Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions

How to configure GPOS to only run when logging into remote desktop

Posted on 2009-05-13
Last Modified: 2012-05-06
I know there is a setting for this but cannot recall what it is. I have several GPOS that I only want to execute for users logging into Remote Desktop, and not whenn they first login to their desktop. I am having a problem where some execute for users logging in on there 2000 or XP machines, and it is causing problems.
Question by:tamray_tech

Expert Comment

ID: 24380646
unless they're run manually, Group Policy applies on machine startup, *some* parts run on user logon, and otherwise GPO refreshes every 90 minutes with a 30 minute offset to ensure randomization of host synchronization if my memory serves me correctly..  what specifically are you having problems with and we might be able to off better assistance.

Author Comment

ID: 24380787
We run a Terminal Server environment. Almost all GPOs in Active Directory are geared with that in mind. In particular Usrlogon.cmd has a line in it that calls userlogn2.cmd (these only exist on the RD servers). Usrlogn2.cmd copies down all reg files from the users H: drive for IE, Office, and Outlook. That is fine, since the .cmd files only exist on each Terminal Server. The problem I am having is the GPO for our staff that governss folder redirection, etc, also has a logoff script named logoff.cmd. This script copies up current reg files to the users H: drive. This causes a problem when the user logs off of their desktop. They do not have anything configured on their PC, so empty,or misconfigured reg files are being copied up to their H: drive. when they login to RD the empty or misconfigured reg files are copied down, so they lose their email settings, etc...

LVL 57

Expert Comment

by:Mike Kline
ID: 24380816
What you could do is use loopback processing.  GP MVP Darren Mar-Elia has a good blog entry on that here:
The the policy would be linked at the OU where the TS servers aer and since loopback would be enabled it would affect the users logging on to the TS boxes but won't apply to their desktops.
LVL 18

Accepted Solution

Americom earned 500 total points
ID: 24381404
If you want user configuration to apply when they logon to server via RDP(to servers or terminal servers), then the GPO needs to link to the OU with the serves and enable loopback processing as Mike suggested above. But you may not want to have the usrlogn2.cmd apply to all users, may be you don't want it to apply to certain group of users like administrators etc. If that's the case you may want to take a look at this link http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_24170112.html
This thread shows you how loopback GPO being used with step-by-step example.

Expert Comment

ID: 24386065
It sounds like you're looking to only apply Usrlogn2.cmd (or any other terminal server specific scripts) when anyone logs in via terminal services only.  correct?  and if so, it seems like you just need to modify your scripts a bit...

are there any environemental changes between terminal service connections vs. normal logon?  like the profile path?  http://support.microsoft.com/kb/246132

If so, then your fix is relatively easy:  only apply your TS scripts in your TS environment.  ergo. add something to your script like:

If %home_directory% = myTerminalSvcHome Then
    call TS_Specific_cmd_files
// Run your normal logon script files.
end if

i can provide code if this is something you'd like to do... however i need to know some absolute difference between your TS environment and your normal logon environment that can be tested for with a script.  also.. what language?   vbs, autoit, kix, batch, perl?   ...that's all i can offer (and batch might be more of a pain than it's worth)

Featured Post

Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In-place Upgrading Dirsync to Azure AD Connect
This article explains the steps required to use the default Photos screensaver to display branding/corporate images
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

829 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question