In the current active directory infrastructure, running login script can be done via the user account settings or GPO settings.
The user account settings were the way to run login scripts before GPO was introduced. This way is not easy to manage and very constant.
Moving to GPO login scripts seems to help allot, you could target deferent type of users by creating deferent GPO objects and filtering them.
What happened? The amount of GPO objects grew and we found ourselves with dozens of GPOs and more work.
Now we have GPP which help us group many changes, drive mapping Etc. Together in a single GPO.
Using the Targeting option we can make target our change to a very specific group of users or workstations.
The downsize of GPP is that it does not have any execution features, meaning that we cannot remove the login script entirely and still need multiple GPOs.
I found a way to use the targeting mechanism to run login script, this way you can replace all the GPOs that are running login script with only one.
What I did is to add a registry key (Replace Script1 with your script name):
Key “HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Script1”
Type: REG_SZ
Value: \\domain\netlogon\script1.vbs
.gif)
This way the script is not permanent and will be removed and reapplied each startup.
.jpg)
