How to Write Effective Network Logon Scripts
Multiple logon scripts can be created to map drives differently for different groups of people. This allows logon scripts to be very specific, creating only those mapped drives necessary for each unique group of users. Mapping drives provides an easy way to get to resources, but the user must also have permissions to access those files. Remember, it is best practice to protect resources by allowing the least amount of access and allowing access on an as-needed basis versus allowing full access to everyone.
- Log on to the domain controller running Active Directory.
- Open "Notepad". NOTE: It is important to use Notepad, not WordPad. Notepad is an ASCII text editor and does not apply any formatting to the document.
- Decide if you want to display the drive mapping script to users.
  - If allowed, users are shown a black command-line window showing each drive being mapped when they log into a device on the network.
  - Most commonly the script starts with an "@echo off" statement to prevent the window from being displayed to users as it is less disruptive.
- Next, choose whether or not you want to clear drive letters on the local machine before mapping drive letters. This statement is used to make sure the drive letters you are mapping are available before the mapping occurs. It is helpful in situations such as when users map their own drives or when external USB drives are connected.
  - To clear drive letters before mapping drives, type the statement "net use X: /delete /yes" for each letter corresponding to a drive you plan to map.
  - The 'X' represents the drive letter mapping to delete and can be any letter of the alphabet.
  - The /yes forces the drive letter to be deleted even if it is in use.
  - NOTE: This command is not required for the logon script to run. However, if you do not include it and users report they do not have the correct drive mappings, the drive letter was likely already in use, which prevented the logon script from running correctly.
- Lastly, create statements mapping the desired network paths. Mapped drives can point to multiple servers on the same network. Before mapping drives, be sure users have the appropriate permissions to access the files.
  - To map a drive letter, type "net use X: \\server\folder name" (enclose the path in double quotes if it contains spaces).
  - The 'X' represents the drive letter being mapped.
  - Only the letters A-Z can be used for drive mapping.
  - Some letters should not be used for drive mapping. Using A - D as drive mappings is not recommended because they are commonly used by the operating system and can create horrible conflicts.
  - External USB drives and other devices create drive letters sequentially based on the next available letter. As a result, the further down the alphabet you assign mapped drive letters, the less likely conflicts are to occur.
- Name the file using a .bat extension and save it in the following location: "\Windows\SYSVOL\sysvol\domain name\scripts".
- Add the logon script to each user profile desired on the Profile tab. If you have multiple logon scripts, enter the correct one for each user.
  - Open "Active Directory Users & Computers".
  - Right-click on a user and select "Properties".
  - Click on the "Profile" tab.
  - Under "User Profile", type the name of the script into the "logon script:" box.
  - Click "Apply" and "OK".
  - Repeat for each user.
- Test to be sure the drive letters are mapped and the correct files are available to users.
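
The steps above assembled into one logon script for a single group, as an added example that is not part of the original article. The server names FILESRV01 and FILESRV02, the share names, the log file name and the :MapDrive helper are hypothetical; the script goes slightly beyond the steps by recording whether each mapping succeeded, which helps with the testing step, and by using the /persistent:no switch of net use.

```bat
@echo off
rem Added example. FILESRV01, FILESRV02 and the share names are
rem hypothetical placeholders; replace them with your own servers.
setlocal

rem Per-user log so failed mappings can be checked during testing.
set "LOG=%TEMP%\logon-drives.log"
> "%LOG%" echo [%DATE% %TIME%] Logon script started for %USERNAME% on %COMPUTERNAME%

rem One line per drive this group needs and nothing more.
rem Letters late in the alphabet avoid clashes with local and USB drives.
call :MapDrive S: "\\FILESRV01\Sales"
call :MapDrive T: "\\FILESRV02\Sales Templates"

endlocal
exit /b 0

:MapDrive
rem %1 = drive letter with colon, %2 = UNC path in double quotes.
rem Free the letter first. Errors are hidden because the letter
rem may simply not be mapped yet.
net use %1 /delete /yes >nul 2>&1

rem /persistent:no stops Windows from remembering the mapping,
rem so the script alone decides what is mapped at each logon.
set "RESULT=Mapped"
net use %1 %2 /persistent:no >nul 2>&1
if errorlevel 1 set "RESULT=FAILED to map"

>> "%LOG%" echo [%TIME%] %RESULT% %1 to %~2
exit /b 0
```

A "FAILED to map" line in the log usually means the share path is wrong or the user lacks permission to the share, which is the permission check the mapping step calls for.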
As always, knowing how to use the tools at our disposal can save time and be extremely efficient when they affect groups of users at the same time!