Before taking a look at how scripts are added to Group Policy Object settings, it is important to recall the order in which GPO settings are applied. The hierarchy will impact which settings will ultimately apply, based on the container that a GPO is linked to. The order of application is:
- Site
- Domain
- OU
- Sub-OUs
In this way, scripts assigned at the Site level are always applied first, followed by those associated with domains, and then OUs. As such, a setting that is applied at the Site level via a script may subsequently be overwritten by conflicting settings at the OU level. Just something to keep in mind before you decide to go crazy assigning scripts. As with all GPOs, you can always use the No Override and Block Inheritance settings to control which settings will actually be applied to users.
In the same way, multiple GPOs may be applied to the same object, for example an OU. In this case, just remember that GPO settings are always applied beginning with the lowest GPO on the list, followed by the next-highest GPO. With three policies listed as Policy 1, Policy 2 and Policy 3, Policy 3 would be applied first, followed by Policy 2, and finally Policy 1. Where conflicts exist, each policy's settings are overwritten by those of the policy applied next.
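The two ordering rules above (container order, then bottom-up within one container's list) can be traced with a small resolver. This is an added PowerShell example, not part of the original article; the GPO names, setting names and values are constructed, and it models only conflicting settings, not No Override or Block Inheritance.

```powershell
# Helper (hypothetical, for this example only): one GPO link and its settings.
function New-Link($Gpo, $Settings) { [pscustomobject]@{ Gpo = $Gpo; Settings = $Settings } }

# Constructed sample data. Containers are in the order the article lists them;
# Links is each container's GPO list from top to bottom.
$containers = @(
    [pscustomobject]@{ Level = 'Site'; Links = @(
        New-Link 'Site Policy' @{ DriveH = '\\site\home'; Wallpaper = 'site.bmp' }) }
    [pscustomobject]@{ Level = 'Domain'; Links = @(
        New-Link 'Domain Policy' @{ DriveH = '\\dom\home' }) }
    [pscustomobject]@{ Level = 'OU'; Links = @(
        New-Link 'Policy 1' @{ DriveH = '\\ou\p1' }
        New-Link 'Policy 2' @{ DriveH = '\\ou\p2'; Wallpaper = 'p2.bmp' }
        New-Link 'Policy 3' @{ DriveH = '\\ou\p3'; Timeout = 600 }) }
)

function Resolve-EffectiveSetting {
    param([Parameter(Mandatory)] [object[]] $Containers)
    $effective = [ordered]@{}
    foreach ($container in $Containers) {          # Site, then Domain, then OU
        $links = @($container.Links)
        # Within one container, start with the lowest GPO on the list.
        for ($i = $links.Count - 1; $i -ge 0; $i--) {
            $link = $links[$i]
            foreach ($name in $link.Settings.Keys) {
                # Remember which GPO held this setting before it is overwritten.
                $previous = if ($effective.Contains($name)) { $effective[$name].Source } else { $null }
                $effective[$name] = [pscustomobject]@{
                    Setting   = $name
                    Value     = $link.Settings[$name]
                    Source    = "$($container.Level) / $($link.Gpo)"
                    Overwrote = $previous
                }
            }
        }
    }
    $effective.Values                              # one row per setting: winner and what it replaced
}

Resolve-EffectiveSetting -Containers $containers | Format-Table -AutoSize
```

The Source column shows which GPO a value finally came from, and Overwrote shows the GPO whose value it replaced, which is the information needed when reviewing why a setting did not take effect.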
Assigning a script to a GPO can be a little tricky, especially if you haven’t done it before. The reason is that the script needs to be stored not just anywhere, but in the Group Policy template associated with the GPO. This is a special folder that is named according to the GUID of the GPO. If you follow a few simple steps, however, assigning a script and placing it in the correct location is easy.
Start off by opening a new or existing GPO, as shown below. In my example, I am going to assign a login script to all domain users, so I’ve created a new GPO at the domain level. Browse to the User Configuration – Windows Settings – Scripts (Logon/Logoff) section.
Double-clicking on the Logon icon at right brings up the Logon Properties window.