[gptalk] Re: Bat File Not Executing.
- From: Darren Mar-Elia <darren@xxxxxxxxxx>
- To: gptalk@xxxxxxxxxxxxx
- Date: Mon, 08 Sep 2008 13:43:00 -0800
The reason I questioned it is that LocalSystem does indeed have access to
network resources (despite what that KB said) and I'm not sure why it would
even matter, since all of the profile resources being managed are local.
Anyway, as long as it works :)
Darren
-----Original message-----
From: "Jeremy Saunders" Jeremy.Saunders@xxxxxxxxxxxxxx
Date: Mon, 8 Sep 2008 11:04:16 -0400
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Bat File Not Executing.
> Np Darrenâ?¦Same issue with Win2K and Win2K3. Trust meâ?¦> I do lots of
> Citrix deployments, and up until recently ha> ve always used delprof.exe.
Cheers,
Jeremy.
>
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bo> unce@xxxxxxxxxxxxx] On
Behalf Of Darren Mar-Elia
Sent: M> onday, 8 September 2008 9:39 PM
To: gptalk@xxxxxxxxxxxxx>
Subject: [gptalk] Re: Bat File Not Executing.
T> hanks for the background Jeremy. Totally makes sense and > yes, a scheduled
task is a good approach. As for that KB,> it says it applies to NT 4 so I
would be very surprised > if it really was a problem, but perhaps.
Darren
>
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-b> ounce@xxxxxxxxxxxxx] On
Behalf Of Jeremy Saunders
Sent: > Monday, September 08, 2008 1:12 AM
To: gptalk@freelists.> org
Subject: [gptalk] Re: Bat File Not Executing.
>
Hi Darren,
I guess there are two parts to this > and I probably should have been clearer
with my answer. M> y answer was aimed at this specific task, not a general a>
nswer.
Personally I would always want to ensure t> hat these vbscripts run silently
using cscript.exe, and o> utput to a log file for review as needed. In many
environ> ment Cscript.exe is not always the default script host, a> nd running
this script without parameters doesnâ??t give > you the logging you need.
You are correct. The Lo> cal System account may suffice for this script. As
someon> e who has migrated from using delprof.exe to this new del>
eteprofiles.vbs, I had just assumed that http://support.m>
icrosoft.com/kb/262223 would still apply, so I have not c> hanged the way I am
deploying it. Needs further testing t> hough.
However, as per my blog, my method of depl> oyment works 100%, and will process
everyday regardless o> f a reboot. I believe the use of a scheduled task is
more> appropriate than a startup script in this case, unless H> arry is
restarting his Citrix servers every day.
> Cheers.
Jeremy.
From: gptalk-bounce@freelists.> org [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Dar> ren Mar-Elia
Sent: Monday, 8 September 2008 8:42 AM
To:> gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Bat File Not> Executing.
Jeremy-
Actually, you can simply s> pecify a script like that and WSH will use the
default sc> ript host (wscript or cscript) to run it. Curious why you> say you
canâ??t run it that way? Also, I think the only > successful way to run it is
as local system. Or, at least> , that gives you the best chance for success.
Dar> ren
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gpt> alk-bounce@xxxxxxxxxxxxx] On
Behalf Of Jeremy Saunders
S> ent: Saturday, September 06, 2008 7:56 PM
To: gptalk@fre> elists.org
Subject: [gptalk] Re: Bat File Not Executing.>
Hi Harry,
You canâ??t just run the scrip> t like that. You need to ensure itâ??s launched
with cscr> ipt, and use some parameters as well. And furthermore, th> e process
of deleting profiles may not work by using the > Local System account, which is
what I believe a Startup s> cript would run as.
http://www.jhouseconsulting.c>
om/index.php/blog/2008/07/30/script-to-replace-delprofexe> /
I hope that helps.
Cheers,
Jeremy.
>
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gpt> alk-bounce@xxxxxxxxxxxxx] On
Behalf Of Harry Singh
Sent:> Saturday, 6 September 2008 2:30 AM
To: gptalk@freelists> .org
Subject: [gptalk] Re: Bat File Not Executing.
>
Thanks for the reply Darren, here goes.
I believe i> came across a thread here or it could have been somewher> e else,
that mentioned when applying a GPO to an OU that > consists of only computers,
it would be best to remove "A> uthenticated Users" and add a Sec group that has
all the > computers in it. If Authenticated Users is recommended, > i'll
gladly revert back.
I don't have fast logon optim> ization disabled -- where would i disable that ?
I'm c> alling the vbs script directly from within the GPO as i w> ould a batch
file, as demonstrated by the screenshot. I'v> e also attached the script, i
received courtesy of Joe Sh> onk on the Citrix thinlist.
remove the txt extension a> fter the vbs.
On Fri, Sep 5, 2008 at 2:15 PM, Darren M> ar-Elia <darren@xxxxxxxxxx> wrote:
Harry-
Just out > of curiosity, if the computers are in their own OU, why a> re you
using security filtering on top of that? Keep in m> ind that a computer won't
pick up its new group membershi> p until a reboot, but since you're doing that
anyway, I s> uspect that is not the issue.
With respect to the> software installation, have you disabled fast logon opti>
mization on these machines? If not, then the SI package c> ould take a couple
of reboots to get picked up. If so, th> en I would check the application event
log on the machine> for a event of type "Application Management" as this wil>
l indicate whether there is some error with the processin> g of the package.
Can you post your VBScript code> here and also let us know how you're calling
it? I think> you said you were calling it from the parameters on a ba> tch
file?
Darren
From: gptalk-bounce@fre> elists.org [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf> Of Harry Singh
Sent: Friday, September 05, 2008 10:47 A> M
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Ba> t File Not Executing.
Hi All -
So, i finally h> ave been able to put this GPO into production and have so>
mething interesting, albeit furstrating.
I placed the > the computers i want this GPO to run against within their> own
"Computers" OU.
I then created a security group> and put all these computers within this
security group
>
I then removed " Authenticated Users" from the security> of the GPO and just
put the above mentioned security gro> up.
I found that the policy does run, as noted in the > attached gpresult log (
delprof-test ) is the GPO in ques> tion, but the startup VBS script to delete
profiles, does> not run. I also assigned UPH clean but have noticed that>
didn't install either. These are the only two machine ba> sed settings applied
on this GPO and neither of them are > running, but the GPO is being executed on
the machines.
>
any thoughts ?
On Thu, Aug 7, 2008 at 5:27 AM, Hutc> hinson, Alan
<Alan.Hutchinson@xxxxxxxxxxxxxxxxxx> wrote:
>
Harry,
As I said I haven't yet tried it (probably s> ometime next week).
As for your second paragraph > - no need to block inheritance; this is exactly
what loop> back processing in replace mode achieves.
REgard> s,
Alan.
________________________________>
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-boun> ce@xxxxxxxxxxxxx] On
Behalf Of Harry Singh
Sent: 06 Augu> st 2008 18:40
To: gptalk@xxxxxxxxxxxxx
Subject: [gp> talk] Re: Bat File Not Executing.
Alan,
i was > just about to post that, since i subscribe to the THIN li> st and came
across that.
Since it's a VBS script, i un> derstand when you add it to the startup of a
GPO, there a> re "Script Parameters". I've never leveraged this because> ,
truthfully, i really don't know what would be placed in> here ? could someone
provide some insight as to how to p> roperly use that field ?
A&M - as far as loopback proc> essing goes, that makes it much clearer, but i
still need> to re-read and implement to fully comprehend. I currentl> y have a
TS/Citrix environment and am trying to wrap my h> ead around understanding
applying user settings to the sa> me user but different policies. I suppose if
i block poli> cy inheritance on the GPO that's assigned to the TS serve> rs ou
and configure machine and user based settings this > will only apply to users
who are logging into that server> .
On Wed, Aug 6, 2008 at 1:12 PM, Hutchinson, Alan <A>
lan.Hutchinson@xxxxxxxxxxxxxxxxxx> wrote:
I haven't tr> ied it yet but came across this from another freelist whi> ch may
do what you want when you've sorted script executi> on :
http://www.theshonkproject.com/index.ph>
p?option=com_content&task=view&id=27&Itemid=31
Re> gards,
Alan.
____________________________> ____
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-> bounce@xxxxxxxxxxxxx] On
Behalf Of Nelson, Jamie
Sent: 0> 6 August 2008 16:27
To: gptalk@xxxxxxxxxxxxx
Subje> ct: [gptalk] Re: Bat File Not Executing.
Hmm, yea> h I can see how that is helpful from the teacher's perspe> ctive. If
I were you I would definitely spend some time t> roubleshooting why the
profiles are getting corrupted in > the first place. That shouldn't be
happening.
As > far as your script not executing, I recommend starting it> off with
something basic just to make sure it is actuall> y executing. A good example
would be piping the contents > of ipconfig out to a text file on the C: drive
or somethi> ng.
ipconfig >%SYSTEMDRIVE%\ipcon> fig.txt
Then go back and verify the file is creat> ed after a reboot. That way you can
be certain the script> is actually running. If it is, but the profile is not
ge> tting deleted, you know you have some kind of logic error> in the part of
the script.
From: gptalk-bounce@f> reelists.org [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Beha> lf Of Harry Singh
Sent: Tuesday, August 05, 2008 6:26 PM>
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Bat Fil> e Not Executing.
I'll be glad to elaborate.
Th> is is a lab environment and we've implemented a combinati> on of mandatory
profiles and GPO to control User configur> ation settings. Periodically, the
profile experiences pro> blems and just doesn't load properly. I've ran traces
to > see if any network connectivity issues exist between the > workstation and
the server where the profile resides and > , although i see some collisions, i
don't expect that to > be the sole root cause. Instead of delving more time and
> resources, we've found by blowing the profile the issues > resolve themselves
--- and as i mentioned, this doesn't h> appen too frequently, only
periodically. Now, the lab mac> hines aren't rebooted or turned off nightly, so
the delet> ing of profiles on reboot is really a way for us or the t> eacher on
site to delete the profiles "on-demand". I'm su> re there are alternate ways to
get this done, and i'm all> ears.
So you're saying i can apply a GPO to an OU tha> t just has computer accounts ?
"To clarify, loopback p> olicy is used when you want user configuration
policies t> o apply based on where the computer object resides instea> d of the
user object. " That's still a litte fuzzy to me,> could you provide an example
that could help me further > put this confusion function to rest for me ?
Thanks
>
On Tue, Aug 5, 2008 at 5:27 PM, Nelson, Jamie <Jamie.Nel> son@xxxxxxx> wrote:
Delprof.exe can't delete a specifi> c user profile, you generally tell it the
max number of d> ays old a profile can be (from last use) and it will dele> te
anything older than that. I still don't understand why> you want to delete it
on every reboot though. Maybe you > can be kind enough to elaborate?
Actually, you we> re right the first time. For startup scripts to run they >
must be applied to OUs containing computer objects. You d> on't need loopback
policy or security filtering for that.> To clarify, loopback policy is used
when you want user c> onfiguration policies to apply based on where the
compute> r object resides instead of the user object.
Hope> that helps. J
From: gptalk-bounce@xxxxxxxxxxxxx > [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Harry S> ingh
Sent: Tuesday, August 05, 2008 4:13 PM
To: gptalk@> freelists.org
Subject: [gptalk] Re: Bat File Not Executi> ng.
Jamie,
Yes, the script is deleting the doc> uments and setting folder. I agree this
isn't very clean,> but I am having trouble in negotiating the delprof comm>
and line to delete the profile i want under my specific p> arameters.
Specifically, i want the profile to be deleted> upon every reboot, either
during the shutdown or, prefer> ably, during the startup of the machine. ?
Secondly, i> believe my problem was i was applying the GPO to an OU > that
just had the computer accounts. I realized this can'> t be done, i'd have to
apply it to the OU containing the > LAB user account ; since only the Computer
Config is enab> led, the script will execute on whatever machine that use> r
logs into, correct ? That being said, what should the l> oopback processing
setting be on this GPO, if there are n> o user configured settings on this GPO
but others ?
Ju> st to clear up any confusion, if i want machine specific > settings only to
apply to computer accounts, i need to:
>
* Configure the Computer Configuration portion of the G> PO.
* Create a Security Group and add the respective co> mputer accounts to
this group and add it to the permissio> ns of the GPO with the "Apply" GPO
permission ?
* Never> apply GPO's to OU's that just have computer accounts
*> Enable loopback processing on a computer oriented GPO if> you have any
USER Confiuration settings in that GPO, oth> erwise just leave it disabled or
not configured ?
>
On Tue, Aug 5, 2008 at 4:57 PM, Nelson, Jamie <Jamie.Ne> lson@xxxxxxx> wrote:
When you say "delete the profile"> are you just trying to delete the profile
folder under C> :\Documents and Settings? That doesn't truly dump the pro>
file, as there are still some registry keys that have to > be cleaned up.
On that note, I don't think deleti> ng the profiles on startup is a good
practice, even if th> ey are for what I assume are temporary lab user
accounts.> You're better off creating a scheduled task on the machi> ne to run
the delprof.exe utility (from the Server Resour> ce Kit) which can delete all
profiles that have not been > used in a specified number of days. Just my
opinion thoug> h. You may have valid reason for doing it that way so ple> ase
don't take offense. J
As far as the script no> t executing is concerned, did you place it in the
GPO's "> machine\scripts\startup" folder in SYSVOL or somewhere el> se on your
network?
From: gptalk-bounce@freelists> .org [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Ha> rry Singh
Sent: Tuesday, August 05, 2008 3:21 PM
To: gp> talk@xxxxxxxxxxxxx
Subject: [gptalk] Bat File Not Execut> ing.
All -
I've added a bat file to the startu> p script inside of a GPO, the computer
configuration part> of the GPO. The script deletes any profile starting with>
lab* and is suppose to run when the computer is restarte> d so as to not run
into any file locks by explorer. Howev> er, the folders are not being deleted
and when i run a gp> result, the script indicates: " This script has not been >
executed"
any ideas ?
_____________________________> ___
Confidentiality Warning: This message and any atta> chments are intended only
for the use of the intended rec> ipient(s), are confidential, and may be
privileged. If yo> u are not the intended recipient, you are hereby notified>
that any review, retransmission, conversion to hard copy> , copying,
circulation or other use of all or any portion> of this message and any
attachments is strictly prohibit> ed. If you are not the intended recipient,
please notify > the sender immediately by return e-mail, and delete this >
message and any attachments from your system.
>
________________________________
Con> fidentiality and Privilege Notice
This document is inte> nded solely for the named addressee. The information
con> tained in the pages is confidential and contains legally > privileged
information. If you are not the addressee indi> cated in this message (or
responsible for delivery of the> message to such person), you may not copy or
deliver thi> s message to anyone, and you should destroy this message > and
kindly notify the sender by reply email. Confidential> ity and legal privilege
are not waived or lost by reason > of mistaken delivery to you.
_________________________> _______
________________________________
Confidenti> ality and Privilege Notice
This document is intended so> lely for the named addressee. The information
contained > in the pages is confidential and contains legally privile> ged
information. If you are not the addressee indicated i> n this message (or
responsible for delivery of the messag> e to such person), you may not copy or
deliver this messa> ge to anyone, and you should destroy this message and kin>
dly notify the sender by reply email. Confidentiality and> legal privilege are
not waived or lost by reason of mist> aken delivery to you.
________________________________>
###################################################>
##################################
Confidentiality and P> rivilege Notice
This document is intended solely for th> e named addressee. The information
contained in the page> s is confidential and contains legally privileged
informa> tion. If you are not the addressee indicated in this mess> age (or
responsible for delivery of the message to such p> erson), you may not copy or
deliver this message to anyon> e, and you should destroy this message and
kindly notify > the sender by reply email. Confidentiality and legal priv>
ilege are not waived or lost by reason of mistaken delive> ry to you.
#############################################>
########################################
>
***********************
You can unsubscribe from gptalk by sending email to
gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by
logging into the freelists.org Web interface. Archives for the list are
available at //www.freelists.org/archives/gptalk/
************************
Other related posts:
