How to Set a User's Logon Script in Batch Script
A logon script is a batch file or other executable that runs automatically every time a user signs in to a Windows session. This is an incredibly powerful tool for administrators to automate the setup of a user's environment, such as mapping network drives, updating software, or setting registry keys. While this is often controlled by Group Policy in a large Active Directory environment, you can also set a logon script for a local user account directly from the command line.
This guide will teach you how to use the standard, built-in NET USER command to assign a specific script to a local user account. You will learn the correct syntax, the critical prerequisite of placing the script in the Netlogon share, and the importance of running this command as an administrator.
CRITICAL: The Netlogon Share Prerequisite
This is the most important and often misunderstood part of the process. You cannot point the logon script path to just any folder on your computer (like C:\MyScripts). Windows is designed to look for these scripts in a very specific, shared location.
- For Domain Controllers: This is the
NETLOGONshare, which physically points toC:\Windows\SYSVOL\sysvol\<domain>\scripts. - For Standalone/Workgroup Computers: You must manually create a
Netlogonshare. By default, Windows looks for the script inC:\Windows\System32\Repl\Import\Scripts. You must first create this folder structure and then share theScriptsfolder with the nameNetlogon.
Rule of Thumb: For this command to work, your script file (e.g., login.bat) must be placed in the C:\Windows\System32\Repl\Import\Scripts directory on the local machine before you can assign it.
The Core Command: NET USER ... /SCRIPTPATH
The NET USER command is the primary tool for modifying local user accounts. The /SCRIPTPATH switch is used to specify the name of the logon script.
Syntax: NET USER <username> /SCRIPTPATH:<ScriptName>
<username>: The name of the local user account you want to modify./SCRIPTPATH:: The switch to set the logon script.<ScriptName>: The name of the script file only (e.g.,login.bat). You do not provide the full path, as Windows will automatically look in theNetlogonshare location.
This command must be run with administrator privileges.
Basic Example: Setting a Logon Script for a User
This example assumes you have already created a script named StandardUserLogin.bat and placed it in the C:\Windows\System32\Repl\Import\Scripts folder.
@ECHO OFF
REM This script MUST be run as an Administrator.
SET "UserName=jdoe"
SET "LogonScriptName=StandardUserLogin.bat"
ECHO --- Setting a Logon Script for a Local User ---
ECHO.
ECHO Assigning '%LogonScriptName%' to user '%UserName%'...
NET USER %UserName% /SCRIPTPATH:%LogonScriptName%
IF %ERRORLEVEL% EQU 0 (
ECHO [SUCCESS] The logon script has been set successfully.
) ELSE (
ECHO [FAILURE] The command failed. See error message above.
)
The next time the user jdoe logs in, StandardUserLogin.bat will be executed automatically.
How to View or Remove a Logon Script
- To View: Simply run
NET USER <username>and look for the "Logon script" field in the output. - To Remove: Set the script path to an empty value.
NET USER <username> /SCRIPTPATH:
How the NET USER Command Works
The NET USER command with the /SCRIPTPATH switch modifies the user's account information in the local Security Account Manager (SAM) database. It sets the scriptPath attribute on the user's object. When that user logs on, the Netlogon service checks this attribute. If a script name is present, the service looks for that file in the standard Netlogon location and executes it as part of the logon process.
Common Pitfalls and How to Solve Them
Problem: "Access is denied." (Administrator Privileges)
This is the most common failure. Modifying a user account is a privileged operation.
Solution: The script must be run from an elevated command prompt. Right-click your .bat file or cmd.exe and select "Run as administrator."
Problem: The Script Does Not Run
You set the script path, the command succeeds, but the script never runs when the user logs in. There are two primary causes:
- The Script is in the Wrong Location: This is the most frequent issue. The logon script is not in the
C:\Windows\System32\Repl\Import\Scriptsfolder. Solution: You must create this folder and place your script file inside it. - The
NetlogonService is Not Running: This service is required to process logon scripts. Solution: Ensure the "Netlogon" service is set to "Automatic" startup type and is running in theservices.mscconsole.
Practical Example: A "First Time Setup" Script
This script creates a new user and assigns a one-time setup script that will run the first time they log in. This setup script will then remove itself from the user's profile so it doesn't run again.
Example of the admin script:
@ECHO OFF
REM Must be run as an Administrator.
REM --- Step 1: Create the logon script file in the correct location ---
SET "LogonScriptDir=C:\Windows\System32\Repl\Import\Scripts"
MKDIR "%LogonScriptDir%" 2> NUL
(
ECHO @ECHO OFF
ECHO Welcome! Performing first-time setup...
ECHO (Creating a Documents folder on the D: drive...)
MKDIR D:\Users\%USERNAME%\Documents 2> NUL
ECHO Setup complete.
ECHO Removing this one-time logon script...
NET USER %USERNAME% /SCRIPTPATH:
PAUSE
) > "%LogonScriptDir%\FirstLogon.bat"
REM --- Step 2: Create the user and assign the script ---
ECHO Creating user 'NewUser'...
NET USER NewUser MyP@ssw0rd123 /ADD /COMMENT:"New standard user"
NET USER NewUser /SCRIPTPATH:FirstLogon.bat
ECHO [SUCCESS] User 'NewUser' has been created with a one-time logon script.
Conclusion
Using NET USER /SCRIPTPATH is the standard, built-in method for assigning a logon script to a local user account.
Key takeaways for using it successfully:
- You must run the script as an Administrator.
- The logon script file must be placed in the
C:\Windows\System32\Repl\Import\Scriptsdirectory. - The
NET USERcommand only needs the filename of the script, not the full path. - To remove a logon script, set the path to be empty:
NET USER <user> /SCRIPTPATH:.