Is it best practice to store logon scripts centrally in \\DOMAIN\Netlogon, or in the policy folder they get put in by default, e.g. \\DOMAIN\SysVol\DOMAIN\Policies\{DE22B6FB-315E-4C55-BF06-A7709913CD9E}\User\Scripts\Logon?
What are the implications (if any) of choosing one location over the other?
I'm inclined to just keep them all in Netlogon for ease of access /review...
The default location for user logon scripts is the NETLOGON share, which, by default, is replicated to all DCs in your forest, and is physically located in:
%SystemRoot%\SYSVOL\sysvol\<domain DNS name>\scripts
or
%SystemRoot%\SYSVOL_DFSR\sysvol\<domain DNS name>\scripts
(for DFS-based FRS, since this is recommended from Server 2012 R2+).
If you set a user logon script (ADUC > User > Properties > Logon > Logon script > hello.cmd), it is executed from NETLOGON.
"Official" best practice is:
Both locations are synced between domain controllers, so for me it's only a personal choice.
My personal opinion is that after more than a certain number of GPOs, having everything in NETLOGON can be hard to manage (for example, when you delete a GPO, the script would not be erased).
Not sure if this is "best practice", but I have seen a few blog posts recommend this, and I prefer it:
We have a file share that contains all the supporting files for our GPOs, including scripts. The scripts are all checked into version control.
The file share is set up with DFS, so it is \\domain.com\DFS\GPO-Files
The scripts are in a subdir \\domain.com\DFS\GPO-Files\Scripts
In the GPO, you call the script "powershell.exe" and for the parameters you use -File PathToScript.
I like this approach because the GPO files and scripts are in a well known location, not buried in a folder with a GUID name.
It also allows more control over how powershell.exe is invoked, like ExecutionPolicy.
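Whichever of the three layouts above you pick (NETLOGON, the per-GPO policy folder, or a separate DFS share called via powershell.exe -File), the thing worth checking afterwards is the same: where each configured logon script actually lives, whether it still exists, and who can write to it, since a logon script runs under every user who receives the GPO. The script below is an added example written for this thread, not code from any of the answers. It reads the scripts.ini / psscripts.ini files that the GPO editor writes under SYSVOL, resolves each entry (a bare file name maps to the GPO's own Logon folder; a powershell.exe entry maps to its -File argument), classifies the location, and reports any principal outside an assumed admin allow-list that holds write rights on the file. The domain name, the allow-list in $AdminPrincipals and all function names are this example's own assumptions; it needs only read access to SYSVOL.

```powershell
# Added example (not from the original answers): audit GPO logon scripts in SYSVOL.
# Assumptions: run as a domain user with read access to SYSVOL; the domain DNS name
# comes from the environment; $AdminPrincipals is an assumed allow-list of writers.
param(
    [string]$Domain = $env:USERDNSDOMAIN,
    [string[]]$AdminPrincipals = @(
        'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER',
        "$env:USERDOMAIN\Domain Admins", "$env:USERDOMAIN\Enterprise Admins",
        "$env:USERDOMAIN\Group Policy Creator Owners")
)

$PoliciesRoot = "\\$Domain\SYSVOL\$Domain\Policies"

# scripts.ini / psscripts.ini use numbered keys under a [Logon] section:
#   0CmdLine=hello.cmd
#   0Parameters=
#   1CmdLine=powershell.exe
#   1Parameters=-ExecutionPolicy Bypass -File \\domain.com\DFS\GPO-Files\Scripts\x.ps1
function Read-LogonEntries([string]$IniPath) {
    $entries = @{}
    $section = ''
    foreach ($line in Get-Content -LiteralPath $IniPath -Force) {
        if ($line -match '^\[(.+)\]\s*$') { $section = $Matches[1]; continue }
        if ($section -ne 'Logon') { continue }   # ignore [Logoff] entries
        if ($line -match '^(\d+)(CmdLine|Parameters)=(.*)$') {
            $idx = $Matches[1]
            if (-not $entries.ContainsKey($idx)) { $entries[$idx] = @{ CmdLine = ''; Parameters = '' } }
            $entries[$idx][$Matches[2]] = $Matches[3].Trim()
        }
    }
    $entries.GetEnumerator() | Sort-Object { [int]$_.Key } | ForEach-Object { $_.Value }
}

# A bare file name is looked up in the GPO's own ...\User\Scripts\Logon folder; a UNC or
# drive path is used as-is. For powershell.exe the real script is the -File argument.
function Resolve-LogonScriptPath([hashtable]$Entry, [string]$LogonFolder) {
    $target = $Entry.CmdLine
    if ($target -match '(?i)powershell(\.exe)?$' -and
        $Entry.Parameters -match '(?i)-File\s+"?([^"]+?)"?(\s+-|$)') {
        $target = $Matches[1]
    }
    if ($target -notmatch '^\\\\' -and $target -notmatch '^[A-Za-z]:') {
        $target = Join-Path $LogonFolder $target
    }
    return $target
}

# Classify the storage location discussed in the thread.
function Get-ScriptLocationClass([string]$Path) {
    if ($Path -match '(?i)\\NETLOGON\\|\\SYSVOL\\[^\\]+\\scripts\\') { return 'NETLOGON' }
    if ($Path -match '(?i)\\Policies\\\{[0-9A-F-]+\}\\')             { return 'PolicyFolder' }
    return 'OtherShare'   # e.g. the DFS share from the last answer
}

# Principals with write-capable ACEs that are not on the admin allow-list.
function Get-NonAdminWriters([string]$Path) {
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.FileSystemRights -match 'Write|Modify|FullControl' -and
            $AdminPrincipals -notcontains $_.IdentityReference.Value
        } |
        ForEach-Object { $_.IdentityReference.Value }
}

$iniFiles = Get-ChildItem -Path "$PoliciesRoot\*\User\Scripts" -Filter '*scripts.ini' `
                          -Force -ErrorAction SilentlyContinue

$report = foreach ($ini in $iniFiles) {
    $gpoGuid     = ($ini.FullName -split '\\')[-4]   # ...\Policies\{GUID}\User\Scripts\scripts.ini
    $logonFolder = Join-Path $ini.DirectoryName 'Logon'
    foreach ($entry in Read-LogonEntries $ini.FullName) {
        $path    = Resolve-LogonScriptPath $entry $logonFolder
        $exists  = Test-Path -LiteralPath $path
        $writers = if ($exists) { (Get-NonAdminWriters $path) -join ', ' } else { '' }
        [pscustomobject]@{
            GPO             = $gpoGuid
            Command         = $entry.CmdLine
            Script          = $path
            Location        = Get-ScriptLocationClass $path
            Exists          = $exists
            NonAdminWriters = $writers
        }
    }
}

$report | Format-Table -AutoSize
```

Run it from a domain-joined host; rows with Exists = False are the orphaned scripts the second answer warns about (a GPO deleted while its script stayed in NETLOGON, or the reverse), and any non-empty NonAdminWriters column is the case to fix first regardless of which folder layout you chose, because a writable logon script is code execution as every user the GPO applies to.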