[gptalk] Re: Bat File Not Executing.

  • From: "Darren Mar-Elia" <darren@xxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Fri, 5 Sep 2008 13:05:16 -0700

Couple things.  First off, hopefully you didn’t hear it on this list, but if 
you are using linking to control targeting of GPOs, then you do not also need 
to use filtering by group. It’s perfectly reasonable to keep Authenticated Users 
in place if you are targeting, for example, all computers in OU X. It only gets 
to be tricky if the GPO is linked at a higher level in the hierarchy and you 
need to control only a subset of the possible target audience.

 

Fast Logon Optimization – to disable it, deliver this policy to all machines: 
Computer Config\Admin Templates\System\Logon\Always wait for the network at 
computer startup and user logon = enabled

 

The only observations I can make about your script are, I’m not sure why it’s 
using the WMI reg provider rather than just using the std vbscript Reg methods. 
The WMI approach is useful if the script is running remotely but in this 
instance, it’s not and it could add a lot of complexity.

 

The other thing I would do. Create an AT job that starts a cmd.exe shell. That 
will be running in the context of localSystem—the same as when the script runs 
during startup. Run the script in that elevated shell and see what it does 
(i.e. if it works or throws errors). That might point the way here. 

 

Darren
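
A diagnostic wrapper that combines the sanity check and the LocalSystem test discussed in this thread, as an added example that is not part of the original messages. The script name `delprofiles.vbs` and the log path are placeholders chosen for illustration.

```batch
@echo off
rem Added example, not from the thread: diagnostic wrapper for a GPO
rem startup script. Assumptions: delprofiles.vbs is a placeholder name for
rem the script under test, stored beside this file; the log path is arbitrary.
setlocal
set "LOG=%SystemDrive%\startup-diag.log"
set "SCRIPT=%~dp0delprofiles.vbs"

rem Sanity check first: if this header never appears after a reboot, the
rem startup script did not run at all (targeting or processing problem).
>>"%LOG%" echo ==== %DATE% %TIME% on %COMPUTERNAME% ====
>>"%LOG%" echo Account : %USERDOMAIN%\%USERNAME%
>>"%LOG%" echo Launched: %~f0

rem cmd.exe cannot use a UNC path as its current directory, so address the
rem script by its full path (%~dp0) rather than by a relative name.
if exist "%SCRIPT%" goto run
>>"%LOG%" echo ERROR: script not found or not readable: %SCRIPT%
endlocal & exit /b 2

:run
rem Use cscript (console host) so runtime errors are written to the log
rem instead of a dialog box that nobody sees during startup.
cscript.exe //nologo "%SCRIPT%" >>"%LOG%" 2>&1
set RC=%ERRORLEVEL%
>>"%LOG%" echo Exit code: %RC%
endlocal & exit /b %RC%
```

Run it once from the LocalSystem shell opened through the AT job and once as the GPO startup script, then compare the two log sections: a missing section means the script never ran, while a section with errors points at the script's own logic or at access to the files it touches.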

 

 

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Harry Singh
Sent: Friday, September 05, 2008 11:30 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Bat File Not Executing.

 

Thanks for the reply Darren, here goes.

I believe I came across a thread here, or it could have been somewhere else, 
that mentioned when applying a GPO to an OU that consists of only computers, it 
would be best to remove "Authenticated Users" and add a Sec group that has all 
the computers in it. If Authenticated Users is recommended, I'll gladly revert 
back.

I don't have fast logon optimization disabled -- where would I disable that?

I'm calling the vbs script directly from within the GPO as I would a batch 
file, as demonstrated by the screenshot. I've also attached the script, which I 
received courtesy of Joe Shonk on the Citrix thinlist.

Remove the txt extension after the vbs.






On Fri, Sep 5, 2008 at 2:15 PM, Darren Mar-Elia <darren@xxxxxxxxxx> wrote:

Harry-

Just out of curiosity, if the computers are in their own OU, why are you using 
security filtering on top of that? Keep in mind that a computer won't pick up 
its new group membership until a reboot, but since you're doing that anyway, I 
suspect that is not the issue.

 

With respect to the software installation, have you disabled fast logon 
optimization on these machines? If not, then the SI package could take a couple 
of reboots to get picked up. If so, then I would check the application event 
log on the machine for an event of type "Application Management" as this will 
indicate whether there is some error with the processing of the package.

 

Can you post your VBScript code here and also let us know how you're calling 
it? I think you said you were calling it from the parameters on a batch file? 

 

Darren

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Harry Singh
Sent: Friday, September 05, 2008 10:47 AM


To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Bat File Not Executing.

 

Hi All -

So, I finally have been able to put this GPO into production and have something 
interesting, albeit frustrating.

I placed the computers I want this GPO to run against within their own 
"Computers" OU. 

I then created a security group and put all these computers within this 
security group.

I then removed "Authenticated Users" from the security of the GPO and just put 
the above mentioned security group.

I found that the policy does run, as noted in the attached gpresult log 
(delprof-test) is the GPO in question, but the startup VBS script to delete 
profiles does not run. I also assigned UPH clean but have noticed that didn't 
install either. These are the only two machine based settings applied on this 
GPO and neither of them are running, but the GPO is being executed on the 
machines.

Any thoughts?



On Thu, Aug 7, 2008 at 5:27 AM, Hutchinson, Alan 
<Alan.Hutchinson@xxxxxxxxxxxxxxxxxx> wrote:

Harry,

As I said I haven't yet tried it (probably sometime next week).

 

As for your second paragraph - no need to block inheritance; this is exactly 
what loopback processing in replace mode achieves.

Regards,

 

Alan.

 

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Harry Singh
Sent: 06 August 2008 18:40


To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Bat File Not Executing.

 

Alan,

I was just about to post that, since I subscribe to the THIN list and came 
across that.

Since it's a VBS script, I understand when you add it to the startup of a GPO, 
there are "Script Parameters". I've never leveraged this because, truthfully, I 
really don't know what would be placed in here. Could someone provide some 
insight as to how to properly use that field?

A&M - as far as loopback processing goes, that makes it much clearer, but I 
still need to re-read and implement to fully comprehend. I currently have a 
TS/Citrix environment and am trying to wrap my head around understanding 
applying user settings to the same user but different policies. I suppose if I 
block policy inheritance on the GPO that's assigned to the TS servers OU and 
configure machine and user based settings this will only apply to users who are 
logging into that server. 



On Wed, Aug 6, 2008 at 1:12 PM, Hutchinson, Alan 
<Alan.Hutchinson@xxxxxxxxxxxxxxxxxx> wrote:

I haven't tried it yet but came across this from another freelist which may do 
what you want when you've sorted script execution:

http://www.theshonkproject.com/index.php?option=com_content&task=view&id=27&Itemid=31

 

Regards,

 

Alan.

 

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Nelson, Jamie
Sent: 06 August 2008 16:27 


To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Bat File Not Executing.

 

Hmm, yeah I can see how that is helpful from the teacher's perspective. If I 
were you I would definitely spend some time troubleshooting why the profiles 
are getting corrupted in the first place. That shouldn't be happening.

 

As far as your script not executing, I recommend starting it off with something 
basic just to make sure it is actually executing. A good example would be 
piping the contents of ipconfig out to a text file on the C: drive or something.

 

                ipconfig >%SYSTEMDRIVE%\ipconfig.txt

 

Then go back and verify the file is created after a reboot. That way you can be 
certain the script is actually running. If it is, but the profile is not 
getting deleted, you know you have some kind of logic error in the part of the 
script.

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Harry Singh
Sent: Tuesday, August 05, 2008 6:26 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Bat File Not Executing.

 

I'll be glad to elaborate.

This is a lab environment and we've implemented a combination of mandatory 
profiles and GPO to control User configuration settings. Periodically, the 
profile experiences problems and just doesn't load properly. I've run traces to 
see if any network connectivity issues exist between the workstation and the 
server where the profile resides and, although I see some collisions, I don't 
expect that to be the sole root cause. Instead of delving more time and 
resources, we've found by blowing the profile the issues resolve themselves --- 
and as I mentioned, this doesn't happen too frequently, only periodically. Now, 
the lab machines aren't rebooted or turned off nightly, so the deleting of 
profiles on reboot is really a way for us or the teacher on site to delete the 
profiles "on-demand". I'm sure there are alternate ways to get this done, and 
I'm all ears.

So you're saying I can apply a GPO to an OU that just has computer accounts?

"To clarify, loopback policy is used when you want user configuration policies 
to apply based on where the computer object resides instead of the user object." 
That's still a little fuzzy to me, could you provide an example that could 
help me further put this confusion function to rest for me?

Thanks

On Tue, Aug 5, 2008 at 5:27 PM, Nelson, Jamie <Jamie.Nelson@xxxxxxx> wrote:

Delprof.exe can't delete a specific user profile, you generally tell it the max 
number of days old a profile can be (from last use) and it will delete anything 
older than that. I still don't understand why you want to delete it on every 
reboot though. Maybe you can be kind enough to elaborate?

 

Actually, you were right the first time. For startup scripts to run they must 
be applied to OUs containing computer objects. You don't need loopback policy 
or security filtering for that. To clarify, loopback policy is used when you 
want user configuration policies to apply based on where the computer object 
resides instead of the user object.

 

Hope that helps. :)

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Harry Singh
Sent: Tuesday, August 05, 2008 4:13 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Bat File Not Executing.

 

Jamie,

Yes, the script is deleting the documents and setting folder. I agree this 
isn't very clean, but I am having trouble in negotiating the delprof command 
line to delete the profile I want under my specific parameters. Specifically, I 
want the profile to be deleted upon every reboot, either during the shutdown 
or, preferably, during the startup of the machine.

Secondly, I believe my problem was I was applying the GPO to an OU that just 
had the computer accounts. I realized this can't be done, I'd have to apply it 
to the OU containing the LAB user account; since only the Computer Config is 
enabled, the script will execute on whatever machine that user logs into, 
correct? That being said, what should the loopback processing setting be on 
this GPO, if there are no user configured settings on this GPO but others?

Just to clear up any confusion, if I want machine specific settings only to 
apply to computer accounts, I need to:

* Configure the Computer Configuration portion of the GPO. 
* Create a Security Group and add the respective computer accounts to 
  this group and add it to the permissions of the GPO with the "Apply" GPO 
  permission? 
* Never apply GPO's to OU's that just have computer accounts 
* Enable loopback processing on a computer oriented GPO if you have any 
  USER Configuration settings in that GPO, otherwise just leave it disabled or not 
  configured? 

 

On Tue, Aug 5, 2008 at 4:57 PM, Nelson, Jamie <Jamie.Nelson@xxxxxxx> wrote:

When you say "delete the profile" are you just trying to delete the profile 
folder under C:\Documents and Settings? That doesn't truly dump the profile, as 
there are still some registry keys that have to be cleaned up.

 

On that note, I don't think deleting the profiles on startup is a good 
practice, even if they are for what I assume are temporary lab user accounts. 
You're better off creating a scheduled task on the machine to run the 
delprof.exe utility (from the Server Resource Kit) which can delete all 
profiles that have not been used in a specified number of days. Just my opinion 
though. You may have valid reason for doing it that way so please don't take 
offense. :)

 

As far as the script not executing is concerned, did you place it in the GPO's 
"machine\scripts\startup" folder in SYSVOL or somewhere else on your network?

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Harry Singh
Sent: Tuesday, August 05, 2008 3:21 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Bat File Not Executing.

 

All -

I've added a bat file to the startup script inside of a GPO, the computer 
configuration part of the GPO. The script deletes any profile starting with 
lab* and is supposed to run when the computer is restarted so as to not run into 
any file locks by explorer. However, the folders are not being deleted and when 
I run a gpresult, the script indicates: "This script has not been executed"

Any ideas?
