Group Policy Blog

Group Policy Tips, Tricks, and News from Darren Mar-Elia

Warning!!!–Group Policy Logon Scripts Delays in Windows 8.1

Last month, I wrote an article on the Petri.co.il website, reviewing the new features around Group Policy in Windows 8.1. Buried in that list of new stuff was a feature that was perhaps a little unheralded and under-advertised, but one that may cause administrators a world of hurt if they are not expecting it. Specifically, I’m referring to the change in Group Policy-based logon script behavior for Windows 8.1 clients. If you are using Group Policy-based logon scripts today to map drives or printers, set up registry or environment variables, etc., when you migrate your client machines to Windows 8.1, those logon scripts won’t run until FIVE MINUTES after logon has started. For some users, this could mean broken environments as processes or environmental setup steps that are expected to kick off at logon don’t.

If you’re reading this and thinking “WTF!! Why did Microsoft do that?”, then you are probably not alone. Recently I had a conversation about this with several unsuspecting admins and once they discovered this default behavior, they were not happy. The reason this was done was to reduce the inevitable contention that can occur when logon scripts are running while lots of other stuff is going on, at user logon time. Ultimately logon scripts can be the biggest culprit of slow user logons in many environments, so what Microsoft attempted to do here is reduce that contention by delaying the running of logon scripts. This is a good idea in practice. What was not a good idea was to make it the DEFAULT behavior and force admins to have to react to it via the inevitable flurry of help desk calls, especially if they did not know about it ahead of time.

So, what do you do about it? Well the good news is that this behavior can be disabled or modified through Group Policy, using the policy under Computer Configuration\Policies\Administrative Templates\System\Group Policy\Configure Logon Script Delay, as shown here:

Configuring Logon Script Delay Behavior

Configuring Logon Script Delay Behavior

In this dialog you can configure logon script delay in increments of one minute, all the way down to zero, which disables the feature completely and reverts logon script processing behavior back to the way it was in prior versions of Windows.

If you are planning a deployment to Windows 8.1, I would make sure you incorporate this setting into your base image, or your base policies, to ensure that you get the behavior you want, and aren’t surprised about the behavior you don’t want!!

 

Darren

There are 22 comments .

Sander Berkouwer

Great info, Darren!

I was wondering…

Would you rather set the setting to Disabled or configure it as Enabled but set it to 0? Is there any difference in the two settings? It seems odd to me there’s two ways to disable it…

Also, if I have the Run Logon Scripts Synchronously setting configured as Enabled (in User Configuration\Administrative Templates\System\Logon), would a user really have to wait another five minutes before his/her desktop appears, or does the group policy client detect these two settings and not enable Logon Script Delay? Or does it only apply it in this case when you’ve modified it specifically?

Thanks!

Reply »
    Darren Mar-Elia

    Sander-
    Sorry, I just noticed this comment. I don’t think there is a preference one way or the other for setting this cache policy, but I would probably prefer setting it to 0–seems a bit more explicit :). In terms of the logon script synchronous setting, this is somewhat different and unrelated to this setting. Run logon scripts synchronously basically says, “once you start running logon scripts, don’t multi-thread them, but rather wait til script 1 finishes before running script 2″. So this behavior would not interact with the logon caching in any way (well, except to further elongate the time it takes for scripts to run completely to conclusion). Hope that helps!

    Darren

    Reply »
      James —

      Read the policy comments for ‘Run logon scripts synchronously’ . It does not say anything about this being a policy that causes scripts to run as a single thread, it very much says it causes Explorer (the shell) to wait for scripts to complete. Are you sure you are correct?

      Reply »
        Darren Mar-Elia

        James-
        Yes, the description in the policy is unfortunately wrong. Here’s a simple test you can do. Create 2 logon scripts using simple batch files. In the first one, start notepad.exe, then run pause:

        notepad.exe
        pause

        In the second logon script, run calc.exe, then pause as well:

        calc.exe
        pause

        link those to a GPO for a given user and then login as that user. Don’t enable synchronous logon scripts. What you’ll notice is that both logon scripts were executed when the desktop appears (both calc and notepad are up). They executed essentially simultaneously, on multiple threads. You can verify this because in Task Manager, you’ll still see two cmd.exe processes running, because of the pause. Next, logoff, enable synchronous logon scripts and then log back in. If what the policy description says is true, the desktop would not appear until the scripts timeout hit. But that’s not what happens. What happens is that the desktop appears and notepad is running. If I go into task manager I’ll see only one cmd.exe process. If I kill that, then calc.exe fires up, because it was waiting on the same thread as the notepad script. I agree that the description is awful, and MS has known about this for years, and hasn’t fixed it :)

        Darren

        Reply »
Gustav Brock —

Thank you Darren!
I spent two days debugging and packet sniffing this issue searching multiple times before hitting the right search sentence in Bing.

We have Win 2003 servers and for some reason Win8.1 has a little delay opening the Sysvol folder. Thus, it wouldn’t work with zero delay but 1 second does.
Here’s the script I call from GPO, Machine Startup:

Option Explicit

‘ Main script

Dim objShell

Dim strPath
Dim strKeyEnable
Dim strKeyDelay
Dim intValEnable
Dim intValDelay

strPath = “HKLM\SYSTEM\SOFTWARE\Policies\Microsoft\Windows\System\”
strKeyEnable = “EnableLogonScriptDelay”
strKeyDelay = “AsyncScriptDelay”
intValEnable = 1
intValDelay = 1

Set objShell = CreateObject(“WScript.Shell”)

objShell.RegWrite strPath & strKeyEnable, intValEnable, “REG_DWORD”
objShell.RegWrite strPath & strKeyDelay, intValDelay, “REG_DWORD”

Set objShell = Nothing

‘ End script
‘ —————————————————–

Reply »
    Darren Mar-Elia

    Cool. Is there any reason why you’re setting this from a startup script rather than using the Admin Template policy to control it? I’m not big on startup scripts that write the same reg value over and over again.

    Darren

    Reply »
      Gustav Brock —

      Yes, there is that very good reason that being a part time sysadmin I didn’t know of adm files.

      But I grabbed the adm file posted later, added it, and marked enabled:

      Setting State
      Remove Win8.1 Logon Script Execution Delay Enabled

      CLASS MACHINE

      CATEGORY “Custom”

      KEYNAME “Software\Policies\Microsoft\Windows\System”
      POLICY “Remove Win8.1 Logon Script Execution Delay”

      EXPLAIN “Enabled will remove the logon script execution delay present in Windows 8.1. Disabled will reintroduce the delay.”

      ACTIONLISTON
      KEYNAME “Software\Policies\Microsoft\Windows\System”
      VALUENAME “AsyncScriptDelay”
      VALUE NUMERIC 1
      KEYNAME “Software\Policies\Microsoft\Windows\System”
      VALUENAME “EnableLogonScriptDelay”
      VALUE NUMERIC 0
      END ACTIONLISTON

      ACTIONLISTOFF
      KEYNAME “Software\Policies\Microsoft\Windows\System”
      VALUENAME “AsyncScriptDelay”
      VALUE NUMERIC 300
      KEYNAME “Software\Policies\Microsoft\Windows\System”
      VALUENAME “EnableLogonScriptDelay”
      VALUE NUMERIC 1
      END ACTIONLISTOFF

      END POLICY

      END CATEGORY

      However, it didn.’t work. My DCs run at 2003 level so I cannot see why not. Anyway, I had to revert to my startup script which works well, though it takes 10-15 min. from it is activated before workstations “see” it.

      Reply »
Migz —

Hello Darren,

I could not see this setting “Configure Logon Script Delay” in the path that you mentioned.

I have installed the latest RSAT for Windows 8.1 x86 from MS on my Win 8.1 Enterprise which is joined to our corporate domain with DC of Server 2008R2, How could I see this option in MMC as it is missing inside a GPO? Please help thanks!

Reply »
    Darren Mar-Elia

    Are you sure you’re looking under Computer Configuration\Policies\Administrative Templates\System\Group Policy\Configure Logon Script Delay? If it’s not there, verify that you have, under c:\windows\policydefinitions, a file called grouppolicy.admx and that it’s from about 9-23-13
    Darren

    Reply »
      Migz —

      I forgot something. =) It showed up fine of course with Local Group Policy as its using the local policy store on my client (9-23-13), my bad.

      But what I really want is testing this policy in our domain with a test GPO and just want to verify if its ok to copy and paste the grouppolicy.admx/adml (the 9-23-13 in my 8.1 client) in our central store in SYSVOL, even though we have 2008R2? Should it work? Thanks Darren

      Reply »
Dan —

Does this Delay only work with Win8? I have a several minute delay with XP machines and 2008 AD.

Reply »
Adam —

This totally did not work, sorry. And I can’t delete it.

However, below is an ADM that does work:

CLASS MACHINE

CATEGORY “Custom”
KEYNAME “Software\Policies\Microsoft\Windows\System”
POLICY “Remove Win8.1 Login Script Execution Delay”
EXPLAIN “Enabled will remove the login script execution delay present in Windows 8.1. Disabled will reintroduce the login script execution delay in Windows 8.1.”
ACTIONLISTON
KEYNAME “Software\Policies\Microsoft\Windows\System”
VALUENAME “AsyncScriptDelay”
VALUE NUMERIC 1
KEYNAME “Software\Policies\Microsoft\Windows\System”
VALUENAME “EnableLogonScriptDelay”
VALUE NUMERIC 0
END ACTIONLISTON
ACTIONLISTOFF
KEYNAME “Software\Policies\Microsoft\Windows\System”
VALUENAME “AsyncScriptDelay”
VALUE NUMERIC 300
KEYNAME “Software\Policies\Microsoft\Windows\System”
VALUENAME “EnableLogonScriptDelay”
VALUE NUMERIC 1
END ACTIONLISTOFF
END POLICY
END CATEGORY

Reply »
Johan —

Thanks! Great tip

Reply »
Sven —

Wow thanks!! I was just implementing a logonscript on a w8.1 environment for the first time and couldn’t figure this out. Thanks!!!

Reply »
Bill —

Thank you, thank you, thank you. A million times, thank you.

Reply »
Asela De Costa —

HI All,

I got few Windwos 7 PC’s and cannot see the logon script name in RSOP.MSC?

But GPO is applied to the PC. if i expand to script no script in their?

As

Reply »
Derk —

Thank you very much for this information!

Reply »

Share Your Thoughts!

 

Copyright © 2015 SDM Software, Inc.
Site design by Social Media Ninjas