Group Policy w/ User Agreements

[nmX.Memnoch]

Here's what you need to do.

- Make your KiX script. I'll use "logon.kix" for the purposes of this example.

- Make a batch file. In this instance I'll just use "logon.bat" for the filename. The contents of logon.bat should be: %0\..\KIX32.EXE %0\..\logon.kix

- Copy logon.bat, logon.kix and KIX32.EXE to the NETLOGON share of one of your domain controllers. They'll automatically replicate to other DCs from there.

- In Active Directory Users and Computers double click a user. Go to the Profile tab and under "Logon script:" enter logon.bat. Do this for every user that you want to run the logon script. Setting this option may be scriptable but I've never tried it.

%0\..\ translates to the NETLOGON share of whichever server the user authenticates against.

You can probably do this with a GPO but the problem is that I'm pretty sure you have to put the full path to the executable and the script in the batch file. I can play around with this, but I know for a fact that setting it up as the user logon script on the user's account works. I know it's a pain setting the option on every user...but you only have to do it once (and of course remember to do it on any new users).

If you want to test it with your GPO then just edit your batch file like so:

\\domainname.tld\SYSVOL\domainname.tld\Policies\{GPO_GUID}\User\Scripts\Logon\KIX32.EXE \\domainname.tld\SYSVOL\domainname.tld\Policies\{GPO_GUID}\User\Scripts\Logon\scriptname.kix

Honestly though, I really don't think it'll work because those usually aren't displayed on screen.

Edited April 26, 2007 by nmX.Memnoch

[bbbngowc]

What can I say? nmX.Memnoch You are a genius!!!! This worked great. The reason it wasn't working before was because, somehow I got the "%0" mixed and had it entered as "0%". Don't know that happened. But once I saw it, corrected it, it worked.

So, my users now are going to get this everytime they log on? I guess I'll just let this run for about 2 weeks, then turn it off. I'll see what happens.

Thanks again for this, it really helped me.

[nmX.Memnoch]

As long as you have it specified on a user they should be seeing it every time they login.

We have a consent statement that we have to agree to every time we login. Personally, I would just leave it in place and maybe just comment out the part that logs the output.

BTW, you can leave the script on all of your users and just comment parts out. For instance, if you wanted to comment out the MessageBox just put a /* before $X = MessageBox line and a */ after the EndSelect line. Alternatively you can just put a ; at the beginning of each line.

Again, I would recommend looking into AdminScriptEditor. It's not free, but it's not as expensive as some of the other editors out there. It also supports editing AutoIt, VBScript, CMD, BAT, XML and a several other languages. They're getting ready to release version 3.0 that will also add support for PowerShell. I've found it hard to beat some of the features as well.