Group Policy Blog

Group Policy Tips, Tricks, and News from Darren Mar-Elia

Warning!!!–Group Policy Logon Scripts Delays in Windows 8.1

Last month, I wrote an article on the Petri.co.il website, reviewing the new features around Group Policy in Windows 8.1. Buried in that list of new stuff was a feature that was perhaps a little unheralded and under-advertised, but one that may cause administrators a world of hurt if they are not expecting it. Specifically, I’m referring to the change in Group Policy-based logon script behavior for Windows 8.1 clients. If you are using Group Policy-based logon scripts today to map drives or printers, set up registry or environment variables, etc., when you migrate your client machines to Windows 8.1, those logon scripts won’t run until FIVE MINUTES after logon has started. For some users, this could mean broken environments as processes or environmental setup steps that are expected to kick off at logon don’t.

If you’re reading this and thinking “WTF!! Why did Microsoft do that?”, then you are probably not alone. Recently I had a conversation about this with several unsuspecting admins and once they discovered this default behavior, they were not happy. The reason this was done was to reduce the inevitable contention that can occur when logon scripts are running while lots of other stuff is going on, at user logon time. Ultimately logon scripts can be the biggest culprit of slow user logons in many environments, so what Microsoft attempted to do here is reduce that contention by delaying the running of logon scripts. This is a good idea in practice. What was not a good idea was to make it the DEFAULT behavior and force admins to have to react to it via the inevitable flurry of help desk calls, especially if they did not know about it ahead of time.

So, what do you do about it? Well the good news is that this behavior can be disabled or modified through Group Policy, using the policy under Computer Configuration\Policies\Administrative Templates\System\Group Policy\Configure Logon Script Delay, as shown here:

Configuring Logon Script Delay Behavior

Configuring Logon Script Delay Behavior

In this dialog you can configure logon script delay in increments of one minute, all the way down to zero, which disables the feature completely and reverts logon script processing behavior back to the way it was in prior versions of Windows.

If you are planning a deployment to Windows 8.1, I would make sure you incorporate this setting into your base image, or your base policies, to ensure that you get the behavior you want, and aren’t surprised about the behavior you don’t want!!

 

Darren

There are 14 comments .

Sander Berkouwer

Great info, Darren!

I was wondering…

Would you rather set the setting to Disabled or configure it as Enabled but set it to 0? Is there any difference in the two settings? It seems odd to me there’s two ways to disable it…

Also, if I have the Run Logon Scripts Synchronously setting configured as Enabled (in User Configuration\Administrative Templates\System\Logon), would a user really have to wait another five minutes before his/her desktop appears, or does the group policy client detect these two settings and not enable Logon Script Delay? Or does it only apply it in this case when you’ve modified it specifically?

Thanks!

Reply »
    Darren Mar-Elia

    Sander-
    Sorry, I just noticed this comment. I don’t think there is a preference one way or the other for setting this cache policy, but I would probably prefer setting it to 0–seems a bit more explicit :). In terms of the logon script synchronous setting, this is somewhat different and unrelated to this setting. Run logon scripts synchronously basically says, “once you start running logon scripts, don’t multi-thread them, but rather wait til script 1 finishes before running script 2″. So this behavior would not interact with the logon caching in any way (well, except to further elongate the time it takes for scripts to run completely to conclusion). Hope that helps!

    Darren

    Reply »
Gustav Brock —

Thank you Darren!
I spent two days debugging and packet sniffing this issue searching multiple times before hitting the right search sentence in Bing.

We have Win 2003 servers and for some reason Win8.1 has a little delay opening the Sysvol folder. Thus, it wouldn’t work with zero delay but 1 second does.
Here’s the script I call from GPO, Machine Startup:

Option Explicit

‘ Main script

Dim objShell

Dim strPath
Dim strKeyEnable
Dim strKeyDelay
Dim intValEnable
Dim intValDelay

strPath = “HKLM\SYSTEM\SOFTWARE\Policies\Microsoft\Windows\System\”
strKeyEnable = “EnableLogonScriptDelay”
strKeyDelay = “AsyncScriptDelay”
intValEnable = 1
intValDelay = 1

Set objShell = CreateObject(“WScript.Shell”)

objShell.RegWrite strPath & strKeyEnable, intValEnable, “REG_DWORD”
objShell.RegWrite strPath & strKeyDelay, intValDelay, “REG_DWORD”

Set objShell = Nothing

‘ End script
‘ —————————————————–

Reply »
    Darren Mar-Elia

    Cool. Is there any reason why you’re setting this from a startup script rather than using the Admin Template policy to control it? I’m not big on startup scripts that write the same reg value over and over again.

    Darren

    Reply »
      Gustav Brock —

      Yes, there is that very good reason that being a part time sysadmin I didn’t know of adm files.

      But I grabbed the adm file posted later, added it, and marked enabled:

      Setting State
      Remove Win8.1 Logon Script Execution Delay Enabled

      CLASS MACHINE

      CATEGORY “Custom”

      KEYNAME “Software\Policies\Microsoft\Windows\System”
      POLICY “Remove Win8.1 Logon Script Execution Delay”

      EXPLAIN “Enabled will remove the logon script execution delay present in Windows 8.1. Disabled will reintroduce the delay.”

      ACTIONLISTON
      KEYNAME “Software\Policies\Microsoft\Windows\System”
      VALUENAME “AsyncScriptDelay”
      VALUE NUMERIC 1
      KEYNAME “Software\Policies\Microsoft\Windows\System”
      VALUENAME “EnableLogonScriptDelay”
      VALUE NUMERIC 0
      END ACTIONLISTON

      ACTIONLISTOFF
      KEYNAME “Software\Policies\Microsoft\Windows\System”
      VALUENAME “AsyncScriptDelay”
      VALUE NUMERIC 300
      KEYNAME “Software\Policies\Microsoft\Windows\System”
      VALUENAME “EnableLogonScriptDelay”
      VALUE NUMERIC 1
      END ACTIONLISTOFF

      END POLICY

      END CATEGORY

      However, it didn.’t work. My DCs run at 2003 level so I cannot see why not. Anyway, I had to revert to my startup script which works well, though it takes 10-15 min. from it is activated before workstations “see” it.

      Reply »
Migz —

Hello Darren,

I could not see this setting “Configure Logon Script Delay” in the path that you mentioned.

I have installed the latest RSAT for Windows 8.1 x86 from MS on my Win 8.1 Enterprise which is joined to our corporate domain with DC of Server 2008R2, How could I see this option in MMC as it is missing inside a GPO? Please help thanks!

Reply »
    Darren Mar-Elia

    Are you sure you’re looking under Computer Configuration\Policies\Administrative Templates\System\Group Policy\Configure Logon Script Delay? If it’s not there, verify that you have, under c:\windows\policydefinitions, a file called grouppolicy.admx and that it’s from about 9-23-13
    Darren

    Reply »
      Migz —

      I forgot something. =) It showed up fine of course with Local Group Policy as its using the local policy store on my client (9-23-13), my bad.

      But what I really want is testing this policy in our domain with a test GPO and just want to verify if its ok to copy and paste the grouppolicy.admx/adml (the 9-23-13 in my 8.1 client) in our central store in SYSVOL, even though we have 2008R2? Should it work? Thanks Darren

      Reply »
Dan —

Does this Delay only work with Win8? I have a several minute delay with XP machines and 2008 AD.

Reply »
Adam —

This totally did not work, sorry. And I can’t delete it.

However, below is an ADM that does work:

CLASS MACHINE

CATEGORY “Custom”
KEYNAME “Software\Policies\Microsoft\Windows\System”
POLICY “Remove Win8.1 Login Script Execution Delay”
EXPLAIN “Enabled will remove the login script execution delay present in Windows 8.1. Disabled will reintroduce the login script execution delay in Windows 8.1.”
ACTIONLISTON
KEYNAME “Software\Policies\Microsoft\Windows\System”
VALUENAME “AsyncScriptDelay”
VALUE NUMERIC 1
KEYNAME “Software\Policies\Microsoft\Windows\System”
VALUENAME “EnableLogonScriptDelay”
VALUE NUMERIC 0
END ACTIONLISTON
ACTIONLISTOFF
KEYNAME “Software\Policies\Microsoft\Windows\System”
VALUENAME “AsyncScriptDelay”
VALUE NUMERIC 300
KEYNAME “Software\Policies\Microsoft\Windows\System”
VALUENAME “EnableLogonScriptDelay”
VALUE NUMERIC 1
END ACTIONLISTOFF
END POLICY
END CATEGORY

Reply »

Share Your Thoughts!

Copyright ©2013 SDM Software, Inc.
Site design by Social Media Ninjas | Sitemap