[gptalk] Re: Bat File Not Executing.

  • From: "Harry Singh" <hboogz@xxxxxxxxx>
  • To: gptalk@xxxxxxxxxxxxx
  • Date: Fri, 5 Sep 2008 14:30:27 -0400

Thanks for the reply Darren, here goes.

I believe I came across a thread here, or it could have been somewhere else,
that mentioned when applying a GPO to an OU that consists of only computers,
it would be best to remove "Authenticated Users" and add a Sec group that
has all the computers in it. If Authenticated Users is recommended, I'll
gladly revert back.

I don't have fast logon optimization disabled -- where would I disable that?

I'm calling the vbs script directly from within the GPO as I would a batch
file, as demonstrated by the screenshot. I've also attached the script I
received courtesy of Joe Shonk on the Citrix thinlist.

Remove the txt extension after the vbs.





On Fri, Sep 5, 2008 at 2:15 PM, Darren Mar-Elia <darren@xxxxxxxxxx> wrote:

>  Harry-
>
> Just out of curiosity, if the computers are in their own OU, why are you
> using security filtering on top of that? Keep in mind that a computer won't
> pick up its new group membership until a reboot, but since you're doing that
> anyway, I suspect that is not the issue.
>
>
>
> With respect to the software installation, have you disabled fast logon
> optimization on these machines? If not, then the SI package could take a
> couple of reboots to get picked up. If so, then I would check the
> application event log on the machine for a event of type "Application
> Management" as this will indicate whether there is some error with the
> processing of the package.
>
>
>
> Can you post your VBScript code here and also let us know how you're
> calling it? I think you said you were calling it from the parameters on a
> batch file?
>
>
>
> Darren
>
>
>
> *From:* gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] *On
> Behalf Of *Harry Singh
> *Sent:* Friday, September 05, 2008 10:47 AM
>
> *To:* gptalk@xxxxxxxxxxxxx
> *Subject:* [gptalk] Re: Bat File Not Executing.
>
>
>
> Hi All -
>
> So, I finally have been able to put this GPO into production and have
> something interesting, albeit frustrating.
>
> I placed the computers I want this GPO to run against within their own
> "Computers" OU.
>
>  I then created a security group and put all these computers within this
> security group
>
> I then removed " Authenticated Users" from the security of the GPO and just
> put the above mentioned security group.
>
> I found that the policy does run, as noted in the attached gpresult log (
> delprof-test ) is the GPO in question, but the startup VBS script to delete
> profiles, does not run. I also assigned UPH clean but have noticed that
> didn't install either. These are the only two machine based settings applied
> on this GPO and neither of them are running, but the GPO is being executed
> on the machines.
>
> any thoughts ?
>
>
>  On Thu, Aug 7, 2008 at 5:27 AM, Hutchinson, Alan <
> Alan.Hutchinson@xxxxxxxxxxxxxxxxxx> wrote:
>
> Harry,
>
> As I said I haven't yet tried it (probably sometime next week).
>
>
>
> As for your second paragraph - no need to block inheritance; this is
> exactly what loopback processing  in replace mode achieves.
>
>
>
> Regards,
>
>
>
> Alan.
>
>
>  ------------------------------
>
> *From:* gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] *On
> Behalf Of *Harry Singh
> *Sent:* 06 August 2008 18:40
>
>
> *To:* gptalk@xxxxxxxxxxxxx
> *Subject:* [gptalk] Re: Bat File Not Executing.
>
>
>
> Alan,
>
> I was just about to post that, since I subscribe to the THIN list and came
> across that.
>
> Since it's a VBS script, I understand when you add it to the startup of a
> GPO, there are "Script Parameters". I've never leveraged this because,
> truthfully, I really don't know what would be placed in here. Could someone
> provide some insight as to how to properly use that field?
>
> A&M - as far as loopback processing goes, that makes it much clearer, but I
> still need to re-read and implement to fully comprehend. I currently have a
> TS/Citrix environment and am trying to wrap my head around understanding
> applying user settings to the same user but different policies. I suppose if
> I block policy inheritance on the GPO that's assigned to the TS servers OU
> and configure machine and user based settings this will only apply to users
> who are logging into that server.
>
>
>  On Wed, Aug 6, 2008 at 1:12 PM, Hutchinson, Alan <
> Alan.Hutchinson@xxxxxxxxxxxxxxxxxx> wrote:
>
> I haven't tried it yet but came across this from another freelist which may
> do what you want when you've sorted script execution :
>
>
>
>
>
>
> http://www.theshonkproject.com/index.php?option=com_content&task=view&id=27&Itemid=31
>
>
>
> Regards,
>
>
>
> Alan.
>
>
>  ------------------------------
>
> *From:* gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] *On
> Behalf Of *Nelson, Jamie
> *Sent:* 06 August 2008 16:27
>
>
> *To:* gptalk@xxxxxxxxxxxxx
> *Subject:* [gptalk] Re: Bat File Not Executing.
>
>
>
> Hmm, yeah I can see how that is helpful from the teacher's perspective. If
> I were you I would definitely spend some time troubleshooting why the
> profiles are getting corrupted in the first place. That shouldn't be
> happening.
>
>
>
> As far as your script not executing, I recommend starting it off with
> something basic just to make sure it is actually executing. A good example
> would be piping the contents of ipconfig out to a text file on the C: drive
> or something.
>
>
>
>                 ipconfig >%SYSTEMDRIVE%\ipconfig.txt
>
>
>
> Then go back and verify the file is created after a reboot. That way you
> can be certain the script is actually running. If it is, but the profile is
> not getting deleted, you know you have some kind of logic error in the part
> of the script.
>
>
>
> *From:* gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] *On
> Behalf Of *Harry Singh
> *Sent:* Tuesday, August 05, 2008 6:26 PM
> *To:* gptalk@xxxxxxxxxxxxx
> *Subject:* [gptalk] Re: Bat File Not Executing.
>
>
>
> I'll be glad to elaborate.
>
> This is a lab environment and we've implemented a combination of mandatory
> profiles and GPO to control User configuration settings. Periodically, the
> profile experiences problems and just doesn't load properly. I've run traces
> to see if any network connectivity issues exist between the workstation and
> the server where the profile resides and, although I see some collisions, I
> don't expect that to be the sole root cause. Instead of delving more time
> and resources, we've found by blowing the profile the issues resolve
> themselves --- and as I mentioned, this doesn't happen too frequently, only
> periodically. Now, the lab machines aren't rebooted or turned off nightly,
> so the deleting of profiles on reboot is really a way for us or the teacher
> on site to delete the profiles "on-demand". I'm sure there are alternate
> ways to get this done, and I'm all ears.
>
> So you're saying I can apply a GPO to an OU that just has computer accounts?
>
> "To clarify, loopback policy is used when you want user configuration
> policies to apply based on where the computer object resides instead of the
> user object." That's still a little fuzzy to me, could you provide an
> example that could help me further put this confusing function to rest for
> me?
>
> Thanks
>
>  On Tue, Aug 5, 2008 at 5:27 PM, Nelson, Jamie <Jamie.Nelson@xxxxxxx>
> wrote:
>
> Delprof.exe can't delete a specific user profile, you generally tell it the
> max number of days old a profile can be (from last use) and it will delete
> anything older than that. I still don't understand why you want to delete it
> on every reboot though. Maybe you can be kind enough to elaborate?
>
>
>
> Actually, you were right the first time. For startup scripts to run they
> must be applied to OUs containing computer objects. You don't need loopback
> policy or security filtering for that. To clarify, loopback policy is used
> when you want user configuration policies to apply based on where the
> computer object resides instead of the user object.
>
>
>
> Hope that helps. J
>
>
>
> *From:* gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] *On
> Behalf Of *Harry Singh
> *Sent:* Tuesday, August 05, 2008 4:13 PM
> *To:* gptalk@xxxxxxxxxxxxx
> *Subject:* [gptalk] Re: Bat File Not Executing.
>
>
>
> Jamie,
>
> Yes, the script is deleting the Documents and Settings folder. I agree this
> isn't very clean, but I am having trouble in negotiating the delprof
> command line to delete the profile I want under my specific parameters.
> Specifically, I want the profile to be deleted upon every reboot, either
> during the shutdown or, preferably, during the startup of the machine.
>
> Secondly, I believe my problem was I was applying the GPO to an OU that
> just had the computer accounts. I realized this can't be done, I'd have to
> apply it to the OU containing the LAB user account; since only the Computer
> Config is enabled, the script will execute on whatever machine that user
> logs into, correct? That being said, what should the loopback processing
> setting be on this GPO, if there are no user configured settings on this GPO
> but others?
>
> Just to clear up any confusion, if I want machine specific settings only to
> apply to computer accounts, I need to:
>
>    - Configure the Computer Configuration portion of the GPO.
>    - Create a Security Group and add the respective computer accounts to
>    this group and add it to the permissions of the GPO with the "Apply" GPO
>    permission?
>    - Never apply GPOs to OUs that just have computer accounts
>    - Enable loopback processing on a computer oriented GPO if you have any
>    USER Configuration settings in that GPO, otherwise just leave it disabled or
>    not configured?
>
>
>
> On Tue, Aug 5, 2008 at 4:57 PM, Nelson, Jamie <Jamie.Nelson@xxxxxxx>
> wrote:
>
> When you say "delete the profile" are you just trying to delete the profile
> folder under C:\Documents and Settings? That doesn't truly dump the profile,
> as there are still some registry keys that have to be cleaned up.
>
>
>
> On that note, I don't think deleting the profiles on startup is a good
> practice, even if they are for what I assume are temporary lab user
> accounts. You're better off creating a scheduled task on the machine to run
> the delprof.exe utility (from the Server Resource Kit) which can delete all
> profiles that have not been used in a specified number of days. Just my
> opinion though. You may have valid reason for doing it that way so please
> don't take offense. J
>
>
>
> As far as the script not executing is concerned, did you place it in the
> GPO's "machine\scripts\startup" folder in SYSVOL or somewhere else on your
> network?
>
>
>
> *From:* gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] *On
> Behalf Of *Harry Singh
> *Sent:* Tuesday, August 05, 2008 3:21 PM
> *To:* gptalk@xxxxxxxxxxxxx
> *Subject:* [gptalk] Bat File Not Executing.
>
>
>
> All -
>
> I've added a bat file to the startup script inside of a GPO, the computer
> configuration part of the GPO. The script deletes any profile starting with
> lab* and is supposed to run when the computer is restarted so as to not run
> into any file locks by explorer. However, the folders are not being deleted
> and when I run a gpresult, the script indicates: "This script has not been
> executed"
>
> Any ideas?
>   *
> ------------------------------
> *
>
> *Confidentiality Warning:* This message and any attachments are intended
> only for the use of the intended recipient(s), are confidential, and may be
> privileged. If you are not the intended recipient, you are hereby notified
> that any review, retransmission, conversion to hard copy, copying,
> circulation or other use of all or any portion of this message and any
> attachments is strictly prohibited. If you are not the intended recipient,
> please notify the sender immediately by return e-mail, and delete this
> message and any attachments from your system.
>
>
>
>
>
>
>
>
>
'***************************************************************************
'*
'*  Delete Profiles script written by Joe Shonk ( joe@xxxxxxxxxxxxxxxxxxx)
'*  Version 1.8
'*
'*  Syntax: cscript.exe DeleteProfiles.vbs [/H] [/C] [/L <FILENAME>] [/R] [/V]
'*
'*  This script is provided as-is, no warranty is provided or implied
'*  The author is NOT responsible for any damages or data loss that may occur
'*  through the use of this script.  Always test, test, test before
'*  rolling anything into a production environment
'*
'*  This script is free to use for both personal and business use, however,
'*  it may not be sold or included as part of a package that is for sale.
'*
'*  A Service Provider may include this script as part of their service
'*  offering/best practices provided they only charge for their time
'*  for implementation and support and not as a product item.
'*
'*  For distribution and updates go to: http://www.theshonkproject.com
'*
'***************************************************************************
On Error Resume Next

Const DeleteReadOnly = TRUE
Const HKEY_LOCAL_MACHINE = &H80000002
Const SIDExclusionList = "|S-1-5-18|S-1-5-19|S-1-5-20|"

'***************************************************************************
'*  To add your own profiles to the exclusion list simply add the
'*  account to the end of the ProfileExclusionList.  Note: Each account
'*  is delimited by a | (pipe) and is all lowercase
'*
Const ProfileExclusionList = "|administrator|all users|default user|localservice|networkservice|ctx_smauser|ctx_cpuuser|ctx_cpsvcuser|ctx_streamingsvc|ctx_configmgr|"

Dim strComputer, strLogFileName, strDocAndSettingsLocation
Dim strKeyPath, arrValueNames, arrValueTypes, arrSubKeys
Dim i, strHiveExclusionList, strHiveOpenSkipped, strHiveValue
Dim strSubKey, strGuid, strUserName, strProfileImagePath
Dim dwProfileExclusion, dwSIDExclusion, dwHiveOpenExclusion
Dim flgLogFile, flgWriteConsole, flgVerboseLog, flgAllowExecute, flgHelp
Dim dwArgCount, strNextArg, strCurrentArg

strComputer = "."

Set objReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objArgs = WScript.Arguments

strLogFileName = ""
dwArgCount = 0
flgHelp = False
flgLogFile = False
flgWriteConsole = False
flgVerboseLog = False
flgAllowExecute = True

dwArgCount = objArgs.Count
for i = 0 to dwArgCount - 1
  strCurrentArg = lcase(objArgs(i))
  select case strCurrentArg
    case "-v", "-verbose", "/v", "/verbose"
      flgVerboseLog = True
    case "-c", "-console", "/c", "/console"
      flgWriteConsole = True
    case "-r", "-readonly", "-read", "/r", "/readonly", "/read"
      flgAllowExecute = False
      flgWriteConsole = True
    case "-l", "-log", "/l", "/log"
      if i < (dwArgCount - 1) then
        strNextArg = lcase(objArgs(i + 1))
        if (left(strNextArg, 1) <> "/") and (left(strNextArg, 1) <> "-") then
          flgLogFile = True
          strLogFileName = strNextArg
          i = i + 1
        else
          wscript.echo "Warning: Log Switch Used but No Log Filename Specified."
        end if
      else
        wscript.echo "Warning: Log Switch Used but No Log Filename Specified."
      end if
    case "-h", "-help", "/h", "/help", "-?", "/?"
      flgHelp = True
    case else
      wscript.echo "Unrecognized option: " & objArgs(i)
      flgHelp = True
  end select
next

if flgHelp then
  wscript.echo "Help"
  wscript.echo ""
  wscript.echo "DeleteProfiles.vbs - v1.8"
  wscript.echo "-------------------------"
  wscript.echo ""
  wscript.echo "cscript.exe DeleteProfiles.vbs [/H] [/C] [/L <FILENAME>] [/R] [/V]"
  wscript.echo ""
  wscript.echo "Command Line Options:"
  wscript.echo "  /C            : Write Log to the Console"
  wscript.echo "  /L <FileName> : Create Log File"
  wscript.echo "  /H            : Help (This Screen)"
  wscript.echo "  /R            : Run Script in Read Only Mode (No System Changes)"
  wscript.echo "  /V            : Verbose Logging"
  wscript.echo ""
  wscript.quit
end if

if flgLogFile then Set objLogFile = objFSO.CreateTextFile(strLogFileName)

WriteHeader

'**********************************************************************************
'*   Enumerate a list of loaded Registry Hives.  Delimited by the | character
strHiveExclusionList = "|"
strHiveOpenSkipped = "|"
strKeyPath = "SYSTEM\CurrentControlSet\Control\hivelist"
objReg.EnumValues HKEY_LOCAL_MACHINE, strKeyPath, arrValueNames, arrValueTypes
For i=0 To UBound(arrValueNames)
    strHiveValue = trim(arrValueNames(i))
    strHiveExclusionList = strHiveExclusionList & Right(strHiveValue, len(strHiveValue) - instrrev(strHiveValue, "\")) & "|"
Next

'**********************************************************************************
'*   Enumerate a list of known profiles from the registry
strKeyPath = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"
objReg.EnumKey HKEY_LOCAL_MACHINE, strKeyPath, arrSubKeys

'**********************************************************************************
'*   Parse through the Profile list and Delete the Registry entries and Files associated to the Profile
'*   Provided the profile is not listed in an Exclusion list
WriteLog "Checking Profile List"
WriteLog "---------------------"
If NOT flgAllowExecute then WriteLog "READ ONLY MODE. No changes made."

For Each subkey In arrSubKeys
    strSubKey = ""
    strGuid = ""
    strUserName = ""
    strProfileImagePath = ""
    strSubKey = trim(subkey)
    if (instr(SIDExclusionList, "|" & strSubKey & "|") = 0) and (strSubKey <> "") then
        strKeyPath = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\" & strSubKey
        objReg.GetStringValue HKEY_LOCAL_MACHINE,strKeyPath,"Guid", strGuid
        objReg.GetStringValue HKEY_LOCAL_MACHINE,strKeyPath,"ProfileImagePath", strProfileImagePath

        strUserName = Right(strProfileImagePath, len(strProfileImagePath) - instrrev(strProfileImagePath, "\"))
        WriteLog "Profile"
        If flgVerboseLog then WriteLog "  SID         : " & strSubKey
        If flgVerboseLog then WriteLog "  GUID        : " & strGuid
        WriteLog "  Profile Path: " & strProfileImagePath
        WriteLog "  UserName    : " & strUserName

        dwProfileExclusion = instr(ProfileExclusionList, "|" & trim(lcase(strUserName)) & "|")
        dwSIDExclusion = instr(strHiveExclusionList, "|" & strSubKey & "|")
        If (dwProfileExclusion = 0) and (dwSIDExclusion = 0) then
            WriteLog "  Profile OK to Delete"

            strKeyPath = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\" & strSubKey
            DeleteKey HKEY_LOCAL_MACHINE, strKeyPath

            strKeyPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\" & strSubKey
            DeleteKey HKEY_LOCAL_MACHINE, strKeyPath

            strKeyPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\" & strSubKey
            DeleteKey HKEY_LOCAL_MACHINE, strKeyPath

            strKeyPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\" & strSubKey
            DeleteKey HKEY_LOCAL_MACHINE, strKeyPath

            If strGuid <> "" then
                strKeyPath = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\PolicyGuid\" & strGuid
                DeleteKey HKEY_LOCAL_MACHINE, strKeyPath

                strKeyPath = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileGuid\" & strGuid
                DeleteKey HKEY_LOCAL_MACHINE, strKeyPath
            Else
                WriteLog "  Guid is Blank, Deleting Registry Keys based of Guid has been skipped."
            End if

            If objFSO.FolderExists(strProfileImagePath) then
                WriteLog "  Folder Exists - Deleting"
                If flgAllowExecute then objFSO.DeleteFolder(strProfileImagePath), DeleteReadOnly
            Else
                WriteLog "  Folder Does not Exist"
            End if
        Else
            If dwProfileExclusion then
                WriteLog "  Profile not Deleted --- Username in Profile Exclusion List"
            End if
            If dwSIDExclusion then
                WriteLog "  Profile not Deleted --- User Hive is currently loaded"
                strHiveOpenSkipped = strHiveOpenSkipped & trim(lcase(strUserName)) & "|"
            End if
        End if
    End if
Next

'**********************************************************************************
'*   Get Document and Settings Directory Location from the Registry
strKeyPath = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"
objReg.GetStringValue HKEY_LOCAL_MACHINE,strKeyPath,"ProfilesDirectory", strDocAndSettingsLocation
WriteLog ""
WriteLog "Documents and Settings Path: " & strDocAndSettingsLocation
WriteLog ""
WriteLog "Checking for Orphaned Profile Directories"
WriteLog "-----------------------------------------"
Set objFolder = objFSO.GetFolder(strDocAndSettingsLocation)
Set colSubfolders = objFolder.Subfolders

'**********************************************************************************
'*   Parse through the directory a check for orphaned profile folders and Delete
For Each objSubfolder in colSubfolders
    strUserName = lcase(Right(objSubfolder.Path, len(objSubfolder.Path) - instrrev(objSubfolder.Path, "\")))
    dwProfileExclusion = instr(ProfileExclusionList, "|" & trim(lcase(strUserName)) & "|")
    dwHiveOpenExclusion = instr(strHiveOpenSkipped, "|" & trim(lcase(strUserName)) & "|")
    If (dwProfileExclusion = 0) and (dwHiveOpenExclusion = 0) then
        WriteLog "Deleting Orphaned Profile Directory: " & objSubfolder.Path
        If flgAllowExecute then objFSO.DeleteFolder(objSubfolder.Path), DeleteReadOnly
    Else
        If dwHiveOpenExclusion then
            WriteLog "Hive Loaded      -- Skippped Delete: " & objSubfolder.Path
        End if
        If dwProfileExclusion then
            WriteLog "Profile Excluded -- Skippped Delete: " & objSubfolder.Path
        End if
    End if
Next

WriteFooter
if flgLogFile then objLogFile.Close
' Object references must be released with Set
Set objReg = Nothing
Set objFSO = Nothing
Set objArgs = Nothing

'**********************************************************************************
'*   Deletes All Subkeys and Values within a Given Registry Key
Sub DeleteKey(dwHiveType, strDeleteKeyPath)
    Dim dwReturn, arrDeleteSubKeys, strDeleteSubKey
    dwReturn = objReg.EnumKey(dwHiveType, strDeleteKeyPath, arrDeleteSubKeys)
    If (dwReturn = 0) And IsArray(arrDeleteSubKeys) Then
        For Each strDeleteSubKey In arrDeleteSubKeys
            DeleteKey dwHiveType, strDeleteKeyPath & "\" & strDeleteSubKey
        Next
    End If
    If flgAllowExecute then objReg.DeleteKey dwHiveType, strDeleteKeyPath
    If flgVerboseLog then WriteLog "  Deleting: " & strDeleteKeyPath
End Sub

'**********************************************************************************
'*   Log Header
Sub WriteHeader
    WriteLog "---"
    WriteLog "-- Profile Deletion Script Executed: " & Now
    WriteLog "---"
    WriteLog ""
End Sub

'**********************************************************************************
'*   Log Footer
Sub WriteFooter
    WriteLog ""
    WriteLog "---"
    WriteLog "-- Profile Deletion Script Completed."
    WriteLog "---"
End Sub

'**********************************************************************************
'*   Write String to Log File
Sub WriteLog(strString)
    if flgLogFile then objLogFile.Writeline strString
    if flgWriteConsole then wscript.echo strString
End Sub

Attachment: del-prof-script.png
Description: PNG image
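
The checks raised in the quoted replies above (who holds Apply on the GPO, whether fast logon optimization is disabled, whether the startup script has an execution record, and any Application Management events), collected into one PowerShell script as an added example; it is not part of the original thread or of Joe Shonk's script. `delprof-test` is the GPO name given in the thread; the script-state registry path, the meaning of an all-zero `ExecTime`, and the provider-name match are assumptions to verify on your Windows build.

```powershell
# Added example (not from the thread). Run elevated on an affected lab machine.
param([string]$GpoName = 'delprof-test')   # GPO name as given in the thread

function Test-FastLogonDisabled {
    # Policy "Always wait for the network at computer startup and logon":
    # SyncForegroundPolicy = 1 means fast logon optimization is off.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $p = Get-ItemProperty -Path $key -Name SyncForegroundPolicy -ErrorAction SilentlyContinue
    return ($null -ne $p -and $p.SyncForegroundPolicy -eq 1)
}

function Get-GpoApplyTrustee {
    # Lists every trustee holding "Apply group policy" on the GPO.
    # Needs the GroupPolicy module (RSAT) and domain connectivity.
    param([string]$Name)
    Import-Module GroupPolicy -ErrorAction Stop
    Get-GPPermission -Name $Name -All -ErrorAction Stop |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        ForEach-Object { '{0}\{1} [{2}]' -f $_.Trustee.Domain, $_.Trustee.Name, $_.Trustee.SidType }
}

function Get-StartupScriptState {
    # Assumption: the scripts extension records per-script state under this key,
    # and ExecTime stays all zero until the script has actually been executed.
    $root = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Startup'
    if (-not (Test-Path $root)) { return }
    Get-ChildItem -Path $root -Recurse | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        if ($p.Script) {
            $t = $p.ExecTime
            # ExecTime may be binary or numeric depending on the key; handle both.
            $ran = if ($t -is [byte[]]) { @($t | Where-Object { $_ -ne 0 }).Count -gt 0 } else { [bool]$t }
            [pscustomobject]@{ Script = $p.Script; Parameters = $p.Parameters; HasRun = $ran }
        }
    }
}

function Get-AppMgmtEvent {
    # Software-installation processing errors land in the Application log.
    # Assumption: the provider name contains "Application Management".
    Get-WinEvent -LogName Application -MaxEvents 5000 -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -like '*Application Management*' } |
        Select-Object -First 10 TimeCreated, Id, LevelDisplayName, Message
}

'Fast logon optimization disabled: {0}' -f (Test-FastLogonDisabled)

try {
    'Trustees with Apply permission on {0}:' -f $GpoName
    Get-GpoApplyTrustee -Name $GpoName
} catch {
    'Could not read GPO permissions: {0}' -f $_.Exception.Message
}

'Startup scripts known to this machine:'
Get-StartupScriptState | Format-Table -AutoSize

'Recent Application Management events:'
Get-AppMgmtEvent | Format-List
```

A startup script runs in the computer's security context, so the computer account needs Read and Apply on the GPO (directly or through a group that its current boot session already reflects) and read access to wherever the script file is stored.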
