[gptalk] Vista logon scripts: launchapp.wsf - and the other "need to know"!

  • From: "Mills, Mark" <Mark.Mills@xxxxxxxxxxxxxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Fri, 8 Jun 2007 15:39:23 -0500

Thanks to everyone who either emailed me directly or commented in
GPTalk.  I had posted my problem (running multiple scripts with
launchapp.wsf does not work, only one per logon, not per GPO) on a few
different Group Policy and Active Directory Sites.  I was getting so
desperate I emailed every blog\website mentioned on activedir.com!
With Vista being so new no one knew the answer but everyone did point to
Darren Mar-Elia as being the "GP Answer Guy". 


I figured out the solution and it involved the use of limited access
tokens, the task scheduler, and modifying launchapp.wsf for each GPO
initiated at logon.


Here is a summary of what you may need to know to map drives in Vista:

1.      If your user is a local admin, then the existing GPO logon
script you have won't work. Your logon scripts should work for non-local


2.      Your existing logon script won't work for a local admin because
your local admin has to receive a "limited user token" to map drives.
Per AdamV http://www.gpanswers.com/community/viewtopic.php?p=5625#5625
(I'm summarizing his post here: Group Policy and logon scripts process
using the elevated user token, and the desktop and all subsequent
processes use the limited token. Windows restricts processes started
with a limited token from the ability to share information with
processes started with the elevated token.)


3.      The workaround is to run a "launchapp.wsf" script which will
give your local admin a limited access token so the mapping of drives is
done at a protected level, instead of at an admin level.  Remember in Vista
even though you log in as Local Admin you are not running everything at
an Admin level.  (To run programs at an admin level you right click the
*.exe and choose "run as admin".)  LaunchApp.wsf is easy to use; see my
graphic at the bottom.  


4.      After you get LaunchApp.wsf working with your script you will
want to edit the script and comment out the lines that create the annoying
dialog boxes.  Comment out the following lines: WScript.Echo "Task
definition created. About to submit the task."  and   WScript.Echo "Task
submitted for all drives." 


5.      WAIT - DON'T Stop Here, you have to know about the new
functionality with Task Scheduler!   In order to launch your mapped
drive logon script LaunchApp.wsf schedules a job to run your GPO logon
script with that limited token I was talking about.


6.      So why was it important to know about Task Scheduler?  Because
the LaunchApp.wsf created a scheduled job called "Launch App As
Interactive User" and if you have LaunchApp.wsf being used for several
GPOs it will choke on itself in the Task Scheduler because to the OS it
looks like you're creating several scheduled jobs with the same name.


7.      So how do I run several GPOs that have to invoke LaunchApp.wsf
to run?  At first I modified my logon script GPO, to run logon scripts
synchronously.  This worked because it forces LaunchApp.wsf to launch
and complete one scheduled job at a time.  The negative: it takes longer
for users to logon in synchronous mode.


8.      To get out of having to use "Logon Script Synchronous Mode",
open up LaunchApp.wsf and look again for the line strTaskName = "Launch
App As Interactive User" and add the name of the GPO you're trying to run
to the end of the name.  So the line would look like strTaskName =
"Launch App As Interactive User - Mapped drives for Programming Dept".
This causes each GPO that uses LaunchApp.wsf to create its own scheduled
task with its own name.  It also makes it easier to see what is
happening in the new Task Scheduler Event log. 


9.      Lastly, obviously you only have to run launchapp.wsf for Vista
Clients.  Now you could create a WMI filter that states SELECT * from
Win32_OperatingSystem WHERE Caption LIKE "%Vista%" But I found it nicer
to not have to apply a filter by running LaunchApp2.wsf found at
Michaels Zill's blog at 
-group-policy-using-vista.aspx>   This allows you to create one GPO that
will apply to both XP and Vista Clients. 


Good Luck!






Mark Mills

Email: mark.mills@xxxxxxxxxxxxxxxxxxxxxx 


JPEG image
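
The per-GPO task name from step 8, taken from a command-line argument so that one script can serve every GPO. This is an added example, not part of the original post and not Microsoft's LaunchApp.wsf; the file name launchapp-pergpo.vbs, the argument order and the BuildTaskName helper are assumptions made for illustration.

```vbscript
' Added example, not Microsoft's LaunchApp.wsf. Called from the GPO logon script as:
'   cscript //nologo launchapp-pergpo.vbs "<GPO label>" "<program>" ["<arguments>"]
Option Explicit

Const TASK_TRIGGER_REGISTRATION = 7    ' fire as soon as the task is registered
Const TASK_ACTION_EXEC = 0
Const TASK_CREATE_OR_UPDATE = 6
Const TASK_LOGON_INTERACTIVE_TOKEN = 3 ' run in the logged-on user's session
Const TASK_RUNLEVEL_LUA = 0            ' limited (filtered) token, not elevated

If WScript.Arguments.Count < 2 Then
    WScript.Echo "Usage: launchapp-pergpo.vbs <GPO label> <program> [arguments]"
    WScript.Quit 1
End If

Dim strTaskName, objService, objFolder, objTaskDef, objAction
strTaskName = BuildTaskName(WScript.Arguments(0))

Set objService = CreateObject("Schedule.Service")
objService.Connect
Set objFolder = objService.GetFolder("\")
Set objTaskDef = objService.NewTask(0)

' Request the limited token explicitly so the drive mappings land in the
' same logon session as the user's desktop.
objTaskDef.Principal.LogonType = TASK_LOGON_INTERACTIVE_TOKEN
objTaskDef.Principal.RunLevel = TASK_RUNLEVEL_LUA
objTaskDef.Settings.StartWhenAvailable = True
objTaskDef.Triggers.Create TASK_TRIGGER_REGISTRATION

Set objAction = objTaskDef.Actions.Create(TASK_ACTION_EXEC)
objAction.Path = WScript.Arguments(1)
If WScript.Arguments.Count > 2 Then objAction.Arguments = WScript.Arguments(2)

' CREATE_OR_UPDATE replaces only the task carrying this GPO's name, so
' scripts from different GPOs running asynchronously no longer collide.
objFolder.RegisterTaskDefinition strTaskName, objTaskDef, _
    TASK_CREATE_OR_UPDATE, , , TASK_LOGON_INTERACTIVE_TOKEN

' One task name per GPO label. Path separators and other characters that
' are unsafe in a task name are replaced with "_" (a precaution added here).
Function BuildTaskName(strLabel)
    Dim objRe
    Set objRe = New RegExp
    objRe.Global = True
    objRe.Pattern = "[\\/:*?""<>|]"
    BuildTaskName = "Launch App As Interactive User - " & _
        objRe.Replace(Trim(strLabel), "_")
End Function
```

Each GPO passes its own label as the first argument, and the resulting task names show up separately in the Task Scheduler event log.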
