Distribution through Login Scripts
Applies To: Windows Server 2008, Windows Server 2008 R2
Login scripts can help distribute the rights policy templates by copying them from a file share to the local computers. Once you create a script, you can provide the script to the AD RMS user clients through a Group Policy object (GPO). Be aware that the login script runs every time a user logs on to the computer.
To enable login scripts, you will need to:
1. Create a script and store it in a location within the SYSVOL folder
2. Assign the permissions to the script to run
3. Assign the script to GPO
Create a script and store it in a location within the SYSVOL folder
You can use logon scripts to assign tasks that are performed when a user logs on to a particular computer. On a Windows 2008 domain controller, the scripts can be stored in the following location, where GUID is the hexadecimal string that identifies the specific Group Policy object in use.
%SystemRoot%\SYSVOL\sysvol\<domain DNS name>\Policies\{GUID}\User\Scripts\Logon
Note
If you are using a Windows 2003 domain controller, you can store the login script in the following location:
%SystemRoot%\SYSVOL\sysvol\domainname\scripts
Sample logon script:
' --------------------------------------------------------------------
' This is an example VBScript that copies the XML files to the AD RMS
' template locations for both XP SP2 and Vista.
'
' Note that this script always copies the XML files to the location. You
' can improve the script to copy the files only when they do not exist or
' when they are updated, etc. You should also add error checking. Make
' sure the firewall is open so the files can be copied over the network.
' --------------------------------------------------------------------
Option Explicit
Dim Obj,objFileSys
Dim OSVersion
Dim ADRMSTemplatePath, ADRMSTempatePathParent
Dim pathUserProfile, pathLocalAppData
Dim orginalTemplatePath
' --------------------------------------------------------------------
' Change this file location for AD RMS rights policy templates
' --------------------------------------------------------------------
orginalTemplatePath = "\\FileServer\Templates\*.xml"
Set Obj=WScript.CreateObject("Wscript.Shell")
Set objFileSys = CreateObject("Scripting.FileSystemObject")
OSVersion=Obj.RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\CurrentVersion")
' --------------------------------------------------------------------
' Check the operating system version and call the create directory and
' copy file functions. RegRead returns the version as a string, so it is
' compared with string values.
' --------------------------------------------------------------------
If OSVersion = "5.1" Then ' XP
    pathUserProfile = ExpandEnvironment("%USERPROFILE%")
    ADRMSTemplatePath = objFileSys.BuildPath(pathUserProfile, "Application Data\Microsoft\DRM\Templates")
    CreateFolderAndCopy ADRMSTemplatePath
ElseIf OSVersion = "6.0" Then ' Vista
    pathLocalAppData = ExpandEnvironment("%LocalAppData%")
    ADRMSTemplatePath = objFileSys.BuildPath(pathLocalAppData, "Microsoft\DRM\Templates")
    CreateFolderAndCopy ADRMSTemplatePath
Else ' add more if you wish
End If
Set Obj = Nothing
Set objFileSys = Nothing
' --------------------------------------------------------------------
' Create Folder and Copy sub routine
' --------------------------------------------------------------------
Sub CreateFolderAndCopy(Path)
    ADRMSTempatePathParent = objFileSys.GetParentFolderName(Path)
    If objFileSys.FolderExists(Path) <> True Then
        If objFileSys.FolderExists(ADRMSTempatePathParent) <> True Then
            objFileSys.CreateFolder ADRMSTempatePathParent
        End If
        objFileSys.CreateFolder Path
    End If
    ' add path and error checking
    objFileSys.CopyFile orginalTemplatePath, Path
End Sub
' --------------------------------------------------------------------
' Get Environment Variable
' --------------------------------------------------------------------
Function ExpandEnvironment(Environment)
    On Error Resume Next
    Dim objWshShell
    Set objWshShell = WScript.CreateObject("WScript.Shell")
    If Err.Number = 0 Then
        ExpandEnvironment = objWshShell.ExpandEnvironmentStrings(Environment)
    Else
        WScript.Echo "Error: " & Err.Description
    End If
    Set objWshShell = Nothing
End Function
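The sample script's header suggests copying files only when they are missing or updated, and adding error checking. One way to do that is sketched here as an added example, not part of the original page: SyncTemplates and EnsureFolder are hypothetical names, and the share path and the Vista destination folder are assumptions carried over from the sample.

```vbscript
Option Explicit
Const SOURCE_FOLDER = "\\FileServer\Templates"   ' assumed share, as in the sample script
Dim fso, shell, destFolder, copied
Set fso = CreateObject("Scripting.FileSystemObject")
Set shell = CreateObject("WScript.Shell")
' Assumption: Vista-style profile layout, as in the sample's 6.0 branch.
destFolder = shell.ExpandEnvironmentStrings("%LocalAppData%\Microsoft\DRM\Templates")
copied = -1
On Error Resume Next   ' a runtime error inside the functions returns control here
copied = SyncTemplates(SOURCE_FOLDER, destFolder)
If Err.Number <> 0 Or copied < 0 Then
    shell.LogEvent 2, "AD RMS template copy failed: " & Err.Description   ' 2 = warning
    WScript.Quit 1
End If

' Copies *.xml files that are missing locally or differ in size or modification
' time from the share. Returns the number of files copied, or -1 if skipped.
Function SyncTemplates(srcPath, dstPath)
    Dim srcFile, dstFile, target, stale, count
    SyncTemplates = -1
    count = 0
    If InStr(dstPath, "%") > 0 Then Exit Function        ' variable did not expand
    If Not fso.FolderExists(srcPath) Then Exit Function  ' share unreachable
    If Not EnsureFolder(dstPath) Then Exit Function
    For Each srcFile In fso.GetFolder(srcPath).Files
        If LCase(fso.GetExtensionName(srcFile.Name)) = "xml" Then
            target = fso.BuildPath(dstPath, srcFile.Name)
            stale = True
            If fso.FileExists(target) Then
                Set dstFile = fso.GetFile(target)
                stale = (dstFile.Size <> srcFile.Size) Or _
                        (dstFile.DateLastModified <> srcFile.DateLastModified)
            End If
            If stale Then
                fso.CopyFile srcFile.Path, target, True
                count = count + 1
            End If
        End If
    Next
    SyncTemplates = count
End Function

' Creates the folder and any missing parent folders; True if it exists afterwards.
Function EnsureFolder(path)
    If Len(path) > 0 And Not fso.FolderExists(path) Then
        If EnsureFolder(fso.GetParentFolderName(path)) Then fso.CreateFolder path
    End If
    EnsureFolder = fso.FolderExists(path)
End Function
```

Because the functions carry no error handler of their own, any failure in them unwinds to the top-level On Error Resume Next and is written to the Application event log instead of raising a dialog at logon.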
Assign the permissions to the script to run
A login script runs with the credentials of the user. Appropriate permissions must be set on the script itself. By default, the Authenticated Users group has read and run permissions on the script.
Assign the script to GPO
After you copy the script to the appropriate location, use the following steps:
1. Open the Group Policy Management console and navigate to the Group Policy Objects tree under your domain.
2. Right-click an appropriate Group Policy Object and click Edit. If none exists, create a new Group Policy Object.
3. In the Group Policy Management Editor, locate the following folder:
   User Configuration\Policies\Windows Settings\Scripts (Logon/Logoff)
4. Double-click the Logon script object. Click Add, click Browse, and then click the script you want to add.
5. After you select the script, click Open, and then click OK.
6. Click OK, and then close the Group Policy Management console.
For additional information see: Create System Startup / Shutdown and User Logon / Logoff Scripts