How to hide running logon scripts from users (.vbs) without using a wrapper script?


I figured out what's causing this, as my GPO settings are correct. The script that I need to run uses a function to force the 32-bit version of the scripting host.

Function fncForce32bitCscript()
    ' Host currently running this script, lower-cased for the comparison below
    Dim strCurrentScriptHost : strCurrentScriptHost = LCase(WScript.FullName)
    ' On 64-bit Windows the 32-bit cscript.exe lives under SysWOW64
    ' (fncCheckOS is a helper that is not shown here)
    Dim strRequiredScriptHost : strRequiredScriptHost = "c:\windows\system32\cscript.exe"
    If fncCheckOS = "X64" Then
        strRequiredScriptHost = "c:\windows\syswow64\cscript.exe"
    End If

    Dim objShell
    Set objShell = CreateObject("WScript.Shell")
    ' Make cscript the default script host (window style 0 = hidden, wait for completion)
    objShell.Run "cscript //h:cscript", 0, True

    If strCurrentScriptHost = strRequiredScriptHost Then
        'no switching to cscript required
    Else
        ' Rebuild the argument list, each argument wrapped in double quotes
        Dim strArgColl
        strArgColl = " "
        If WScript.Arguments.Count > 0 Then
            Dim ArgCollect
            For ArgCollect = 0 To WScript.Arguments.Count - 1
                strArgColl = strArgColl & Chr(34) & (WScript.Arguments.Item(ArgCollect)) & Chr(34) & " "
            Next
        End If
        'wscript.echo "script will be re-launched with the required script host " & strRequiredScriptHost
        ' Relaunch through cmd.exe; window style 1 shows the console window
        objShell.Run "cmd /C " & strRequiredScriptHost & " " & WScript.ScriptFullName & " " & strArgColl, 1, False
        'Set objShell = Nothing
        'wscript.sleep 3000
        WScript.Quit
    End If
End Function

So replacing this call to cmd.exe...

'objShell.Run "cmd /C " & strRequiredScriptHost & " " & WScript.ScriptFullName & " " & strArgColl, 0, false

...with this made it run hidden. Mission completed.

objShell.Run strRequiredScriptHost & " " & WScript.ScriptFullName & " " & strArgColl, 0, false

Author: Matthias Güntert

Updated on September 18, 2022
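
The relaunch described in the answer above, written out as an added example (not code from the original post): the 32-bit host is started directly with window style 0, and the host path, script path and every argument are quoted, so nothing passes through cmd.exe and its handling of characters such as & and |. The names QuoteArg, Get32BitCscript, BuildRelaunchCommand, Force32BitCscriptHidden and the LOGON32_RELAUNCHED variable are hypothetical, and the SysWOW64 file check stands in for the post's fncCheckOS helper, whose body is not shown.

```vbscript
Option Explicit

' Wrap a value in double quotes so paths and arguments with spaces survive.
Function QuoteArg(strValue)
    QuoteArg = Chr(34) & strValue & Chr(34)
End Function

' 32-bit cscript.exe: under SysWOW64 on 64-bit Windows, System32 otherwise.
Function Get32BitCscript(objShell)
    Dim objFso, strRoot, strWow
    Set objFso = CreateObject("Scripting.FileSystemObject")
    strRoot = objShell.ExpandEnvironmentStrings("%SystemRoot%")
    strWow = strRoot & "\SysWOW64\cscript.exe"
    If objFso.FileExists(strWow) Then
        Get32BitCscript = strWow
    Else
        Get32BitCscript = strRoot & "\System32\cscript.exe"
    End If
End Function

' Builds: "<host>" //nologo "<script>" "<arg1>" "<arg2>" ...
Function BuildRelaunchCommand(strHost)
    Dim strCmd, i
    strCmd = QuoteArg(strHost) & " //nologo " & QuoteArg(WScript.ScriptFullName)
    For i = 0 To WScript.Arguments.Count - 1
        strCmd = strCmd & " " & QuoteArg(WScript.Arguments.Item(i))
    Next
    BuildRelaunchCommand = strCmd
End Function

Sub Force32BitCscriptHidden()
    Dim objShell, objEnv, strHost
    Set objShell = CreateObject("WScript.Shell")
    Set objEnv = objShell.Environment("PROCESS")
    strHost = Get32BitCscript(objShell)
    ' Case-insensitive compare: equal means the right host is already running.
    If StrComp(WScript.FullName, strHost, vbTextCompare) = 0 Then Exit Sub
    ' Guard against a relaunch loop: the child inherits this process variable.
    If objEnv("LOGON32_RELAUNCHED") = "1" Then Exit Sub
    objEnv("LOGON32_RELAUNCHED") = "1"
    ' Window style 0 = hidden, False = do not wait; no cmd.exe in between.
    objShell.Run BuildRelaunchCommand(strHost), 0, False
    WScript.Quit
End Sub

Force32BitCscriptHidden
' The logon script's actual work continues here, now in the 32-bit host.
```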

Comments

  • Matthias Güntert over 1 year

    I have a GPO (configured with loopback replace) that runs a logon script (.vbs) and have linked it to an OU containing a W2012R2 RDS host.

    I have made these (question related) changes to the policy:

    Computer Configuration -> Policies -> Administrative Templates -> System -> Group Policy -> Configure Logon Script Delay -> Enabled -> minute: 0 
    
    User Configuration -> Policies -> Windows Settings -> Scripts (Logon/Logoff) -> MyScript.vbs 
    
    User Configuration -> Policies -> Administrative Templates -> System -> Run legacy logon scripts hidden -> Enabled 
    
    User Configuration -> Policies -> Administrative Templates -> System -> Display instructions in logon scripts as they run -> Disabled
    

    When a user logs on, the script runs perfectly in the foreground, but according to the settings I have made, I would have expected the command prompt not to pop up at all. So what am I doing wrong here, and what exactly is Microsoft's definition of a "legacy script"?

    I am aware that I can write a small "wrapper-script" that calls cscript.exe with the hidden parameter, but I would like to keep this as clean as possible and would like to understand why my settings don't work.