Tuesday, May 27, 2014

UAC, Administrators and Logon Scripts...

Logon script implementations prior to User Account Control (UAC) were fairly simple: apply a logon script to a user and the script did what it was supposed to. Post-UAC is a much different experience. There are things to take into account that, hopefully, this post will help explain.

Logon scripts can be applied to user accounts using:
  • The Active Directory Logon script defined in the user account properties
    NOTE: Only one can be specified. Therefore, it would need to call others.
  • A GPO Logon script

When a user is not part of the local Administrators group, scripts execute under the standard user access token. But when the user is part of the local Administrators group, scripts execute differently.

In the following scenarios, two logon scripts were applied at each login. Either both batch (CMD) or both VBScript (VBS).

[Results table for the scenarios above (image not present here). Legend: Red = Bad, Yellow = OK, Green = Good]

In conclusion, we found that using the Active Directory Logon script defined in the user account properties in conjunction with a VBScript file provided the most reliable results. This provided accurate drive mappings for the standard user account and no drive mapping for the administrative user account (or elevation). Conversely, while the use of a batch file did allow accurate drive mappings for the standard user account, it also left the administrative user account with drive mappings that were unavailable.
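The following VBScript is an added example of the kind of drive-mapping logon script the post recommends calling from the Active Directory user-account logon script; it is not code from the original post. It maps each drive letter idempotently (replacing a stale mapping of the same letter), logs every result to a file under %TEMP%, and records whether the script ran under an elevated (high-integrity) token, which is exactly the detail you need when an administrator reports that mappings are missing or unavailable. The file server and share names are assumed placeholders.

```vbscript
' Added example, not from the original post. Assumed placeholders:
' \\fileserver\home and \\fileserver\shared.
Option Explicit

Dim objNetwork, objShell, objFSO, logFile, whoamiOut, elevated
Set objNetwork = CreateObject("WScript.Network")
Set objShell   = CreateObject("WScript.Shell")
Set objFSO     = CreateObject("Scripting.FileSystemObject")

' Append to a per-user log so the help desk can see which logon mapped what.
Set logFile = objFSO.OpenTextFile( _
    objShell.ExpandEnvironmentStrings("%TEMP%") & "\logon-mappings.log", 8, True) ' 8 = ForAppending

Sub WriteLog(msg)
    logFile.WriteLine Now & " [" & objNetwork.UserDomain & "\" & objNetwork.UserName & "] " & msg
End Sub

' Record the integrity level of the token this script runs under.
' S-1-16-12288 is the "High Mandatory Level" SID; it appears in the
' output of "whoami /groups" only when the process is elevated.
whoamiOut = objShell.Exec("whoami /groups").StdOut.ReadAll
elevated = (InStr(whoamiOut, "S-1-16-12288") > 0)
WriteLog "script started; elevated token = " & elevated

' Map a drive letter to a UNC path. If the letter is already mapped to a
' different path, remove the stale mapping first. Mappings are created
' non-persistent (bUpdateProfile = False) so each logon rebuilds them.
Sub MapDrive(letter, unc)
    Dim drives, i, existing
    existing = ""
    Set drives = objNetwork.EnumNetworkDrives   ' even index = letter, odd index = UNC path
    For i = 0 To drives.Count - 1 Step 2
        If UCase(drives.Item(i)) = UCase(letter) Then existing = drives.Item(i + 1)
    Next

    If existing <> "" Then
        If UCase(existing) = UCase(unc) Then
            WriteLog letter & " already mapped to " & unc
            Exit Sub
        End If
        On Error Resume Next
        objNetwork.RemoveNetworkDrive letter, True, True   ' bForce, bUpdateProfile
        If Err.Number <> 0 Then
            WriteLog "could not remove stale mapping " & letter & " (" & existing & "): " & Err.Description
            Err.Clear
            On Error GoTo 0
            Exit Sub
        End If
        On Error GoTo 0
        WriteLog "removed stale mapping " & letter & " -> " & existing
    End If

    On Error Resume Next
    objNetwork.MapNetworkDrive letter, unc, False
    If Err.Number <> 0 Then
        WriteLog "FAILED " & letter & " -> " & unc & ": " & Err.Description
        Err.Clear
    Else
        WriteLog "mapped " & letter & " -> " & unc
    End If
    On Error GoTo 0
End Sub

MapDrive "H:", "\\fileserver\home\" & objNetwork.UserName
MapDrive "S:", "\\fileserver\shared"

WriteLog "script finished"
logFile.Close
```

Run it as the user's Active Directory logon script (or call it from the one script that property allows). For a member of the local Administrators group, compare the "elevated token" line in the log against which console (standard or elevated) is missing its drives; that tells you which token the mappings were created under and explains the behaviour seen in the table above.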

NOTE: This post does not apply to mapping drives using Group Policy Preferences.
