How to configure Windows Active Directory logon scripts

There are instances when you need to run a script or program every time a user logs into your Windows network. One way to automate this is to configure and assign a Windows logon script to a particular user or group account.

Enabling Windows logon scripts is a two-stage process. The first stage is to create the script itself, and the second stage is to assign the logon script to a domain user (or group) account.

I. Where to save the logon script:

  1. Create your logon script and save it in the appropriate format (Example: logon.bat, logon.vbs).
  2. Go to your domain controller and copy the script into the %SystemRoot%SYSVOLSysvolDomainNameScripts local folder (Ex. C:WINDOWSsysvolsysvolENTIIS.COMSCRIPTS).

This folder corresponds to the domain controller’s NETLOGON network share folder.

This makes the script accessible over the network via the \ServerNameNetlogon network share folder.


To summarize:
If your domain controller’s name “DC01”, and if you have a script named “logon.bat”, which is saved on DC01’s “C:WINDOWSsysvolsysvolENTIIS.COMSCRIPTS” folder, then you can access the script over the network by going to the “\DC01netlogon“ network share folder, or by simply running \DC01netlogonlogon.bat.

II. How to assign a logon script to a user or group:

1. First, open “Active Directory Users and Computers” on the domain controller.

Active Directory Users and Computers

2. Now right click on the user you want to have the logon script and select the properties menu.

A properties dialog like the one shown below will appear. Select the ‘Profile’ Tab

By default, if no exact network path is given, as shown in Figure 3, above, Active Directory will assume that the user profile logon script will be at the %SystemRoot%SYSVOLSysvolDomainNameScripts folder.

3. Click Apply.

4. Click OK.

Once configured, the logon script will run (on the local machine where the user logged in) every time the user logs into the network using the corresponding account.

Note: You have to check if the user account used to log into the local machine has the appropriate rights to run or execute programs.

Posted in Technology and tagged , , , .


  1. I try running an executable program like a link to notepad.exe by logon-script. In an test-ou it runs quite well in the foreground, when the user logs on. In the productivity-AD, the notpad flashes shortly and is endet without a possibility to use. I’d like to know the difference between both. RSOP shows no difference, but there is one.

Leave a Reply

Your email address will not be published. Required fields are marked *