[gptalk] Re: Running a Batch file at user logon.

  • From: TAZAMAL HUSSAIN <tazamal_hussain@xxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Thu, 31 Jan 2008 13:47:03 +0000

Jakob,
 
Thanks for the quick reply and confirmation.Yes, I agree with you, as to why 
this need would arise. However, it certainly exists out there, for some reason 
or another! :) perhaps misunderstanding during implemetation phase...
 
Without taking this discussion off to another direction, a useful bit of 
knowledge would be the 'few other exceptions' If you have a link for reading, 
that would great...


From: jakob@xxxxxxxxxxxxxxxxx: gptalk@xxxxxxxxxxxxxxxxxxxx: [gptalk] Re: 
Running a Batch file at user logon.Date: Thu, 31 Jan 2008 14:36:20 +0100






Well, yes – that’s another story J
 
It’s correct that you can place account policies on other OUs - or filter them 
in other ways if you like – but the thing is, AD users will still have to 
comply with the policy set as the Highest Priority on the Domain Level 
(actually this is decided by the DCs - or forced on to the DCs - not the member 
computers). Not necessarily the Default Domain Policy – though IMHO it should 
be kept there! There are a few other exceptions where settings are taken from 
the GPO with the Highest Priority on the Domain Level only, but that a bit off 
topic.
 
Account policies in GPOs set on OUs will, as you say, apply to creation of 
Local Accounts on the computers in scope – but I’ve never seen an environment 
where this was important (can’t even imagine why this would be part of a 
design). Also, with third party utilities it is actually possible to have 
multiple account policies in a single AD – but, that doesn’t really count, 
we’re talking default functionality here.
 
As we all know multiple password policies will be available in WS 2008 domain 
environment “out of the box” – the Default Domain Policy (highest priority GPO  
in the domain) will still be “the last stop”, but  Global Security Groups can 
force other password policies on to the users.

 
Regards
/Jakob H. Heidelberg
 


From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of TAZAMAL HUSSAINSent: 31. januar 2008 14:20To: 
gptalk@xxxxxxxxxxxxxxxxxxxx: [gptalk] Re: Running a Batch file at user logon.
 
Guys, I have actually come across multiple account/password policies in certain 
big AD implementations targeted to specific OUs... what happens here? I'm 
guessing they are all ignored and the one set on the defdompol overides, and 
have been told these extra policies targeted to specific OUs will apply to 
locally created user accounts on the machines in those OUs... if that makes 
sense?can anyone confirm this? never got round to testing it....



From: jakob@xxxxxxxxxxxxxxxxx: gptalk@xxxxxxxxxxxxxxxxxxxx: [gptalk] Re: 
Running a Batch file at user logon.Date: Thu, 31 Jan 2008 13:27:03 +0100

Hi Ananth,
 
I think you first need to accept and understand this:
 
1. The Computer Configuration part of a policy applies to Computers only
2. The User Configuration part of a policy applies to Users only
 
You do mention an “exception”, which is account/password policies – it does 
*seem* like that is a Computer Configuration that actually hits Users, but it’s 
not. You can have 1 account policy in a default AD (2000/2003) – it should be 
set in the Default Domain Policy (highest priority GPO on the Domain level) – 
and it can be set _nowhere_ else!!!
 
For your second question – if you have a GPO with BOTH Computer and User 
Configuration policy settings defined – you could apply that on the domain 
level. And, as it has been said previously, the policy setting will “flow down” 
the OU hierarchy in your domain. So, all Computer AND User objects below will 
take on their respective part of the GPO (Computers will take the Comp. Conf. 
and Users will take the User Conf.). Basically, it doesn’t matter how your OU 
structure is, you can have a single OU with all your Computer and User objects 
in it – and then link a single GPO with both Computer and Users settings in it, 
and it works.
 
However, GPO filtering is needed in most cases. You can filter on several 
levels – Site, Domain, Ou + WMI filters + Security filtering (AD security 
groups). You can choose one filtering method, or combine them all.
 
There are “advanced” policy processing options available, like Loopback 
processing etc. – but let’s keep that out of the picture so far ;-)
 
 
Did that help?
 
 
Regards
/Jakob H. Heidelberg
 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Ananth RajagopalSent: 31. januar 2008 11:29To: 
gptalk@xxxxxxxxxxxxxxxxxxxx: [gptalk] Re: Running a Batch file at user logon.
 
Two more queries, I seem to be confused here...Consider this scenario.....We 
have an Account lockout policy.. set at 5 invalid logons. This is in Computer 
configuration.What happens if I link this policy to the OU containing Users? If 
I give the Domain Computers in the scope will the policy work for only these 
users?orShould I create another OU of computers and link this policy and in the 
scope give the user group?For a set of "user and computer configurations" to 
work for a "set of users and computers" of a particular department should there 
be 2 OU's? one for users with user configuration policies linked and the other 
OU with Computers with computer configuration policies linked??hmm.... :-)

On Jan 31, 2008 3:45 PM, Ananth Rajagopal <ananth.rg@xxxxxxxxx> wrote:
Thanks again :-)


 

On Jan 31, 2008 3:42 PM, hans straat <hstraat@xxxxxxx> wrote:

if you have a OU structure and no block inheritance etc configured the policy 
will flow down. OU domain Computers (GPO computer policy apply desktop blabla)  
 OU Site Computers (will get the policy)     OU Site KioskComputers (will get 
the policy)as long as they are nested under the main OU :)But you can do a RSOP 
planning to see if the OU get's the policy (RSOP in GPMC)



Date: Thu, 31 Jan 2008 15:21:24 +0530


From: ananth.rg@xxxxxxxxxxx: gptalk@xxxxxxxxxxxxxxxxxxxx: [gptalk] Re: Running 
a Batch file at user logon.If the policies are linked at the domain level, 
irrespective of whether its a user configuration or computer configuration will 
it run?

On Jan 31, 2008 3:19 PM, Ananth Rajagopal <ananth.rg@xxxxxxxxx> wrote:
Thanks Hans! :-) 


 

On Jan 31, 2008 2:18 PM, hans straat <hstraat@xxxxxxx> wrote:

Anath, Computer configuration policies should be applied on the OU the 
computers you target are located in. Like User policies should be applied to 
the OU the targetted users reside in. regards,Hans Straatwww.datacrash.net 



Date: Thu, 31 Jan 2008 09:15:41 +0530From: ananth.rg@xxxxxxxxx 


To: gptalk@xxxxxxxxxxxxxxxxxxxx: [gptalk] Re: Running a Batch file at user 
logon.Hi Jacob,From the event viewer we got only the RSoP error, "RSoP could 
not be run" anyway we manually ran that script in some 50 systems and now its 
fine as internet explorer homepage was set to this mail server, so its coming 
fine now! We didn't get time to test further, sorry about that, the domain had 
to be up yesterday, its running fine now...Kindly send any more links of your 
articles! it was great reading....cleared a lot of things for us....One basic 
question.... Should Computer Configuration policies be applied on Domain 
Computers or OU of Computers? regardsAnanth :-)

On Jan 29, 2008 4:36 PM, Ananth Rajagopal <ananth.rg@xxxxxxxxx> wrote:
Hi Jacob,Thanks once again for your great support.We are actually testing this 
in a test environment of 6 systems. Except for this one script the rest all are 
working fine.We will do the Gpresult at the earliest and will let you know.I 
haven't checked the event viewer either, will do that right away.regardsAnanth. 


 

On Jan 29, 2008 2:07 PM, Jakob H. Heidelberg <jakob@xxxxxxxxxxxxxxx> wrote:


Hi, It does sound like you did everything needed to make this work – a restart 
is of course needed, but you took care of that you say. As this point it could 
be great if you checked the event viewer for any error on the clients that 
happens during startup. Later you might have to do advanced troubleshooting. 
You should perform the GPRESULT command to see if the computer "picked up" the 
policy at all. Note – you should probably test such a policy isolated the first 
time (limited to an OU with only one computer system within it or alike). 
/Jakob 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Ananth RajagopalSent: 29. januar 2008 09:17To: 
gptalk@xxxxxxxxxxxxxxxxxxxx: [gptalk] Re: Running a Batch file at user logon.


 
Hi Jacob,Thanks for the article. It cleared a lot of doubts.We did as you said, 
but we still couldn't make it work! This how we did it... please go through it 
and advice on where we went wrong!In the Group Policy Objects we created a new 
policy called " Intranet Mail Srv Route"We edited the policy, we set it as  
Computer Configuration>Windows Settings>scripts(Startup/Shutdown)>Startup> we 
showed the UNC path to the script.The scripts is stored in 
"\\Tai2D.ent\SysVol\Tai2D.ent\scripts\mailsrv_route.bat" this path and this 
share is accessible from all systems in the domain. The permission to this 
share is "Authenticated Users Read and Execute"Next, at the domain level we 
gave "Link an existing GPO" gave this GPO and enabled  enforced and link 
enabled.In the Security Filter windows we added "Authenticated Users" and 
"Domain Computers" Next we gave gpupdate /forceWe restarted the systems several 
times but still the new route is not getting added.Please analyze the steps and 
kindly inform us where we have gone wrong. Have we missed anything that you 
have told us? :-)Thanks for the help!regardsAnanth :-)

On Jan 25, 2008 3:49 PM, Jakob H. Heidelberg <jakob@xxxxxxxxxxxxxxx> wrote:


Hi again Ananth, As stated before it would, in most cases, be better to add the 
route once and for all on the clients default gateway. But, you probably have 
your reasons J I think there are some basic things about GP processing and 
filtering you should take a look at. Maybe this blog will help 
you:http://heidelbergit.blogspot.com/2008/01/yes-of-course-you-can-assign-group.html
 Earlier you told me you want to "hit" all systems in the domain – in that case 
all you have to do is: 
1.       Have the script file in a shared directory where Authenticated User or 
Domain Computers have Read access
2.       Create the GPO and point the Startup script to the shared script file 
(Computer Configuration part on the GPO)
3.       Link the GPO to the Domain Level (you don't have to change Permissions 
or anything in this case)
4.       Reboot all machines for the script to be executed (could take 2 
reboots)
 However – I must warn you a bit: this will execute the script during the next 
startup (or two) on ALL domain computers (including servers). Note to #3: If 
all of your computers are in the "My Computers OU" you could just link the GPO 
here (except computers in the Domain Controllers OU would not be hit – if they 
should be hit too you could link the policy to that OU too  and restart them 
one after the other perhaps). If this doesn't execute on the clients you must 
start troubleshooting. Look in the client eventlog to spot for any errors, use 
GPRESULT to be sure the GPO applies to the computers etc. However, I do expect 
this to work. Regards/Jakob 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Ananth RajagopalSent: 25. januar 2008 08:27To: 
gptalk@xxxxxxxxxxxxxxxxxxxx: [gptalk] Running a Batch file at user logon.


 Hi All,We want to add a persistent route to all systems in 192.168.2.x network 
to a server having IP 192.168.3.240.We created a route.bat batch file and 
copied this command Route Add 192.168.3.240 MASK 255.255.255.255 192.168.2.254 
-pThis batch file was copied to 
\\Server.com\SysVol\Server.com\scripts\route.bat folder.The batch file was 
placed in Computer Configuration/Windows Settings/ Scripts/StartupWe created a 
new group called Harmony_Sys in Builtin folder in that Domain. Created a new OU 
called Harmony Systems, moved systems on which this batch file has to be run to 
this OU. Made the computer a member of the group Harmony_Sys group. >From GPMC, 
We applied this route policy to this Harmony Systems OU. But the new route is 
not getting created. Where have we gone wrong, is the procedure 
correct.regardsAnanth.
 
 
 
 
 
 
 
 



Sounds like? How many syllables? Guess and win prizes with Search Charades!
_________________________________________________________________
Who's friends with who and co-starred in what?
http://www.searchgamesbox.com/celebrityseparation.shtml

Other related posts: