Logon script for different locations using group policy on each site is not working.

I am trying to setup Group Policies for each of my locations to run the logon script for that location.  The problem I ran into is my administrator type accounts are running the logon script.  I do not want this to happen so with the help from the experts, I create an AD group called NO LOGON SCRIPT and put the administrator accounts in there and then added this group to the group policy delegation and denied all rights.  This kept the script from running, but keeps my admininstrator account from getting back in to modify the policy, cause i dont have rights.  So I thought I could just throw computer accounts in the NO LOGON SCRIPT group, but this does not seem to stop the script from running.   I want different logon scripts to run based on the users location.  The user works out of all locations, so switching the users OU or logon on the profile tab is a pain.   Any suggestions?
LVL 1
ohmErnieAsked:
Who is Participating?
 
oBdAConnect With a Mentor Commented:
Don't deny *all* permissions on the GPO for the NO LOGON SCRIPT group; open the Advanced security settings of the GPO, and check the Deny *only* at the "Apply Group Policy" permission.
0
 
MidnightOneCommented:
Set the logon script up in a GPO and link the GPO to the site?
0
 
ohmErnieAuthor Commented:
Read my whole question.  I'm already that far.  I do not want all users (admins) in the site to run the logon script.
0
Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

 
MidnightOneCommented:
It's a little unclear; the admins already have denied access to read and apply the group policy?
0
 
Network_Data_SupportCommented:
logon scripts dont apply for computers they use startup scripts. cant you just create a security group aet up the GPO and apply it to that group and then add users to that
0
 
Network_Data_SupportCommented:
hNG ON I SEE WHAT YOU HAVE DONE you want to allow administrator delegation and you want to add the group to the security filter under scope options
0
 
Network_Data_SupportCommented:
make sure administrators are not part of the security group also
0
 
ohmErnieAuthor Commented:
The problem is domain admins has rights to this "site policy"  Therefore, if I take domain admin out, I have no way to modify the site policy or access it.
0
 
Network_Data_SupportCommented:
yeh add doamin admins to the delegates .    delegates let you modify the GPO secrity filter under scope is what applys the GPO to the group
0
 
Network_Data_SupportCommented:
so add the group to security filter and then add who you want to modify the policy  under delegates
0
 
Network_Data_SupportCommented:
by giving you administrator deny on the delegation that is whats stopping them from modifying
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.