Required Group Policy settings for your logon script

Windows displays a "Welcome" screen that hides your logon script. By default, it only gets visible, if the execution takes more than 30 seconds. To change this, you must set a Group Policy setting. You must also disable print driver restrictions to allow users to install printer drivers.

But - all you need to do is to import a custom ADMX policy template file and you're done.

Logon GPO Settings

Setting policies using a custom ADMX file

When you used the Logon Script wizard to set up the logon script, a custom ADMX file was put on the computer that executed the wizard. If this computer is a domain controller, where you edit your Group Policy settings, you will automatically have the "FastTrack Logon" item in the Group Policy Management Editor, as shown below. If it does not appear automatically, follow the procedure under screenshot. You can get to this screen any time either by walking through the logon script wizard, or in logon script edit mode, click the left "GPO settings" menu. Once you have the "FastTrack Logon" configuration in place, simply enable all these 4 settings. You can either enable the settings per user or per machine.

Group policy custom ADMX file

If you already have Software Deploy in place

If you have already set up Software Deployment, you can enabled the same settings here per machine. You can say that it has no place in Software Deploy, but it is simply there for your convenience, in case you set this up first and now need to set up a logon script. The screenshot below is from the Software Deployment wizard, where you enable the settings under "Logon Script Policies". If you enable theses settings here, you do not need to set Group Policy settings also.

General Software Settings



Windows 2003 Server

If you are still using the unsupported Windows 2003 server, you do not have support for admx file. In this case, please follow this alternative procedure, setting the same settings by individual Group Policy settings.

Making your logon script visible

To set the registry key per user, open your Group Policies and locate "User Configuration -> Preferences -> Windows Settings -> Registry" and create a new registry item using these data:
  • Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  • Value name: DelayedDesktopSwitchTimeout
  • Value type: REG_DWORD
  • Value data: 0
Group policy for showing a logon script


Enable drive mappings for administrators

When administrators log on, they may not get the drive mappings from the logon script. This is because the logon process runs with an elevated token, whereas the Explorer starts with an unprivileged token. This is a UAC explained in this technet article. To enable drive mappings for administrators, set this registry the same way as in the previous section:
  • Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  • Value name: EnableLinkedConnections
  • Value type: REG_DWORD
  • Value data: 1

Run logon script synchronously

If you have not enabled the group policy "Run logon script synchronously", the first part of the logon script may not execute before the explorer starts, the first time a user logs on. To enable synchronously logon script execution, please set the group policy "Run logon script synchronously" under "User Configuration -> Policies -> Administrative Templates -> System -> Scripts" to "Enabled".

Group policy for running logon script synchronously


Allowing printer drivers to be installed for unprivileged users

If you use the ConnectPrinter or ConnectIPPrinter commands to connect printers, you should remove the security warnings for installing printer drivers. Locate "Point and Print Restrictions" under "Computer Configuration -> Policies -> Administrative Templates -> Printers" and set to "Disabled". Under Windows 2003, this key exists under "User Configuration -> Policies -> Administrative Templates -> Control Panel -> Printers" instead.

Group policy for disabling printer warnings


Booting into the desktop on Windows 8.1

While you have the registry preferences open for the user or computer, you might as well set a key for booting into Desktop Mode on Windows 8.1, assuming this is your company preference. To boot directly into Desktop Mode on Windows 8.1, create another entry with these data (0 = Start in Desktop Mode, 1 = Start in Start Screen):
  • Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage
  • Value name: OpenAtLogon
  • Value type: REG_DWORD
  • Value data: 0


LATEST CYBERSECURITY BLOGS

Ransomware Attack Hits Indian Tech Giant Tata Technologies

A recent Ransomware attack forced the Indian Multinational Technology giant to suspend several IT services. Here's the breakdown.

Future Proofing Your Organization with the Right Privileged Access Management Solution

Explore how Privileged Access Management can safeguard your organization against evolving cyber threats. Discover crucial insights in our upcoming blog on selecting the right solution for long-term security and efficiency.

Avoid these 5 Remote Access Security Mistakes

Discover the top 5 remote access security mistakes that put your data at risk. Learn how to avoid these pitfalls and enhance your cybersecurity posture.


Rating: 5 out of 5

"Use this as a replacement for VBScript and PowerShell"

"It's easy to include attractive GUI elements in FastTrack scripts, beyond the basic dialog boxes and text input that VBScript offers ... Another powerful feature is the ability to distribute scripts as Windows Installer (.msi) or standard .exe files. Although interesting in its own right, this ability results in a much more intriguing capability: to repackage -- or wrap -- software installers as .msi files without using snapshots. If you've ever created an .msi installer file from before-and-after system snapshots, for use with a software distribution system such as Group Policy or SCCM, then you know how hit-and-miss the results can be."

Read full review


Rating: 8 out of 10

"Faster than the rest"

"We found the FastTrack syntax to be more transparent and easier to learn than Microsoft's PowerShell – the editor in particular provided good support in this regard. the Script Editor offers a large number of options from the command set through to simple output of graphical elements, which cannot be achieved at all with PowerShell or other solutions or only with a significantly greater level of effort."

"Anyone wanting to tackle the many hurdles in everyday admin and especially anyone for whom logon scripts and client automation is a priority will benefit from the variety of functions offered by FastTrack."

Review in English      Review in German