Store GPO Scripts in Netlogon or Policy Folder?

The default location for user logon scripts is the NETLOGON share, which, by default, is replicated on all DC in your forest, and is physically located in:

%SystemRoot%\SYSVOL\sysvol\<domain DNS name>\scripts.

or

%SystemRoot%\SYSVOL_DFSR\sysvol\<domain DNS name>\scripts (for DFS-Based FRS since this is recommended from Server 2012R2+)

If you set a user logon script (ADUC > User > Properties > Logon > Logon-Script > hello.cmd), it is executed from NETLOGON.

"Official" best practice is:

• store them along with the GPO, if you set it through GPO.
• store them in NETLOGON, if you set it as a user property in AD.

Both location are sync'ed between domain controller, thus for me it's only a personal's choice.

My personal's opinion is that after over a certain numbers of GPO, having all in netlogon can be hard to manage. (as when you delete a GPO, the script would not be erased in example)

Not sure is this is "best practice", but I have seen a few blog post recommend this, and I prefer it:

We have a file share that contains all the supporting files for our GPOs, including scripts. The scripts are all checked into version control.

The file share is setup with DFS, so it is \domain.com\DFS\GPO-Files

The scripts are in a subdir \domain.com\DFS\GPO-Files\Scripts

In the GPO, you call the script "powershell.exe" and for the parameters you do -File PathToScript.

I like this approach because the GPO files and scripts are in a well known location, not buried in a folder with a GUID name.

It also allows more control over how powershell.exe is invoked, like ExecutionPolicy.