isstechy

asked on
Prevent User Logon Script from running

Hello -

I have a domain group policy configured to run a script for an application. The script runs in the User Configuration > Windows Settings > Scripts > Logon parameter. The GPO is linked to the OU where the user accounts are located, and the security settings for the GPO are assigned to a user AD group (not machine).

I have a training environment set up and I need to prevent the script above from executing on the training computers, as I need another script to run only on the training machines. However, if a user logs on to one of the training machines and the user is part of the AD group tied to the GPO, as mentioned above, the logon script that I am trying to prevent from running is going to execute, which can cause issues on the training machines. I need to prevent this from happening and at the same time I need the training script to execute instead.

Thank you.
SOLUTION
footech
Another link that provides a good description and guidance.
http://msmvps.com/blogs/cgross/archive/2009/10/12/group-policy-loopback-processing.aspx

The actual loopback setting is under Computer Configuration | Administrative Templates | System | Group Policy | User Group Policy Loopback Processing Mode.
It is helpful to pay attention to the precedence of GPOs (i.e. the order in which they are processed) when using this, as you will want your GPOs that contain user settings to be applied after the GPO that contains the loopback setting.
People just mention Loopback, but no one is saying how to apply it.

You will need three separate OUs for your computer division (production & training) and users. Configure two GPOs for the computer OUs with Loopback enabled and a user logon script configured with your script.
GPO Training: logon script A
GPO Production: logon script B

Remove all logon scripts from your Users OU.

If you have the GPOs all applied above the users and computer OUs you will need to segment them or block inheritance.

This should get you the desired results that you are looking for.
yo_bee, I already mentioned that a separate OU is needed for the training computers, and that the GPOs would link to it. isstechy mentioned that the logon script meant for a specific group of users is already applied to a separate users OU, and is working as it should. I wouldn't complicate things by applying a separate policy with loopback processing meant for production; it just isn't necessary. With the loopback processing mode set to "replace", there is no need to block inheritance on the OU, as this would also complicate things, requiring GPOs with computer settings to be re-linked to this new "training" computer OU.
SOLUTION
yo_bee, we're on the same page about creating an additional OU and not reconfiguring any existing ones. And to be clear, it's not that I think your method will not work, but personally I wouldn't use loopback processing for the production OU, since to my mind this would involve reconfiguration.

No offense taken, we're both trying to provide a good resolution.  I hope I didn't come across too strong.  Cheers.  :)
ASKER CERTIFIED SOLUTION
No, with the "replace" mode, only the user policies (and scripts contained within) that are linked to the specific OU (or child OU) with the loopback policy will be applied. What you're describing in both examples is how the "merge" mode functions.
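Since "replace" versus "merge" decides which logon scripts actually run on a training machine, a quick way to confirm which mode a computer received is to read the value the loopback policy writes to the registry. This is an added check, not code from the thread; the registry location and value meanings are those of the User Group Policy Loopback Processing Mode policy (UserPolicyMode: 1 = merge, 2 = replace).

```powershell
# Added example (not from the thread): report the loopback mode applied to this computer.
# Cross-check with gpresult /r, which lists the GPOs that were actually applied.
function Get-LoopbackMode {
    param(
        # Key written by the loopback policy under Computer Configuration.
        [string]$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    )
    $item  = Get-ItemProperty -Path $KeyPath -Name 'UserPolicyMode' -ErrorAction SilentlyContinue
    $value = if ($null -ne $item) { $item.UserPolicyMode } else { $null }
    switch ($value) {
        $null   { 'NotConfigured' }     # no loopback GPO has reached this computer
        0       { 'Disabled' }
        1       { 'Merge' }             # user's own GPOs first, then the computer OU's user settings on top
        2       { 'Replace' }           # only user settings from GPOs linked to the computer's OU
        default { "Unknown($value)" }
    }
}

# On a training machine set up as footech describes, this should print "Replace".
Get-LoopbackMode
```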
Good to know.

Thanks
Footech
@ isstechy - Are you needing any more assistance with this?
isstechy

ASKER

Thank you all for your assistance on this. I may have found a simpler solution for what I need. I will just go with a script that checks for the hostname. So when the hostname matches it runs the script; otherwise it will skip to EOF. Thanks.
You can also create a GPO with WMI filtering applied for machine names, similar to what you are doing with your script.
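As an added example that is not part of the thread, here is a PowerShell logon script that gates on the computer name the way isstechy describes, plus a local test of the kind of WQL query yo_bee's WMI-filter approach would use. The host names, the TRN- naming pattern and the training script path are constructed placeholders.

```powershell
# Added example (not from the thread): run the training script only on listed machines,
# and let an admin test a machine-name WMI filter query locally before linking the GPO.

# Constructed list of training machines; maintain this as machines are added or retired.
$TrainingHosts = @('TRN-PC01', 'TRN-PC02', 'TRN-PC03')

function Test-TrainingHost {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [string[]]$AllowedHosts = $TrainingHosts
    )
    # Exact (case-insensitive) match against the maintained list: no wildcards,
    # so a host such as TRN-PC010 cannot match through a shared prefix.
    return ($AllowedHosts -contains $ComputerName)
}

function Test-WmiFilterMatch {
    param(
        # The same WQL you would enter in the GPO WMI filter (namespace root\CIMv2).
        [string]$Query = "SELECT Name FROM Win32_ComputerSystem WHERE Name LIKE 'TRN-%'"
    )
    # Runs the filter query on this computer; $true means the GPO filter would let it apply.
    $result = Get-CimInstance -Namespace 'root\CIMv2' -Query $Query -ErrorAction SilentlyContinue
    return ($null -ne $result)
}

# Logon-script entry point: on non-training machines do nothing and leave,
# mirroring the "otherwise skip to EOF" behaviour described above.
if (-not (Test-TrainingHost)) {
    Write-Verbose "$env:COMPUTERNAME is not a training machine; nothing to do."
    return
}

# Constructed path to the training-only script, next to this file when run from a GPO.
$base = if ($PSScriptRoot) { $PSScriptRoot } else { $PWD.Path }
$TrainingScript = Join-Path $base 'training-setup.ps1'
if (Test-Path $TrainingScript) {
    & $TrainingScript
} else {
    Write-Warning "Training script not found at $TrainingScript"
}
```

Run `Test-WmiFilterMatch` interactively on a candidate machine to see whether the WQL pattern matches it before relying on the filter in the GPO.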
@ isstechy - And this is going to be a logon script applied via GPO (because earlier you mentioned needing to run based on user as well)? I think it will be a little less dynamic since you'll have to maintain the list of hostnames, but that may not be an issue for you. I don't know if it's simpler; it just depends on what you're more comfortable with. Did you try setting up loopback processing and you couldn't get it to work, or do you just not want to go that route?
These are all good practices to apply; see what works for you.
The more you learn the workings of GP, the more you can really control your setup.

I would give them all a try.