
Report, export & manage user logon scriptpath

These script blocks must be run on a domain controller or a domain-joined computer, with permissions to read or modify domain users.

In Active Directory, a logon script can be set on each user object (the ScriptPath attribute); it is executed when that user logs on. The script must be stored in the NETLOGON share so that it can be referenced by its file name alone.
Because per-user scripts make it hard to see what runs where and are inflexible to change, logon scripts are better deployed through group policy objects (GPOs).

This guide shows how to find out which scripts are in use and how to remove them from all user objects.

Get overview

The first query returns every distinct script path in use, giving an overview of which scripts are actually referenced.

# Ask the DC only for users that have a ScriptPath set, and only for that attribute (-Properties * is slow on large domains)
(Get-ADUser -Filter 'ScriptPath -like "*"' -Properties ScriptPath).ScriptPath | Sort-Object -Unique

Report user by script path

This query lists all users that reference a specific script, so the individual objects can be reviewed and adjusted during a migration.

$ScriptPath = "<yourscriptpath>"
# ScriptPath is a single string, so compare with -eq (-contains only worked because PowerShell treats a scalar as a one-element collection)
Get-ADUser -Filter * -Properties ScriptPath |
    Where-Object { $_.ScriptPath -eq $ScriptPath } |
    ForEach-Object { Write-Output "Path set for: $($_.UserPrincipalName)" }

Remove specific entries

This PowerShell snippet removes the logon script from every user object whose ScriptPath matches one of the listed paths. The modified objects are written to the console.

$ScriptPaths = @(
  "<yourscriptpath1>",
  "<yourscriptpath2>"
)

foreach ($ScriptPath in $ScriptPaths) {
    # Collect the matching users first so the count can be checked before anything is changed
    $users = Get-ADUser -Filter * -Properties ScriptPath | Where-Object { $_.ScriptPath -eq $ScriptPath }
    Write-Output "$(@($users).Count) user(s) reference $ScriptPath"
    foreach ($user in $users) {
        # Add -WhatIf to Set-ADUser to preview the change without writing to AD
        Set-ADUser -Identity $user -Clear ScriptPath
        Write-Output "Cleared ScriptPath $ScriptPath for $($user.UserPrincipalName)"
    }
}
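The title promises an export, but the report and removal snippets above write nothing to disk. As an added example that is not part of the original guide, the following backs up every user's ScriptPath to a CSV (flagging references whose file no longer exists in NETLOGON) before the removal step, and can restore the values from that CSV if a migration has to be rolled back. It assumes the RSAT ActiveDirectory module is available, that the NETLOGON share of the current domain is reachable, and that the export path is one you choose.

```powershell
# Added example, not part of the original guide: back up every user's ScriptPath to CSV
# (with a check that the referenced file still exists in NETLOGON) before running the
# removal snippet, and restore from that CSV if the migration has to be rolled back.
# Assumptions: the RSAT ActiveDirectory module is available and the NETLOGON share of
# the current domain is reachable; the export path is whatever you choose.
Import-Module ActiveDirectory

function Export-ScriptPathReport {
    param(
        [Parameter(Mandatory)] [string] $ExportPath,
        [string] $NetlogonShare = "\\$((Get-ADDomain).DNSRoot)\NETLOGON"
    )
    # Ask the DC only for users that have a ScriptPath and only for that attribute
    $report = Get-ADUser -Filter 'ScriptPath -like "*"' -Properties ScriptPath |
        ForEach-Object {
            # ScriptPath is normally relative to NETLOGON; keep an absolute value as-is
            $full = if ([IO.Path]::IsPathRooted($_.ScriptPath)) { $_.ScriptPath } else { Join-Path $NetlogonShare $_.ScriptPath }
            [pscustomobject]@{
                SamAccountName    = $_.SamAccountName
                UserPrincipalName = $_.UserPrincipalName
                ScriptPath        = $_.ScriptPath
                ScriptExists      = Test-Path -LiteralPath $full
            }
        }
    $report | Export-Csv -Path $ExportPath -NoTypeInformation -Encoding UTF8

    # Per-script summary; a missing file means the reference is stale and a cleanup candidate
    $report | Group-Object ScriptPath | ForEach-Object {
        $note = if ($_.Group[0].ScriptExists) { '' } else { '  (file not found in NETLOGON)' }
        '{0,5} user(s): {1}{2}' -f $_.Count, $_.Name, $note
    }
}

function Restore-ScriptPathFromReport {
    param([Parameter(Mandatory)] [string] $ExportPath)
    Import-Csv -Path $ExportPath | ForEach-Object {
        # Re-apply the saved value; add -WhatIf to preview without writing to AD
        Set-ADUser -Identity $_.SamAccountName -ScriptPath $_.ScriptPath
        Write-Output "Restored ScriptPath $($_.ScriptPath) for $($_.UserPrincipalName)"
    }
}

# Take the backup first, then run the removal snippet from the guide
Export-ScriptPathReport -ExportPath 'C:\Temp\scriptpath-backup.csv'
```

Run Restore-ScriptPathFromReport with the same CSV only if the cleared values need to come back; the ScriptExists column is informational and is not written back.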