I'll try like that. We actually want to hit all systems and users in the Domain.

Thanks Jakob.

On Jan 25, 2008 3:22 AM, Jakob H. Heidelberg <jakob@xxxxxxxxxxxxxxx> wrote:

> Well,
>
> Isn't it possible to "hit" the computers instead? As you are trying to add
> Persistent rules I guess these Users have their own computers - or else
> every other user will be hit by the persistent rule.
>
> Computer Startup scripts are running in SYSTEM context – they will be able
> to process the ROUTE ADD command successfully.
>
> Side note: You only need to use one type of filtering (in most cases) – a)
> OU filtering or b) Security filtering. But, for now I think the most
> important thing is to get the command up and running…
>
> /Jakob
>
> *From:* gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] *On Behalf Of* Ananth Rajagopal
> *Sent:* 24. januar 2008 05:16
> *To:* gptalk@xxxxxxxxxxxxx
> *Subject:* [gptalk] Re: adding persistent route
>
> Thanks Jakob, That cleared a lot of doubts!
>
> What we have done so far is created an OU called Harmony Users, moved some
> 120 users to this OU and linked some 16 GPOs which we have created in Group
> Policy Objects, only the Domain Password Policy has been set at the Domain
> level.
>
> I think, as you pointed out, we need to remove the "authenticated users"
> from delegation. We will do that. All policies are set to hit Harmony Users
> only.
>
> What we are trying to achieve is run a batch file which creates a
> persistent route. In the batch file the command is "Route add
> 192.168.3.240 MASK 255.255.255.255 192.168.2.254. -p"
> As you said it needs administrator privileges!
>
> Intranet Mail Server Route
>
> Domain: Tai2D.ent
> Owner: TAI2D\Domain Admins
> User Revisions: 2 (AD), 2 (sysvol)
> Computer Revisions: 2 (AD), 2 (sysvol)
> Unique ID: {BD281E8F-6A17-4F05-8022-3015166E4011}
> GPO Status: Enabled
>
> Location        Enforced   Link Status   Path
> Harmony Users   Yes        Enabled       Tai2D.ent/Harmony Users
>
> This list only includes links in the domain of the GPO.
>
> Security Filtering
> The settings in this GPO can only apply to the following groups, users, and computers:
> Name
> TAI2D\Harmony Users
>
> Delegation
> These groups and users have the specified permission for this GPO
> Name                                         Allowed Permissions                      Inherited
> NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS   Read                                     No
> NT AUTHORITY\SYSTEM                          Edit settings, delete, modify security   No
> TAI2D\Domain Admins                          Edit settings, delete, modify security   No
> TAI2D\Enterprise Admins                      Edit settings, delete, modify security   No
> TAI2D\Harmony Users                          Read (from Security Filtering)           No
>
> Computer Configuration (Enabled)
> Windows Settings
> Scripts
> Startup
> Name   Parameters
> \\Tai2D.ent\SysVol\Tai2D.ent\Policies\{BD281E8F-6A17-4F05-8022-3015166E4011}\Machine\Scripts\mailsrv_route.bat
>
> Thanks for writing :-)
> regards
> Ananth.
>
> On Jan 23, 2008 7:47 PM, Jakob H. Heidelberg <jakob@xxxxxxxxxxxxxxx> wrote:
>
> Well, Ananth,
>
> Actually I think the answer is pretty straightforward: Startup (and
> Shutdown) scripts can be setup for Computer objects – for User objects you
> can choose Login or Logoff scripts.
>
> I'm not sure if a regular user is able to define a route (with ROUTE ADD)
> – definitely not a persistent route? – but that can be tested by running the
> script you have in regular user context. I (or better yet "we") might be
> able to come up with another solution for this (maybe by using GP Preference
> which is soon to arrive) – but first let us know whether or not it's correct
> what I think you are trying to do.
>
> BTW – the security permissions (delegation) set on the "Internal Mail
> Server Route" GPO are set to apply to both "Authenticated Users" and
> "TAI2D\Harmony Users" – I believe you might want to remove "Authenticated
> Users". But if you are "hitting" an OU with only the right users, then you
> wouldn't need the "Harmony Users" group anyway. Well, just a side note –
> only relevant if you have to "hit" user objects.
>
> Regards
> /Jakob
>
> *From:* gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] *On Behalf Of* Ananth Rajagopal
> *Sent:* 23. januar 2008 12:20
> *To:* gptalk@xxxxxxxxxxxxx
> *Subject:* [gptalk] adding persistent route
>
> Hi All,
>
> We are setting up a new domain and have added some policies and scripts.
> For a particular group of users, we want to add a persistent route to a
> server in another subnet. We created a bat file but the bat file is not
> running! Everything seems to be OK, but still...
>
> The file is set in this group's OU. The bat file is copied to the Scripts
> folder in SYSVOL. The startup script is set in......
>
> Intranet Mail Server Route
>
> Domain: Tai2D.ent
> Owner: TAI2D\Domain Admins
> User Revisions: 2 (AD), 2 (sysvol)
> Computer Revisions: 2 (AD), 2 (sysvol)
> Unique ID: {BD281E8F-6A17-4F05-8022-3015166E4011}
> GPO Status: Enabled
>
> Links
> Location        Enforced   Link Status   Path
> Harmony Users   Yes        Enabled       Tai2D.ent/Harmony Users
>
> This list only includes links in the domain of the GPO.
>
> Security Filtering
> The settings in this GPO can only apply to the following groups, users, and computers:
> Name
> NT AUTHORITY\Authenticated Users
> TAI2D\Harmony Users
>
> Computer Configuration (Enabled)
> Windows Settings
> Scripts
> Startup
> Name   Parameters
> \\Tai2D.ent\SysVol\Tai2D.ent\Policies\{BD281E8F-6A17-4F05-8022-3015166E4011}\Machine\Scripts\mailsrv_route.bat
>
> Please advise....
>
> regards
> Ananth :-)
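
The Computer Startup script approach suggested in the thread, written out as an added example (not code posted by anyone on the list): a batch file that runs in SYSTEM context and adds the persistent route only when it is not already stored. The addresses are the ones quoted in the thread; the log path and the registry check are assumptions of this example, and it assumes the GPO applies to computer objects.

```batch
@echo off
rem Added example, not from the thread: computer startup script (SYSTEM context).
rem Adds the persistent host route quoted in the thread only when it is missing.
setlocal

set "DEST=192.168.3.240"
set "MASK=255.255.255.255"
set "GATEWAY=192.168.2.254"
rem Assumption: log location; any path writable by SYSTEM works.
set "LOG=%SystemRoot%\Temp\mailsrv_route.log"
rem Windows stores "route -p" entries as value names of the form
rem destination,mask,gateway,metric under this key.
set "KEY=HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\PersistentRoutes"

call :has_route
if not errorlevel 1 (
    >>"%LOG%" echo %DATE% %TIME% route to %DEST% via %GATEWAY% already persistent
    exit /b 0
)

rem -p makes the route survive reboots; command output goes to the log.
>>"%LOG%" 2>&1 route -p add %DEST% mask %MASK% %GATEWAY%

rem Verify against the registry rather than trusting the exit code alone.
call :has_route
if errorlevel 1 (
    >>"%LOG%" echo %DATE% %TIME% FAILED to add persistent route to %DEST%
    exit /b 1
)
>>"%LOG%" echo %DATE% %TIME% added persistent route to %DEST% via %GATEWAY%
exit /b 0

:has_route
rem Returns errorlevel 0 when the exact destination,mask,gateway entry exists.
reg query "%KEY%" 2>nul | findstr /l /c:"%DEST%,%MASK%,%GATEWAY%," >nul
exit /b %errorlevel%
```

Because the file executes as SYSTEM on every computer the GPO applies to, write access to its folder in SYSVOL should stay limited to the administrative groups shown in the GPO's delegation list.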