# Disable Logon Scripts

I have several people that need to log on to servers that have a logon script enabled on their AD account.
I need to know if it is possible to disable the logon script via GPO or other means from running when these users log on to my servers.
Commented:
VERY IMPORTANT! The first step to this is to make sure that the GPO that runs the script doesn't do anything else.  If it does please create a GPO just for the script.  Make sure it has the same permissions as the original GPO.  (Don't forget to remove the script from the original GPO)

Second, create a security group in Active Directory, call it something like "ThoseDeniedLoginScript", and add the people to it that you don't want the script to run for.

Thirdly, back in Group Policies, in the security for the GPO that runs the script, add the group "ThoseDeniedLoginScript" and then under permissions give [Read - Allow] and [Apply Group Policy - Deny].

The reason this will work is because in Windows "Deny" always wins over "Allow".  So for the people who are in both groups (one that allows and the other that denies), the script will not run.

Hope this is what you were looking for.  It sounded like you know at least a little bit about getting around in AD and Group Policies so I did not get too detailed about which buttons to push.  If you would like, just ask, and I can direct you through with more detail.
Commented:
If it were a logon script defined in a GPO, you could do this with a Loopback policy in Replace mode applied to your servers.
Loopback Processing of Group Policy
http://support.microsoft.com/?kbid=231287

But since the logon script is defined in the user's properties in AD (if I understood you correctly), you can't prevent this through a GPO.
You can fix this by changing the logon script, though, either by checking the computer name (if you have a naming scheme like srv-01, ws-01 or whatever), or by checking if the machine's role is "WORKSTATION".
You didn't specify what type of script you're using; in batch it would be a one-liner:

```batch
net accounts | find "WORKSTATION" || goto :eof
```

Author Commented:
Thanks for both comments, but it sounds easier to add the line to the logon script since it is only about 4 users and they all have the same logon script.
So the workstation entry in the script will check if the computer they are logging on to is a server or a PC?
Commented:
Yes (if you're actually using a batch script).
"net accounts" will display the machine's role, and if this doesn't return "WORKSTATION", the script will be left immediately.
Author Commented:
I put the line in at the top of my script but I got the error in the screen shot attached.
Below is also a snippet of my logon script.
Please tell me what I did wrong.
```vbscript
' Logon script snippet (VBScript); MapIt and IsAMemberOf are helpers defined
' elsewhere in the full script and are not shown here.
On Error Resume Next
Dim objFSO,objFILE,objFolder,objShell,objNetwork,strUser,strPath
set objFSO=CreateObject("Scripting.FileSystemObject")
set objShell=CreateObject("Wscript.Shell")
set objNetwork=CreateObject("Wscript.Network")

'MAP Splash Screen
objShell.run "\\njdc01\netlogon\splash.exe"

'Map network drives
MapIt "U:","\\HOMESERVER\USER\" & objNetwork.Username & ""
If IsAMemberOf(objNetwork.UserDomain,objNetwork.UserName,"Operations Managers") Then MapIt "O:","\\mapdpfs01\common\opsmgmt"

'Map printers
```
(attachment: it-script-error.jpg)
Commented:
Guess why I wanted to know what type of script you're using ...

Identifying Computer Roles
http://www.microsoft.com/technet/scriptcenter/guide/sas_srv_yzhs.mspx?mfr=true

```vbscript
' Query the machine's role through WMI (Win32_ComputerSystem.DomainRole)
Set objWMIService = GetObject ("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
Set colComputers = objWMIService.ExecQuery ("Select DomainRole from Win32_ComputerSystem")
For Each objComputer in colComputers
    Select Case objComputer.DomainRole
        Case 0, 1
            ' 0 = standalone workstation, 1 = member workstation
            strComputerRole = "WORKSTATION"
        Case 2, 3, 4, 5
            ' 2 = standalone server, 3 = member server, 4 = backup DC, 5 = primary DC
            strComputerRole = "SERVER"
    End Select
Next
' Leave the logon script immediately unless this is a workstation
If strComputerRole <> "WORKSTATION" Then
    wscript.quit
End If
```

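The DomainRole check above quits on anything that is not "WORKSTATION", so if the WMI query fails (and the poster's script runs under On Error Resume Next, which hides that failure) strComputerRole stays empty and drive mapping is silently skipped on a PC as well. As an added example, not code from the thread or from the Script Center page, the same check wrapped in a function that reports "UNKNOWN" separately, so the behaviour on a failed query is a deliberate choice; the function name ComputerRoleName and the quit-when-unknown decision are my own assumptions. It is meant to be pasted at the very top of the logon script, before the existing On Error Resume Next.

```vbscript
' Added example: returns "WORKSTATION", "SERVER" or "UNKNOWN" from
' Win32_ComputerSystem.DomainRole. Function name is an assumption.
Function ComputerRoleName()
    Dim objWMIService, colComputers, objComputer
    ComputerRoleName = "UNKNOWN"
    ' Error handling is scoped to this function so a WMI failure does not
    ' silently leak into the rest of the logon script.
    On Error Resume Next
    Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
    If Err.Number <> 0 Then
        Err.Clear
        Exit Function
    End If
    Set colComputers = objWMIService.ExecQuery("Select DomainRole from Win32_ComputerSystem")
    If Err.Number <> 0 Then
        Err.Clear
        Exit Function
    End If
    For Each objComputer In colComputers
        Select Case objComputer.DomainRole
            Case 0, 1
                ' standalone workstation / member workstation
                ComputerRoleName = "WORKSTATION"
            Case 2, 3, 4, 5
                ' standalone server / member server / backup DC / primary DC
                ComputerRoleName = "SERVER"
        End Select
    Next
    On Error GoTo 0
End Function

' Decide up front whether the rest of the logon script should run here.
Dim strRole
strRole = ComputerRoleName()
If strRole = "SERVER" Then
    ' Servers: skip the splash screen and drive mappings entirely.
    WScript.Quit 0
ElseIf strRole = "UNKNOWN" Then
    ' WMI did not answer. Quitting is the conservative choice when the script
    ' must never run on a server; continuing keeps workstation users working
    ' even when WMI is broken. Pick one deliberately (assumption: quit).
    WScript.Quit 0
End If

' ... the original logon script continues here (On Error Resume Next,
' object creation, MapIt calls and so on).
```

The difference from the original snippet is only in the "UNKNOWN" branch: the original treats a failed query the same as a server, which is safe for the poster's goal but confusing to troubleshoot when a workstation stops mapping drives; keeping the two cases separate makes that visible in the code.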
