  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2493

Disable Logon Scripts

I have several people that need to logon to servers that have a logon script enabled on their AD account.
I need to know if it is possible to disable the logon script via GPO or other means from running when these users logon to my servers.
1 Solution
VERY IMPORTANT! The first step to this is to make sure that the GPO that runs the script doesn't do anything else.  If it does please create a GPO just for the script.  Make sure it has the same permissions as the original GPO.  (Don't forget to remove the script from the original GPO)

Second create a security group in Active Directory call it something like "ThoseDeniedLoginScript" and add the people to it that you don't want the script to run on.

Thirdly, back in Group Policies, in the security for the GPO that runs the script, Add the group "ThoseDeniedLoginScript" and then under permissions give [Read-Allow] and [Apply Group Policy - Deny]

The reason this will work is because in Windows "Deny" always wins over "Allow".  So for the people who are in both groups (one that allows and the other that denies), the script will not run.

Hope this is what you were looking for.  It sounded like you know at least a little bit about getting around in AD and Group Policies so I did not get too detailed about which buttons to push.  If you would like, just ask, and I can direct you through with more detail.
If it were a logon script defined in a GPO, you could do this with a Loopback policy in Replace mode applied to your servers.
Loopback Processing of Group Policy

But since the logon script is defined in the user's properties in AD (if I understood you correctly), you can't prevent this through a GPO.
You can fix this by changing the logon script, though, either by checking the computer name (if you have a naming scheme like srv-01, ws-01 or whatever), or by checking if the machine's role is "WORKSTATION".
You didn't specify what type of script you're using, in batch it would be a one-liner:
net accounts | find "WORKSTATION" || goto :eof


omen1280Author Commented:
thanks for both comments but it sounds easier to add the line to the logon script since it is only about 4 users and they all have the same logon script.
So the workstation entry in the script will check if the computer they are logging on to is a server or a PC?
Yes (if you're actually using a batch script).
"net accounts" will display the machine's role, and if this doesn't return "WORKSTATION", the script will be left immediately.
omen1280Author Commented:
I put the line in at the top of my script but I got the error in the screen shot attached.
Below is also a snippet of my logon script.
Please tell me what I did wrong.
On Error Resume Next
Dim objFSO,objFILE,objFolder,objShell,objNetwork,strUser,strPath
Set objFSO=CreateObject("Scripting.FileSystemObject")
Set objShell=CreateObject("Wscript.Shell")
Set objNetwork=CreateObject("Wscript.Network")
'MAP Splash Screen
objShell.Run "\\njdc01\netlogon\splash.exe"
'Map network drives
MapIt "U:","\\HOMESERVER\USER\" & objNetwork.UserName
If IsAMemberOf(objNetwork.UserDomain,objNetwork.UserName,"ITDepartment") Then MapIt "S:","\\mapdpfs01\departments\it"
If IsAMemberOf(objNetwork.UserDomain,objNetwork.UserName,"ITDepartment") Then MapIt "T:","\\nas\software"
If IsAMemberOf(objNetwork.UserDomain,objNetwork.UserName,"Operations Managers") Then MapIt "O:","\\mapdpfs01\common\opsmgmt"
'Compare the user name with "=" (the posted line had a typo, objNewtwork, and called UserName like a function)
If LCase(objNetwork.UserName)="jchromcik" Then MapIt "h:","\\njresource\helpstar"
'Map printers
If IsAMemberOf(objNetwork.UserDomain,objNetwork.UserName,"ITDepartment") Then AddPrinterConnection "\\homeserver\IT4100N"
If IsAMemberOf(objNetwork.UserDomain,objNetwork.UserName,"ITDepartment") Then AddPrinterConnection "\\homeserver\HELPDESK"
'Helper routines the snippet calls but the post did not include (minimal versions)
Sub MapIt(strDrive,strShare)
  objNetwork.MapNetworkDrive strDrive,strShare
End Sub
Sub AddPrinterConnection(strPrinter)
  objNetwork.AddWindowsPrinterConnection strPrinter
End Sub
Function IsAMemberOf(strDomain,strUser,strGroup)
  Dim objGroup
  IsAMemberOf=False
  For Each objGroup In GetObject("WinNT://" & strDomain & "/" & strUser & ",user").Groups
    If LCase(objGroup.Name)=LCase(strGroup) Then IsAMemberOf=True
  Next
End Function


Guess why I wanted to know what type of script you're using ...
Add the script below at the beginning of your script.

Identifying Computer Roles

' Identify whether this machine is a workstation or a server via WMI
Dim objWMIService, colComputers, objComputer, strComputerRole
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
Set colComputers = objWMIService.ExecQuery("Select DomainRole from Win32_ComputerSystem")
For Each objComputer In colComputers
  Select Case objComputer.DomainRole
    Case 0, 1       ' standalone or member workstation
      strComputerRole = "WORKSTATION"
    Case 2, 3, 4, 5 ' standalone or member server, backup or primary domain controller
      strComputerRole = "SERVER"
  End Select
Next
' Leave the script immediately when the user logs on to anything other than a workstation
' (the snippet as first posted was missing the Next and the Quit inside the If)
If strComputerRole <> "WORKSTATION" Then
  WScript.Quit
End If

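The same guard for a PowerShell logon script, as an added example that is not part of the thread: it combines the two checks suggested above, the Win32_ComputerSystem DomainRole value and an optional computer-name prefix, and the prefix list (ws-, pc-) is an assumed naming scheme.

```powershell
# Added example, not from the thread. Maps DomainRole to a role name:
# 0/1 = workstation, 2/3 = server, 4/5 = domain controller.
function Get-ComputerRole {
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    switch ($role) {
        { $_ -in 0, 1 } { 'WORKSTATION' }
        { $_ -in 2, 3 } { 'SERVER' }
        { $_ -in 4, 5 } { 'DOMAINCONTROLLER' }
        default         { 'UNKNOWN' }
    }
}

function Test-RunLogonScript {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        # Assumed naming scheme; leave empty to rely on DomainRole alone
        [string[]]$WorkstationPrefixes = @('ws-', 'pc-')
    )
    $role = Get-ComputerRole
    # Fail closed: drive and printer mappings run only on a confirmed workstation
    if ($role -ne 'WORKSTATION') {
        Write-Verbose "Skipping logon script: $ComputerName reports role $role"
        return $false
    }
    if ($WorkstationPrefixes.Count -gt 0) {
        $match = $WorkstationPrefixes | Where-Object {
            $ComputerName.StartsWith($_, [System.StringComparison]::OrdinalIgnoreCase)
        }
        if (-not $match) {
            Write-Verbose "Skipping logon script: $ComputerName matches no workstation prefix"
            return $false
        }
    }
    return $true
}

# Put this at the top of the logon script; everything below it runs only on workstations
if (-not (Test-RunLogonScript)) { return }
```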

