What Is The Difference Between Login Scripts, Computer and User Logon Scripts / Programs

Author:

Nirmal Sharma MVP

COMMUNITY SOLUTIONS CONTENT DISCLAIMER

MICROSOFT CORPORATION AND/OR ITS RESPECTIVE SUPPLIERS MAKE NO REPRESENTATIONS ABOUT THE SUITABILITY, RELIABILITY, OR ACCURACY OF THE INFORMATION AND RELATED GRAPHICS CONTAINED HEREIN. ALL SUCH INFORMATION AND RELATED GRAPHICS ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT AND/OR ITS RESPECTIVE SUPPLIERS HEREBY DISCLAIM ALL WARRANTIES AND CONDITIONS WITH REGARD TO THIS INFORMATION AND RELATED GRAPHICS, INCLUDING ALL IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, WORKMANLIKE EFFORT, TITLE AND NON-INFRINGEMENT. YOU SPECIFICALLY AGREE THAT IN NO EVENT SHALL MICROSOFT AND/OR ITS SUPPLIERS BE LIABLE FOR ANY DIRECT, INDIRECT, PUNITIVE, INCIDENTAL, SPECIAL, CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF USE, DATA OR PROFITS, ARISING OUT OF OR IN ANY WAY CONNECTED WITH THE USE OF OR INABILITY TO USE THE INFORMATION AND RELATED GRAPHICS CONTAINED HEREIN, WHETHER BASED ON CONTRACT, TORT, NEGLIGENCE, STRICT LIABILITY OR OTHERWISE, EVEN IF MICROSOFT OR ANY OF ITS SUPPLIERS HAS BEEN ADVISED OF THE POSSIBILITY OF DAMAGES.

SUMMARY

This knowledge base article explains the difference between Login Scripts and the Computer and User Logon Scripts / Programs.

MORE INFORMATION

You may have noticed the following policy settings in Group Policy and been confused for a while about how they apply to a user.

There are three places in Group Policy where you can configure programs to run when a computer starts and after a user logs on to the system. These three places are the following containers:
 
User Configuration\Windows Settings\Scripts (Logon\Logoff)
 
User Configuration\Administrative Templates\System\Logon
 
Computer Configuration\Administrative Templates\System\Logon
 
In the last two, you will see the following policy settings:
 
            Run these programs at user logon
            Do not process the run once list
            Do not process the legacy run list
 
The above policy settings appear in both the User and the Computer Configuration containers.

For the “Run these programs at user logon” policy setting, if it is configured in both containers (user and computer), the user policy setting will run just after the computer policy setting.

For the last two policy settings, “Do not process the run once list” and “Do not process the legacy run list”, if the setting is configured in both containers (user and computer), the computer policy setting will take precedence over the user policy setting.

Why so? The reason is very simple. The Run Once list is configured in Local Machine (HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce) only. The programs in this registry key are processed only after a user has logged on to the system. There is no RunOnce key for the user. That is why the computer RunOnce will run after the user RunOnce.

Now, you may ask why there are logon programs, login scripts and logon scripts but no logoff programs. It is because a program requires system resources when it runs, whereas a logoff shuts down all the applications. While Windows is shutting down, a program cannot stay in memory.

There is a difference between running a program and running a script; please note it. A program is something that is installed on the user's computer, and you configure it in “Run these programs at user logon” by specifying the full path of that program. This program runs locally. A script, on the other hand, is something that is run over the network. You need to specify the complete path of the program you wish to run when a user’s login script has finished.
 
So the point is very clear: the scripts and programs are run in the following order:

  1. Computer startup script runs. Applicable to all the computers.
  2. User login script runs. Applicable to all the users.

After the user login script has finished, Winlogon at the workstation retrieves from the GPO a list of programs to run on the local computer.

  1. Computer logon programs run. Applicable to all the computers.
  2. User logon programs run. Applicable to all the users.

In the above, if there is no conflict in policy settings, all the programs will run one by one.
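To review what a workstation will actually launch at each of the stages listed above, the following audit script is an added example, not part of the original article. The registry locations it reads (the `Group Policy\Scripts` and `Policies\Explorer\Run` keys under HKLM and HKCU) are the standard places where processed Group Policy script and logon-program settings are stored and are not named in the article; the function names are hypothetical.

```powershell
# Added example: list GPO-delivered scripts and logon programs on this machine,
# in the order described in the article. Registry paths are assumptions
# (standard Windows locations), not taken from the article.
$gpScripts = 'Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts'
$explorer  = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-GpScript {
    param([string]$Hive, [string]$Type, [int]$Order, [string]$Stage)
    $root = "${Hive}:\$gpScripts\$Type"
    if (-not (Test-Path $root)) { return }
    # Layout: <Type>\<GPO index>\<script index>, values Script and Parameters
    Get-ChildItem $root | ForEach-Object {
        $gpo = (Get-ItemProperty $_.PSPath).DisplayName
        Get-ChildItem $_.PSPath | ForEach-Object {
            $s = Get-ItemProperty $_.PSPath
            [pscustomobject]@{
                Order   = $Order
                Stage   = $Stage
                GPO     = $gpo
                Command = "$($s.Script) $($s.Parameters)".Trim()
            }
        }
    }
}

function Get-GpLogonProgram {
    param([string]$Hive, [int]$Order, [string]$Stage)
    $key = "${Hive}:\$explorer\Run"   # "Run these programs at user logon"
    if (-not (Test-Path $key)) { return }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        [pscustomobject]@{
            Order   = $Order
            Stage   = $Stage
            GPO     = ''              # the source GPO is not recorded in this key
            Command = $item.GetValue($name)
        }
    }
}

function Get-GpAutostart {
    Get-GpScript       -Hive HKLM -Type Startup -Order 1 -Stage 'Computer startup script'
    Get-GpScript       -Hive HKCU -Type Logon   -Order 2 -Stage 'User logon script'
    Get-GpLogonProgram -Hive HKLM -Order 3 -Stage 'Computer logon program'
    Get-GpLogonProgram -Hive HKCU -Order 4 -Stage 'User logon program'
}

Get-GpAutostart | Sort-Object Order | Format-Table -AutoSize -Wrap
```

Run it in the context of the logged-on user being reviewed, since the HKCU entries belong to that user's profile; any command that does not trace back to a known GPO is worth investigating.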
 
Group Policy Key terms:
 
Not Configured
This means the policy setting is not configured, and the Winlogon service at the client end, while processing the Group Policy Objects from the domain controller, will not process this policy setting.

Disabled
This means the policy setting is configured, but the domain controller will not publish it for processing, or Winlogon at the workstation will not process this setting.

Enabled
This means the policy setting is configured and will be processed by the Winlogon service at the workstation.
 
Microsoft has designed two options in Group Policy for NOT processing Group Policy settings. The “Disabled” option is configured per policy setting, whereas “Disable User or Computer Policy settings” in the properties of a GPO is used to NOT process any policy settings configured in the said container. The latter option overrides settings configured with the former.
 
  1. Computer policy settings only run when the computer starts, just before user logon. For example, you have a network drive to map for all computers. This network drive mapping will be available to all the users who log on to that system.
  2. User policy settings only run after the user logs on to the system. In the above example, the network drive mapping will be available to all users who log on to the system.
  3. The third option is filtering Group Policy settings using groups. This option doesn’t necessarily defeat the above rule but is there to process the GPO for selected users or computers. In the above example, if you create a group called “ServiceComputers”, put 4 computers in that group and apply a policy setting to this group, then only those 4 computers will receive this policy.
 
Other options are “Block Policy Inheritance” and “No Override”. The first option can be set on a child policy, meaning you cannot set this option at site level, or there is no use for this option at parent policies. This option, if enabled, forces the child GPO not to accept any policy settings coming from the parent GPO. The “No Override” option, if enabled, forces the child GPO not to block any policy setting coming from the parent GPO. If there is a conflict in the policy, the parent GPO settings will be applied, provided the “No Override” option is enabled.
 
Properties

Article ID: 556007 - Last Review: 14/02/2017 - Revision: 1

Microsoft Windows Server 2003, Datacenter Edition (32-bit x86), Microsoft Windows Server 2003, Enterprise Edition (32-bit x86), Microsoft Windows Server 2003, Standard Edition (32-bit x86), Microsoft Windows Server 2003, Web Edition
