

How to configure GPOs to only run when logging into remote desktop

Posted on 2009-05-13
Medium Priority
Last Modified: 2012-05-06
I know there is a setting for this but cannot recall what it is. I have several GPOs that I only want to execute for users logging into Remote Desktop, and not when they first log in to their desktop. I am having a problem where some execute for users logging in on their 2000 or XP machines, and it is causing problems.
Question by:tamray_tech

Expert Comment

ID: 24380646
Unless they're run manually, Group Policy applies on machine startup, *some* parts run on user logon, and otherwise GPO refreshes every 90 minutes with a 30 minute offset to ensure randomization of host synchronization, if my memory serves me correctly. What specifically are you having problems with? We might be able to offer better assistance.

Author Comment

ID: 24380787
We run a Terminal Server environment. Almost all GPOs in Active Directory are geared with that in mind. In particular, Usrlogon.cmd has a line in it that calls Usrlogn2.cmd (these only exist on the RD servers). Usrlogn2.cmd copies down all reg files from the user's H: drive for IE, Office, and Outlook. That is fine, since the .cmd files only exist on each Terminal Server. The problem I am having is that the GPO for our staff that governs folder redirection, etc., also has a logoff script named logoff.cmd. This script copies up current reg files to the user's H: drive. This causes a problem when the user logs off of their desktop. They do not have anything configured on their PC, so empty or misconfigured reg files are being copied up to their H: drive. When they log in to RD, the empty or misconfigured reg files are copied down, so they lose their email settings, etc.


Expert Comment

by:Mike Kline
ID: 24380816
What you could do is use loopback processing.  GP MVP Darren Mar-Elia has a good blog entry on that here:
The policy would be linked at the OU where the TS servers are, and since loopback would be enabled it would affect the users logging on to the TS boxes but won't apply to their desktops.

Accepted Solution

Americom earned 2000 total points
ID: 24381404
If you want user configuration to apply when they log on to a server via RDP (to servers or terminal servers), then the GPO needs to be linked to the OU with the servers, with loopback processing enabled as Mike suggested above. But you may not want to have Usrlogn2.cmd apply to all users; maybe you don't want it to apply to a certain group of users, like administrators, etc. If that's the case, you may want to take a look at this link
This thread shows how a loopback GPO is used, with a step-by-step example.

Expert Comment

ID: 24386065
It sounds like you're looking to only apply Usrlogn2.cmd (or any other terminal server specific scripts) when anyone logs in via terminal services only. Correct? And if so, it seems like you just need to modify your scripts a bit...

Are there any environmental changes between terminal service connections vs. normal logon? Like the profile path?

If so, then your fix is relatively easy: only apply your TS scripts in your TS environment. Ergo, add something to your script like:

If %home_directory% = myTerminalSvcHome Then
    call TS_Specific_cmd_files
// Run your normal logon script files.
end if

I can provide code if this is something you'd like to do... however, I need to know some absolute difference between your TS environment and your normal logon environment that can be tested for with a script. Also, what language? vbs, autoit, kix, batch, perl? ...that's all I can offer (and batch might be more of a pain than it's worth).
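
An added example, not part of the thread: a guard for the staff GPO's logoff.cmd that uses the difference the question author already named (Usrlogn2.cmd exists only on the RD servers) as the test, and that never replaces a saved file with a failed or empty export. The System32 location of Usrlogn2.cmd, the H:\RegBackup folder and the two registry keys are assumptions standing in for the site's own values.

```batch
@echo off
rem logoff.cmd guard (added example, not the question author's script).
rem Assumption: Usrlogn2.cmd sits in %SystemRoot%\System32 on the terminal
rem servers and on no desktop, as the question describes.
setlocal

set "TS_MARKER=%SystemRoot%\System32\Usrlogn2.cmd"
rem Assumption: hypothetical folder on the user's H: drive for the reg files.
set "DEST=H:\RegBackup"

rem Not a terminal server: leave the settings saved on H: untouched.
if not exist "%TS_MARKER%" goto :eof

rem H: is not mapped in this session: nothing to copy to.
if not exist "H:\" goto :eof

if not exist "%DEST%" mkdir "%DEST%"

rem Assumption: placeholder keys; use the keys the site's scripts export.
call :export "HKCU\Software\Microsoft\Office" office.reg
call :export "HKCU\Software\Microsoft\Internet Explorer" ie.reg
goto :eof

:export
rem %1 = registry key, %2 = file name. Export to a local temp file first,
rem then replace the copy on H: only if the export succeeded and the file
rem is not empty, so a bad export cannot overwrite good settings.
set "TMPFILE=%TEMP%\%~2"
if exist "%TMPFILE%" del "%TMPFILE%"
reg export "%~1" "%TMPFILE%" >nul 2>&1
if errorlevel 1 goto :eof
if not exist "%TMPFILE%" goto :eof
for %%F in ("%TMPFILE%") do if %%~zF GTR 0 move /y "%TMPFILE%" "%DEST%\%~2" >nul
goto :eof
```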
