Distribution through Login Scripts

Applies To: Windows Server 2008, Windows Server 2008 R2

Login scripts can help distribute the rights policy templates by copying them from a file share to the local computers. Once you create a script, you can provide the script to the AD RMS user clients through a Group Policy object (GPO). Be aware that the login script runs every time a user logs on to the computer.

To enable login scripts, you will need to:

  1. Create a script and store it in a location within the SYSVOL folder

  2. Assign the permissions to the script to run

  3. Assign the script to GPO

Create a script and store it in a location within the SYSVOL folder

You can use logon scripts to assign tasks that will be performed when a user logs on to a particular computer. On a Windows 2008 domain controller, the scripts can be stored in the following location, where GUID is the hexadecimal string that identifies the specific Group Policy object in use:

%SystemRoot%\SYSVOL\sysvol\<domain DNS name>\Policies\{GUID}\User\Scripts\Logon


If you are using a Windows 2003 domain controller, you can store the login script in the following location:
%SystemRoot%\SYSVOL\sysvol\domainname\scripts

Sample logon script:

' --------------------------------------------------------------------
' This is an example vbs script to copy the xml files to the ADRMS
' template locations for both XP SP2 and Vista.
' Note that this script always copies the xml files to the location. You
' can improve the script to copy the files only when they do not exist or
' when updated, etc. You should also add error checking. Make sure the
' firewall is open to copy the files through the network.
' --------------------------------------------------------------------
Option Explicit   

Dim Obj,objFileSys
Dim OSVersion
Dim ADRMSTemplatePath, ADRMSTempatePathParent
Dim pathUserProfile, pathLocalAppData
Dim orginalTemplatePath

' -------------------------------------------------------------------- 
' Change this file location for AD RMS right policy templates 
' --------------------------------------------------------------------
orginalTemplatePath = "\\FileServer\Templates\*.xml"

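Set Obj = WScript.CreateObject("WScript.Shell")
Set objFileSys = CreateObject("Scripting.FileSystemObject")

' Resolve the per-user folders that the template path is built from
pathUserProfile = ExpandEnvironment("%USERPROFILE%")
pathLocalAppData = ExpandEnvironment("%LOCALAPPDATA%")

' RegRead returns the version as a string, for example "5.1" or "6.0"
OSVersion = Obj.RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\CurrentVersion")

' --------------------------------------------------------------------
' Check operating system version and call create directory and copy the file
' functions
' --------------------------------------------------------------------
ADRMSTemplatePath = ""
If OSVersion = "5.1" Then  ' XP
 ADRMSTemplatePath = objFileSys.BuildPath(pathUserProfile, "Application Data\Microsoft\DRM\Templates")
ElseIf OSVersion = "6.0" Then  ' Vista
 ADRMSTemplatePath = objFileSys.BuildPath(pathLocalAppData, "Microsoft\DRM\Templates")
Else ' add more if you wish
End If

' Only copy when a template path was chosen for this operating system
If ADRMSTemplatePath <> "" Then
 CreateFolderAndCopy ADRMSTemplatePath
End If

Set Obj = Nothing
Set objFileSys = Nothing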

' --------------------------------------------------------------------
' Create Folder and Copy sub routine
' --------------------------------------------------------------------
Sub CreateFolderAndCopy(Path)

ADRMSTempatePathParent = objFileSys.GetParentFolderName(Path)

If objFileSys.FolderExists(Path) <> True Then
 if objFileSys.FolderExists(ADRMSTempatePathParent) <> True then
    objFileSys.CreateFolder ADRMSTempatePathParent
 End If
    objFileSys.CreateFolder Path
End If

'  add path and error checking 
objFileSys.CopyFile orginalTemplatePath, Path

End Sub

' --------------------------------------------------------------------
' Get Environment Variable
' --------------------------------------------------------------------

Function ExpandEnvironment(Environment)
    On Error Resume Next
    Dim objWshShell
    Set objWshShell = WScript.CreateObject("WScript.Shell")
    If Err.Number = 0 Then
        ' Shell object created: expand variables such as %USERPROFILE%
        ExpandEnvironment = objWshShell.ExpandEnvironmentStrings(Environment)
    Else
        ' Report the failure instead of returning silently
        WScript.Echo "Error: " & Err.Description
    End If
    Set objWshShell = Nothing
End Function
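
The sample's header comment suggests copying the files only when they are missing or updated and adding error checking. The following is an added example of one way to do that, not part of the original sample script; the function name SyncTemplates is hypothetical, and it assumes the local template folder has already been created.

```vbscript
Option Explicit

' Hypothetical helper (not part of the original sample): copies each *.xml
' template from sourceFolder to destFolder only if it is missing locally or
' the copy on the share is newer. Returns the number of files copied, or -1
' if either folder is unavailable. Per-file copy errors are reported.
Function SyncTemplates(sourceFolder, destFolder)
    Dim fso, srcFile, destFile, copied, needCopy
    Set fso = CreateObject("Scripting.FileSystemObject")
    SyncTemplates = -1

    ' Stop early if the share is unreachable (firewall, offline laptop, etc.)
    If Not fso.FolderExists(sourceFolder) Then
        WScript.Echo "Template share not reachable: " & sourceFolder
        Exit Function
    End If
    If Not fso.FolderExists(destFolder) Then
        WScript.Echo "Local template folder missing: " & destFolder
        Exit Function
    End If

    copied = 0
    On Error Resume Next
    For Each srcFile In fso.GetFolder(sourceFolder).Files
        If LCase(fso.GetExtensionName(srcFile.Name)) = "xml" Then
            destFile = fso.BuildPath(destFolder, srcFile.Name)
            needCopy = True
            If fso.FileExists(destFile) Then
                needCopy = (srcFile.DateLastModified > fso.GetFile(destFile).DateLastModified)
            End If
            If needCopy Then
                fso.CopyFile srcFile.Path, destFile, True
                If Err.Number <> 0 Then
                    WScript.Echo "Copy failed for " & srcFile.Name & ": " & Err.Description
                    Err.Clear
                Else
                    copied = copied + 1
                End If
            End If
        End If
    Next
    On Error GoTo 0
    SyncTemplates = copied
End Function

' Example call: \\FileServer\Templates is the share used in the sample above,
' and the destination is the Vista template path that the sample builds.
Dim localPath
localPath = CreateObject("WScript.Shell").ExpandEnvironmentStrings("%LOCALAPPDATA%\Microsoft\DRM\Templates")
WScript.Echo "Templates copied: " & SyncTemplates("\\FileServer\Templates", localPath)
```
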

Assign the permissions to the script to run

A login script runs with the credentials of the user who is logging on, so appropriate permissions must be set on the script itself. By default, the Authenticated Users group has read and run permissions to the script.

Assign the script to GPO

After you copy the script to the appropriate location, use the following steps:

  1. Open the Group Policy Management console and navigate to the Group Policy Objects tree under your domain.

  2. Right-click an appropriate Group Policy Object and click Edit. If none exists, create a new Group Policy Object.

  3. In the Group Policy Management Editor, locate the following folder:

    User Configuration\Policies\Windows Settings\Scripts (Logon/Logoff)

  4. Double-click the Logon script object. Click Add, click Browse, and then click the script you want to add.

  5. After you select the script, click Open, and then click OK.

  6. Click OK, and then close the Group Policy Management console.

For additional information see: Create System Startup / Shutdown and User Logon / Logoff Scripts