Harry, As I said I haven't yet tried it (probably sometime next week). As for your second paragraph - no need to block inheritance; this is exactly what loopback processing in replace mode achieves. REgards, Alan. ________________________________ From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Harry Singh Sent: 06 August 2008 18:40 To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: Bat File Not Executing. Alan, i was just about to post that, since i subscribe to the THIN list and came across that. Since it's a VBS script, i understand when you add it to the startup of a GPO, there are "Script Parameters". I've never leveraged this because, truthfully, i really don't know what would be placed in here ? could someone provide some insight as to how to properly use that field ? A&M - as far as loopback processing goes, that makes it much clearer, but i still need to re-read and implement to fully comprehend. I currently have a TS/Citrix environment and am trying to wrap my head around understanding applying user settings to the same user but different policies. I suppose if i block policy inheritance on the GPO that's assigned to the TS servers ou and configure machine and user based settings this will only apply to users who are logging into that server. On Wed, Aug 6, 2008 at 1:12 PM, Hutchinson, Alan <Alan.Hutchinson@xxxxxxxxxxxxxxxxxx> wrote: I haven't tried it yet but came across this from another freelist which may do what you want when you've sorted script execution : http://www.theshonkproject.com/index.php?option=com_content&task=view&id =27&Itemid=31 <http://www.theshonkproject.com/index.php?option=com_content&task=view&i d=27&Itemid=31> Regards, Alan. ________________________________ From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Nelson, Jamie Sent: 06 August 2008 16:27 To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: Bat File Not Executing. Hmm, yeah I can see how that is helpful from the teacher's perspective. If I were you I would definitely spend some time troubleshooting why the profiles are getting corrupted in the first place. That shouldn't be happening. As far as your script not executing, I recommend starting it off with something basic just to make sure it is actually executing. A good example would be piping the contents of ipconfig out to a text file on the C: drive or something. ipconfig >%SYSTEMDRIVE%\ipconfig.txt Then go back and verify the file is created after a reboot. That way you can be certain the script is actually running. If it is, but the profile is not getting deleted, you know you have some kind of logic error in the part of the script. From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Harry Singh Sent: Tuesday, August 05, 2008 6:26 PM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: Bat File Not Executing. I'll be glad to elaborate. This is a lab environment and we've implemented a combination of mandatory profiles and GPO to control User configuration settings. Periodically, the profile experiences problems and just doesn't load properly. I've ran traces to see if any network connectivity issues exist between the workstation and the server where the profile resides and , although i see some collisions, i don't expect that to be the sole root cause. Instead of delving more time and resources, we've found by blowing the profile the issues resolve themselves --- and as i mentioned, this doesn't happen too frequently, only periodically. Now, the lab machines aren't rebooted or turned off nightly, so the deleting of profiles on reboot is really a way for us or the teacher on site to delete the profiles "on-demand". I'm sure there are alternate ways to get this done, and i'm all ears. So you're saying i can apply a GPO to an OU that just has computer accounts ? "To clarify, loopback policy is used when you want user configuration policies to apply based on where the computer object resides instead of the user object. " That's still a litte fuzzy to me, could you provide an example that could help me further put this confusion function to rest for me ? Thanks On Tue, Aug 5, 2008 at 5:27 PM, Nelson, Jamie <Jamie.Nelson@xxxxxxx> wrote: Delprof.exe can't delete a specific user profile, you generally tell it the max number of days old a profile can be (from last use) and it will delete anything older than that. I still don't understand why you want to delete it on every reboot though. Maybe you can be kind enough to elaborate? Actually, you were right the first time. For startup scripts to run they must be applied to OUs containing computer objects. You don't need loopback policy or security filtering for that. To clarify, loopback policy is used when you want user configuration policies to apply based on where the computer object resides instead of the user object. Hope that helps. J From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Harry Singh Sent: Tuesday, August 05, 2008 4:13 PM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: Bat File Not Executing. Jamie, Yes, the script is deleting the documents and setting folder. I agree this isn't very clean, but I am having trouble in negotiating the delprof command line to delete the profile i want under my specific parameters. Specifically, i want the profile to be deleted upon every reboot, either during the shutdown or, preferably, during the startup of the machine. ? Secondly, i believe my problem was i was applying the GPO to an OU that just had the computer accounts. I realized this can't be done, i'd have to apply it to the OU containing the LAB user account ; since only the Computer Config is enabled, the script will execute on whatever machine that user logs into, correct ? That being said, what should the loopback processing setting be on this GPO, if there are no user configured settings on this GPO but others ? Just to clear up any confusion, if i want machine specific settings only to apply to computer accounts, i need to: * Configure the Computer Configuration portion of the GPO. * Create a Security Group and add the respective computer accounts to this group and add it to the permissions of the GPO with the "Apply" GPO permission ? * Never apply GPO's to OU's that just have computer accounts * Enable loopback processing on a computer oriented GPO if you have any USER Confiuration settings in that GPO, otherwise just leave it disabled or not configured ? On Tue, Aug 5, 2008 at 4:57 PM, Nelson, Jamie <Jamie.Nelson@xxxxxxx> wrote: When you say "delete the profile" are you just trying to delete the profile folder under C:\Documents and Settings? That doesn't truly dump the profile, as there are still some registry keys that have to be cleaned up. On that note, I don't think deleting the profiles on startup is a good practice, even if they are for what I assume are temporary lab user accounts. You're better off creating a scheduled task on the machine to run the delprof.exe utility (from the Server Resource Kit) which can delete all profiles that have not been used in a specified number of days. Just my opinion though. You may have valid reason for doing it that way so please don't take offense. J As far as the script not executing is concerned, did you place it in the GPO's "machine\scripts\startup" folder in SYSVOL or somewhere else on your network? From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Harry Singh Sent: Tuesday, August 05, 2008 3:21 PM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Bat File Not Executing. All - I've added a bat file to the startup script inside of a GPO, the computer configuration part of the GPO. The script deletes any profile starting with lab* and is suppose to run when the computer is restarted so as to not run into any file locks by explorer. However, the folders are not being deleted and when i run a gpresult, the script indicates: " This script has not been executed" any ideas ? ________________________________ Confidentiality Warning: This message and any attachments are intended only for the use of the intended recipient(s), are confidential, and may be privileged. If you are not the intended recipient, you are hereby notified that any review, retransmission, conversion to hard copy, copying, circulation or other use of all or any portion of this message and any attachments is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return e-mail, and delete this message and any attachments from your system.