How to configure GPOS to only run when logging into remote desktop

Posted on 2009-05-13
Last Modified: 2012-05-06
I know there is a setting for this but cannot recall what it is. I have several GPOS that I only want to execute for users logging into Remote Desktop, and not whenn they first login to their desktop. I am having a problem where some execute for users logging in on there 2000 or XP machines, and it is causing problems.
Question by:tamray_tech

Expert Comment

ID: 24380646
unless they're run manually, Group Policy applies on machine startup, *some* parts run on user logon, and otherwise GPO refreshes every 90 minutes with a 30 minute offset to ensure randomization of host synchronization if my memory serves me correctly..  what specifically are you having problems with and we might be able to off better assistance.

Author Comment

ID: 24380787
We run a Terminal Server environment. Almost all GPOs in Active Directory are geared with that in mind. In particular Usrlogon.cmd has a line in it that calls userlogn2.cmd (these only exist on the RD servers). Usrlogn2.cmd copies down all reg files from the users H: drive for IE, Office, and Outlook. That is fine, since the .cmd files only exist on each Terminal Server. The problem I am having is the GPO for our staff that governss folder redirection, etc, also has a logoff script named logoff.cmd. This script copies up current reg files to the users H: drive. This causes a problem when the user logs off of their desktop. They do not have anything configured on their PC, so empty,or misconfigured reg files are being copied up to their H: drive. when they login to RD the empty or misconfigured reg files are copied down, so they lose their email settings, etc...

LVL 57

Expert Comment

by:Mike Kline
ID: 24380816
What you could do is use loopback processing.  GP MVP Darren Mar-Elia has a good blog entry on that here:
The the policy would be linked at the OU where the TS servers aer and since loopback would be enabled it would affect the users logging on to the TS boxes but won't apply to their desktops.
LVL 18

Accepted Solution

Americom earned 500 total points
ID: 24381404
If you want user configuration to apply when they logon to server via RDP(to servers or terminal servers), then the GPO needs to link to the OU with the serves and enable loopback processing as Mike suggested above. But you may not want to have the usrlogn2.cmd apply to all users, may be you don't want it to apply to certain group of users like administrators etc. If that's the case you may want to take a look at this link
This thread shows you how loopback GPO being used with step-by-step example.

Expert Comment

ID: 24386065
It sounds like you're looking to only apply Usrlogn2.cmd (or any other terminal server specific scripts) when anyone logs in via terminal services only.  correct?  and if so, it seems like you just need to modify your scripts a bit...

are there any environemental changes between terminal service connections vs. normal logon?  like the profile path?

If so, then your fix is relatively easy:  only apply your TS scripts in your TS environment.  ergo. add something to your script like:

If %home_directory% = myTerminalSvcHome Then
    call TS_Specific_cmd_files
// Run your normal logon script files.
end if

i can provide code if this is something you'd like to do... however i need to know some absolute difference between your TS environment and your normal logon environment that can be tested for with a script.  also.. what language?   vbs, autoit, kix, batch, perl?   ...that's all i can offer (and batch might be more of a pain than it's worth)

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Mapping Drives using Group policy preferences Are you still using old scripts to map your network drives if so this article will show you how to get away for old scripts and move toward Group Policy Preference for mapping them. First things f…
Is your Office 365 signature not working the way you want it to? Are signature updates taking up too much of your time? Let's run through the most common problems that an IT administrator can encounter when dealing with Office 365 email signatures.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

862 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

28 Experts available now in Live!

Get 1:1 Help Now