Domain Discovery – Finding Login Scripts
Background
With my current contract, I’m helping a company in the process of collapsing multiple domains into one new domain while also tidying up their OU structure, Group Policy Objects, and converting old login scripts to Group Policy Preferences. A quick query of the SYSVOL and NETLOGON folders show hundreds of login scripts, some dating back to the early 2000’s. Early on, I suspected that we weren’t actually using all of them, so here’s the process for discovering exactly what you need to concern yourself with.
The Tools
All you need to make this work is the ActiveDirectory module. Specifically, we can do almost all of this with the get-aduser command.
This command pulls a list of all users that are Enabled and have a login script specified. This can take quite a while to run if you have a large domain, but this gives us the data set we need to get started.
What this does is take just the ScriptPath value, convert it to uppercase (which is important later), and assign those to a new array.
Now what we’re doing is taking the $allScripts array and querying it for unique values. The ToUpper() from earlier is important here because “select -unique” is case sensitive. Had we not converted everything to uppercase, we’d get a ton more unique values because LoginScript.bat, LOGINSCRIPT.bat, and loginscript.bat would all have unique entries.
This isn’t necessary, but it lets you do a quick “does this sound right” check. In a healthy domain, your count of unique scripts should be very small compared to your amount of users with scripts.
This piece counts through every unique script we found and tallies up the number of users with that script applied. From there, you have options for how you want to output it. For example:
$all | sort -property Instances -descending | ft
Will output the array, sorted from highest to lowest number of instances. This gives you an immediate look at what your most common, and therefore most important, scripts are to migrate over. Alternatively, it can be extremely helpful to see what scripts only have one or two users assigned to them. In the case of my domain, most of those appear to be typos (i.e. LoginScirpt.bat).
If you need to present a report to your manager, it’s a nothing task to run
$all | export-csv -notypeinformation -path C:LoginScripts.csv
and fire that off in an email.
I hope this has been useful. Let me know if there’s anything else you’d like to see.