Solved

How to configure GPOs to only run when logging into remote desktop

Posted on 2009-05-13
Last Modified: 2012-05-06
I know there is a setting for this but cannot recall what it is. I have several GPOs that I only want to execute for users logging into Remote Desktop, and not when they first log in to their desktop. I am having a problem where some execute for users logging in on their 2000 or XP machines, and it is causing problems.
0
Question by:tamray_tech
5 Comments
 
LVL 4

Expert Comment

by:internetsavant
ID: 24380646
Unless they're run manually, Group Policy applies on machine startup, *some* parts run on user logon, and otherwise GPO refreshes every 90 minutes with a 30 minute offset to ensure randomization of host synchronization, if my memory serves me correctly. What specifically are you having problems with? We might be able to offer better assistance.
0
 

Author Comment

by:tamray_tech
ID: 24380787
We run a Terminal Server environment. Almost all GPOs in Active Directory are geared with that in mind. In particular, Usrlogon.cmd has a line in it that calls Usrlogn2.cmd (these only exist on the RD servers). Usrlogn2.cmd copies down all reg files from the users' H: drive for IE, Office, and Outlook. That is fine, since the .cmd files only exist on each Terminal Server. The problem I am having is that the GPO for our staff that governs folder redirection, etc., also has a logoff script named logoff.cmd. This script copies up current reg files to the users' H: drive. This causes a problem when the user logs off of their desktop. They do not have anything configured on their PC, so empty or misconfigured reg files are being copied up to their H: drive. When they log in to RD, the empty or misconfigured reg files are copied down, so they lose their email settings, etc...

0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 24380816
What you could do is use loopback processing. GP MVP Darren Mar-Elia has a good blog entry on that here:
http://sdmsoftware.com/blog/2009/01/please_explain_loopback_proces.html
The policy would be linked at the OU where the TS servers are, and since loopback would be enabled it would affect the users logging on to the TS boxes but won't apply to their desktops.
Thanks
Mike
0
 
LVL 18

Accepted Solution

by:
Americom earned 500 total points
ID: 24381404
If you want user configuration to apply when they log on to a server via RDP (to servers or terminal servers), then the GPO needs to be linked to the OU with the servers, with loopback processing enabled as Mike suggested above. But you may not want to have the usrlogn2.cmd apply to all users; maybe you don't want it to apply to a certain group of users like administrators, etc. If that's the case you may want to take a look at this link: http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_24170112.html
This thread shows you how a loopback GPO is used, with a step-by-step example.
0
 
LVL 4

Expert Comment

by:internetsavant
ID: 24386065
It sounds like you're looking to only apply Usrlogn2.cmd (or any other terminal server specific scripts) when anyone logs in via terminal services only. Correct? And if so, it seems like you just need to modify your scripts a bit...

Are there any environmental changes between terminal service connections vs. normal logon? Like the profile path? http://support.microsoft.com/kb/246132

If so, then your fix is relatively easy: only apply your TS scripts in your TS environment. Ergo, add something to your script like:

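rem %home_directory% and myTerminalSvcHome are placeholders for whatever differs on the TS side.
if /i not "%home_directory%"=="myTerminalSvcHome" goto normal
    rem Terminal Server session: run the TS-specific scripts.
    call TS_Specific_cmd_files
    goto :eof
:normal
rem Run your normal logon script files.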

I can provide code if this is something you'd like to do... however I need to know some absolute difference between your TS environment and your normal logon environment that can be tested for with a script. Also, what language? vbs, autoit, kix, batch, perl? ...That's all I can offer (and batch might be more of a pain than it's worth).
0
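A guarded version of the logoff script discussed in this thread, added here as an example and not posted by any participant: it exits on machines that are not Terminal Servers and refuses to overwrite the saved copy on H: with a missing or near-empty export. The marker path, registry key, file names and size threshold are assumptions, and it assumes reg.exe is available on the Terminal Servers.

```batch
@echo off
rem Added example: guarded logoff.cmd. Not the asker's actual script.
setlocal

rem Per the thread, Usrlogn2.cmd exists only on the RD servers, so its
rem presence is used as the "this is a Terminal Server" test.
rem The System32 location is an assumption; adjust to your layout.
set "TS_MARKER=%SystemRoot%\System32\Usrlogn2.cmd"
if not exist "%TS_MARKER%" goto :eof

rem H: is the home drive used in the thread; stop if it is not mapped.
if not exist "H:\" goto :eof

rem Hypothetical key, file names and threshold; substitute your own.
set "KEY=HKCU\Software\Microsoft\Office"
set "TMPREG=%TEMP%\office_settings.reg"
set "DEST=H:\office_settings.reg"
set "MIN_BYTES=1024"

rem Nothing to save if the key does not exist in this profile.
reg query "%KEY%" >nul 2>&1
if errorlevel 1 goto :eof

rem Export to a local temp file first so a failed export never touches H:.
if exist "%TMPREG%" del "%TMPREG%"
reg export "%KEY%" "%TMPREG%" >nul 2>&1
if errorlevel 1 goto cleanup
if not exist "%TMPREG%" goto :eof

rem An export of an unconfigured key is only a header and a key name.
rem Skip the copy when the file is smaller than the chosen threshold.
for %%F in ("%TMPREG%") do if %%~zF LSS %MIN_BYTES% goto cleanup

copy /y "%TMPREG%" "%DEST%" >nul

:cleanup
if exist "%TMPREG%" del "%TMPREG%"
endlocal
```

The same file-existence test can be placed at the top of the existing logoff.cmd if the GPO stays linked where it is; with the loopback approach from the accepted solution, the size check still protects against uploading an unconfigured profile.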
