• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 226
  • Last Modified:

Logon script for different locations using group policy on each site is not working.

I am trying to setup Group Policies for each of my locations to run the logon script for that location.  The problem I ran into is my administrator type accounts are running the logon script.  I do not want this to happen so with the help from the experts, I create an AD group called NO LOGON SCRIPT and put the administrator accounts in there and then added this group to the group policy delegation and denied all rights.  This kept the script from running, but keeps my admininstrator account from getting back in to modify the policy, cause i dont have rights.  So I thought I could just throw computer accounts in the NO LOGON SCRIPT group, but this does not seem to stop the script from running.   I want different logon scripts to run based on the users location.  The user works out of all locations, so switching the users OU or logon on the profile tab is a pain.   Any suggestions?
0
ohmErnie
Asked:
ohmErnie
  • 6
  • 2
  • 2
  • +1
1 Solution
 
MidnightOneCommented:
Set the logon script up in a GPO and link the GPO to the site?
0
 
ohmErnieAuthor Commented:
Read my whole question.  I'm already that far.  I do not want all users (admins) in the site to run the logon script.
0
 
MidnightOneCommented:
It's a little unclear; the admins already have denied access to read and apply the group policy?
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
Network_Data_SupportCommented:
logon scripts dont apply for computers they use startup scripts. cant you just create a security group aet up the GPO and apply it to that group and then add users to that
0
 
Network_Data_SupportCommented:
hNG ON I SEE WHAT YOU HAVE DONE you want to allow administrator delegation and you want to add the group to the security filter under scope options
0
 
Network_Data_SupportCommented:
make sure administrators are not part of the security group also
0
 
ohmErnieAuthor Commented:
The problem is domain admins has rights to this "site policy"  Therefore, if I take domain admin out, I have no way to modify the site policy or access it.
0
 
Network_Data_SupportCommented:
yeh add doamin admins to the delegates .    delegates let you modify the GPO secrity filter under scope is what applys the GPO to the group
0
 
Network_Data_SupportCommented:
so add the group to security filter and then add who you want to modify the policy  under delegates
0
 
Network_Data_SupportCommented:
by giving you administrator deny on the delegation that is whats stopping them from modifying
0
 
oBdACommented:
Don't deny *all* permissions on the GPO for the NO LOGON SCRIPT group; open the Advanced security settings of the GPO, and check the Deny *only* at the "Apply Group Policy" permission.
0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

  • 6
  • 2
  • 2
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now