Store GPO Scripts in Netlogon or Policy Folder?

The default location for user logon scripts is the NETLOGON share, which, by default, is replicated on all DC in your forest, and is physically located in:

%SystemRoot%\SYSVOL\sysvol\<domain DNS name>\scripts.

or

%SystemRoot%\SYSVOL_DFSR\sysvol\<domain DNS name>\scripts (for DFS-Based FRS since this is recommended from Server 2012R2+)

If you set a user logon script (ADUC > User > Properties > Logon > Logon-Script > hello.cmd), it is executed from NETLOGON.

"Official" best practice is:

  • store them along with the GPO, if you set it through GPO.
  • store them in NETLOGON, if you set it as a user property in AD.

Both location are sync'ed between domain controller, thus for me it's only a personal's choice.

My personal's opinion is that after over a certain numbers of GPO, having all in netlogon can be hard to manage. (as when you delete a GPO, the script would not be erased in example)