I’ve got a solution now.
What creates this behaviour of your logon script not wanting to map drives?
If you have Windows 10, you want to use Edge, Calculator and PDF App. Microsoft says you need UAC enabled for that, otherwise it won’t work. So you enable UAC by GPO (Reg. Key
BUT: if you’re deploying a logon script inside the GPO and your user is a local admin on the computer on which he’s logging on – which in my case is on every computer because I’m a Domain Admin – UAC will drop your account to a non-privileged user, and as we know, if they’re not running in the same context, you won’t get your drives deployed in your admin account.
This is in fact by design, and it’s caused by the way UAC works. When you’re a member of the Administrators group and you log in, your account is busted down to a non-privileged user by UAC. This running context is completely separate from the context you get when you right-click Command Prompt and launch as an administrator. As you’ll probably have noticed, network drives connected in one context are not visible in the other. The problem is that GPO-based login scripts are being executed in the Administrator context – not the ordinary user context.
So you’re disabling UAC and your GPO logon script will work. You’re happy for a moment, but then you realize you can’t use Edge anymore.
So how can we enable UAC and have our Logon Script working?
I did it with this registry hack, which is not supported by Microsoft. I guess it’s a vulnerability to your system security; keep that in mind if you’re doing this the same way as I do:
```
HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System
New Entry: Type: DWORD Name: "EnableLinkedConnections" Value: 1
```
And BAM! You can use logon scripts, UAC, Edge, whatsoever.
Other things you could try – I didn’t try any of those yet:
- Call your PS File in a batch script which is stored in GPO
- Set up your PS Script as a scheduled Task inside GPO
So hopefully this will be useful for other Administrators that have problems with their logon script.
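The following PowerShell is an added example, not part of the original post: it reports whether `EnableLinkedConnections` is set alongside the UAC state, and sets the value only behind a `-WhatIf`-aware function so the change can be reviewed first. The function names and the use of the `EnableLUA` value to read the UAC state are assumptions of this example; it must run elevated to write under HKLM.

```powershell
# Added example: audit and (optionally) set EnableLinkedConnections.
$PolicyKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-LinkedConnectionsState {
    # Read a DWORD from the policy key; returns $null when the value is absent.
    $read = {
        param($Name)
        $item = Get-ItemProperty -Path $PolicyKey -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $item.$Name } else { $null }
    }
    $lua    = & $read 'EnableLUA'                # UAC switch (assumed name, not on the page)
    $linked = & $read 'EnableLinkedConnections'  # the value the post sets

    $note = if ($linked -eq 1 -and $lua -ne 0) {
        'Network connections are shared between the filtered and elevated logon sessions.'
    } elseif ($linked -eq 1) {
        'Value is set, but UAC is reported off, so there is no split token to link.'
    } else {
        'Default: filtered and elevated logon sessions keep separate drive mappings.'
    }

    [pscustomobject]@{
        Computer                = $env:COMPUTERNAME
        EnableLUA               = $lua
        EnableLinkedConnections = $linked
        Assessment              = $note
    }
}

function Set-LinkedConnections {
    # SupportsShouldProcess gives -WhatIf / -Confirm for a dry run before writing.
    [CmdletBinding(SupportsShouldProcess)]
    param([ValidateSet(0, 1)][int]$Value = 1)

    if ($PSCmdlet.ShouldProcess($PolicyKey, "Set EnableLinkedConnections=$Value")) {
        # -Force overwrites an existing value instead of failing.
        New-ItemProperty -Path $PolicyKey -Name 'EnableLinkedConnections' `
            -PropertyType DWord -Value $Value -Force | Out-Null
    }
}

Get-LinkedConnectionsState      # report the current state
Set-LinkedConnections -WhatIf   # dry run: shows the write without performing it
```

Running `Get-LinkedConnectionsState` across machines gives an inventory of where this unsupported setting is active, and the change takes effect only after a restart.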