Play hide-and-seek with the logon script dialog box

Windows 2000 won't let you watch the logon scripts execute to ensure the scripts work properly. However, with some help from John Sheesley, you can turn on the logon script dialog box.

Logon scripts can be very useful to help configure workstations after users log on to the network. The problem is, like any program, they can sometimes be difficult to write and debug. This is compounded by the fact that Windows 2000 Professional workstations don’t display a dialog box after the user logs in. So how do you debug a logon script if you can't see what it’s doing? Start by reading this Daily Feature.

Danger! Danger! Danger!
This Daily Feature explains ways to make changes to your server's registry. Make sure you have complete backups of your server before performing any technique in this article. If you make a mistake when making changes to a server's registry, you may cause the server to become unbootable, requiring a reinstallation of Windows. Proceed with extreme caution.

Why can't I see the logon script dialog box?
Windows 9x and Window NT clients all displayed a logon script dialog box when users logged on. As a matter of fact, you had to jump through several hoops to disable the box.

When Microsoft shipped Windows 2000 Professional, it changed the default behavior of the logon script dialog box. Rather than displaying the box, Windows 2000 Professional just runs the script unbeknownst to the user. This behavior is great from an end-user standpoint, but for network administrators, it can make things difficult. Without the dialog box, it’s hard to debug scripts and make sure they work the way you intend.

However, by making a change to group policies from your Windows 2000 server, you can temporarily turn the logon script dialog box back on. After you’ve debugged your script, you can then go back and turn the box off again.

Getting the dialog box to display
First, you’ll need to start the Group Policy editor on your Windows 2000 server. Click Start | Programs | Administrative Tools | Active Directory Users And Computers. When Active Directory Users And Computers appears, right-click your domain and select Properties. After the Properties screen appears, click the Group Policy tab.

You’ll see a list of currently defined group policies for your domain in the middle of the screen. If you haven’t done much work with group policies, you’ll only see one called Default Domain Policy. Because we’re only going to temporarily change the logon script dialog box, this would be a good policy to use. Alternatively, if you don’t want to change the Default Domain Policy, you can click Add and create a new group policy especially created to turn on the dialog box. Just remember to delete the policy later. For now, select Default Domain Policy and click Edit.

You’ll then see the Group Policy MMC appear. In the left pane, click User Configuration | Administrative Templates | System | Logon/Logoff. This will display all of the logon/logoff options for your group policy. Midway down the Policy column in the right pane, you’ll see an entry labeled Run Logon Scripts Visible. In the Setting column, this value should be set as Not Configured. Because the Windows 2000 Professional default behavior is to not display logon script dialog boxes, effectively the Not Configured setting disables the logon script dialog box.

To change it, double-click Run Logon Scripts Visible to display the Run Logon Scripts Visible Properties page. Select the Enabled radio button to turn on the dialog box.

If you also are going to use logoff scripts, you may want to temporarily enable the logoff script dialog box, which is also turned off by default. To do so, click the Next Policy button at the bottom of the Run Logon Scripts Visible Properties page. This will display the Run Logoff Scripts Visible Properties page. Again, click Enable.

After you’ve enabled the policies, you’ll notice that the Setting column shows a value of Enabled for your policy. Close the Group Policy MMC, go write your logon scripts, and watch them execute on the Windows 2000 Professional workstations. Because the group policy applies globally, you can also test the logon script on several different workstations on your network to make sure it works without having to do any other reconfiguration on the server. After you make sure everything is in working order, you’ll need to reverse the process I described to disable the logon script dialog box. Don't forget to also turn off the logoff script dialog box if you enabled it.

Why shouldn't users see the logon script dialog box?
Normally, logon scripts aren’t too exciting, so if users see what’s happening, they may just become curious and ask a few questions. But because you can also use logon scripts to help enforce security on your network, you may not want users to see what’s going on. For example, you can configure a logon script to send a message to you to let you know when a particular user logs on. Or you could create a logon script that executes a program that captures screens or keystrokes while the user works. Certainly, you wouldn’t want a user to notice if that’s what you were doing. And, unfortunately, the logon script dialog box gives all of the logon script’s secrets away as the script executes.

Of course, most troubling are those users who close the logon script dialog box while it’s running. Sometimes users see a strange box appear as they’re logging in and aren’t patient enough to wait for it to execute, so they close it. This stops the logon script from completing, leaving the workstation only partially configured.

But I'm not running Windows 2000 Server!
If you’re not running Windows 2000 Server, naturally you can’t use group policies to control the logon script dialog box behavior. Window NT 4.0 Server doesn’t support group policies. So what do you do? You don’t have much of a choice. You’ll need to make a change to the Windows 2000 Professional workstation’s registry.

To enable the dialog box, log on to your server as Administrator or as a user with administrator rights. Start the registry editor and navigate the left pane until you get to the HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\System hive. If System doesn’t exist, you’ll need to add it. To do so, select Add Key from the Edit menu. When the Add Key window appears, enter System in the Key Name field and click OK.

Select System and then check for or add the HideLogonScripts value. If it doesn't exist, you'll need to add it by selecting Add Value from the Edit menu. When the Add Value menu appears, enter HideLogonScripts in the Value Name field. Check to make sure that the Data Type list box contains the value of REG_DWORD. Click OK when you've finished.

You'll then see the DWORD Editor screen. In the Data field, enter a value of 0. Exit out of the Registry Editor to save the changes. The logon script dialog box should then appear when you log on. To disable it, go back into the registry and delete the HideLogonScripts value.

Logon scripts can be useful but sometimes are a pain to get working right, especially if you're running Windows 2000 Professional and you can’t watch the script run to see what the problems are. However, by making some changes on your Windows 2000 server, you can force your workstation to display the box. Just don’t forget to hide the box when you’re finished.

Editor's Picks