1
00:00:06,080 --> 00:00:09,170
Now let's look at log on slash log off scripts.

2
00:00:10,140 --> 00:00:12,610
So very similar to start up and shut down.

3
00:00:12,630 --> 00:00:13,890
Log on and log off.

4
00:00:13,890 --> 00:00:20,130
Scripts run in this case the user's context because the user has to log on in order for log on script

5
00:00:20,130 --> 00:00:22,380
to or a log off script to run.

6
00:00:23,340 --> 00:00:26,820
So it's good for making changes to user settings and data.

7
00:00:27,860 --> 00:00:33,590
So if you need to make a change to HK underscore current underscore user in the registry or you need

8
00:00:33,590 --> 00:00:38,340
to copy a file into the user's profile like a shortcut file or something like that.

9
00:00:38,420 --> 00:00:43,010
It's the right place to do that kind of thing because it's essentially running as the user.

10
00:00:43,980 --> 00:00:46,440
Now it does run of log on and log off.

11
00:00:46,500 --> 00:00:49,910
So it obviously requires the user to log on to execute.

12
00:00:49,920 --> 00:00:54,150
And on the downside, it does require the log on slash log off to run.

13
00:00:54,180 --> 00:00:59,850
So you had that trigger point that that only trigger point is the log on slash log bar cycle.

14
00:01:00,770 --> 00:01:06,170
Again, just like startup scripts, it's up to you to provide logging in your log on scripts just to

15
00:01:06,170 --> 00:01:10,340
find out if they really need to run again or if they've done something wrong.

16
00:01:11,310 --> 00:01:16,500
You know, one thing that you need to be aware of with scripts in general, in group policy is that

17
00:01:16,500 --> 00:01:21,360
there's a default timeout on the script actually executing and completing of 10 minutes.

18
00:01:22,330 --> 00:01:27,280
What that means is that for some reason you've done something in your script that's causing it to hang.

19
00:01:27,490 --> 00:01:32,740
Then your user could be sitting there literally for 10 minutes waiting for the script to execute before

20
00:01:32,740 --> 00:01:34,750
they're able to move on with their desktop.

21
00:01:35,710 --> 00:01:37,720
So that's something to keep in mind.

22
00:01:38,670 --> 00:01:43,830
And really, when you're writing your scripts, it's easy to write a script that just does a dry mapping

23
00:01:43,830 --> 00:01:45,180
or a registry change.

24
00:01:46,130 --> 00:01:51,320
It's a lot harder to write a script that the test to see if those things need to be done and then logs

25
00:01:51,320 --> 00:01:56,300
that they're doing it correctly and then having exception handling in the case that they can't do it

26
00:01:56,300 --> 00:01:56,990
correctly.

27
00:01:57,960 --> 00:02:03,150
And so that's what I always recommend if folks are going to use scripts that you use them correctly

28
00:02:03,150 --> 00:02:08,310
because the downside of scripts is they can cause really bad and hard to troubleshoot delays for the

29
00:02:08,310 --> 00:02:08,780
user.

30
00:02:09,730 --> 00:02:14,830
And again, they'll run every time, regardless of whether they need to, unless you script around that.

31
00:02:15,830 --> 00:02:21,290
So I showed you the UI in startup and shutdown scripts and I showed you the General Scripts tab.

32
00:02:22,230 --> 00:02:23,940
Well, log on slash log off.

33
00:02:23,940 --> 00:02:25,960
Scripts have the same identical UI.

34
00:02:25,980 --> 00:02:30,150
So what I wanted to do in this screenshot is show you the PowerShell Scripts tab.

35
00:02:31,090 --> 00:02:35,620
So if you were going to add a PowerShell reference, you would use that add button and essentially it

36
00:02:35,620 --> 00:02:40,600
would browse you into the CIS fall portion of the GPO, just like it did for the log on scripts.

37
00:02:41,570 --> 00:02:46,730
And or I'm sorry, start up scripts and you be able to add a reference to a dot PS1 file.

38
00:02:47,680 --> 00:02:53,590
You can also set the order of script processing so you can control whether PowerShell scripts run first

39
00:02:53,590 --> 00:02:55,720
or last within this GPO.

40
00:02:56,610 --> 00:03:00,550
And that's in the case of, let's say, you have some scripts that depend on other scripts.

41
00:03:00,720 --> 00:03:04,800
You might have regular scripts that depend on PowerShell scripts or vice versa.

42
00:03:04,980 --> 00:03:09,420
You can control which scripts for specified to run first within this GPO.

43
00:03:10,300 --> 00:03:13,150
And that's useful if you have that scenario.

44
00:03:14,100 --> 00:03:19,140
I don't know that I would necessarily recommend having multiple types of scripts running in a single

45
00:03:19,140 --> 00:03:24,030
GPO, unless you're, like I mentioned earlier, doing a lot of good logging and testing to make sure

46
00:03:24,030 --> 00:03:25,800
that those scripts run properly.

47
00:03:26,770 --> 00:03:30,010
But you do have that flexibility within this tab.

48
00:03:30,940 --> 00:03:35,770
So now let's go and implement a log on script and I'm going to try something different.

49
00:03:36,770 --> 00:03:41,570
I'm going to use a PowerShell based logon on script in my next example.