FastTrack admin

Required Group Policy settings for your logon script

Windows displays a "Welcome" screen that hides your logon script. By default, it only gets visible, if the execution takes more than 30 seconds. To change this, you must set a Group Policy setting. You must also disable print driver restrictions to allow users to install printer drivers.

But - all you need to do is to import a custom ADMX policy template file and you're done.

Request a free demo

Logon GPO Settings

Department of Commerce Red Cross Kpmg Booking Aspen Dental Hamilton Beach Toyota Kawasaki Goodyear NOAA

Setting policies using a custom ADMX file

When you used the Logon Script wizard to set up the logon script, a custom ADMX file was put on the computer that executed the wizard. If this computer is a domain controller, where you edit your Group Policy settings, you will automatically have the "FastTrack Logon" item in the Group Policy Management Editor, as shown below. If it does not appear automatically, follow the procedure under screenshot. You can get to this screen any time either by walking through the logon script wizard, or in logon script edit mode, click the left "GPO settings" menu. Once you have the "FastTrack Logon" configuration in place, simply enable all these 4 settings. You can either enable the settings per user or per machine.

Group policy custom ADMX file

If you already have Software Deploy in place

If you have already set up Software Deployment, you can enabled the same settings here per machine. You can say that it has no place in Software Deploy, but it is simply there for your convenience, in case you set this up first and now need to set up a logon script. The screenshot below is from the Software Deployment wizard, where you enable the settings under "Logon Script Policies". If you enable theses settings here, you do not need to set Group Policy settings also.

General Software Settings



Windows 2003 Server

If you are still using the unsupported Windows 2003 server, you do not have support for admx file. In this case, please follow this alternative procedure, setting the same settings by individual Group Policy settings.

Making your logon script visible

To set the registry key per user, open your Group Policies and locate "User Configuration -> Preferences -> Windows Settings -> Registry" and create a new registry item using these data:
  • Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  • Value name: DelayedDesktopSwitchTimeout
  • Value type: REG_DWORD
  • Value data: 0
Group policy for showing a logon script


Enable drive mappings for administrators

When administrators log on, they may not get the drive mappings from the logon script. This is because the logon process runs with an elevated token, whereas the Explorer starts with an unprivileged token. This is a UAC explained in this technet article. To enable drive mappings for administrators, set this registry the same way as in the previous section:
  • Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  • Value name: EnableLinkedConnections
  • Value type: REG_DWORD
  • Value data: 1

Run logon script synchronously

If you have not enabled the group policy "Run logon script synchronously", the first part of the logon script may not execute before the explorer starts, the first time a user logs on. To enable synchronously logon script execution, please set the group policy "Run logon script synchronously" under "User Configuration -> Policies -> Administrative Templates -> System -> Scripts" to "Enabled".

Group policy for running logon script synchronously


Allowing printer drivers to be installed for unprivileged users

If you use the ConnectPrinter or ConnectIPPrinter commands to connect printers, you should remove the security warnings for installing printer drivers. Locate "Point and Print Restrictions" under "Computer Configuration -> Policies -> Administrative Templates -> Printers" and set to "Disabled". Under Windows 2003, this key exists under "User Configuration -> Policies -> Administrative Templates -> Control Panel -> Printers" instead.

Group policy for disabling printer warnings


Booting into the desktop on Windows 8.1

While you have the registry preferences open for the user or computer, you might as well set a key for booting into Desktop Mode on Windows 8.1, assuming this is your company preference. To boot directly into Desktop Mode on Windows 8.1, create another entry with these data (0 = Start in Desktop Mode, 1 = Start in Start Screen):
  • Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage
  • Value name: OpenAtLogon
  • Value type: REG_DWORD
  • Value data: 0

Outlook Signature Generation

Outlook Signatures

Build mass-deployable Outlook signatures using a Word-like designer. More
Graphical Logon Scripts

Codeless Logon Scripts

Build graphical logon scripts with your own logo by pure point and click. More
IP Printing

Kill your print servers

Print to IP printers directly. More
Software Deploy

Software Deploy and Inventory

Push software without a management server and inventory to the cloud. More
Zero Touch Thin PC

Tired of Desktop Authority?

Same features - less complexity. More

Want to terminate local admin rights?

Try our sister product Admin By Request
Laptop Backups

Lockdown Local Admins

Revoke local admins rights and have users request ad-hoc access under full audit. More

LATEST CYBERSECURITY BLOGS

Join the Free Webinar: Privileged Access Management for Linux

Admin By Request is the must-have enterprise cybersecurity tool that you can deploy on all your operating systems: Windows, macOS - and now Linux.

Admin Persona 1 of 5: The 'Pop'

A disruptive scenario of high volume, unpredictability, and urgency - here's how it can play out with and without Admin By Request.

Privileged Access Management Just Got Personal

The terms ‘use case’ or ‘usage scenario’ are cold and soulless words and not a good representation of the type of work we do here. Introducing ‘Usage Persona’: a more human approach to use case scenarios.


Rating: 5 out of 5

"Use this as a replacement for VBScript and PowerShell"

"It's easy to include attractive GUI elements in FastTrack scripts, beyond the basic dialog boxes and text input that VBScript offers ... Another powerful feature is the ability to distribute scripts as Windows Installer (.msi) or standard .exe files. Although interesting in its own right, this ability results in a much more intriguing capability: to repackage -- or wrap -- software installers as .msi files without using snapshots. If you've ever created an .msi installer file from before-and-after system snapshots, for use with a software distribution system such as Group Policy or SCCM, then you know how hit-and-miss the results can be."

Read full review


Rating: 8 out of 10

"Faster than the rest"

"We found the FastTrack syntax to be more transparent and easier to learn than Microsoft's PowerShell – the editor in particular provided good support in this regard. the Script Editor offers a large number of options from the command set through to simple output of graphical elements, which cannot be achieved at all with PowerShell or other solutions or only with a significantly greater level of effort."

"Anyone wanting to tackle the many hurdles in everyday admin and especially anyone for whom logon scripts and client automation is a priority will benefit from the variety of functions offered by FastTrack."

Review in English      Review in German

GET IN TOUCH!

Give us a call at 262.299.4600 to discuss how FastTrack can help your organization or email us here