InSearchOf asked:
Login script

We use Trend Micro in our environment. Someone had created a login script that runs a batch file that installs the TM client. I need to exclude certain computers from this script. The script was added to the default domain policy. We run 2008 R2.
Wayne88:
You will need to create a group and a new GPO, then run the GPO only for that group of users or computers instead of the default domain policy, because doing this will run it for everyone in the domain. I don't recommend changing the default domain policy; it contains settings that, by default, apply to all computer and user accounts in the domain, such as the domain password policy, parameters associated with user account lock-out, and password policy. Instead, create a new GPO strictly for the TM install.
SOLUTION (Raheman M. Abdul)
InSearchOf (ASKER):
Thanks for the info. For now it is easier to exclude the devices, because the devices are in different locations and mobile. Can I specify a wildcard for a group of devices that start with the same name but with different numbers?
I found this solution in a previous EE post, 27438747, where someone was asking the same thing but for one computer. Is it possible to add a wildcard to cover a range of computers?

IF "%COMPUTERNAME%"=="NameofCOmp" GOTO END
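An added example (not from this thread or its accepted solution) of the in-script exclusion asked about above: it skips the rest of the batch on computers whose names share a prefix, using cmd substring expansion and a findstr regular expression; the prefix LAPTOP- and the installer step are hypothetical placeholders.

```batch
@echo off
REM Added example, not from the original thread: exclude computers by name
REM pattern before the install logic runs. "LAPTOP-" is a hypothetical prefix.
setlocal

REM 1) Fixed-length prefix match: %COMPUTERNAME:~0,7% is the first 7 characters
REM    of the computer name ("LAPTOP-" is 7 characters). /I ignores case.
if /I "%COMPUTERNAME:~0,7%"=="LAPTOP-" goto END

REM 2) Regular-expression match with findstr: /B anchors at the start of the
REM    name, /R enables regex, so LAPTOP-01, LAPTOP-250 etc. all match while
REM    LAPTOP-OLD does not. No space before the pipe, or it becomes part of the name.
echo %COMPUTERNAME%| findstr /I /R /B /C:"LAPTOP-[0-9]*$" >nul && goto END

REM 3) Substring anywhere in the name: if removing "TEST" changes the string,
REM    the name contained it.
set "NAME=%COMPUTERNAME%"
if /I not "%NAME:TEST=%"=="%NAME%" goto END

REM Existing logic would go here: check whether the client is already
REM installed and, if not, run the installer (placeholder below).
echo Running Trend Micro client install on %COMPUTERNAME%
REM call \\server\share\install-tm.bat   (hypothetical path)

:END
endlocal
exit /b 0
```

As pointed out later in the thread, this still executes the batch on every computer that receives the policy; it only prevents the install step from running there.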
ASKER CERTIFIED SOLUTION
Thanks for the info. The problem is I need to exclude many devices while including all others. The idea of the batch was to install Trend on new computers as they were joined to the domain. The batch checks to see if it is already installed and, if it is, it ends. But I see what you mean as far as always running before it aborts; it has to run anyway no matter what, so it is easier for me to just edit the batch. Unless there is a better way of accomplishing this without running the batch initially.
I know you said the login script runs a batch, but what kind of login script is it?
CMD, VBS or PS? (powershell)

In VBS I have the code to check an AD group, where you could put all the users that do not need the software.
The problem is I need to exclude many devices while including all others
Exactly, the group will do just that
Is your login script in VBScript (vbs, wsh), DOS batch (.bat) command, or PowerShell (ps1)?
No matter what the script is, filtering out computers inside the script will require it to execute unnecessarily on computers that do not require it to run.
True, and since you posted nice screenshots, I support your solution :)
OK. Let me take a closer look here and see. I can see Shaun's point. Can I target an OU instead of a computername?
Can I target an OU instead of a computername?
Yes, any filtering will work
Trying different combinations to create this but not sure of my choices. Let's say I want this script to run on all computers except for laptops, for example. What would be my settings?
Use a WMI filter on the GPO.

Type of RAM:
Select * from Win32_PhysicalMemory WHERE (FormFactor = 12)

-OR-

Detect for battery:
SELECT * FROM Win32_Battery WHERE (BatteryStatus <> 0)

What I tried was:
1. Created a GPO
2. Selected Preferences under Computer Configuration
3. Selected Files under Windows Settings and selected New
4. For Source File I selected the location of the Batch (I put in SYSVOL\domain\scripts)
5. For Destination File I selected CommonAppdataDir (For all users)
6. On the common tab I selected
     a. Remove this item when it is no longer applied
     b. Item-level targeting
7. For Targeting I have
      "the computer's domain is ..." AND "the NetBIOS computer name is not 'name-name'"

I created test OU and attached the GPO to it.
I moved two computers into the test OU and restarted the computers. One should have run the batch and the other not.
None got it.
SOLUTION
OK, I will try that. Doesn't a restart accomplish the same thing?
After 15 min the GP should apply.
But with Microsoft, we use the word "should" :)
That did not work.
Not seeing it anywhere
When I run gpresult /r I do not see the GPO I created.
Do you have any error when you run:
cmd.exe
gpupdate /force
No.
Does it make a difference where on the server I put the batch file I want computers to pull down and run? I don't want the batch to run on certain computers but I do want it to run on others.