How to Limit Logon Script to Specific Machines Only via Group Policy?

Posted on 2006-05-09
Last Modified: 2007-12-19

There are several hundred computers spread out in groups of 20-30 in different classrooms.  There are nearly a thousand students and teachers.  The computers are organized by OU (classroom).  In each classroom there is typically a teacher's workstation, too, that has attached to it one or more printers which are shared so that everyone else in the classroom can use them.  Those definitions currently are being done manually and has gotten tiresome with all the turnover semester to semester and the number of students involved.

I want to connect a classroom's 2 printers to anyone who logs on to any student machine in that particular classroom, but nowhere else.  As an example, Little Johnny in the Chem Lab doesn't need printers from English Lit 201.  I wrote a VB Script that defines the network printers and sets one as default; it works well for all users security levels when I execute it manually off the desktop after I've logged on.  It's specific to the classroom.

Now I want to automate this process and make it a logon script so that anyone who logs onto any machine in that classroom gets ITS two printers and no others.  I created a group policy that defined my script in the user Windows scripts logon section.  I was careful to place it in the policy folder.  I attached that policy to the computer OU for that classroom.  I even did a gpudate.  But it never executes when I log onto a machine in that classroom.

Somebody told me that I can only associate a user policy with a user security group.  I don't understand that (since policies contain both a computer and user component) nor even how that is practical since I want ANY user who logs on in a specific location (a unique classroom) to have a particular logon script run (with its own unique printers).  I don't want printers being defined to a user for Classroom 4 when the user is logging onto a computer in Classroom 12.  And it's unwieldly to impossible to keep regrouping students based on their classroom assignments (which change during the day).  Intuitively, the logon script should be assigned/selected based on LOCATION (the computer by its membership in the OU) and NOT by who happens to be logging on.

But I haven't been able to figure it out yet.  Any ideas?
Question by:RG-MCSE
    LVL 10

    Expert Comment

    You have a few options:

    For all of these, you would place the script associated with the user account and not computer account:
    1) If you have static IPs set on the computers, you can check the IP address of the computer (i.e. set classroom 12 to be, classroom 13 to be, etc)
    2) You can add a system environment variable to each workstation called "Classroom" and give it a value of "12" then query the %classroom% variable in the logon script to see what classroom it's associated with.
    3) You can add the script to the HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce or HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce key (for the latter, you will have to copy the current profile over the Default User profile so it runs on all new users and delete all the current profiles on the machine)
    4) You can make each student a member of each of the classrooms they are assigned to and map all printers for all classrooms they go to by checking group membership (this may be risky since students are known to mess around and play pranks like printing something to another classroom)

    Remember that Computer policies get applied at startup and user policies get applied when the user logs on. There is no loopback for user policies to make them apply to computer objects.

    Expert Comment

    I believe i'm not understanding a part. But is there a reason you can't use a startup script instead?
    LVL 10

    Expert Comment

    Isn't per machine printer deployment only supported under Windows XP and not Windows 2000? I was assuming that he had a mixed environment.
    LVL 69

    Accepted Solution

    Hi RG-MCSE your the guru here, I am not, but I did see a few of these requests over time, I think you have to create a special folder and add the users to this folder.
    I saw this here at EE it is still currently open.
    Group Policy and Groups

    Have you tired changing the allow user passwords options in this classroom only and on this desktop.
    Bear with me, as I am not professional on this, but my line of thinking (you fill in the gaps)
    Lets say in the class rooms where a printer is needed do you have a virtual desktop assigned for that particular subject only in that class room?

    So on that idea if users access that particular computer they can only acces that program for that classroom subjects. Assign the printer as you said and then allow the users a free logon no passwords.
    Is this possible?
     Click Start, click Run, and type control userpasswords2.
     Clear the Users must enter a username and password to use this computer check box.
     Click Apply.
     Enter the user name and password you wish to automatically log on with, and then click OK.
     Click OK again

    Assigning a Logon Script to Student Accounts

    lol my first stab at it. There will be more.
    LVL 44

    Expert Comment

    "Intuitively, the logon script should be assigned/selected based on LOCATION (the computer by its membership in the OU) and NOT by who happens to be logging on."

    Intuitive for YOU, but NOT for microsoft.  They only think of a login as related to a user.  If you reorient your thinking to a USER-based scenario, maybe you understand that microsoft is not as smart as you are.

    Author Comment

    Well, this implementation of policies by Microsoft is abysmal, if indeed one cannot also enforce a policy based on a computer's membership in an OU and thus apply that policy to anyone who logs onto that machine.  I have difficulties imagining they can be that shortsighted, especially since A/D has been around since the late 1990's.  Sure, I can define a naming convention of the machines based on classroom then expand the VB script to test for a machine-name prefix or something else that effectively groups a set of machines into a physical location.  But then, what's the point of putting machines into their own OU as a grouping mechanism?  I'm (re)inventing my own grouping, just like I had to do prior to active directory.

    Yes, intuitively, I just can't get over how restrictive everyone thinks the implementation still is after all these years.  And it may be just that because, like everyone else who's responded, I haven't been able to figure it out yet either.  So I'm going to let this question simmer for a while just in case what unfortunately appears to be the "common knowledge" turns out to be just that--common.  (No insult meant, I include myself in that grouping.)

    I appreciate victornegri's post of circumventions; many of these I'd considered myself already.  However, Merete's response seemed to show the most promise and it was backed up with a specific example from UCAL that appears to be on point.  While I've not tried this implementation, the sentence that caught my eye reads from the summary:

    "Using a GPO linked to the computer OU, instead of the student account OU, and enabling loopback processing settings, activates processing of the user configuration settings of the computer GPO, which is normally ignored during user logon. By enabling loopback processing, any user setting available in the User Configuration node can be applied even if the GPO is linked to the computer OU."

    Thanks, Merete, I need to study this more.  I'll need a few days, maybe over the weekend.
    LVL 10

    Expert Comment

    ok. I'm a moron... I wrote "There is no loopback for user policies to make them apply to computer objects" in my previous post... LOL, that's the only form of loopback available. You can enable loopback processing on the GPO applied to the Computer OU and set it to "merge" the settings with the user's policies. This will allow you to set anything in the User Configuration section of the GPO and have it apply to those specific computers.

    Author Comment


    The article you cited was right on.

    A little more digging revealed this, too:

    Thank you very much, not only for the correct answer, and so quickly, but also taking the time to cite a working example from UCLA--another school with the identical problem (solved) that I was wrestling with.

    And humble, too... "My first stab at it..."  lol

    If there was a score higher than "A" I'd surely give it to you; you've earned it.  Full points awarded.

    LVL 69

    Expert Comment

    wow I am impressed, even though the jargon hurts my head, sometimes I have to use my own words. That was my pleasure indeed RG-MCSE . I'll keep this post of yours as a database.
    Thank you very much.
    Regards Merete :)

    Featured Post

    Threat Intelligence Starter Resources

    Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

    Join & Write a Comment

    Suggested Solutions

    Many people tend to confuse the function of a virus with the one of adware, this misunderstanding of the basic of what each software is and how it operates causes users and organizations to take the wrong security measures that would protect them ag…
    As the title indicates, I have done this before. It chills me everytime I update the OS on my phone, ( because one time I did this and I essentially had a bricked …
    Illustrator's Shape Builder tool will let you combine shapes visually and interactively. This video shows the Mac version, but the tool works the same way in Windows. To follow along with this video, you can draw your own shapes or download the file…
    This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor ( If you're looking for how to monitor bandwidth using netflow or packet s…

    728 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    20 Experts available now in Live!

    Get 1:1 Help Now