How Bad Logon/Logoff Scripts Can Impact Performance

As a system administrator, the surest way to make the whole company hate you is to deploy a Group Policy with a badly written logon/logoff script.

A few days ago, someone sent me an email with a link to a reboot trace, asking for my help to fix his Windows 10 computer, which takes 8 minutes to restart. Yes, 8 minutes!

He was so annoyed by this issue that he was willing to pay for my assistance, and asked whether I have a Fiverr account.

Out of curiosity, I looked at his trace and saw something interesting!

I saw a long delay caused by the GPClient subscriber, the Winlogon notification subscriber that runs Group Policy processing. In other words, Group Policy was the culprit.


I thought it could be an interesting case to troubleshoot, and the occasion to resurrect the Fiverr account I had created a while ago and never been serious about.

But before I said yes to the challenge, I asked this person whether he is an IT person, because the problem is related to Group Policy, which means domain admin rights are needed to work on it.

He said no!

I told him it would be better to ask his system administrator to get the problem solved.

He said their IT guy was not supportive, but that he had admin rights, so he could do admin tasks himself!

What?!

Giving domain users admin rights on their computers, so that they can go on Fiverr and hire the first "IT expert" teenager to fiddle with their corporate computer!

On top of that, the company is a well-known name in its market!

The IT department should be more careful about security; a careless setup like this can cost the company big losses and cost them their jobs.

So I said OK to the job, created the gig, and started working on the problem. Fortunately for this person, I'm not an "IT expert" teenager.

Knowing that the problem was related to Group Policy, I started exploring in that direction.

Digging into the call stacks, I saw the function call that gave me a clue:

gpsvc.dll!CGroupPolicySession::ExecuteGPOScriptsForThePrincipal


Now I knew that a GPO was running a script.

The next step was to identify that script.

I opened the Registry Editor and navigated to the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy

Then I started checking for policies that run a script, and I found two:

The logon script is called "RemoveDomainAdmins.exe"

And The logoff script is called "rmdomnadm.exe"


From their names, you can easily guess what those scripts do, or try to do, which made me laugh.

Not only are the scripts not doing their job of removing domain admin rights, they also make users wait 8 minutes for their computers to restart!
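The registry walk above can be scripted so that every Group Policy script registered on the machine (computer Startup/Shutdown scripts under HKLM, user Logon/Logoff scripts under HKCU) is listed with the GPO that delivered it and whether its file is reachable right now. This is an added example, not code from the article; it assumes the per-script subkey layout (`...\Group Policy\Scripts\<Type>\<n>\<m>` with the values `Script`, `Parameters` and `IsPowershell`, and `GPOName`, `GPO-ID` and `FileSysPath` on the parent key), and the `MaxGPOScriptWait` value name for the script timeout policy is also an assumption. Run it from an elevated PowerShell prompt on the affected machine.

```powershell
# Added example (not the article's code): list the Group Policy scripts that
# Windows has registered on this machine, so a slow startup/shutdown or
# logon/logoff can be tied to a concrete file and the GPO that delivers it.
#
# ASSUMPTIONS: per-script subkeys are <Type>\<n>\<m> with values Script,
# Parameters and IsPowershell; the parent key <n> carries GPOName, GPO-ID and
# FileSysPath (the SYSVOL folder relative script names resolve against).

$roots = @(
    # Computer scripts: Startup and Shutdown
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts',
    # User scripts for the logged-on user: Logon and Logoff
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts'
)

function Get-GpoScript {
    foreach ($base in $roots) {
        if (-not (Test-Path -LiteralPath $base)) { continue }

        # <Type> is Startup, Shutdown, Logon or Logoff
        foreach ($type in Get-ChildItem -LiteralPath $base) {
            # <n>: one subkey per GPO that delivers a script of this type
            foreach ($gpo in Get-ChildItem -LiteralPath $type.PSPath) {
                $gpoProps = Get-ItemProperty -LiteralPath $gpo.PSPath

                # <m>: one subkey per script inside that GPO
                foreach ($entry in Get-ChildItem -LiteralPath $gpo.PSPath) {
                    $p = Get-ItemProperty -LiteralPath $entry.PSPath
                    $scriptPath = $p.Script

                    # A bare file name is stored relative to the GPO's
                    # FileSysPath (assumption), so resolve it for the check.
                    if ($scriptPath -and
                        -not [System.IO.Path]::IsPathRooted($scriptPath) -and
                        $gpoProps.FileSysPath) {
                        $scriptPath = Join-Path $gpoProps.FileSysPath $scriptPath
                    }

                    [pscustomobject]@{
                        Type       = $type.PSChildName
                        GPOName    = $gpoProps.GPOName
                        GPOID      = $gpoProps.'GPO-ID'
                        Script     = $p.Script
                        Parameters = $p.Parameters
                        PowerShell = [bool]$p.IsPowershell
                        # Can this machine reach the file at this moment?
                        # Unreachable SYSVOL paths are one way a script can
                        # stall policy processing until the timeout expires.
                        Reachable  = [bool]($scriptPath -and
                                            (Test-Path -LiteralPath $scriptPath))
                    }
                }
            }
        }
    }
}

Get-GpoScript | Format-Table -AutoSize

# Group Policy waits for each script up to a configurable limit (600 s by
# default), which bounds how long a stuck script can block the machine.
# Value name and location are an ASSUMPTION derived from the "Specify maximum
# wait time for Group Policy scripts" policy.
$wait = Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows\System' `
            -Name MaxGPOScriptWait -ErrorAction SilentlyContinue
if ($wait) { "Script wait limit (policy): $($wait.MaxGPOScriptWait) s" }
else       { "Script wait limit: not set (default 600 s)" }
```

A `Reachable = False` row next to a script that the trace shows blocking is exactly the case to take to the domain administrators: `gpresult /r` (or `gpresult /h report.html`) tells you which GPO applied it and whether it is a computer or user policy. Local admin rights are enough to read these keys, but not to fix the policy; that still needs someone with rights on the GPO itself.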

How did I fix the issue?

As I had access neither to the script code to see what it does, nor to the Group Policy editor to check the policy settings, I asked the user to disable his Wi-Fi before restarting his computer, to prevent the Group Policy from being applied. And it worked!

This was just a workaround to make this user's life easier, and he was happy with that.

Takeaways:

1. As an IT pro, be supportive to your users so they don't look for help outside the company, which can have severe consequences.

2. Take security seriously, and do not give users administrator rights on their computers so that they can fiddle with them.

3. Do not write dumb logon/logoff scripts; avoid them as much as possible, and when you must use one, make sure it cannot block logon or shutdown for minutes.

4. Don't hire "IT expert" teenagers. Hire me.

Janus Barinan

Infrastructure Engineer at INDRA SISTEMAS S.A.

3 years ago

What tool do you use to dig into the call stack?
