GPO Links

Hi experts. I have a network with a 2003 server running. I have AD and have configured a number of OUs. I have a student OU, and in that OU I have all the grades 8, 9, 10, etc.
I have configured policies on the root student OU and individual policies on each grade as to programs, printers, scripts, etc. Is this the appropriate way to roll this out? I cannot get the GPO to take effect. The password policy is set to not lock out users in the student policy, but it is set in the default domain policy to lock users out. If I check enforced, will the default policy take effect and only the changes on that OU's policies take effect? Thanks. I will give good points for this, as I will no doubt have to clarify this a bit.
fessiambre Asked:
 
Netman66 Commented:
You should be placing the script in this location:

C:\WINDOWS\System32\GroupPolicy\User\Scripts\Logon

This should be called from Group Policy and I think you have the correct element:

User Configuration>Windows Settings>Scripts(Logon/Logoff)>Logon

...and this GPO should be linked only to the OU where the Users are located that will require this script.



0
 
mcsween (Sr. Network Administrator) Commented:
You should check enforced on your OU level policy that prevents the lockout.  If you enforce the DDP which is set to lock people out then conflicting settings from other GPOs will not take effect.  Note that if you enforce both of these policies the DDP GPO will win.
0
 
TheCleaner Commented:
You set the "structure" right, but the Password policy ONLY takes effect at the domain level.  You cannot specify it differently for other OUs, etc.
0

 
Netman66 Commented:
TheCleaner is correct here, just a little vague.

Account Policies are controlled exclusively from the Default Domain Policy and cannot be blocked or overridden.  Keep in mind that this policy controls Domain accounts only.  Any local account can be controlled independently of the domain policy since you are using the local SAM for authentication.



0
 
Netman66 Commented:
I should add this: you can only have one (1) Account policy in the domain.  If your Forest has multiple domains then each domain can have a different policy.


0
 
TheCleaner Commented:
Yep...like Netman66 says, I should be more concise on my answers.

Basically the password/account policies the author has set on the default domain policy will be used throughout the domain; you won't be able to change this for other computers/users in that domain.

As far as the actual structure that you are using, it looks good to me.

I usually set up GPOs so that common tasks/settings are associated to a single GPO, and that GPO is applied as needed.

I tend to create GPOs like this so that I can change just that GPO if something changes.  I don't like the idea of a default domain policy doing much of anything, and the only things I set in there are things I know will never change (or take an act of congress practically to get changed).
0
 
Netman66 Commented:
Agreed.
0
 
fessiambre Author Commented:
I appreciate the prompt responses. I thank you for the clarity on the password problem. I still, however, have the script problem. It is a basic batch command script; it just runs a net use for the printer and a net use for a shared file. The command runs on the client, but it gives an error that says:

'\\DomainSchool.local\SysVol\AspengroveSchool.local\Policies\{4E784B66-74BC-4DDC-8403-55C25FFB16A3}\User\Scripts\Logon'
CMD.EXE was started with the above path as the current directory.
UNC paths are not supported.  Defaulting to Windows directory.

C:\WINDOWS>net use t: \\server.domainschool.local\student share

Please help.
0
 
Netman66 Commented:
That's a normal error.

Where are you calling the script from?



0
 
Netman66 Commented:
You can fix it here, but you shouldn't see it.

http://support.microsoft.com/default.aspx?scid=kb;EN-US;156276

0
 
Netman66 Commented:
Are you calling it here?

User Configuration\Windows Settings\Scripts(Logon/Logoff)

0
 
fessiambre Author Commented:
I am assigning it from the logon in the student OU.
It is assigned from the group policy:
user config-
                scripts
                          logon
I then browsed for the script and clicked on it: printer.bat.
It is a two-line net use command:
net use g: \\server\share
net use lpt1: \\server\printer
0
 
fessiambre Author Commented:
Should I use the GPO or the standard script locals?
0
 
TheCleaner Commented:
Can you show us what the entire batch file you are trying to run is?
0
 
fessiambre Author Commented:
Cleaner, this is what I have.
It says access denied. All users have full control. Is it the legacy issues?
net use g: \\server\shared folder
net use LPT : \\server\printer
0
 
fessiambre Author Commented:
The policy is working, but the script for the student is only partially working: the printer will not map, or 1 of the shares.
0
 
TheCleaner Commented:
1.  Do all users you are trying to run this against have rights to the share in question?
2.  Are they possibly already mapping G to something?

You may do something like:

net use g: /del
net use LPT1: /del

in the first part of your batch file to clear out any existing mappings to them.

Otherwise you can use VBScript instead:

' Map the shared folder to drive G:
Set objNetwork = CreateObject("WScript.Network")
objNetwork.MapNetworkDrive "G:", "\\SERVER\share"

' Connect the shared network printer
Set objPrinter = CreateObject("WScript.Network")
objPrinter.AddWindowsPrinterConnection "\\server\printer"

0
 
Netman66 Commented:

net use LPT : \\server\printer

Is this exactly right?  You are missing "1" from LPT
0
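
An added example, not part of any poster's reply: a logon batch script that applies the fixes discussed in this thread (clearing old mappings, quoting a share path that contains a space, the LPT1: device name) and logs each net use result so an "access denied" can be traced to one mapping. The server, share, printer and log file names are placeholders.

```batch
@echo off
rem Added example logon script for the student OU. All names are placeholders.
setlocal

set "SHARE=\\server\shared folder"
set "PRINTER=\\server\printer"
set "LOG=%TEMP%\logon-map.log"

rem A GPO logon script starts with a UNC current directory under SYSVOL.
rem cmd.exe cannot use that and falls back to the Windows directory, so
rem use only absolute paths in this script.

rem No /user: or password is passed to net use. SYSVOL is readable by every
rem domain user, so the mappings rely on the logged-on student's own rights.

echo %DATE% %TIME% %USERNAME% on %COMPUTERNAME% > "%LOG%"

rem Clear stale mappings first. A "not found" message here is harmless
rem and is only written to the log.
net use G: /delete /y >> "%LOG%" 2>&1
net use LPT1: /delete /y >> "%LOG%" 2>&1

rem Quote the UNC path because the share name contains a space.
net use G: "%SHARE%" /persistent:no >> "%LOG%" 2>&1
if errorlevel 1 echo FAILED mapping G: to %SHARE% >> "%LOG%"

rem The device name is LPT1: with no space before the colon.
net use LPT1: "%PRINTER%" /persistent:no >> "%LOG%" 2>&1
if errorlevel 1 echo FAILED mapping LPT1: to %PRINTER% >> "%LOG%"

endlocal
```

The log in %TEMP% keeps the exact net use error text for each mapping, which separates a share permission problem from a typo in the script.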
Question has a verified solution.
