Group Policy Logon Scripts on VPN

Neil Shaw 1 Reputation point
2020-11-13T11:47:34.453+00:00

Hi,
So with the increase in work from home we're starting to run into issues with managing user devices due to the use of logon and startup scripts.

I'm sure we're not alone in this. Our users sign into the corporate VPN after they've logged into their laptop, so there is no connection to the domain controllers at logon, and so the logon scripts cannot run.

Is there any workaround for this situation? About the only possibility I've come across is pushing the logon scripts to the local device using a GPO and then having the logon scripts point to this local script, assuming that GPOs are cached on the local device and so can still be triggered at logon; but not sure how feasible this is, or if it will even work.

Thanks,
Neil

Windows for business Windows Client for IT Pros User experience Other

2 answers

  1. San 6 Reputation points
    2022-09-01T10:08:15.167+00:00

    hi Neil,

    you can solve it easily with a windows task. create a GPO which deploys a task that is triggered by an event.
    set the GPO action to update, so in case you later make any changes it will automatically update them.
    settings for the event are:

    protocol : application
    source : rasclient
    event-ID : 20225

    delay : your choice (usually 30sec works fine).

    then on action tell the task to run your usual loginscript.

    this will then add a task to the user's machine, which is listening for an entry with ID 20225 in the application event protocol.
    as soon as an entry is made (this happens when the tunnel is up and running), it will wait for 30 sec and then perform the action supplied.

    the 30sec thing is because sometimes, even when the tunnel is up and running, the "full connection" to the office lan may still take a bit more time and then the run of the loginscript will fail.

    thru the targeting you can even set specific rules for what/who etc. this GPO shall apply to.

    the nice thing about this is also that if you change the task or any settings (on the DC)
    it will update them by itself thru GPO updates :)) .

    link the GPO to the desired user OU and you are done!

    cheers
    san


    1 person found this answer helpful.
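
The event-triggered task described in the answer above, written as a task definition that can be registered on a single test machine before building the GPO. This is an added example, not part of the original answer; the task name and script path are hypothetical placeholders, and it assumes an elevated PowerShell prompt.

```powershell
# Added example; run elevated. $TaskName and $ScriptPath are hypothetical placeholders.
$TaskName   = 'Logon script after VPN connect'
$ScriptPath = 'C:\Scripts\logon.cmd'

# Trigger values from the answer: Application log, source RasClient, event ID 20225.
$Filter = @{ LogName = 'Application'; ProviderName = 'RasClient'; Id = 20225 }

# Check that this machine's VPN client really writes that event. If nothing
# is listed after a VPN connect, the task below would never fire.
Get-WinEvent -FilterHashtable $Filter -MaxEvents 3 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, ProviderName

# The script path goes into XML, so escape &, <, > and quotes.
$Command = [System.Security.SecurityElement]::Escape($ScriptPath)

# Principal S-1-5-32-545 is BUILTIN\Users: the task runs as the logged-on user, unelevated.
# Battery restrictions are switched off so the task also starts on an unplugged laptop.
$Xml = @"
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <EventTrigger>
      <Enabled>true</Enabled>
      <Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="Application"&gt;&lt;Select Path="Application"&gt;*[System[Provider[@Name='RasClient'] and EventID=20225]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
      <Delay>PT30S</Delay>
    </EventTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <GroupId>S-1-5-32-545</GroupId>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <ExecutionTimeLimit>PT10M</ExecutionTimeLimit>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>$Command</Command>
    </Exec>
  </Actions>
</Task>
"@

Register-ScheduledTask -TaskName $TaskName -Xml $Xml -Force
```

After the next VPN connect, `Get-ScheduledTaskInfo -TaskName $TaskName` shows whether the task ran and with what result code.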

  2. Leon Laude 86,026 Reputation points
    2020-11-13T12:59:21.577+00:00

    Hi @Neil Shaw ,

    What exactly is the logon script doing?
    GPOs over VPN is indeed a challenge, because most GPOs initialize before the VPN tunnel is fully connected, basically when the computer is starting.

    I can provide you with some information that quite a few of my customers have done, that is to create a shortcut on each user's desktop which the user can run whenever they run into issues, such as mapped network drives not being mapped.

    The shortcut can simply run the script and the script could be whatever you desire, then you have clear guidance for each end-user to click on "this" shortcut if they run into problems.

    ----------

    (If the reply was helpful please don't forget to upvote or accept as answer, thank you)

    Best regards,
    Leon

