Windows Group Policy vs. Logon Scripts. What’s the right option?
Written by Mark Farrugia, Microsoft Premier Field Engineer.
Recently I was asked an interesting question by one of my customers: “What is Microsoft’s recommended practice around using Logon Scripts versus using Group Policy?”
To my knowledge, Microsoft doesn’t provide a lot of guidance with respect to this specific question. The logon script parameter available in every user principal’s profile property page is a remnant from the Windows NT days, and it’s a feature that was used heavily from the Novell era. It’s a legacy feature that has been kept around for Microsoft customers for compatibility reasons, but a number of customers are still utilizing this functionality.
When I asked around Microsoft for some official guidance on whether customers should keep using this capability, none existed. Several of my esteemed colleagues told me that the designs they provide to their customers strongly recommend standardizing on Group Policy-based management, but none could tell me that this is definitively the right way to do it.
What Dependencies Are There when Selecting Group Policy vs. Logon Scripts?
Choosing a solution depends on a number of factors, some of which are:
- Technical competence of operational staff – do they understand one technology better than the other?
- Performance – what is going to give the user the best logon experience?
- Security – what will allow the operational staff to ensure the ongoing security of their environment?
- Operational overhead – is one option better than the other from a cost-benefit perspective?
These factors all need to be balanced when making a decision around a logon script for a large user environment.
So What Is The Right Way?
There is no easy answer to this question because it totally depends on the organization. For example, at one of my customer engagements, even though I was strongly encouraged to stick to group policies by some of my colleagues, I ended up recommending a hybrid model because operational procedures required it:
- System-wide enterprise settings, policies and application settings were applied to all their workstations via Group Policy.
- However, this organization will still use a logon script to map a number of network drives for their user base. This was recommended because, in this case, it was easier to control the drive mapping process through a script than through a GPO.
In this case, my customer’s environment required a change record to keep track of all modifications of Group Policy. Additionally, the structure of the drive mappings, flowing from enterprise-wide drive mappings to line-of-business to individual drive mappings, would have created too many GPOs to manage efficiently.
It was easier to create logic within the script that looked for an individual drive mapping script than to create multiple group policies and use Group Policy Preferences, which in turn would require security filtering and possibly some WMI filtering.
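The layered flow described above (enterprise-wide, then line of business, then individual) can be sketched as a PowerShell logon script. This is an added example, not the script from the engagement; the server, share and group names, the `Get-DriveMappingPlan` helper and the rule that later layers override earlier ones are all assumptions.

```powershell
# Added example: layered logon script (enterprise -> line of business -> individual).
# Every server, share and group name here is a hypothetical placeholder.
$EnterpriseDrives = @{ 'S' = '\\fileserver.example.com\Shared' }
$LobDrives = @{
    'LOB-Finance'     = @{ 'F' = '\\fileserver.example.com\Finance' }
    'LOB-Engineering' = @{ 'E' = '\\fileserver.example.com\Engineering' }
}
# Assumption: only administrators can write to this share, because any
# script found here runs in the user's logon session.
$IndividualScriptRoot = '\\fileserver.example.com\LogonScripts$\Users'

function Get-DriveMappingPlan {
    param([string[]]$GroupNames, [hashtable]$Enterprise, [hashtable]$LineOfBusiness)
    # Later layers replace earlier ones for the same letter (assumed precedence).
    $plan = [ordered]@{}
    foreach ($letter in $Enterprise.Keys) { $plan[$letter] = $Enterprise[$letter] }
    foreach ($group in $GroupNames) {
        if (-not $LineOfBusiness.ContainsKey($group)) { continue }
        foreach ($letter in $LineOfBusiness[$group].Keys) {
            $plan[$letter] = $LineOfBusiness[$group][$letter]
        }
    }
    return $plan
}

# Group names come from the logon token; SIDs that cannot be resolved are skipped.
$groups = foreach ($sid in [Security.Principal.WindowsIdentity]::GetCurrent().Groups) {
    try { $sid.Translate([Security.Principal.NTAccount]).Value.Split('\')[-1] } catch { }
}

$plan = Get-DriveMappingPlan -GroupNames $groups -Enterprise $EnterpriseDrives -LineOfBusiness $LobDrives
foreach ($letter in $plan.Keys) {
    if (Get-PSDrive -Name $letter -ErrorAction SilentlyContinue) { continue }
    New-PSDrive -Name $letter -PSProvider FileSystem -Root $plan[$letter] -Persist -Scope Global | Out-Null
}

# Individual layer: run the user's own mapping script only if one exists.
$individual = '{0}\{1}.ps1' -f $IndividualScriptRoot, $env:USERNAME
if (Test-Path -LiteralPath $individual -PathType Leaf) { & $individual }
```

Keeping the mapping tables in one script means a new line-of-business share is a one-line change, where the Group Policy route would need another GPO with its own security filtering.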
So, is there a right answer 100% of the time?
No, there is not.
Is there a Microsoft “Best Practice” on Group Policy vs. Logon Scripts?
No, there is not.
Microsoft provides the tools to empower the administrator to get their job done as efficiently as possible, and allows them more than one avenue to get said job done. It is up to the administrator to choose a technology path that will provide the least operational overhead to manage while maintaining appropriate security protections, and that allows them to work with a technology they are comfortable with.