Solved

Prevent Logon Scripts on Server

Posted on 2004-08-25
Last Modified: 2010-04-14
I have applied logon scripts to be run across the domain through the "Default Domain Policy." I want to prevent the logon scripts from running on the Domain Controllers. I have unchecked "No Override" on the Default Domain Policy, and blocked policy inheritance under the "Domain Controllers" OU, but the script still runs.
Question by:deriickmu
Accepted Solution

by:
jdeclue earned 375 total points
ID: 11893228
Remove the logon scripts from the Default Domain Policy. Do not make changes to the Policy or place any new ones in the ROOT. This can and most likely will cause serious issues in your AD environment. Create a New Policy on a Container such as "Corporation Users" or "Corporation Computers": right click on the OU and create a GPO there.

Background. There are two default GPOs: Default Domain Policy at the root, and Default Domain Controller Policy on the Domain Controllers OU. Anything put in the ROOT will apply to all OUs, including the Domain Controllers etc. You should not move the Domain Controllers from the default container; they need to be treated differently than all other computers. Do not apply any GPO changes to the ROOT of the domain.

J
Expert Comment

by:jdeclue
ID: 11893681
P.S. One more thing: make sure you set the Domain Controller OU back to the way it was regarding Overrides and policy inheritance, after you remove the changes you made to the Default Domain Policy. The domain controllers need the Default Domain Policy the way it was; they get that policy and the additional settings from the Default Domain Controllers Policy.

Very bad test... do not do this, unless it is a test lab. Bring up a domain, create a new OU and move the Domain Controllers to it. Usually within about 1 hour, you will begin to lose the ability to log in to the domain. After a little while the Domain controllers will begin to fail. It is really nasty.

J
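
The steps from the accepted answer and its follow-up, as an added PowerShell example that is not part of the original thread. It assumes the GroupPolicy module (RSAT) is available; the domain name, distinguished names and GPO name are placeholders.

```powershell
# Added example. Domain, DNs and the GPO name are placeholders (assumptions).
Import-Module GroupPolicy

$Domain   = 'corp.example.com'
$DomainDN = 'DC=corp,DC=example,DC=com'
$UsersOU  = "OU=Corporation Users,$DomainDN"   # OU name used in the answer
$DcOU     = "OU=Domain Controllers,$DomainDN"
$GpoName  = 'User Logon Scripts'               # hypothetical GPO name

# 1. Create a dedicated GPO and link it to the users OU, not the domain root.
#    Logon scripts are a User Configuration setting, so the link target is
#    the OU that holds the user accounts.
if (-not (Get-GPO -Name $GpoName -Domain $Domain -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName -Domain $Domain -Comment 'Logon scripts, OU scoped' | Out-Null
}
$links = (Get-GPInheritance -Target $UsersOU -Domain $Domain).GpoLinks
if (-not ($links | Where-Object { $_.DisplayName -eq $GpoName })) {
    New-GPLink -Name $GpoName -Target $UsersOU -Domain $Domain -LinkEnabled Yes | Out-Null
}
# The script itself is then added in the GPO editor under
# User Configuration > Windows Settings > Scripts (Logon/Logoff).

# 2. Put the Domain Controllers OU back: inheritance must not stay blocked.
$dcSom = Get-GPInheritance -Target $DcOU -Domain $Domain
if ($dcSom.GpoInheritanceBlocked) {
    Set-GPInheritance -Target $DcOU -Domain $Domain -IsBlocked No | Out-Null
}

# 3. Confirm the Default Domain Policy no longer carries script entries.
#    User scripts of a GPO are listed in User\Scripts\scripts.ini in SYSVOL.
$ddp = Get-GPO -Name 'Default Domain Policy' -Domain $Domain
$ini = "\\$Domain\SYSVOL\$Domain\Policies\{$($ddp.Id)}\User\Scripts\scripts.ini"
if ((Test-Path -LiteralPath $ini) -and
    ((Get-Content -LiteralPath $ini) -match '^\d+CmdLine=')) {
    Write-Warning "Default Domain Policy still defines logon/logoff scripts: $ini"
}

# 4. Review what the Domain Controllers OU receives, in precedence order.
#    'Enforced' is the setting older consoles call "No Override".
(Get-GPInheritance -Target $DcOU -Domain $Domain).InheritedGpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced |
    Format-Table -AutoSize
```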