For many years Windows logon scripts were a common method of customising the user profile in the enterprise. Their usefulness has been slowly eroded with the introduction of new features and changes to best practices. With the introduction of Group Policy Preferences, they could finally be dead in the water.
Drive and printer mappings are probably the most common function of the logon script. However, the introduction of Microsoft Distributed File System combined with Access Based Enumeration has meant that some organisations have reduced their user drive mappings to just two - a personal “Home” drive root share and a shared department root share. Printer Location Tracking allows users to find and map their own network printers, removing custom logic from the logon script and providing better support for travelling users and hot-desk workers.
The integration of Group Policy Preferences (GPP) into the Microsoft toolset puts another nail in the coffin of logon scripts, providing a managed method of setting drive mappings, shortcuts and environment variables amongst others.
Even if you haven’t managed to consolidate your drive mappings, GPP has an option called item-level targeting that allows a single GPO to cope with multiple variations. This feature extends the usual scope of management filtering beyond the entire GPO, to the individual settings within it - or at least the GPP settings within it. The targeting can be based on a whole range of criteria (see later), but for the purpose of drive mappings, security group membership filtering is probably the most useful.
A single GPO could contain all the drive to share mappings in the organisation and an item-level filter on each mapping would mean that only members of the associated security group would actually get each mapping. This is very similar to the method often used in logon scripts, but without the scripting overhead.
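The group-filtered mapping described above, written as the kind of logon script it replaces. This is an added example, not code from the original post; the domain, group names, drive letters and UNC paths are hypothetical placeholders.

```powershell
# Added example: map each drive only for members of its associated security group.
# Every group name and UNC path in this table is a hypothetical placeholder.
$DriveMap = @(
    @{ Letter = 'S'; Group = 'EXAMPLE\Dept-Sales';   Path = '\\fileserver.example.test\dept\sales' }
    @{ Letter = 'F'; Group = 'EXAMPLE\Dept-Finance'; Path = '\\fileserver.example.test\dept\finance' }
    @{ Letter = 'P'; Group = 'EXAMPLE\Projects-All'; Path = '\\fileserver.example.test\projects' }
)

function Get-CurrentUserGroupNames {
    # Read group SIDs from the current logon token and translate them to DOMAIN\Name.
    # Using the token means nested group membership is already resolved.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($sid in $identity.Groups) {
        try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { }   # skip SIDs that cannot be resolved to a name
    }
}

function Select-DriveMapping {
    # Return only the table rows whose group is in the supplied list.
    # -contains compares strings case-insensitively.
    param(
        [Parameter(Mandatory)] [object[]] $Map,
        [string[]] $GroupNames = @()
    )
    $Map | Where-Object { $GroupNames -contains $_.Group }
}

$groups = @(Get-CurrentUserGroupNames)
foreach ($item in Select-DriveMapping -Map $DriveMap -GroupNames $groups) {
    # Leave an existing mapping on the same letter alone.
    if (Get-PSDrive -Name $item.Letter -ErrorAction SilentlyContinue) { continue }
    try {
        # -Scope Global is needed for a persistent mapping created inside a script.
        New-PSDrive -Name $item.Letter -PSProvider FileSystem -Root $item.Path `
            -Persist -Scope Global -ErrorAction Stop | Out-Null
    }
    catch {
        Write-Warning "Could not map $($item.Letter): to $($item.Path): $($_.Exception.Message)"
    }
}
```

As with a GPP item-level filter, the group check here only decides which mappings are offered to the user; access to the data is still enforced by the share and NTFS permissions.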
So can we get rid of logon scripts completely? Probably not.
In an enterprise Windows environment, there are lots of ad-hoc scripts and programs that need to be called and a logon script is a useful option. Applications may need folders created in the user’s home drive, mailbox migrations may need a mail profile “switch” utility to run, and laptops may need their client-side cache re-pointed to a new UNC path when a home drive is moved.
The monolithic logon scripts of the past do seem to be dead though. A lightweight script, often with no user interface, is all that is needed in the modern environment.
GPP Item-level targeting options:

1 comment:
As a good logon script replacement I recommend using desktop authority that is available from http://www.logonscriptreplacement.com.
It uses special technology called "validation logic" that is much more flexible in applying settings than the group policy preferences mentioned above.
Group policy preferences use only item level targeting.
For example, if you need to filter all items within a group policy to desktops in a particular subnet, you have to set targeting manually on every item within that group policy.
But in desktop authority you can apply validation logic at the profile level and it automatically applies to all settings within the profile.