Server 2003 that lets you use scripts written in a scripting language, such as Microsoft JScript (.js files) and Microsoft VBScript (.vbs files).
Computer and user scripts can be used to perform just about any commonly run task. Startup and shutdown scripts can be used to perform any system-wide task, such as maintenance, backups, or virus checking. Logon and logoff scripts can be used to perform user-related tasks, such as launching applications, cleaning up temporary folders, setting up printers, or mapping network drives.
The three basic steps for using scripts with Group Policy are as follows:
Create the script, and save it with the appropriate file extension.
Copy the script you want to use to an accessible and appropriate folder so that it can be used with Group Policy.
Assign the script as a startup, shutdown, logon, or logoff script in Group Policy.
To run a startup or shutdown script, a computer must be in the site, domain, or OU linked to a GPO that contains the script. Similarly, to run a logon or logoff script, a user must be in the site, domain, or OU linked to a GPO that contains the script.
Most scripts are easy to create. For example, with command-shell batch scripts, you can connect users to shared printers and drives with the NET USE command. Let’s say that at logon you want to connect the user to a printer named CustSvcsPrntr on a print server called PrntSvr03. To do this, you type the following command in a Notepad file:
net use \prntsvr03custsvcprntr /persistent:yesYou then save the script with the .bat extension. Next you copy this file to an accessible folder so that it can be used with Group Policy and you assign it as a logon script. From then on, any user logging on to the affected site, domain, or OU can run the logon script and be connected to the printer.
You can assign startup and shutdown scripts as part of a group policy. In this way, all computers in a site, domain, or OU run the scripts automatically when they’re started or shut down.
To configure a script that should be used during computer startup or shutdown, follow these steps:
Copy the startup or shutdown script you want to use to a network share or other folder that is easily accessible over the network.
Start the Group Policy Object Editor. In the Group Policy Management Console (GPMC), right-click the GPO you want to modify and select Edit.
In the Computer Configuration node, double-click the Windows Settings folder, and then click Scripts.
To work with startup scripts, right-click Startup, and then select Properties. Or right-click Shutdown, and then select Properties to work with shutdown scripts.
Any previously defined startup or shutdown scripts are listed in order of priority, as shown in Figure 7-12. The topmost script has the highest priority. The priority is important because by default startup and shutdown scripts do not all run at the same time. Instead, they run one at a time (synchronously) in order of priority.
To change the priority of an existing script, select the script in the Script For list, and then click the Up or Down button as appropriate to change the priority order.
To change the parameters associated with a script, select the script in the Script For list, and then click Edit. You can then change the script name and the optional parameters to pass to the script.
To define an additional startup or shutdown script, click Add. This displays the Add A Script dialog box (Figure 7-13). Click Browse, and in the Browse dialog box, find the script you want to use and then click Open. The script is copied to the MachineScriptsStartup or MachineScriptsShutdown folder for the related policy. By default, policies are stored by GUID in the %SystemRoot%SysvolDomainPolicies folder on domain controllers.
To delete a script, select the script in the Script For list, and then click Remove.
You can assign logon and logoff scripts as part of a group policy. In this way, all users in a site, domain, or OU run the scripts automatically when they’re logging on or logging off.
To configure a script that should be using during logon or logoff, follow these steps:
Copy the logon or logoff script you want to use to a network share or other folder that is easily accessible over the network.
Start the Group Policy Object Editor. In the GPMC, right-click the Group Policy Object you want to modify, and then select Edit.
In the User Configuration node, double-click the Windows Settings folder, and then click Scripts.
To work with logon scripts, right-click Logon, and then select Properties. Or right-click Logoff, and then select Properties to work with logoff scripts.
Any previously defined logon or logoff scripts are listed in order of priority, as shown in Figure 7-14. The topmost script has the highest priority. The priority is important because logon and logoff scripts are started in order of priority by default. Unlike startup and shutdown scripts, however, logon and logoff scripts are not synchronized and can run simultaneously, so if you’ve configured multiple logon or logoff scripts, they can all run at the same time.
To change the priority of an existing script, select the script in the Script For list, and then click the Up or Down button as appropriate to change the order.
To change the parameters associated with a script, select the script in the Script For list, and then click Edit. You can then change the script name and the optional parameters to pass to the script.
To define an additional logon or logoff script, click Add. In the Add A Script dialog box (Figure 7-15), click Browse. In the Browse dialog box, find the script you want to use, and then click Open. The script is copied to the UserScriptsLogon or UserScriptsLogoff folder for the related policy. By default, policies are stored by GUID in the %SystemRoot%SysvolDomainPolicies folder on domain controllers.
To delete a script, select the script in the Script For list, and then click Remove.
When you configure and work with computer and user scripts, you should keep several things in mind. Computer and user scripts are not visible to the user when they run. This prevents users from canceling execution of the script and also ensures that the actual tasks performed by the script are hidden.
You can make scripts visible to users when they are running by enabling the following policy settings as appropriate:
Run Startup Scripts Visible under Computer ConfigurationAdministrative TemplatesSystemScripts.
Run Shutdown Scripts Visible under Computer ConfigurationAdministrative TemplatesSystemScripts.
Run Logon Scripts Visible under User ConfigurationAdministrative TemplatesSystemScripts.
Run Logoff Scripts Visible under User ConfigurationAdministrative TemplatesSystemScripts.
By default, Windows limits the total time allowed for scripts to run to 10 minutes. If a logon, logoff, startup, or shutdown script has not completed running after 10 minutes (600 seconds), the system stops processing the script and records an error event in the event logs.
You can modify the timeout interval by completing the following steps:
Access the GPO with which you want to work. Access Computer ConfigurationAdministrative TemplatesSystemScripts.
Double-click Maximum Wait Time For Group Policy Scripts, and then select Enabled, as shown in Figure 7-16.
In the Seconds combo box, specify the wait time to use in seconds. In the rare case in which you want Windows to wait indefinitely for scripts to run, use a value of 0.
Note
Think carefully about the wait time. It is extremely important in ensuring that scripts run as expected. If you set the wait time too short, some tasks might not be able to complete, which can cause problems. If you set the wait time too long, the user might have to wait too long to get access to the system.
Click OK.
Computer and user scripts run in slightly different ways. By default, Windows coordinates the running of scripts so that startup scripts run one at a time, in order of priority. This means the system waits for each startup to complete before it runs the next startup script. If you want to allow startup scripts to run simultaneously, which might allow startup to complete faster, you can enable Run Startup Scripts Asynchronously under Computer ConfigurationAdministrative TemplatesSystemScripts.
By default, logon and logoff scripts are not synchronized and can run simultaneously. Thus, if you’ve configured multiple logon or logoff scripts, they all run at the same time. This setting is designed to ensure that there is little or no delay in displaying the desktop during logon or closing the desktop during logoff. If you’d rather ensure that all logon scripts are complete before allowing users to access the desktop, you can configure logon scripts to run synchronously (one at a time). To do this, enable Run Logon Scripts Asynchronously under Computer ConfigurationAdministrative TemplatesSystemScripts or under User ConfigurationAdministrative TemplatesSystemScripts. By default, the setting in Computer Configuration has precedence over the setting in User Configuration.