Jul 17 2007

Group Policy Login Scripts

Use these scripts to assign printers to workstations.

One of the most mysterious and confusing aspects of network administration has to be the use of Active Directory and Group Policy. But this doesn’t have to be the case. Most issues come from a lack of understanding of what Group Policy is, how it works and what can really be done with it. Answering a simple question can clear up a lot of these mysteries — to wit: “How do I use Group Policy to assign printers to workstations?”

The first step is to back up everything that you can in more than one way. Once safety is ensured, you can proceed confidently. Next, you can write a script that adds a network printer on a Windows workstation, and then create a Group Policy to assign that printer to some workstations. Use your imagination afterward to fit this example into your work life.

Scripting Tips

Scripting is a way for systems administrators to save all sorts of time and to reduce management headaches. I’ve never met a sysadmin who refuted the idea that scripting is invaluable. If you want to be a superlative administrator, learn a scripting language. Visual Basic Script is a great one to know; JavaScript is good too; Windows Script is nice as well for Windows environments; and DOS batch scripting is also handy in many cases. You don’t need a computer science degree; any beginner book on scripting can get you started.

When assigning printers, there are a few assumptions to consider. We will assume that you have a Windows-based computer network, and on this network is a print server (this can be any computer), and on this print server is at least one printer that users share.

Scripting is fluid, so there are many other ways to do this. Here’s the script; you just follow along. Open Notepad and type this text in:

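' Map a shared network printer for the user who is logging on.
Set objNetworkPrinter = CreateObject("WScript.Network")
' Replace both placeholders with your print server's host name and the printer's share name.
strConnectString = "\\your print server's host name here\share name of your printer here"
objNetworkPrinter.AddWindowsPrinterConnection strConnectString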

Please insert the computer name (aka host name) of your print server where indicated and the share name of your target printer where indicated. Now, save the file with an intuitive name (for this example let’s call it “printer_mapper”), then change the file extension from “.txt” to “.vbs”. The script is complete.

Save this file somewhere on the network where users have read and execute permissions on the file. They need these, or the script won’t run. In a Windows domain, I suggest the netlogon share of the domain controller itself. This is a central place; it’s already there, and it was intended for this use.
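Because the script runs at every logon for everyone the policy applies to, users should hold read and execute on it and nothing more. The following check is an added example, not part of the original article: it lists any account outside a trusted set that can change the script. The UNC path is a placeholder and the trusted list is an assumption to adjust for your domain.

```powershell
# Added example: audit who can modify a logon script stored on NETLOGON.
# $ScriptPath is a placeholder; point it at your own printer_mapper.vbs.
param(
    [string]$ScriptPath = '\\<domain-controller>\netlogon\printer_mapper.vbs',
    # Principals expected to hold write access (assumption; adjust to your domain).
    [string[]]$TrustedWriters = @(
        'NT AUTHORITY\SYSTEM',
        'BUILTIN\Administrators',
        'CREATOR OWNER'
    )
)

# Rights that let a principal change the file's content, delete it, or rewrite its ACL.
# 'Modify' and 'FullControl' contain these bits, so they are caught as well.
$writeRights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
# Also catch unmapped GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) entries.
$mask = [int]$writeRights -bor 0x40000000 -bor 0x10000000

$acl = Get-Acl -LiteralPath $ScriptPath

$findings = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }            # Deny entries grant nothing
    if (([int]$ace.FileSystemRights -band $mask) -eq 0) { continue } # read/execute only
    $who = $ace.IdentityReference.Value
    if ($TrustedWriters -contains $who) { continue }                 # expected writer
    [pscustomobject]@{
        Identity  = $who
        Rights    = $ace.FileSystemRights
        Inherited = $ace.IsInherited
    }
}

if ($findings) {
    Write-Warning "Unexpected write access on $ScriptPath"
    $findings | Format-Table -AutoSize
    exit 1
}
Write-Output "OK: only trusted principals can modify $ScriptPath (owner: $($acl.Owner))"
```

This inspects the NTFS permissions on the file only; the share permissions on the folder are a separate layer and need their own review.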

Group Policy’s Role

Now you’re ready to create the Group Policy to orchestrate this madness. I use Group Policy Management Console (GPMC), which is a free download from Microsoft that I highly recommend if you intend to use Group Policy.

Simply open GPMC, create a new policy, then open either Computer Configuration or User Configuration (depending on how you intend to administer your domain), open Windows Settings, and select Scripts (Logon/Logoff). In the details pane to the right, you should see Logon and Logoff. Double-click Logon. Click Add. Now browse for the script, and click OK.

You can add several more scripts here. You know best what needs to be done in your environment. Do you want to have people get a standard network drive mapped to a certain network share? Then use the net use command in a DOS batch script, and add it in this policy. Do you want the workstations to refresh their domain policy every time they log in? Then use the gpupdate command in a DOS batch script, and add it to this policy. You could even create another VB script to set certain people or groups as local administrators on the workstations, then add that as well.

Other Juicy Tidbits

In addition to scripting, there are myriad other helpful things you can do with Group Policy. While you still have GPMC open, let’s review a few popular options. Open the policy you just created and peruse the Computer Configuration section.

Under Windows Settings, Account Policy, you will find the password policy section. Use this to define password age, complexity and uniqueness.

Under Windows Settings, Account Lockout Policy, you will find the settings to lock a user account after a certain number of invalid password attempts. This is a great tool to prevent unauthorized users from cracking your users’ passwords.

Under Administrative Templates, Windows Components, Windows Update, you can define exactly how you want the workstations to perform Windows updates.

Under Administrative Templates, Network, Network Connections, Domain Profile or Standard Profile (Domain Profile takes effect when the users are on the domain, Standard Profile takes effect when the users are away), you will find the settings to configure the Windows firewall on Windows XP SP2 or newer workstations. This is a handy tool that lets you make program exceptions, open and close ports, restrict remote administration policies, set logging policy and much more. Now reboot your workstations, and let the automatic printer mapping and network configuration begin. 

What About Vista?

These scripts and policies should work with Windows Vista. Microsoft appears to have improved the operating system in this area. Vista has more than 700 new policy settings that the discriminating administrator can configure. Many have been badly needed for some time — among them, the ability to apply local policies to administrators and nonadministrators separately.

Jeremy Dotson is a LAN administrator for Tronair (www.tronair.com), a manufacturer of aircraft ground support equipment in Holland, Ohio.