[gptalk] Re: Running a Batch file at user logon.

  • From: "Jakob H. Heidelberg" <jakob@xxxxxxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Thu, 31 Jan 2008 15:15:56 +0100

Allright - I don't have a link right here, but I can list the 4
"exceptions". These are, like account/lockout settings, all taken from the
highest precedence GPO linked to the domain (typically "Default Domain
Policy").

 

Computer Configuration | Windows Settings | Security Settings | Local
Policies | Security Options:

 

1.       Accounts: Rename Administrator Account
Renames all built-in Administrator accounts in the domain (logon name)

 

2.       Accounts: Rename Guest Account
Renames all built-in Administrator accounts in the domain (logon name)

 

3.       Network Security: Force Logoff When Logon Hours Expire
Force logoff from the domain when logon hours are expired

 

4.       Network Access: Allow Anonymous SID/Name Translation
Main reason why this is enabled is when old Windows systems needs to
communicate with AD.

 

These are what you could call "domain wide security settings".

 

Best regards

/Jakob H. Heidelberg

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of TAZAMAL HUSSAIN
Sent: 31. januar 2008 14:47
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Running a Batch file at user logon.

 

Jakob,
 
Thanks for the quick reply and confirmation.Yes, I agree with you, as to why
this need would arise. However, it certainly exists out there, for some
reason or another! :) perhaps misunderstanding during implemetation phase...
 
Without taking this discussion off to another direction, a useful bit of
knowledge would be the 'few other exceptions' If you have a link for
reading, that would great...

  _____  

From: jakob@xxxxxxxxxxxxxxx
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Running a Batch file at user logon.
Date: Thu, 31 Jan 2008 14:36:20 +0100

Well, yes - that's another story J

 

It's correct that you can place account policies on other OUs - or filter
them in other ways if you like - but the thing is, AD users will still have
to comply with the policy set as the Highest Priority on the Domain Level
(actually this is decided by the DCs - or forced on to the DCs - not the
member computers). Not necessarily the Default Domain Policy - though IMHO
it should be kept there! There are a few other exceptions where settings are
taken from the GPO with the Highest Priority on the Domain Level only, but
that a bit off topic.

 

Account policies in GPOs set on OUs will, as you say, apply to creation of
Local Accounts on the computers in scope - but I've never seen an
environment where this was important (can't even imagine why this would be
part of a design). Also, with third party utilities it is actually possible
to have multiple account policies in a single AD - but, that doesn't really
count, we're talking default functionality here.

 

As we all know multiple password policies will be available in WS 2008
domain environment "out of the box" - the Default Domain Policy (highest
priority GPO  in the domain) will still be "the last stop", but  Global
Security Groups can force other password policies on to the users.

 

Regards

/Jakob H. Heidelberg

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of TAZAMAL HUSSAIN
Sent: 31. januar 2008 14:20
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Running a Batch file at user logon.

 

Guys,
 
I have actually come across multiple account/password policies in certain
big AD implementations targeted to specific OUs... what happens here? I'm
guessing they are all ignored and the one set on the defdompol overides, and
have been told these extra policies targeted to specific OUs will apply to
locally created user accounts on the machines in those OUs... if that makes
sense?can anyone confirm this? never got round to testing it....

  _____  

From: jakob@xxxxxxxxxxxxxxx
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Running a Batch file at user logon.
Date: Thu, 31 Jan 2008 13:27:03 +0100

Hi Ananth,

 

I think you first need to accept and understand this:

 

1. The Computer Configuration part of a policy applies to Computers only

2. The User Configuration part of a policy applies to Users only

 

You do mention an "exception", which is account/password policies - it does
*seem* like that is a Computer Configuration that actually hits Users, but
it's not. You can have 1 account policy in a default AD (2000/2003) - it
should be set in the Default Domain Policy (highest priority GPO on the
Domain level) - and it can be set _nowhere_ else!!!

 

For your second question - if you have a GPO with BOTH Computer and User
Configuration policy settings defined - you could apply that on the domain
level. And, as it has been said previously, the policy setting will "flow
down" the OU hierarchy in your domain. So, all Computer AND User objects
below will take on their respective part of the GPO (Computers will take the
Comp. Conf. and Users will take the User Conf.). Basically, it doesn't
matter how your OU structure is, you can have a single OU with all your
Computer and User objects in it - and then link a single GPO with both
Computer and Users settings in it, and it works.

 

However, GPO filtering is needed in most cases. You can filter on several
levels - Site, Domain, Ou + WMI filters + Security filtering (AD security
groups). You can choose one filtering method, or combine them all.

 

There are "advanced" policy processing options available, like Loopback
processing etc. - but let's keep that out of the picture so far ;-)

 

 

Did that help?

 

 

Regards

/Jakob H. Heidelberg

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Ananth Rajagopal
Sent: 31. januar 2008 11:29
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Running a Batch file at user logon.

 

Two more queries, I seem to be confused here...

Consider this scenario.....

We have an Account lockout policy.. set at 5 invalid logons. This is in
Computer configuration.

What happens if I link this policy to the OU containing Users? If I give the
Domain Computers in the scope will the policy work for only these users?

or

Should I create another OU of computers and link this policy and in the
scope give the user group?

For a set of "user and computer configurations" to work for a "set of users
and computers" of a particular department should there be 2 OU's? one for
users with user configuration policies linked and the other OU with
Computers with computer configuration policies linked??

hmm.... :-)




On Jan 31, 2008 3:45 PM, Ananth Rajagopal <ananth.rg@xxxxxxxxx> wrote:

Thanks again :-)

 

On Jan 31, 2008 3:42 PM, hans straat <hstraat@xxxxxxx> wrote:

if you have a OU structure and no block inheritance etc configured the
policy will flow down.
 
OU domain Computers (GPO computer policy apply desktop blabla)
   OU Site Computers (will get the policy)
     OU Site KioskComputers (will get the policy)

as long as they are nested under the main OU :)
But you can do a RSOP planning to see if the OU get's the policy (RSOP in
GPMC)

  _____  

Date: Thu, 31 Jan 2008 15:21:24 +0530


From: ananth.rg@xxxxxxxxx
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Running a Batch file at user logon.

If the policies are linked at the domain level, irrespective of whether its
a user configuration or computer configuration will it run?

On Jan 31, 2008 3:19 PM, Ananth Rajagopal <ananth.rg@xxxxxxxxx> wrote:

Thanks Hans! :-) 

 

On Jan 31, 2008 2:18 PM, hans straat <hstraat@xxxxxxx> wrote:

Anath,
 
Computer configuration policies should be applied on the OU the computers
you target are located in.
 
Like User policies should be applied to the OU the targetted users reside
in.
 
regards,
Hans Straat
www.datacrash.net <http://www.datacrash.net/>  



  _____  

Date: Thu, 31 Jan 2008 09:15:41 +0530
From: ananth.rg@xxxxxxxxx 


To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Running a Batch file at user logon.

Hi Jacob,

From the event viewer we got only the RSoP error, "RSoP could not be run"
anyway we manually ran that script in some 50 systems and now its fine as
internet explorer homepage was set to this mail server, so its coming fine
now! We didn't get time to test further, sorry about that, the domain had to
be up yesterday, its running fine now...

Kindly send any more links of your articles! it was great reading....cleared
a lot of things for us....

One basic question.... Should Computer Configuration policies be applied on
Domain Computers or OU of Computers? 

regards
Ananth :-)




On Jan 29, 2008 4:36 PM, Ananth Rajagopal <ananth.rg@xxxxxxxxx> wrote:

Hi Jacob,

Thanks once again for your great support.

We are actually testing this in a test environment of 6 systems. Except for
this one script the rest all are working fine.

We will do the Gpresult at the earliest and will let you know.

I haven't checked the event viewer either, will do that right away.

regards
Ananth. 

 

On Jan 29, 2008 2:07 PM, Jakob H. Heidelberg <jakob@xxxxxxxxxxxxxxx> wrote:

Hi,
 
It does sound like you did everything needed to make this work - a restart
is of course needed, but you took care of that you say.
 
As this point it could be great if you checked the event viewer for any
error on the clients that happens during startup. Later you might have to do
advanced troubleshooting.
 
You should perform the GPRESULT command to see if the computer "picked up"
the policy at all.
 
Note - you should probably test such a policy isolated the first time
(limited to an OU with only one computer system within it or alike).
 
/Jakob
 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Ananth Rajagopal
Sent: 29. januar 2008 09:17
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Running a Batch file at user logon.

 

Hi Jacob,

Thanks for the article. It cleared a lot of doubts.

We did as you said, but we still couldn't make it work! This how we did
it... please go through it and advice on where we went wrong!

In the Group Policy Objects we created a new policy called " Intranet Mail
Srv Route"
We edited the policy, we set it as  Computer Configuration>Windows
Settings>scripts(Startup/Shutdown)>Startup> we showed the UNC path to the
script.

The scripts is stored in
"\\Tai2D.ent\SysVol\Tai2D.ent\scripts\mailsrv_route.bat" this path and this
share is accessible from all systems in the domain. The permission to this
share is "Authenticated Users Read and Execute"

Next, at the domain level we gave "Link an existing GPO" gave this GPO and
enabled  enforced and link enabled.

In the Security Filter windows we added "Authenticated Users" and "Domain
Computers" 

Next we gave gpupdate /force

We restarted the systems several times but still the new route is not
getting added.

Please analyze the steps and kindly inform us where we have gone wrong. Have
we missed anything that you have told us? :-)

Thanks for the help!
regards
Ananth :-)

On Jan 25, 2008 3:49 PM, Jakob H. Heidelberg <jakob@xxxxxxxxxxxxxxx> wrote:

Hi again Ananth,
 
As stated before it would, in most cases, be better to add the route once
and for all on the clients default gateway. But, you probably have your
reasons J
 
I think there are some basic things about GP processing and filtering you
should take a look at. Maybe this blog will help you:
http://heidelbergit.blogspot.com/2008/01/yes-of-course-you-can-assign-group.
html
 
Earlier you told me you want to "hit" all systems in the domain - in that
case all you have to do is:
 

1.       Have the script file in a shared directory where Authenticated User
or Domain Computers have Read access

2.       Create the GPO and point the Startup script to the shared script
file (Computer Configuration part on the GPO)

3.       Link the GPO to the Domain Level (you don't have to change
Permissions or anything in this case)

4.       Reboot all machines for the script to be executed (could take 2
reboots)

 
However - I must warn you a bit: this will execute the script during the
next startup (or two) on ALL domain computers (including servers).
 
Note to #3: If all of your computers are in the "My Computers OU" you could
just link the GPO here (except computers in the Domain Controllers OU would
not be hit - if they should be hit too you could link the policy to that OU
too  and restart them one after the other perhaps).
 
If this doesn't execute on the clients you must start troubleshooting. Look
in the client eventlog to spot for any errors, use GPRESULT to be sure the
GPO applies to the computers etc. However, I do expect this to work.
 
Regards
/Jakob
 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Ananth Rajagopal
Sent: 25. januar 2008 08:27
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Running a Batch file at user logon.

 
Hi All,

We want to add a persistent route to all systems in 192.168.2.x network to a
server having IP 192.168.3.240 <http://192.168.3.240/> .

We created a route.bat batch file and copied this command 

Route Add 192.168.3.240 <http://192.168.3.240/>  MASK 255.255.255.255
<http://255.255.255.255/>  192.168.2.254 <http://192.168.2.254/>  -p

This batch file was copied to
\\Server.com\SysVol\Server.com\scripts\route.bat folder.

The batch file was placed in Computer Configuration/Windows Settings/
Scripts/Startup

We created a new group called Harmony_Sys in Builtin folder in that Domain.
Created a new OU called Harmony Systems, moved systems on which this batch
file has to be run to this OU. Made the computer a member of the group
Harmony_Sys group. 

>From GPMC, We applied this route policy to this Harmony Systems OU. 

But the new route is not getting created. Where have we gone wrong, is the
procedure correct.

regards
Ananth.

 

 

 

 

 

 

 

 

  _____  

Sounds like? How many syllables? Guess and win prizes with Search Charades!
<http://www.searchcharades.com/> 

 

  _____  

Sounds like? How many syllables? Guess <http://www.searchcharades.com>  and
win prizes with Search Charades!

Other related posts: