We help IT Professionals succeed at work.

Prevent User Logon Script from running

3,218 Views
1 Endorsement
Last Modified: 2012-04-25
Hello -

I have a domain group policy configured to run a script for an application.  The script runs in the user configuration > Windows settings > scripts > logon parameter.  The GPO is linked to the OU where the users accounts are located, and the security settings for the GPO is assigned to user AD group (not machine).  

I have a training environment setup and I need to prevent the script above from executing on the training computers as I need another script to run only on the training machines.  However, if a user logs on to one of the training machines and the user is part of the AD group tied to the GPO, as mentioned above, the logon script that I am preventing to run is going to execute, which can caused issues on the training machines.  I need to prevent this from happening and at the same time I need the training script to execute instead.

Thank you.
Comment
Watch Question

CERTIFIED EXPERT
Top Expert 2014
Commented:
This one is on us!
(Get your first solution completely free - no credit card required)
UNLOCK SOLUTION
CERTIFIED EXPERT
Top Expert 2014

Commented:
Another link that provides a good description and guidance.
http://msmvps.com/blogs/cgross/archive/2009/10/12/group-policy-loopback-processing.aspx

The actual loopback setting is under Computer Configuration | Administrative Templates | System | Group Policy | User Group Policy Loopback Processing Mode
It is helpful to pay attention to the precedence of GPO (i.e. the order in which they are processed) when using this, as you will want your GPO that contain user settings to be applied after the GPO that contains the loopback setting.
yo_beeDirector of Information Technology
CERTIFIED EXPERT

Commented:
People just mentioning Loopback, but no one is saying how to apply it.

You will need three separate OU's for your computer division (production & training)nand users  Configure two GPO's  for the computer ou with Loopback enable and user logon script configured with your script.
GPO Training: logon script A
GPO Production: logon script B

Remove all logon script from your Users OU

If you have the GPO 's all applied above the users and computer OU you will need to segment them or block inheridence.  

This should get you the desired results that you are looking for.
CERTIFIED EXPERT
Top Expert 2014

Commented:
yo_bee, I already mentioned that a separate OU is needed for the training computers, and that the GPOs would link to it.  isstechy mentioned that the logon script meant for a specific group of users is already applied to a separate users OU, and is working as it should.  I wouldn't complicate things by applying a separate policy with loopback processing meant for production, it just isn't necessary.  With the loopback processing mode set to "replace",  there is no need to block inheritance on the OU, as this would also complicate things, requiring GPOs with computer settings to be re-linked to this new "training" computer OU.
yo_beeDirector of Information Technology
CERTIFIED EXPERT
Commented:
This one is on us!
(Get your first solution completely free - no credit card required)
UNLOCK SOLUTION
CERTIFIED EXPERT
Top Expert 2014

Commented:
yo_bee, we're on the same page about creating an additional OU and not reconfiguring any existing ones.  And to be clear, it's not that I think your method will not work, but personally I wouldn't use loopback processing for the production OU, since to my mind this would involve reconfiguration.

No offense taken, we're both trying to provide a good resolution.  I hope I didn't come across too strong.  Cheers.  :)
Director of Information Technology
CERTIFIED EXPERT
Commented:
This one is on us!
(Get your first solution completely free - no credit card required)
UNLOCK SOLUTION
CERTIFIED EXPERT
Top Expert 2014

Commented:
No, with the "replace" mode, only the user policies (and scripts contained within) that are linked to the specific OU (or child OU) with the loopback policy will be applied.  What you're describing in both examples is how the "merge" mode functions.
yo_beeDirector of Information Technology
CERTIFIED EXPERT

Commented:
Good to know.

Thanks
Footech
CERTIFIED EXPERT
Top Expert 2014

Commented:
@ isstechy - Are you needing any more assistance with this?

Author

Commented:
Thank you all for your assistance on this.  I may have found a simpler solution for what I need.  I will just go with a script that checks for the hostname.  So when the hostname matches it runs the script otherwise it will skip to EOF.  Thanks.
yo_beeDirector of Information Technology
CERTIFIED EXPERT

Commented:
You can also create a GPO with  WMI filtering applied for Machine names similar to what you are doing with your script.
CERTIFIED EXPERT
Top Expert 2014

Commented:
@ isstechy - And this is going to be a logon script applied via GPO (because earlier you mentioned needing to run based on user as well)?  I think it will be a little less dynamic since you'll have to maintain the list of hostnames, but that may not be an issue for you.  I don't know if it's simpler, just depends on what you're more comfortable with.  Did you try setting up loopback processing and you couldn't get it to work, or do you just not want to go that route?
yo_beeDirector of Information Technology
CERTIFIED EXPERT

Commented:
These are all good practices to apply and see what works for you.
The more you learn the workings of GP the more you can really control your setup.

I  would give them all a try.
Unlock the solution to this question.
Join our community and discover your potential

Experts Exchange is the only place where you can interact directly with leading experts in the technology field. Become a member today and access the collective knowledge of thousands of technology experts.

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.