What security context does the Group Policy engine run under on Windows?

More specifically…

I would like to create a policy that runs a login script to copy a file from a share to a local folder.

What account do I need to grant access to on the share in order for the logon script to get the file?


If you're applying the script as part of the computer startup, you need to grant access to the computer object on the share (you can add a computer to a group just like a user account, as they are both valid objects that can authenticate on the domain).

If you're running the script at user logon, it runs under the user's own security context, so your users will need to be able to access the remote location you host the file from, and have access to the local folder on the machine that you want to copy to.

If you can't grant your user access to both of those locations, it's usually preferable to run the copy from the machine startup script, instead of the user logon.


User logon scripts run under the user's context (the user logging on, to which the User Configuration settings (including the logon script) in the GPO are being applied).
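
A copy script that records which identity it ran as, so the share and folder permissions can be checked against the right account. This is an added example, not part of the original answers; the UNC path, local folder and log file name are hypothetical placeholders.

```powershell
# Added example. All paths below are hypothetical placeholders.
$Source      = '\\fileserver.example.com\Deploy\app.config'  # file on the share
$Destination = 'C:\ProgramData\ExampleApp'                    # local target folder
$LogFile     = Join-Path $env:TEMP 'gpo-copy.log'             # per-identity temp folder

function Write-Log([string]$Message) {
    # Timestamped line appended to the log file
    '{0:u} {1}' -f (Get-Date), $Message | Add-Content -Path $LogFile
}

# Identity of the running process: the logged-on user for a user logon script,
# NT AUTHORITY\SYSTEM for a computer startup script.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
Write-Log "Running as $($identity.Name) (IsSystem=$($identity.IsSystem))"

if ($identity.IsSystem) {
    # As SYSTEM, the file server sees the computer account, so that account
    # (or a group containing it) needs read access on the share.
    Write-Log "Share must allow computer account $($env:COMPUTERNAME)`$"
}

try {
    # Test-Path is evaluated as the current identity, so a false result here
    # points at share or NTFS permissions for that account.
    if (-not (Test-Path -LiteralPath $Source)) {
        throw "Cannot read $Source as $($identity.Name)"
    }

    # The same identity also needs write access to the local folder.
    if (-not (Test-Path -LiteralPath $Destination)) {
        New-Item -ItemType Directory -Path $Destination -ErrorAction Stop | Out-Null
    }

    Copy-Item -LiteralPath $Source -Destination $Destination -Force -ErrorAction Stop
    Write-Log "Copied $Source to $Destination"
}
catch {
    Write-Log "FAILED: $($_.Exception.Message)"
    exit 1
}
```

Assigned as a startup script, the log shows SYSTEM and the computer account; assigned as a logon script, it shows the user who logged on.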