What Is Scripts Extension?

Applies To: Windows 7, Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2, Windows Vista

What Is Scripts Extension?

Active Directory domains use the Scripts extension to run scripts on client computers. The Scripts extension consists of two components; an MMC server-side snap-in and a client-side extension (CSE). A Group Policy CSE is a dynamic-link library (DLL) on the client (target) that interacts with the Group Policy infrastructure and that implements Group Policy scripts on the target. You can control how the Scripts CSE implements scripts by using the Group Policy Object Editor on the server. The following figure shows Group Policy Object Editor, a Microsoft Management Console (MMC) snap-in with the scripts node.

Group Policy Object Editor

Group Policy Object Editor

Before the introduction of the GPO Scripts extension, user logon scripts were added to the user account object. Only one script was added to the object, and the script was a user script; no computer scripts were allowed.

The Scripts CSE now allows the following four script types, corresponding to four of the target events triggering the Scripts extension:

  • User logon scripts

  • User logoff scripts

  • Computer startup scripts

  • Computer shutdown scripts

Other Scripts extension trigger events are:

  • User policy refresh event

  • User policy force refresh event

  • Computer policy refresh event

  • Computer policy force refresh event

  • Secedit tool or gpupdate

These events tell the computer which scripts need to be run at each script execution opportunity; these events do not run the scripts.

Scripts are added to the Group Policy object (GPO), and multiple scripts for each script type can be added to the GPO. A script can be written in any language supported by the client computer, with Windows Script Host (WSH) supported languages and command files being the most common. WSH languages include VBScript and JScript, which are the languages used for the sample scripts included with Group Policy Management Console (GPMC).

Script names and their command-line arguments are stored in the registry when script policy processes. You can specify Administrative Templates Group Policy settings that modify how Group Policy scripts behave by using the options shown in the following table. These settings are located under Computer Configuration|Administrative Templates|System|Scripts.

Computer Configuration Script Options

Option Description

Allow logon scripts when NetBIOS or WINS is disabled

This setting requires Windows Vista or later.

Enable this setting to allow user logon scripts to run if NetBIOS or WINS is disabled during logons across forests without the DNS suffixes being configured.

Run logon scripts synchronously

Enable this option to force the system to run the scripts synchronously, one after another. This option exists for computer and user configuration, which can have a different value. In case of conflict, the computer configuration setting prevails.

Run startup scripts asynchronously

The default setting is for scripts to run synchronously (and hidden). Use this option to optimize the startup/logon processes so users can logon before startup scripts have finished.

Run startup scripts visible

Enable this option to run startup scripts in a visible window.

Run shutdown scripts visible

Enable this option to run shutdown scripts in a visible window.

Maximum wait time for Group Policy scripts

Use this option to set the script timeout interval. The default interval is 600 seconds (10 minutes), and valid intervals range from 0 to 32000 seconds.

If the value of this setting is greater than 900 seconds (15 minutes), for computers running Windows 7 you need to raise the value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gpsvc for PreshutdownTimeout to a corresponding value that is slightly greater than the value of the "Maximum wait time for Group Policy scripts" value. For example, in order for "Maximum wait time for Group Policy scripts" to work with a value of 30 minutes, you should set the gpsvc for PreshutdownTimeout registry entry to a value of 1800000 (The registry setting value is in milliseconds).

Run Windows PowerShell scripts first at computer startup, shutdown

This setting requires Windows 7 or Windows Server 2008 R2.

Enable this option to run PowerShell scripts before non-PowerShell scripts at computer startup and shutdown.

Run Windows PowerShell scripts first at user logon, logoff

This setting requires Windows 7 or Windows Server 2008 R2.

Enable this option to run PowerShell scripts before non-PowerShell scripts at logon and logoff.

You can specify user configuration Group Policy settings that modify how Group Policy scripts behave by using the options shown in the following table. These settings are located under User Configuration|Administrative Templates|System|Scripts

User Configuration Script Options

Option Description

Run logon scripts synchronously

Enable this option to force the system to run the script synchronously, one after another. This option also exists for Computer configuration, which can have a different value. In case of conflict, the computer configuration setting prevails. On computers running Windows XP, the explorer starts before scripts finish running.

Run legacy logon scripts hidden

Enable this option to run legacy, Windows NT version 4–type logon scripts hidden. By default these run visible and so can be canceled by users.

Run logon scripts visible

Enable this option to run logon scripts in a visible window.

Run logoff scripts visible

Enable this option to run logoff scripts in a visible window.

Run Windows PowerShell scripts first at user logon, logoff

This setting requires Windows 7 or Windows Server 2008 R2.

Enable this option to run PowerShell scripts before non-PowerShell scripts at logon and logoff.

Change History

Date Revision

December 13, 2010

Updated the topic so it applies to Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.

Added information about configuring the value of the gpsvc for PreshutdownTimeout registry entry for computers running Windows 7 when the Maximum wait time for the Group Policy scripts setting is greater than 900 seconds.

Added settings that require Windows Vista, Windows Server 2008, Windows 7, or Windows Server 2008 R2.

Deleted row that incorrectly listed Run logoff scripts synchronously.