Warning!!!–Group Policy Logon Scripts Delays in Windows 8.1
Last month, I wrote an article on the Petri.co.il website, reviewing the new features around Group Policy in Windows 8.1. Buried in that list of new stuff was a feature that was perhaps a little unheralded and under-advertised, but one that may cause administrators a world of hurt if they are not expecting it. Specifically, I’m referring to the change in Group Policy-based logon script behavior for Windows 8.1 clients. If you are using Group Policy-based logon scripts today to map drives or printers, set up registry or environment variables, etc., when you migrate your client machines to Windows 8.1, those logon scripts won’t run until FIVE MINUTES after logon has started. For some users, this could mean broken environments as processes or environmental setup steps that are expected to kick off at logon don’t.
If you’re reading this and thinking “WTF!! Why did Microsoft do that?”, then you are probably not alone. Recently I had a conversation about this with several unsuspecting admins and once they discovered this default behavior, they were not happy. The reason this was done was to reduce the inevitable contention that can occur when logon scripts are running while lots of other stuff is going on, at user logon time. Ultimately logon scripts can be the biggest culprit of slow user logons in many environments, so what Microsoft attempted to do here is reduce that contention by delaying the running of logon scripts. This is a good idea in practice. What was not a good idea was to make it the DEFAULT behavior and force admins to have to react to it via the inevitable flurry of help desk calls, especially if they did not know about it ahead of time.
So, what do you do about it? Well the good news is that this behavior can be disabled or modified through Group Policy, using the policy under Computer Configuration\Policies\Administrative Templates\System\Group Policy\Configure Logon Script Delay, as shown here:
In this dialog you can configure logon script delay in increments of one minute, all the way down to zero, which disables the feature completely and reverts logon script processing behavior back to the way it was in prior versions of Windows.
If you are planning a deployment to Windows 8.1, I would make sure you incorporate this setting into your base image, or your base policies, to ensure that you get the behavior you want, and aren’t surprised about the behavior you don’t want!!