Disable Logon Scripts

I have several people that need to logon to servers that have a logon script enabled on their AD account.
I need to know if it is possible to disable the logon script via GPO or other means from running when these users logon to my servers.
VERY IMPORTANT! The first step to this is to make sure that the GPO that runs the script doesn't do anything else. If it does, please create a GPO just for the script. Make sure it has the same permissions as the original GPO. (Don't forget to remove the script from the original GPO.)

Second, create a security group in Active Directory, call it something like "ThoseDeniedLoginScript", and add the people to it for whom you don't want the script to run.

Thirdly, back in Group Policies, in the security for the GPO that runs the script, add the group "ThoseDeniedLoginScript" and then under permissions give [Read - Allow] and [Apply Group Policy - Deny].

The reason this will work is because in Windows "Deny" always wins over "Allow". So for the people who are in both groups (one that allows and the other that denies), the script will not run.

Hope this is what you were looking for.  It sounded like you know at least a little bit about getting around in AD and Group Policies so I did not get too detailed about which buttons to push.  If you would like, just ask, and I can direct you through with more detail.
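The three steps of this answer done from PowerShell, as an added example that is not part of the thread. The GPO name "Logon Script Only", the sample account names, and the use of the RSAT GroupPolicy and ActiveDirectory modules are assumptions. Set-GPPermission can grant a permission level but has no way to write a Deny ACE, so the "Apply Group Policy - Deny" entry is added directly to the GPO's object in Active Directory.

```powershell
# Added example, not from the thread. Assumes the script-only GPO is named
# 'Logon Script Only', the RSAT GroupPolicy and ActiveDirectory modules are
# installed, and the account names below are constructed samples.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName   = 'Logon Script Only'        # assumed name of the GPO that only runs the script
$GroupName = 'ThoseDeniedLoginScript'
$Members   = 'alice', 'bob'             # constructed sample accounts

# Step 2: the security group holding the users who must not get the script
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security | Out-Null
}
Add-ADGroupMember -Identity $GroupName -Members $Members

# Step 3a: Read - Allow. Set-GPPermission can grant GpoRead/GpoApply/GpoEdit,
# but cannot express a Deny, so the deny is written as an ACE in step 3b.
Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
    -PermissionLevel GpoRead | Out-Null

# Step 3b: Apply Group Policy - Deny on the GPO's groupPolicyContainer object.
# edacfd8f-ffb3-11d1-b41d-00a0c968f939 is the Apply-Group-Policy extended right.
$ApplyGroupPolicy = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'
$gpo   = Get-GPO -Name $GpoName
$gpoDn = 'CN={' + $gpo.Id.ToString() + '},CN=Policies,CN=System,' +
         (Get-ADDomain).DistinguishedName
$sid   = (Get-ADGroup -Identity $GroupName).SID

$acl = Get-Acl -Path ('AD:\' + $gpoDn)
$ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $ApplyGroupPolicy
)
$acl.AddAccessRule($ace)
Set-Acl -Path ('AD:\' + $gpoDn) -AclObject $acl

# Check: the group should now be listed on the GPO with Denied = True.
Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Trustee.Name -eq $GroupName } |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Denied
```

Afterwards, confirm on the GPO's Delegation tab in GPMC (Advanced) that the group shows Read allowed and Apply Group Policy denied. A user in this group is filtered out of the GPO no matter which other groups (Authenticated Users, for instance) allow it, which is the "Deny wins over Allow" behaviour the answer relies on.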
If it were a logon script defined in a GPO, you could do this with a Loopback policy in Replace mode applied to your servers.
Loopback Processing of Group Policy

But since the logon script is defined in the user's properties in AD (if I understood you correctly), you can't prevent this through a GPO.
You can fix this by changing the logon script, though, either by checking the computer name (if you have a naming scheme like srv-01, ws-01 or whatever), or by checking if the machine's role is "WORKSTATION".
You didn't specify what type of script you're using; in batch it would be a one-liner:
net accounts | find "WORKSTATION" || goto :eof


omen1280 (Author) commented:
Thanks for both comments, but it sounds easier to add the line to the logon script since it is only about 4 users and they all have the same logon script.
So the workstation entry in the script will check if the computer they are logging on to is a server or a PC?

Yes (if you're actually using a batch script).
"net accounts" will display the machine's role, and if this doesn't return "WORKSTATION", the script will be left immediately.
omen1280 (Author) commented:
I put the line in at the top of my script but I got the error in the screen shot attached.
Below is also a snippet of my logon script.
Please tell me what I did wrong.
On Error Resume Next
Dim objFSO,objFILE,objFolder,objShell,objNetwork,strUser,strPath
set objFSO=CreateObject("Scripting.FileSystemObject")
set objShell=CreateObject("Wscript.Shell")
set objNetwork=CreateObject("Wscript.Network")
' MapIt, IsAMemberOf and AddPrinterConnection are helper routines defined further
' down in the full script; only the top of the script is shown in this snippet.
'MAP Splash Screen
objShell.run "\\njdc01\netlogon\splash.exe"
'Map network drives
MapIt "U:","\\HOMESERVER\USER\" & objNetwork.Username & ""
If IsAMemberOf(objNetwork.UserDomain,objNetwork.UserName,"ITDepartment") Then MapIt "S:","\\mapdpfs01\departments\it"
If IsAMemberOf(objNetwork.UserDomain,objNetwork.UserName,"ITDepartment") Then MapIt "T:","\\nas\software"
If IsAMemberOf(objNetwork.UserDomain,objNetwork.UserName,"Operations Managers") Then MapIt "O:","\\mapdpfs01\common\opsmgmt"
' Per-user mapping: compare the user name (case-insensitively) instead of calling it as a function
If LCase(objNetwork.UserName) = "jchromcik" Then MapIt "h:","\\njresource\helpstar"
'Map printers
If IsAMemberOf(objNetwork.UserDomain,objNetwork.UserName,"ITDepartment") Then AddPrinterConnection "\\homeserver\IT4100N"
If IsAMemberOf(objNetwork.UserDomain,objNetwork.UserName,"ITDepartment") Then AddPrinterConnection "\\homeserver\HELPDESK"


Guess why I wanted to know what type of script you're using ...
Add the script below at the beginning of your script.

Identifying Computer Roles

' Read the machine role from WMI; Win32_ComputerSystem.DomainRole is 0-5
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
Set colComputers = objWMIService.ExecQuery("Select DomainRole from Win32_ComputerSystem")
For Each objComputer In colComputers
  Select Case objComputer.DomainRole
    Case 0, 1          ' standalone workstation, member workstation
      strComputerRole = "WORKSTATION"
    Case 2, 3, 4, 5    ' standalone server, member server, backup DC, primary DC
      strComputerRole = "SERVER"
  End Select
Next
' Leave the script immediately on anything that is not a workstation,
' so none of the drive or printer mappings below run on a server
If strComputerRole <> "WORKSTATION" Then WScript.Quit
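The same "do nothing on servers" prologue written for a PowerShell logon script, as an added example that is not from the thread (the batch one-liner and the VBScript above are the thread's own). It covers both ideas from the earlier answer, the WMI DomainRole and, optionally, a computer-name pattern; the "srv-" pattern is an assumption to be replaced with your own naming scheme, and the DomainRole values are the ones the VBScript maps.

```powershell
# Added example, not from the thread. $ServerNamePattern is an assumed naming
# scheme; set it to $null to rely on the role check alone.
$ServerNamePattern = '^srv-\d+$'

function Get-ComputerRole {
    # Win32_ComputerSystem.DomainRole: 0/1 workstation, 2/3 server, 4/5 domain controller
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    switch ($role) {
        { $_ -in 0, 1 } { 'WORKSTATION' }
        { $_ -in 2, 3 } { 'SERVER' }
        { $_ -in 4, 5 } { 'DOMAINCONTROLLER' }
        default         { 'UNKNOWN' }
    }
}

function Test-SkipLogonScript {
    param(
        [string]$Role         = (Get-ComputerRole),
        [string]$ComputerName = $env:COMPUTERNAME
    )
    # Skip on anything that is not a workstation (servers, DCs and unknown roles),
    # and also on machines whose name matches the server naming scheme.
    if ($Role -ne 'WORKSTATION') { return $true }
    if ($ServerNamePattern -and $ComputerName -match $ServerNamePattern) { return $true }
    return $false
}

# Prologue: exit before any drive or printer mapping when this is a server
if (Test-SkipLogonScript) { exit }

# ... drive and printer mappings for workstations follow here ...
```

Because Test-SkipLogonScript takes the role and name as parameters, it can be exercised on a workstation without changing the machine, for example Test-SkipLogonScript -Role 'SERVER' or Test-SkipLogonScript -Role 'WORKSTATION' -ComputerName 'srv-01' both return $true, while Test-SkipLogonScript -Role 'WORKSTATION' -ComputerName 'ws-01' returns $false.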

Windows Server 2003