You may have noticed the following policy settings in Group Policy and for a while confused about these policy settings for user.
There are three places in Group Policy where you can configure programs to run when a computer starts and after a user logon to the system. These three places are under the following container:
- User Configuration\Windows Settings\Scripts (Logon\Logoff)
- User Configuration\Administrative Templates\System\Logon
- Computer Configuration\Administrative Templates\System\Logon
In the last two, you will see the following policy settings:
- Run these programs at user logon
- Do not process the run once list
- Do not process the legacy run list
The above policy settings appear in both: User and Computer Configuration container.
For “Run these programs at user logon” policy setting, if this policy setting is configured in both the container (user and computer) the user policy setting will run just after computer policy setting.
For last two “Do not process the run once list” and “Do not process the legacy run list” policy settings, if this policy setting is configured in both the container (user and computer) the computer policy setting will take precedence over user policy setting.
Why so? The reason is very simple. The Run Once list is configured in Local Machine HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce only. The programs in this registry key are processed only after user has logged on to the system. There is no RunOnce key for user. That is why computer RunOnce will run after user RunOnce.
Now, you may ask that there is logon programs, login scripts and logon scripts but there is no Logoff Programs? It is because a program requires system resources when it runs whereas a logoff shuts down all the applications. While a windows is shutting down a program can not stay in memory.
There is a difference between running a program and a script. Please note the difference. A program is something which is installed on users computer and you configure in “Run these programs at user logon” by specifying the full path of that program. This program runs Locally. On other hand, a script is something which is run over the network. You need to specify a complete path of the program you wish to run when a user’s login script has finished.
So the point is very clear and the script or programs are run in the following order:
- Computer Startup / Script runs. Will be applicable to all the computers
- User Login script runs. Will be applicable to all the users.
- Computer logon programs run Will be applicable to all the computers.
- User logon programs run Will be applicable to all the users.
After user login script has finished, the Winlogon at workstation will retrieve a list of programs to run on local computer from GPO.
In above, there is no conflict in policy settings so all the program will run one by one.
Group Policy Key terms:
This means Policy setting is not configured and Winlogon service at client end,
While processing the Group Policy Objects from domain controller, will not process this policy
This means Policy setting is configured but Domain Controller will not publish it for
processing or Winlogon at workstation will not process this setting.
This means Policy setting is configured and will be processed by Winlogon service at
The Microsoft has designed two options for Group Policy for NOT processing Group Policy settings. The “Disabled” option in Policy settings are configured per policy setting whereas “Disable User or Computer Policy settings” in property of GPO is used to NOT to process any policy settings configured in the said container. The later option overrides settings configured in earlier option.
- Computer policy settings only run when computer starts just before user logon. Example, you have a network drive to map for all computers. This network drive mapping will be available for all the users who log on to that system.
- User policy settings only run after user log on to the system. In above example, the network drive mapping will be available to all users who logs on to the system.
- Third option is filtering Group Policy settings using groups. This option doesn’t necessarily defeat the above rule but is here to process the GPO for selected users or computers. In above example, if you create a Group called “ServiceComputers” and put 4 computers in that group and apply a policy setting to this group then only the computers will receive this policy.
Other options are “Block Policy Inheritance” and “No Override”. The first option can be set on a child policy meaning you can not set this option at site level or there is no use of this option at parent policies. This option, if enabled, forces child GPO not to accept any policy settings coming from Parent GPO. The “No Override” option, if enabled, forces child GPO not to block any policy setting coming from parent GPO. If there is a conflict in the policy, the Parent GPO settings will be applied provided “No Override” option is enabled.