[gptalk] Re: Bat File Not Executing.

  • From: Darren Mar-Elia <darren@xxxxxxxxxx>
  • To: gptalk@xxxxxxxxxxxxx
  • Date: Mon, 08 Sep 2008 13:43:00 -0800

The reason I questioned it is that LocalSystem does indeed have access to 
network resources (despite what that KB said) and I'm not sure why it would 
even matter, since all of the profile resources being managed are local.

Anyway, as long as it works :)


-----Original message-----
From: "Jeremy Saunders" Jeremy.Saunders@xxxxxxxxxxxxxx
Date: Mon,  8 Sep 2008 11:04:16 -0400
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Bat File Not Executing.

> Np Darrenâ?¦Same issue with Win2K and Win2K3. Trust meâ?¦> I do lots of 
> Citrix deployments, and up until recently ha> ve always used delprof.exe.





From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bo> unce@xxxxxxxxxxxxx] On 
Behalf Of Darren Mar-Elia
Sent: M> onday, 8 September 2008 9:39 PM
To: gptalk@xxxxxxxxxxxxx> 
Subject: [gptalk] Re: Bat File Not Executing.


T> hanks for the background Jeremy. Totally makes sense and > yes, a scheduled 
task is a good approach. As for that KB,>  it says it applies to NT 4 so I 
would be very surprised > if it really was a problem, but perhaps.



From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-b> ounce@xxxxxxxxxxxxx] On 
Behalf Of Jeremy Saunders
Sent: > Monday, September 08, 2008 1:12 AM
To: gptalk@freelists.> org
Subject: [gptalk] Re: Bat File Not Executing.

Hi Darren,


I guess there are two parts to this > and I probably should have been clearer 
with my answer. M> y answer was aimed at this specific task, not a general a> 


Personally I would always want to ensure t> hat these vbscripts run silently 
using cscript.exe, and o> utput to a log file for review as needed. In many 
environ> ment Cscript.exe is not always the default script host, a> nd running 
this script without parameters doesnâ??t give > you the logging you need.


You are correct. The Lo> cal System account may suffice for this script. As 
someon> e who has migrated from using delprof.exe to this new del> 
eteprofiles.vbs, I had just assumed that http://support.m> 
icrosoft.com/kb/262223 would still apply, so I have not c> hanged the way I am 
deploying it. Needs further testing t> hough.


However, as per my blog, my method of depl> oyment works 100%, and will process 
everyday regardless o> f a reboot. I believe the use of a scheduled task is 
more>  appropriate than a startup script in this case, unless H> arry is 
restarting his Citrix servers every day.


> Cheers.



From: gptalk-bounce@freelists.> org [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Dar> ren Mar-Elia
Sent: Monday, 8 September 2008 8:42 AM
To:>  gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Bat File Not>  Executing.



Actually, you can simply s> pecify a script like that and WSH will use the 
default sc> ript host (wscript or cscript) to run it. Curious why you>  say you 
canâ??t run it that way? Also, I think the only > successful way to run it is 
as local system. Or, at least> , that gives you the best chance for success.


Dar> ren


From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gpt> alk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jeremy Saunders
S> ent: Saturday, September 06, 2008 7:56 PM
To: gptalk@fre> elists.org
Subject: [gptalk] Re: Bat File Not Executing.> 


Hi Harry,


You canâ??t just run the scrip> t like that. You need to ensure itâ??s launched 
with cscr> ipt, and use some parameters as well. And furthermore, th> e process 
of deleting profiles may not work by using the > Local System account, which is 
what I believe a Startup s> cript would run as.


om/index.php/blog/2008/07/30/script-to-replace-delprofexe> /


I hope that helps.





From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gpt> alk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Harry Singh
Sent:>  Saturday, 6 September 2008 2:30 AM
To: gptalk@freelists> .org
Subject: [gptalk] Re: Bat File Not Executing.


Thanks for the reply Darren, here goes.

I believe i>  came across a thread here or it could have been somewher> e else, 
that mentioned when applying a GPO to an OU that > consists of only computers, 
it would be best to remove "A> uthenticated Users" and add a Sec group that has 
all the > computers in it. If Authenticated Users is  recommended, > i'll 
gladly revert back.

I don't have fast logon optim> ization disabled -- where would i disable that ?

I'm c> alling the vbs script directly from within the GPO as i w> ould a batch 
file, as demonstrated by the screenshot. I'v> e also attached the script, i 
received courtesy of Joe Sh> onk on the Citrix thinlist.

remove the txt extension a> fter the vbs.

On Fri, Sep 5, 2008 at 2:15 PM, Darren M> ar-Elia <darren@xxxxxxxxxx> wrote:


Just out > of curiosity, if the computers are in their own OU, why a> re you 
using security filtering on top of that? Keep in m> ind that a computer won't 
pick up its new group membershi> p until a reboot, but since you're doing that 
anyway, I s> uspect that is not the issue.


With respect to the>  software installation, have you disabled fast logon opti> 
mization on these machines? If not, then the SI package c> ould take a couple 
of reboots to get picked up. If so, th> en I would check the application event 
log on the machine>  for a event of type "Application Management" as this wil> 
l indicate whether there is some error with the processin> g of the package.


Can you post your VBScript code>  here and also let us know how you're calling 
it? I think>  you said you were calling it from the parameters on a ba> tch 




From: gptalk-bounce@fre> elists.org [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf>  Of Harry Singh
Sent: Friday, September 05, 2008 10:47 A> M

To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Ba> t File Not Executing.


Hi All -

So, i finally h> ave been able to put this GPO into production and have so> 
mething interesting, albeit furstrating.

I placed the > the computers i want this GPO to run against within their>  own 
"Computers" OU. 

 I then created a security group>  and put all these computers within this 
security group
I then removed " Authenticated Users" from the security>  of the GPO and just 
put the above mentioned security gro> up.

I found that the policy does run, as noted in the > attached gpresult log ( 
delprof-test ) is the GPO in ques> tion, but the startup VBS script to delete 
profiles, does>  not run. I also assigned UPH clean but have noticed that>  
didn't install either. These are the only two machine ba> sed settings applied 
on this GPO and neither of them are > running, but the GPO is being executed on 
the machines.
any thoughts ? 

On Thu, Aug 7, 2008 at 5:27 AM, Hutc> hinson, Alan 
<Alan.Hutchinson@xxxxxxxxxxxxxxxxxx> wrote:


As I said I haven't yet tried it (probably s> ometime next week).


As for your second paragraph > - no need to block inheritance; this is exactly 
what loop> back processing  in replace mode achieves.


REgard> s,





From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-boun> ce@xxxxxxxxxxxxx] On 
Behalf Of Harry Singh
Sent: 06 Augu> st 2008 18:40

To: gptalk@xxxxxxxxxxxxx
Subject: [gp> talk] Re: Bat File Not Executing.



i was > just about to post that, since i subscribe to the THIN li> st and came 
across that.

Since it's a VBS script, i un> derstand when you add it to the startup of a 
GPO, there a> re "Script Parameters". I've never leveraged this because> , 
truthfully, i really don't know what would be placed in>  here ? could someone 
provide some insight as to how to p> roperly use that field ?

A&M - as far as loopback proc> essing goes, that makes it much clearer, but i 
still need>  to re-read and implement to fully comprehend. I currentl> y have a 
TS/Citrix environment and am trying to wrap my h> ead around understanding 
applying user settings to the sa> me user but different policies. I suppose if 
i block poli> cy inheritance on the GPO that's assigned to the TS serve> rs ou 
and configure machine and user based settings this > will only apply to users 
who are logging into that server> . 

On Wed, Aug 6, 2008 at 1:12 PM, Hutchinson, Alan <A> 
lan.Hutchinson@xxxxxxxxxxxxxxxxxx> wrote:

I haven't tr> ied it yet but came across this from another freelist whi> ch may 
do what you want when you've sorted script executi> on :





Re> gards,




____________________________> ____

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-> bounce@xxxxxxxxxxxxx] On 
Behalf Of Nelson, Jamie
Sent: 0> 6 August 2008 16:27 

To: gptalk@xxxxxxxxxxxxx
Subje> ct: [gptalk] Re: Bat File Not Executing.


Hmm, yea> h I can see how that is helpful from the teacher's perspe> ctive. If 
I were you I would definitely spend some time t> roubleshooting why the 
profiles are getting corrupted in > the first place. That shouldn't be 


As > far as your script not executing, I recommend starting it>  off with 
something basic just to make sure it is actuall> y executing. A good example 
would be piping the contents > of ipconfig out to a text file on the C: drive 
or somethi> ng.


                ipconfig >%SYSTEMDRIVE%\ipcon> fig.txt


Then go back and verify the file is creat> ed after a reboot. That way you can 
be certain the script>  is actually running. If it is, but the profile is not 
ge> tting deleted, you know you have some kind of logic error>  in the part of 
the script.


From: gptalk-bounce@f> reelists.org [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Beha> lf Of Harry Singh
Sent: Tuesday, August 05, 2008 6:26 PM> 
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Bat Fil> e Not Executing.


I'll be glad to elaborate.

Th> is is a lab environment and we've implemented a combinati> on of mandatory 
profiles and GPO to control User configur> ation settings. Periodically, the 
profile experiences pro> blems and just doesn't load properly. I've ran traces 
to > see if any network connectivity issues exist between the > workstation and 
the server where the profile resides and > , although i see some collisions, i 
don't expect that to > be the sole root cause. Instead of delving more time and 
> resources, we've found by blowing the profile the issues > resolve themselves 
--- and as i mentioned, this doesn't h> appen too frequently, only 
periodically. Now, the lab mac> hines aren't rebooted or turned off nightly, so 
the delet> ing of profiles on reboot is really a way for us or the t> eacher on 
site to delete the profiles "on-demand". I'm su> re there are alternate ways to 
get this done, and i'm all>  ears.

So you're saying i can apply a GPO to an OU tha> t just has computer accounts ?

"To clarify, loopback p> olicy is used when you want user configuration 
policies t> o apply based on where the computer object resides instea> d of the 
user object. " That's still a litte fuzzy to me,>  could you provide an example 
that could help me further > put this confusion function to rest for me ?


On Tue, Aug 5, 2008 at 5:27 PM, Nelson, Jamie <Jamie.Nel> son@xxxxxxx> wrote:

Delprof.exe can't delete a specifi> c user profile, you generally tell it the 
max number of d> ays old a profile can be (from last use) and it will dele> te 
anything older than that. I still don't understand why>  you want to delete it 
on every reboot though. Maybe you > can be kind enough to elaborate?


Actually, you we> re right the first time. For startup scripts to run they > 
must be applied to OUs containing computer objects. You d> on't need loopback 
policy or security filtering for that.>  To clarify, loopback policy is used 
when you want user c> onfiguration policies to apply based on where the 
compute> r object resides instead of the user object.


Hope>  that helps. J


From: gptalk-bounce@xxxxxxxxxxxxx > [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Harry S> ingh
Sent: Tuesday, August 05, 2008 4:13 PM
To: gptalk@> freelists.org
Subject: [gptalk] Re: Bat File Not Executi> ng.



Yes, the script is deleting the doc> uments and setting folder. I agree this 
isn't very clean,>  but  I am having trouble in negotiating the delprof comm> 
and line to delete the profile i want under my specific p> arameters. 
Specifically, i want the profile to be deleted>  upon every reboot, either 
during the shutdown or, prefer> ably, during the startup of the machine. ?

Secondly, i>  believe my problem was i  was applying the GPO to an OU > that 
just had the computer accounts. I realized this can'> t be done, i'd have to 
apply it to the OU containing the > LAB user account ; since only the Computer 
Config is enab> led, the script will execute on whatever machine that use> r 
logs into, correct ? That being said, what should the l> oopback processing 
setting be on this GPO, if there are n> o user configured settings on this GPO 
but others ?

Ju> st to clear up any confusion, if i want machine specific > settings only to 
apply to computer accounts, i need to:
*       Configure the Computer Configuration portion of the G> PO. 
*       Create a Security Group and add the respective co> mputer accounts to 
this group and add it to the permissio> ns of the GPO with the "Apply" GPO 
permission ? 
*       Never>  apply GPO's to OU's that just have computer accounts 
*>      Enable loopback processing on a computer oriented GPO if>  you have any 
USER Confiuration settings in that GPO, oth> erwise just leave it disabled or 
not configured ? 

On Tue, Aug 5, 2008 at 4:57 PM, Nelson, Jamie <Jamie.Ne> lson@xxxxxxx> wrote:

When you say "delete the profile">  are you just trying to delete the profile 
folder under C> :\Documents and Settings? That doesn't truly dump the pro> 
file, as there are still some registry keys that have to > be cleaned up.


On that note, I don't think deleti> ng the profiles on startup is a good 
practice, even if th> ey are for what I assume are temporary lab user 
accounts.>  You're better off creating a scheduled task on the machi> ne to run 
the delprof.exe utility (from the Server Resour> ce Kit) which can delete all 
profiles that have not been > used in a specified number of days. Just my 
opinion thoug> h. You may have valid reason for doing it that way so ple> ase 
don't take offense. J


As far as the script no> t executing is concerned, did you place it in the 
GPO's "> machine\scripts\startup" folder in SYSVOL or somewhere el> se on your 


From: gptalk-bounce@freelists> .org [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Ha> rry Singh
Sent: Tuesday, August 05, 2008 3:21 PM
To: gp> talk@xxxxxxxxxxxxx
Subject: [gptalk] Bat File Not Execut> ing.


All -

I've added a bat file to the startu> p script inside of a GPO, the computer 
configuration part>  of the GPO. The script deletes any profile starting with>  
lab* and is suppose to run when the computer is restarte> d so as to not run 
into any file locks by explorer. Howev> er, the folders are not being deleted 
and when i run a gp> result, the script indicates: " This script has not been > 

any ideas ?

_____________________________> ___

Confidentiality Warning: This message and any atta> chments are intended only 
for the use of the intended rec> ipient(s), are confidential, and may be 
privileged. If yo> u are not the intended recipient, you are hereby notified>  
that any review, retransmission, conversion to hard copy> , copying, 
circulation or other use of all or any portion>  of this message and any 
attachments is strictly prohibit> ed. If you are not the intended recipient, 
please notify > the sender immediately by return e-mail, and delete this > 
message and any attachments from your system. 







Con> fidentiality and Privilege Notice 
This document is inte> nded solely for the named addressee.  The information 
con> tained in the pages is confidential and contains legally > privileged 
information. If you are not the addressee indi> cated in this message (or 
responsible for delivery of the>  message to such person), you may not copy or 
deliver thi> s message to anyone, and you should destroy this message > and 
kindly notify the sender by reply email. Confidential> ity and legal privilege 
are not waived or lost by reason > of mistaken delivery to you.

_________________________> _______


Confidenti> ality and Privilege Notice 
This document is intended so> lely for the named addressee.  The information 
contained > in the pages is confidential and contains legally privile> ged 
information. If you are not the addressee indicated i> n this message (or 
responsible for delivery of the messag> e to such person), you may not copy or 
deliver this messa> ge to anyone, and you should destroy this message and kin> 
dly notify the sender by reply email. Confidentiality and>  legal privilege are 
not waived or lost by reason of mist> aken delivery to you.


Confidentiality and P> rivilege Notice 
This document is intended solely for th> e named addressee.  The information 
contained in the page> s is confidential and contains legally privileged 
informa> tion. If you are not the addressee indicated in this mess> age (or 
responsible for delivery of the message to such p> erson), you may not copy or 
deliver this message to anyon> e, and you should destroy this message and 
kindly notify > the sender by reply email. Confidentiality and legal priv> 
ilege are not waived or lost by reason of mistaken delive> ry to you.
You can unsubscribe from gptalk by sending email to 
gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by 
logging into the freelists.org Web interface. Archives for the list are 
available at http://www.freelists.org/archives/gptalk/

Other related posts: