This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 78%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJV%3C/text%3E%3C/svg%3E)
Hi, I am fairly new to sysadmin so any tips are welcome.
I am trying to deploy a logon script for Password notifications.
As a first step I made a testing script to run:
[system.Reflection.Assembly]:: LoadwithpartialName('System.windows.Forms')
[system.windows.Forms.Messagebox]:: Show('Logon script runnin...' , 'WARNING')
ping -n 10 10.170.4.52
I linked it to OU 'X'. OU 'X' contains my low level account.
I am just trying to figure out how to run a script on logon in our environment.
Firstly I stored the script in a C:\tmp folder I created for testing purposes. This didn't work, I temporarily granted all domain users and pc's access to that folder. It didn't work.
Then I looked moor online and found out scripts are supposed to be in a folder in sysvol. something of this format:
\servername\SysVol\doamin\Policies{F3E42D53-EBE0-49F7-8780-199C13D4B880}\User\Scripts\Logon
I update the GPO, I do gpupdat/force on the host computer.
Nothing happens, no script runs.
I have little experience with scripts and running them through GPO's
So please if you have ideas on how to solve this issue. Even a link to more documentation I failed to find would be a lifesaver.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(96, 62%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDZ%3C/text%3E%3C/svg%3E)
Hello Jasper Vandenbrande,
Thank you for posting in Q&A forum.
The login script should be stored in the sysvol file. A SYSVOL is a shared folder that stores a copy of a domain's public file servers, which are replicated among all domain controllers in the domain. The sysvol folder is created when AD is installed, and it is used to store information such as GPO and Script. At the same time, the information stored in the sysvol folder is copied to all DCs in the domain. For more information about sysvol files, please refer to the Active Directory: Active Directory: SYSVOL and NETLOGON | Microsoft Learn.
If you implement a boot script and apply startup script to domain computer, the script file needs to be stored in IP or hostname\sysvol\domain name\Policies\unique ID\Machine\Startup.
In your case, you want to implement a login script and apply logon script to domain users, the script file needs to be placed in IP or hostname\sysvol\domain name\Policies\unique ID\USER\Scripts\Logon
You can try the steps below:
1.Create an OU and put user objects into this OU.
2.Create one GPO and you can rename this GPO as logon script.
3.Put the this command line or Power Shell script file to this folder below: \domain.com\SYSVOL\domain.com\Policies{5EE96627-35BD-434C-9C6A-4AE328E7D13A}\User\Scripts\Logon
4.Edit this GPO as below.
Navigate to User Configuration Policies\Windows Settings\Scripts (Logon/Logoff)
Right click Logon and select the logon script under the path \domain.com\SYSVOL\domain.com\Policies{5EE96627-35BD-434C-9C6A-4AE328E7D13A}\User\Scripts\Logon
5.If the specific users logon, then this user will apply the logon GPO.
Please check out the links below: Working with startup, shutdown, logon, and logoff scripts using the Local Group Policy Editor | Microsoft Learn.
For more information, you can also check the following link for details: Running PowerShell Startup (Logon) Scripts Using GPO | Windows OS Hub (woshub.com).
I hope the information above is helpful.
If you have any question or concern, please feel free to let us know.
I hope the information above is helpful.
If you have any question or concern, please feel free to let us know.
Best Regards,
Daisy Zhou
If the Answer is helpful, please click "Accept Answer" and upvote it.
Hi Daisy
Thank you so much for the documentation and help. I double checked my work from yesterday and according to this documentation the GPO should run.
I also made a few more normal GPO's to test out what is happening. I made one for Password security.
When I logon with my test user, nothing happens. I did a gpupdate /force. Restarted. Nothing again. When I do a gpresult /R I see that no GPO's apply to the user.
AS I said I am fairly new to it work and I work in a complex AD. Multiple companies with barely any clean housing. Our AD is synched with Azure.
So two new questions arise: 1 could it be that some GPO on a top level blocks other GPOS's?
Second question since we are using Azure AD and Intune, could it be that the GPO's get blocked from there somewhere?
I appreciate all your help.
Kind regards
Jasper
Hello Jasper Vandenbrande,
Good day!
You can also sign in one user in the OU on one domain client.
And check if this group policy setting applies to this user via gpresult file.
For checking User Configurations within gpresult, we can follow steps below.
Logon the machine using normal domain user account (that applies this gpo).
Create a folder named F1 in C drive.
Open CMD (do not run as Administrator).
Type gpresult /h C:\F1\gpo.html and click Enter.
Open gpo.html and check if there are these gpo settings under "User Details".
1.could it be that some GPO on a top level blocks other GPOS's?
2. since we are using Azure AD and Intune, could it be that the GPO's get blocked from there somewhere?
A: Yes, if everything is OK. It could be what you said. You can also test it in one pure on-premise local AD domain and check if it works.
If you have any question or concern, please feel free to let us know.
Best Regards,
Daisy Zhou