Solved

Group Polcy - Applying what where

Posted on 2007-03-20
5
180 Views
Last Modified: 2010-04-20
Would I be right in assuming
I can only apply the 'Computer Configuration' Settings to OU's containing computer objects.
AND
I can only apply the 'User Configuration' Settings to OU's containing users.

I am applying a GPO to an OU containing computers and trying to invoke a user logon script from the GPO Tree > User Configuration > Windows Settings > Script > Logon. This doesn't seem to work for me but I don't know whether I am looking at a fault or a feature.

Cheers
Jo
0
Comment
Question by:jrb139
5 Comments
 
LVL 6

Expert Comment

by:trippleO7
ID: 18756486
Yes, Computer configuration will only apply to Computers in an OU, same goes for users and User Configuration.  Applying User Configuration settings for an OU with only computers won't work.

It all depends on what type of script you are running, but try using a Startup script for those machines...

Computer config > Windows Settings > Scripts (startup/shutdown)

What type of script is it?


0
 

Author Comment

by:jrb139
ID: 18757205
I guess I would like to run a script on an OU of computers that would only affect a subset of users.

But I get the impression the script applied to a Computer runs prior to a user logon which kind of scuppers my plan.

So I have kind of turned it on its head, so now I am applying the script to that group of users and testing to see if the Computer is in a certain OU, if so then apply the action.

Seems like the best way forward.
0
 
LVL 21

Expert Comment

by:mcsween
ID: 18759552
Yes, you are correct, a computer configuration Startup script runs as Administrator at comptuer startup (before you see a logon screen).  A user Logon script runs at logon (after you type your password).

Make sure wherever you are storing the script has the proper security set so the users have at least read on the share and NTFS permissions.  Also check to make sure the users can access this location, if not it could be a DNS issue or something.

Assign the GPO to an OU with the user's in it and make sure Authenticated Users have read and apply set on the GPO.  Alternatly you can link the GPO in the root of the domain and use security groups to filter.  Remove the Authenticated Users permission from the GPO and add the security group you want ot use to apply these settings.

Go to a user's computer that should get this GPO and while logged on as the user:
Start --> Run --> rsop.msc
Check to see the policy is being applied.  You can RC User Config and select properties to see error information.  Also check the event logs to see if there was some error in group policy processing.
0
 
LVL 21

Expert Comment

by:mcsween
ID: 18759651
Just to be clear, you want the script to apply to only certian users on specific computers?

For example:
User1 logs onto Computer1 = Apply Policy
User1 logs onto Computer2 = Do not Apply Policy
User2 logs onto Computer1 = Do not Apply Policy

If you are using VBScript here is a nice quick query to find the full LDAP name of the computer (will show OU info too)

Set ADInfo = CreateObject("ADSystemInfo")
wscript.echo ADInfo.ComputerName

This is just an echo but you can set it to a variable and do what you want with it.
0
 
LVL 12

Accepted Solution

by:
StuFox100 earned 250 total points
ID: 18762894
If you want to use GPO without the extra scripting use loopback policy - http://support.microsoft.com/kb/231287
Using the merge option the OU where the machines are will apply the 'User Configuration' options when a user logs on.
Cheers
Stu
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

There are several problems reported according slow link speeds or poor performance in TMG 2010, UAG 2010 or ISA 2006. I want to collect here some of the common issues together to give a brief overview what can be the reason. Nevertheless, not all of…
Is your Office 365 signature not working the way you want it to? Are signature updates taking up too much of your time? Let's run through the most common problems that an IT administrator can encounter when dealing with Office 365 email signatures.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

920 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now