LOGON SCRIPTS

A script can also be initiated by logging into an NT Domain. By combining WSH with some other COM objects such as Active Directory Services Interfaces (ADSI) you can provide a lot of management functionality that traditionally required enterprise management products or 3rd party scripting products.

The alternatives for NT logon scripts are:

  1. .bat files (pretty useless)
  2. Kixtart - not bad but not officially supported by Microsoft (even though it ships on the Resource Kit)
  3. PERL script - a pig to learn and not very reusable (for non programmers like me)
  4. Third party scripting apps (require licensing)

VBScript is worth investing in because the knowledge can be applied to Active Server Pages, MS Office applications and 3rd party applications that use the free VB Scripting engine. I should also mention that WSH supports JavaScript, but I won't.

How do NT Logon Scripts work?

NT's User Manager For Domains allows you to specify the name of a file that will be executed on the user's workstation when they log on to the domain.

On Windows 95 and 98 this is performed by a program called LMSCRIPT.EXE. This program will execute any .exe, .bat or .cmd (for NT) file that is specified in the user profile.
(Windows 2000 -NT5- supports WSH files directly)

To execute a WSH file you need to place the following files in the NetLogon share on all BDCs and the PDC (if this is over your head you need to talk to your NT Administrator).

  1. Logon.bat - This file will call wscript.exe (or cscript) and pass the name of the script to execute. E.g.
    wscript \\server\netlogon\logon.wsh
  2. Copy your logon script into this same directory (.vbs or other) and create the .wsh file by right clicking the .vbs file and selecting 'properties' then click OK. This will set the script to never time out.
  3. Enter the name of the batch file in the Domain user account (path not required)

Each user could have an individual script but this would be hard to manage. All users or a group of users could share the same logon script. The real power in WSH comes from COM. WSH includes some useful objects for Network, Registry and shell activities but there is nothing stopping you from using other COM objects. An example of this is the Active Directory Services Interface (ADSI) object. This lets you get user information from any NT, NetWare or LDAP directory. Now you can write a logon script that executes conditional code based on the NT group a user belongs to. See the samples page to get started.

My Interactive Logon Script

One of the things I missed most after migrating from Novell to NT was logon script capability. I was faced with the limited functionality of batch files or 3rd party programs such as Kixtart but the worst part was seeing that DOS window during the logon process even though we were using a graphically rich OS.

Although Policies and profiles can provide many of the desktop configuration requirements, there is no indication to the user of how much work you have put into ensuring that their PC has been configured correctly. By combining the power of Windows Script Host (WSH) and the graphical capability of Internet Explorer you can….

Imagine a DOS box showing drive mappings in progress and compare it with my logon script interface, screen1. 
 

In this article I will describe the Windows Script and HTML code required to add a graphical user interface to your logon script.

Assuming your workstations log on to an NT Domain, here are the system requirements for the workstations: WSH v2 and ADSI (see references at the end of this article for download instructions).

Logon scripts are specified in the Domain User Profile for NT4 Domains or XXXX for the Active Directory. If all your workstations are running W2K Pro then you can specify the name of the VB Script file to execute; otherwise you must specify the name of a batch file, which in turn will execute the VB Script file. The logon script should reside in the netlogon share location of all PDC and BDC domain controllers.

The full login script can be found in listing 1.

The logon script first creates an instance of IE by calling the following subroutine:

Sub CreateIE()
    On Error Resume Next
    Set oIE = CreateObject("InternetExplorer.Application")
    With oIE
        ' The UNC path must be passed as a quoted string
        .navigate "\\server\netlogon\logon.htm"
        .resizable = 0
        .height = 430
        .width = 350
        .menubar = 0
        .toolbar = 0
        .statusBar = 0
        .visible = 1
    End With
    Do While oIE.Busy
        ' wait for page to load
        WScript.Sleep 100
    Loop
End Sub

This creates an instance of Internet Explorer, loads our logon html page and sets the browser properties we require (should be self explanatory).

The HTML file loaded into the browser window has some specially named sections that enable the logon script to change the HTML appearance through the Document Object Model (DOM). The HTML code can be found in listing 2.

Let's take a look at how the HTML and script code relate to each other. The User Name area is identified with the following HTML…

<font face="Verdana" ID=Msg1></Font>

Through the DOM we can programmatically change the text by referencing the ID Msg1 with the following line of code in the logon script…

oIE.document.all.Msg1.InnerText = "Text to display"

To display the logged on user ID we use the following code in the logon script.

Set WSHNetwork = WScript.CreateObject("WScript.Network")
strUser = ""
' Keep asking until the network reports a user name
While strUser = ""
    strUser = WSHNetwork.UserName
Wend
oIE.document.all.Msg1.InnerText = strUser

The while loop gets around a problem with Windows 95 where an error message states that the user is not yet logged onto the network.

The other areas of the html page that can be updated have the following IDs:

  • scrolling (marquee)
  • Msg2 (list of drive letters)
  • wstatus (status window)

The next part of the logon script is the main function, which detects what groups a user belongs to and calls the appropriate subroutine for each group.

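Const ADS_READONLY_SERVER = 4   ' ADSI constant; VBScript does not predefine it

Public Sub Main()
    On Error Resume Next
    adsPath = "WinNT://DomainName/" & strUser
    Set objSAM = GetObject("WinNT:")
    ' Read-only bind, so any domain controller can answer
    Set objUser = objSAM.OpenDSObject(adsPath, "", "", ADS_READONLY_SERVER)

    ' Call the subroutine that matches each group the user belongs to
    For Each Prop In objUser.groups
        Select Case Prop.Name
            Case "Division1"
                Call Division1()
            Case "Division2"
                Call Division2()
            Case "Division3"
                Call Division3()
        End Select
    Next
End Sub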

Using the OpenDSObject method allows us to specify a read-only connection to the domain, which results in ADSI connecting to any DC rather than just the PDC.
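The same lookup written so that a failed directory query is reported instead of being swallowed by On Error Resume Next. This is an added example, not part of the original logon.vbs; GetUserGroups is a hypothetical helper, and DomainName and the Division group names are the article's placeholders.

```vbscript
Option Explicit
' Added example. VBScript does not predefine ADSI constants, so declare it.
Const ADS_READONLY_SERVER = 4   ' value from ADS_AUTHENTICATION_ENUM

' Hypothetical helper: returns a Dictionary keyed by group name
' (case-insensitive), or Nothing when the directory lookup fails.
Function GetUserGroups(strDomain, strUser)
    Dim objSAM, objUser, objGroup, dictGroups
    Set GetUserGroups = Nothing
    Set dictGroups = CreateObject("Scripting.Dictionary")
    dictGroups.CompareMode = vbTextCompare
    On Error Resume Next
    Set objSAM = GetObject("WinNT:")
    Set objUser = objSAM.OpenDSObject("WinNT://" & strDomain & "/" & strUser, _
                                      "", "", ADS_READONLY_SERVER)
    If Err.Number = 0 Then
        For Each objGroup In objUser.Groups
            dictGroups(objGroup.Name) = True
        Next
    End If
    If Err.Number <> 0 Then
        WScript.Echo "Group lookup failed (0x" & Hex(Err.Number) & "): " & Err.Description
        Exit Function
    End If
    Set GetUserGroups = dictGroups
End Function

Dim WSHNetwork, dictGroups, strGroup
Set WSHNetwork = WScript.CreateObject("WScript.Network")
Set dictGroups = GetUserGroups("DomainName", WSHNetwork.UserName)
If dictGroups Is Nothing Then
    ' Fail closed: map nothing rather than guess at membership.
    WScript.Echo "No group-based drives mapped."
Else
    For Each strGroup In Array("Division1", "Division2", "Division3")
        If dictGroups.Exists(strGroup) Then WScript.Echo "Member of " & strGroup
    Next
End If
```

In the logon script the WScript.Echo lines would append to strStatus and update the wstatus area instead.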

The subroutine for each group can write some information to the status window:

strStatus = strStatus & vbCRLF & "Member of Division 1..."
oIE.document.all.wstatus.InnerText = strStatus

Because the InnerText value replaces the previous value we must keep appending to the string strStatus.

I have used a function to map drive letters so that I can detect if a user has a persistent drive mapping and delete it before mapping the new drive.

Sub MapDrive(strDrive, strShare)
    On Error Resume Next
    WSHNetwork.MapNetworkDrive strDrive, strShare
    If Err.Number Then
        ' Drive letter already in use: remove the old mapping and try again
        WSHNetwork.RemoveNetworkDrive strDrive
        WSHNetwork.MapNetworkDrive strDrive, strShare
    End If
    ' Update the Drives mapped list
    strMappedDrives = strMappedDrives & strDrive & " "
    oIE.document.all.Msg2.InnerText = strMappedDrives
    ' Update the status window
    strStatus = strStatus & vbCRLF & strDrive & " " & strShare
    oIE.document.all.wstatus.InnerText = strStatus
End Sub

This subroutine is called by passing the drive letter and UNC share path like this.

MapDrive "F:", "\\FileServer\Finance"
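A variant that reports a failed mapping and confirms the drive letter really ends up on the intended share, so a stale persistent mapping cannot pass as success. This is an added example, not the article's MapDrive; MapDriveChecked and CurrentShare are hypothetical names, and WScript.Echo stands in for the status window.

```vbscript
Option Explicit
Dim WSHNetwork
Set WSHNetwork = WScript.CreateObject("WScript.Network")

' Return the UNC path currently bound to strDrive, or "" if none.
' EnumNetworkDrives returns pairs: item i = drive letter, item i+1 = UNC path.
Function CurrentShare(strDrive)
    Dim colDrives, i
    CurrentShare = ""
    Set colDrives = WSHNetwork.EnumNetworkDrives
    For i = 0 To colDrives.Count - 1 Step 2
        If StrComp(colDrives.Item(i), strDrive, vbTextCompare) = 0 Then
            CurrentShare = colDrives.Item(i + 1)
            Exit Function
        End If
    Next
End Function

' Map strDrive to strShare; True only if the letter ends up on that share.
Function MapDriveChecked(strDrive, strShare)
    Dim lngErr, strErr
    MapDriveChecked = False
    On Error Resume Next
    WSHNetwork.MapNetworkDrive strDrive, strShare
    If Err.Number <> 0 Then
        ' Letter in use (for example a persistent mapping): force removal,
        ' also dropping it from the user profile, then try once more.
        Err.Clear
        WSHNetwork.RemoveNetworkDrive strDrive, True, True
        Err.Clear
        WSHNetwork.MapNetworkDrive strDrive, strShare
    End If
    lngErr = Err.Number : strErr = Err.Description
    On Error GoTo 0
    ' In the logon script these lines would be appended to strStatus.
    If lngErr <> 0 Then
        WScript.Echo strDrive & " FAILED (0x" & Hex(lngErr) & ") " & strErr
    ElseIf StrComp(CurrentShare(strDrive), strShare, vbTextCompare) <> 0 Then
        WScript.Echo strDrive & " is on " & CurrentShare(strDrive) & ", expected " & strShare
    Else
        WScript.Echo strDrive & " " & strShare
        MapDriveChecked = True
    End If
End Function

' Constructed sample call using the share name from the article.
MapDriveChecked "F:", "\\FileServer\Finance"
```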

So our complete group based subroutine looks like this:

Sub Division1()
    strStatus = strStatus & vbCRLF & "Member of Division 1..."
    oIE.document.all.wstatus.InnerText = strStatus

    ' Home directory is a hidden share named after the user ID
    strHomeDir = "\\UserServer1\" & strUser & "$"
    MapDrive "H:", strHomeDir
    MapDrive "K:", "\\FileServer\Finance"
End Sub

The strHomeDir string creates a path that includes the user ID and a dollar sign, which indicates a hidden share.

The IE window can be a useful debugging tool to see what groups the user belonged to and the full path to mapped drives, but it is no good if the window is closed when the logon script completes, so we check the status of a hidden check box with the following script.

If Not oIE.document.all.holdit.checked Then
    ' Nobody clicked in the window, so close it
    oIE.Quit
End If

To enable the check box we use the on click event specified in the html body statement to specify the function to execute if the user clicks anywhere inside the window.

Sub Hold()

               document.all.holdit.checked = true

End Sub

Now there is no reason your users should be faced with ugly DOS boxes ever again. You can also use this method to provide a user interface for your other admin scripts.

Download the files by clicking the links below and selecting File, Save from IE and change the file extension from .txt to the appropriate extension.

(Sign on with your Passport/Hotmail account before you try to download these files)

Logon.vbs
Logon.htm
ZIP of both files... 

 
 