Stop login scripts from running when logging in to a Terminal Server


We are trying to stop users running their login scripts when logging into our terminal servers.  

Whilst the users have a bit more freedom on their actual desktops, the terminal servers are locked down quite heavily, with all desktop icons and IE settings delivered through GPOs.  There are a heap of other security items also controlled through GPOs; all in all we have tried to use GPOs for as much as possible to minimise the individual terminal server config etc.

The users logging into the servers come from various parts of the business, and have different login scripts that perform a lot of unrequired tasks on the terminal servers.  As a stopgap we have disabled access to cmd through GPO, which effectively stops the login script from running, but there is another issue that comes from this.  An error message is displayed on login, albeit minimised.  As a result the desktop stops loading until the user maximises the message and clicks OK, after which the desktop continues to load.

That said, we would like a better method of stopping the login scripts from running on the terminal servers.  We’d like a method that is transparent to the end user, with no error messages etc.  We also don’t want a solution that requires us to modify login scripts, as we can’t control the login scripts, which may change and break things.

We’ve done some searching and can’t seem to locate a specific GPO setting, but would hope someone can make a suggestion that will cover this off.  Hope that makes sense, but if not let me know.

Mohammed Khawaja (Manager - Infrastructure: Information Technology) commented:
I have set 'Prevent access to the command prompt' as enabled but have a sub-option asking 'Disable the command prompt script processing also?' - I have this set to NO.

Would this help?


Mohammed Khawaja (Manager - Infrastructure: Information Technology) commented:
Logon scripts will still run, but the user will not be able to launch a command prompt.

biggles70 (Author) commented:
Thanks for the feedback so far.

In regards to loopback processing of the GPOs, we're already using this to apply the User Settings for users that log in to the terminal servers.

We have also enabled 'Prevent access to the command prompt', but have selected Yes to "Disable the command prompt script processing also".  We selected Yes to stop the login scripts from running, but it does show the minimised error message that the user needs to acknowledge before the rest of the profile loads.  Initially we need to work out how to stop the login scripts from running at all, if possible.

Just as an example, some of the other sites have login scripts that add additional icons to the desktop, and some have roaming profiles, so allowing the login scripts to run does make a mess of the desktop if enabled.

A couple of options we've thought of are as follows:
1. An additional user account without a login script set - not ideal, given the user then needs to remember details for 2 accounts.
2. We'd thought about adding if/then statements to the login scripts to exit when the machine name is the same as one of the terminal servers - again not ideal, given these are maintained by admins at other sites and we don't want to decentralise things.

In case there's any confusion, I've attached a picture to indicate the AD login script that I am referring to that we don't want to run.

biggles70 (Author) commented:
We ended up cheating, in that we created everything on the TS, allowed for multiple screens, and just removed the login scripts altogether from the AD accounts.  We'd tried a few things along the way, but without too much luck, and given the time frames we left accounts without login scripts.  We did desktop redirection and everything else required through GPO as opposed to login scripts.

We did try a few things though:

Set Computer Config -> Policies -> Admin templates -> System/Scripts "Run startup scripts asynchronously" to "Enabled". This allowed the desktop to appear without having to clear the minimised message. (Still set)

We set "Prevent access to the command prompt" to Enabled, and set "Disable the command prompt script processing also" to Yes, as we didn't want any scripts to run. (Still set)

We were using Loopback processing mode (Enabled) when setting User options against the machines. (Still set)

Apologies for leaving this as long as I did to close off etc.
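The approach the author settled on, removing the logon script from the AD accounts of terminal-server users and delivering everything through GPO, can be audited and applied in a controlled way rather than by hand. The script below is an added example, not from this thread; it assumes the RSAT ActiveDirectory module is installed and that terminal-server users are members of a hypothetical group named TS-Users.

```powershell
# Added example (not from the thread): report which users in a terminal-server
# group have an AD logon script (scriptPath) set, and optionally clear it.
# Assumptions: RSAT ActiveDirectory module available; group name is a placeholder.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$GroupName  = 'TS-Users',                 # assumed group name
    [string]$ReportPath = '.\ts-logon-scripts.csv',   # before-change record
    [switch]$Clear                                    # clear only when asked
)

Import-Module ActiveDirectory

# Expand nested groups and read scriptPath explicitly; it is not in the
# default property set returned by Get-ADUser.
$users = Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { Get-ADUser -Identity $_.distinguishedName -Properties scriptPath }

$withScript = @($users | Where-Object { -not [string]::IsNullOrEmpty($_.scriptPath) })

# Record what was set before anything is changed, so a site admin can restore
# an individual account's script later if it turns out to be needed.
if ($withScript.Count -gt 0) {
    $withScript |
        Select-Object SamAccountName, DistinguishedName, scriptPath |
        Export-Csv -Path $ReportPath -NoTypeInformation
}

Write-Host ("{0} of {1} users in {2} have a logon script set; report: {3}" -f
    $withScript.Count, @($users).Count, $GroupName, $ReportPath)

if ($Clear) {
    foreach ($u in $withScript) {
        # ShouldProcess honours -WhatIf / -Confirm, so the change can be
        # previewed before it is committed to the directory.
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, "Clear scriptPath '$($u.scriptPath)'")) {
            Set-ADUser -Identity $u.DistinguishedName -Clear scriptPath
        }
    }
}
```

Run it first without -Clear to get the report, then with -Clear -WhatIf to preview, and finally with -Clear to apply.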
Windows Server 2008