How Scripts Extension Works

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

How Scripts Extension Works

The Scripts extension is one of the Group Policy extensions that automate configuration of the Group Policy infrastructure. The Scripts extension consists of two parts. The server-side extension, a Microsoft Management Console (MMC) snap-in, enables administrators to make enterprise-wide script Group Policy settings. The Scripts client side extension (CSE) implements those settings on the client computer. A separate process, Userinit, actually runs the scripts.

In this section

  • Scripts Extension Architecture

  • Scripts Extension Protocols

  • Scripts Extension Physical Structure

  • Scripts Extension Processes and Interactions

  • Network Ports Used by Scripts Extension

Scripts Extension Architecture

The Group Policy Scripts client-side extension (CSE) is managed by the Group Policy core, which stores a list of Group Policy objects (GPOs) received from Active Directory. The GPO list is then passed into the Scripts CSE where the scripts.ini file of each GPO is read from the Sysvol folder. This information required for script processing is stored in the client registry. When Group Policy is finished processing, the WinLogon process retrieves the registry information, and then creates a Userinit process that actually runs the scripts. During logoff and shutdown, WinLogon again creates a Userinit process to run the relevant scripts. The Userinit process uses the ShellExecute command to run each script. The following figure shows the Scripts extension architecture and the client-server interaction of the two extension components.

Scripts Extension Architecture

Scripts Extension Architecture

Components important to the Scripts extension, seen in the preceding figure, are described in the table below. Components not seen in the figure, but important to the process are also described.

Scripts Logical Architecture Components

Component Description

Group Policy engine

The Framework that manages and implements the Group Policy settings and configurations, made by the admin, across all client-side extensions (CSE). Userinit actually executes the script; not the CSE. Userenv.dll is the Group Policy engine module.

Scripts client-side extension (CSE)

The Scripts CSE is the component that is called by the Group Policy engine, and that applies the scripts setting. The Scripts CSE writes the relevant script information into the registry. It does not run the scripts.


WinLogon is the service that contains the Group Policy engine.

Resultant Set of Policy (RSoP) snap-in

Displays the results of Group Policy, including what scripts have run and when they were last run. For more information about RSoP, see “What Is Resultant Set of Policy?.”


Called by Winlogon to run Group Policy scripts by calling ShellExecute.

Local GPO

Contains Group Policy settings for the local computer, including potential scripts policies.

The CSE registration information is written at setup to the HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon\ GPExtensions registry key. This registry key structure exists on both the target and on the domain controller systems.

Scripts Extension Protocols

The various protocols used within the Scripts extension architecture are summarized in the following table.

Scripts Extension Protocols

Protocol Description


Windows API function call.

NTLM or Kerberos

Authentication protocol used by the client to authenticate with Active Directory.

Server Message Block (SMB)

SMB is a file access protocol used by Userinit to access the Sysvol folder.

Distributed Component Object Model (DCOM)

DCOM is used by CSEs to communicate with Windows Management Instrumentation (WMI).

Scripts Extension Physical Structure

Most Group Policy settings are stored in the Group Policy template, part of the domain controller’s file system. Group Policy templates are stored in the %systemroot%\SYSVOL\sysvol\domainname\policiessubfolder. The root of each Group Policy template contains a Gpt.ini file. Each Group Policy template contains a Machine and User subfolder, both of which contain a Scripts subfolder that contains the Scripts.ini file. The Machine Scripts subfolder contains a Shutdown and a Startup subfolder. The User Scripts subfolder contains a Logoff and a Logon subfolder. These four subfolders contain their respective Group Policy scripts to be implemented on the target by the Scripts CSE.

Components important to the Scripts CSE are described in the following table.

Scripts Physical Architecture Components

Component Description

Sysvol folder

The Sysvol folder contains the set of folders shared on each domain controller that stores file-system domain information, as compared to registry domain information. The Sysvol folder is one of the locations that the Scripts.ini file is stored. The other location is the Local GPO.

Group Policy template

The Group Policy template is part of the GPO, and is the portion of Group Policy settings stored in the file system and shared between domain controllers. The Group Policy template makes up the majority of the Group Policy settings. Each Group Policy template folder is a subfolder of the Policies folder and has a globally unique identifier (GUID).


Gpt.ini is a file in the Group Policy template root folder that stores the GPO version number of the Group Policy template. The Group Policy CSEs use this version number to confirm that directory and file components are synchronized correctly.

ADM folder

The ADM folder stores the System.adm file, among others.

Machine folder

The Machine folder stores GPO Computer settings files. One of the subfolders is the Scripts folder.

User folder

The User folder stores GPO User settings files. One of the folders is the Scripts folder.

Scripts folder

The Scripts folder, a subfolder of both the Machine and User folders, stores the Scripts.ini file and references scripts to be run.

Scripts.ini file

The Scripts.ini file is stored on the Sysvol folder in the Scripts folder and stores the path to each script.

External Scripts server

A server, other than the domain controller, on which the actual scripts can be stored.

Scripts Server-side extension Snap-in

A snap-in that is a server side component that loads with Group Policy Object Editor. The snap-in displays a Scripts node under Windows Settings of both Computer Configuration and User Configuration.

Logon folder

A subfolder of the Sysvol folder containing any user logon scripts to be implemented by the Scripts CSE.

Logoff folder

A subfolder of the Sysvol folder containing any user logoff scripts to be implemented by the Scripts CSE.

Startup folder

A subfolder of the Sysvol folder containing any computer startup scripts to be implemented by the Scripts CSE.

Shutdown folder

A subfolder of the Sysvol folder containing any computer shutdown scripts to be implemented by the Scripts CSE.

Scripts Extension Processes and Interactions

The Scripts CSE processes all applied GPOs. The Scripts CSE reads the command-line options for the scripts from the Scripts.ini file. If a full path is specified, the full path is stored in the registry. If only a name is specified, the CSE creates the full path to the file in the Sysvol folder, prior to storing it in the registry. On Windows XP and better, The Scripts CSE stores this information in the client’s registry, in the following keys:

  • HKEY_LOCAL_MACHINE\Software\Policies\Windows\System\Scripts

  • HKEY_CURRENT_USER\Software\Policies\Windows\System\Scripts

The script type is stored as one of the following registry values:

  • Logon

  • Logoff

  • Startup

  • Shutdown

The Scripts CSE sorts scripts by using the following rules:

  • By GPO priority

  • By priority order within each GPO

Scripts are usually stored in the Startup and Shutdown subfolders of the Machine\Scripts folder or in the Logon and Logoff subfolders of the User\Scripts folder. Scripts can be stored in a different location, or on a different server. However, for the script to run, the script file must be available and accessible (read access) for it to be run. Note that the user must have read access for logon and logoff scripts and the computer must have access for startup and shutdown scripts. Both are members of the Authenticated Users group, so by default both have access to run their respective scripts. The script is run from the file path location stored in Scripts.ini and the script is not cached on the client computer. If the network is unavailable when scripts are set to run, they will not run.

Network Ports Used by Scripts Extension

The following table summarizes the network protocols and port numbers used by the Scripts CSE. The Scripts extension impersonates the user and computer for network communication.

Port Assignments for Scripts CSE

Task Port (Protocol)

Retrieve GPO list

TCP 398 (LDAP)

Retrieve Group Policy container

TCP 398 (LDAP)

Request Distributed File System (DFS) referral for the Sysvol folder on the domain controller

TCP 445 (SMB)

Determine Sysvol DFS replica location for the Sysvol folder on the domain controller

TCP 445 (SMB)

Open and read Gpt.ini

TCP 445 (SMB)

Open and read Group Policy template settings files

TCP 445 (SMB)

Return Group Policy template file

TCP 445 (SMB)