The reason I questioned it is that LocalSystem does indeed have access to network resources (despite what that KB said) and I'm not sure why it would even matter, since all of the profile resources being managed are local. Anyway, as long as it works :) Darren -----Original message----- From: "Jeremy Saunders" Jeremy.Saunders@xxxxxxxxxxxxxx Date: Mon, 8 Sep 2008 11:04:16 -0400 To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: Bat File Not Executing. > Np Darrenâ?¦Same issue with Win2K and Win2K3. Trust meâ?¦> I do lots of > Citrix deployments, and up until recently ha> ve always used delprof.exe. Cheers, Jeremy. > From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bo> unce@xxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia Sent: M> onday, 8 September 2008 9:39 PM To: gptalk@xxxxxxxxxxxxx> Subject: [gptalk] Re: Bat File Not Executing. T> hanks for the background Jeremy. Totally makes sense and > yes, a scheduled task is a good approach. As for that KB,> it says it applies to NT 4 so I would be very surprised > if it really was a problem, but perhaps. Darren > From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-b> ounce@xxxxxxxxxxxxx] On Behalf Of Jeremy Saunders Sent: > Monday, September 08, 2008 1:12 AM To: gptalk@freelists.> org Subject: [gptalk] Re: Bat File Not Executing. > Hi Darren, I guess there are two parts to this > and I probably should have been clearer with my answer. M> y answer was aimed at this specific task, not a general a> nswer. Personally I would always want to ensure t> hat these vbscripts run silently using cscript.exe, and o> utput to a log file for review as needed. In many environ> ment Cscript.exe is not always the default script host, a> nd running this script without parameters doesnâ??t give > you the logging you need. You are correct. The Lo> cal System account may suffice for this script. As someon> e who has migrated from using delprof.exe to this new del> eteprofiles.vbs, I had just assumed that http://support.m> icrosoft.com/kb/262223 would still apply, so I have not c> hanged the way I am deploying it. Needs further testing t> hough. However, as per my blog, my method of depl> oyment works 100%, and will process everyday regardless o> f a reboot. I believe the use of a scheduled task is more> appropriate than a startup script in this case, unless H> arry is restarting his Citrix servers every day. > Cheers. Jeremy. From: gptalk-bounce@freelists.> org [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Dar> ren Mar-Elia Sent: Monday, 8 September 2008 8:42 AM To:> gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: Bat File Not> Executing. Jeremy- Actually, you can simply s> pecify a script like that and WSH will use the default sc> ript host (wscript or cscript) to run it. Curious why you> say you canâ??t run it that way? Also, I think the only > successful way to run it is as local system. Or, at least> , that gives you the best chance for success. Dar> ren From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gpt> alk-bounce@xxxxxxxxxxxxx] On Behalf Of Jeremy Saunders S> ent: Saturday, September 06, 2008 7:56 PM To: gptalk@fre> elists.org Subject: [gptalk] Re: Bat File Not Executing.> Hi Harry, You canâ??t just run the scrip> t like that. You need to ensure itâ??s launched with cscr> ipt, and use some parameters as well. And furthermore, th> e process of deleting profiles may not work by using the > Local System account, which is what I believe a Startup s> cript would run as. http://www.jhouseconsulting.c> om/index.php/blog/2008/07/30/script-to-replace-delprofexe> / I hope that helps. Cheers, Jeremy. > From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gpt> alk-bounce@xxxxxxxxxxxxx] On Behalf Of Harry Singh Sent:> Saturday, 6 September 2008 2:30 AM To: gptalk@freelists> .org Subject: [gptalk] Re: Bat File Not Executing. > Thanks for the reply Darren, here goes. I believe i> came across a thread here or it could have been somewher> e else, that mentioned when applying a GPO to an OU that > consists of only computers, it would be best to remove "A> uthenticated Users" and add a Sec group that has all the > computers in it. If Authenticated Users is recommended, > i'll gladly revert back. I don't have fast logon optim> ization disabled -- where would i disable that ? I'm c> alling the vbs script directly from within the GPO as i w> ould a batch file, as demonstrated by the screenshot. I'v> e also attached the script, i received courtesy of Joe Sh> onk on the Citrix thinlist. remove the txt extension a> fter the vbs. On Fri, Sep 5, 2008 at 2:15 PM, Darren M> ar-Elia <darren@xxxxxxxxxx> wrote: Harry- Just out > of curiosity, if the computers are in their own OU, why a> re you using security filtering on top of that? Keep in m> ind that a computer won't pick up its new group membershi> p until a reboot, but since you're doing that anyway, I s> uspect that is not the issue. With respect to the> software installation, have you disabled fast logon opti> mization on these machines? If not, then the SI package c> ould take a couple of reboots to get picked up. If so, th> en I would check the application event log on the machine> for a event of type "Application Management" as this wil> l indicate whether there is some error with the processin> g of the package. Can you post your VBScript code> here and also let us know how you're calling it? I think> you said you were calling it from the parameters on a ba> tch file? Darren From: gptalk-bounce@fre> elists.org [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf> Of Harry Singh Sent: Friday, September 05, 2008 10:47 A> M To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: Ba> t File Not Executing. Hi All - So, i finally h> ave been able to put this GPO into production and have so> mething interesting, albeit furstrating. I placed the > the computers i want this GPO to run against within their> own "Computers" OU. I then created a security group> and put all these computers within this security group > I then removed " Authenticated Users" from the security> of the GPO and just put the above mentioned security gro> up. I found that the policy does run, as noted in the > attached gpresult log ( delprof-test ) is the GPO in ques> tion, but the startup VBS script to delete profiles, does> not run. I also assigned UPH clean but have noticed that> didn't install either. These are the only two machine ba> sed settings applied on this GPO and neither of them are > running, but the GPO is being executed on the machines. > any thoughts ? On Thu, Aug 7, 2008 at 5:27 AM, Hutc> hinson, Alan <Alan.Hutchinson@xxxxxxxxxxxxxxxxxx> wrote: > Harry, As I said I haven't yet tried it (probably s> ometime next week). As for your second paragraph > - no need to block inheritance; this is exactly what loop> back processing in replace mode achieves. REgard> s, Alan. ________________________________> From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-boun> ce@xxxxxxxxxxxxx] On Behalf Of Harry Singh Sent: 06 Augu> st 2008 18:40 To: gptalk@xxxxxxxxxxxxx Subject: [gp> talk] Re: Bat File Not Executing. Alan, i was > just about to post that, since i subscribe to the THIN li> st and came across that. Since it's a VBS script, i un> derstand when you add it to the startup of a GPO, there a> re "Script Parameters". I've never leveraged this because> , truthfully, i really don't know what would be placed in> here ? could someone provide some insight as to how to p> roperly use that field ? A&M - as far as loopback proc> essing goes, that makes it much clearer, but i still need> to re-read and implement to fully comprehend. I currentl> y have a TS/Citrix environment and am trying to wrap my h> ead around understanding applying user settings to the sa> me user but different policies. I suppose if i block poli> cy inheritance on the GPO that's assigned to the TS serve> rs ou and configure machine and user based settings this > will only apply to users who are logging into that server> . On Wed, Aug 6, 2008 at 1:12 PM, Hutchinson, Alan <A> lan.Hutchinson@xxxxxxxxxxxxxxxxxx> wrote: I haven't tr> ied it yet but came across this from another freelist whi> ch may do what you want when you've sorted script executi> on : http://www.theshonkproject.com/index.ph> p?option=com_content&task=view&id=27&Itemid=31 Re> gards, Alan. ____________________________> ____ From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-> bounce@xxxxxxxxxxxxx] On Behalf Of Nelson, Jamie Sent: 0> 6 August 2008 16:27 To: gptalk@xxxxxxxxxxxxx Subje> ct: [gptalk] Re: Bat File Not Executing. Hmm, yea> h I can see how that is helpful from the teacher's perspe> ctive. If I were you I would definitely spend some time t> roubleshooting why the profiles are getting corrupted in > the first place. That shouldn't be happening. As > far as your script not executing, I recommend starting it> off with something basic just to make sure it is actuall> y executing. A good example would be piping the contents > of ipconfig out to a text file on the C: drive or somethi> ng. ipconfig >%SYSTEMDRIVE%\ipcon> fig.txt Then go back and verify the file is creat> ed after a reboot. That way you can be certain the script> is actually running. If it is, but the profile is not ge> tting deleted, you know you have some kind of logic error> in the part of the script. From: gptalk-bounce@f> reelists.org [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Beha> lf Of Harry Singh Sent: Tuesday, August 05, 2008 6:26 PM> To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: Bat Fil> e Not Executing. I'll be glad to elaborate. Th> is is a lab environment and we've implemented a combinati> on of mandatory profiles and GPO to control User configur> ation settings. Periodically, the profile experiences pro> blems and just doesn't load properly. I've ran traces to > see if any network connectivity issues exist between the > workstation and the server where the profile resides and > , although i see some collisions, i don't expect that to > be the sole root cause. Instead of delving more time and > resources, we've found by blowing the profile the issues > resolve themselves --- and as i mentioned, this doesn't h> appen too frequently, only periodically. Now, the lab mac> hines aren't rebooted or turned off nightly, so the delet> ing of profiles on reboot is really a way for us or the t> eacher on site to delete the profiles "on-demand". I'm su> re there are alternate ways to get this done, and i'm all> ears. So you're saying i can apply a GPO to an OU tha> t just has computer accounts ? "To clarify, loopback p> olicy is used when you want user configuration policies t> o apply based on where the computer object resides instea> d of the user object. " That's still a litte fuzzy to me,> could you provide an example that could help me further > put this confusion function to rest for me ? Thanks > On Tue, Aug 5, 2008 at 5:27 PM, Nelson, Jamie <Jamie.Nel> son@xxxxxxx> wrote: Delprof.exe can't delete a specifi> c user profile, you generally tell it the max number of d> ays old a profile can be (from last use) and it will dele> te anything older than that. I still don't understand why> you want to delete it on every reboot though. Maybe you > can be kind enough to elaborate? Actually, you we> re right the first time. For startup scripts to run they > must be applied to OUs containing computer objects. You d> on't need loopback policy or security filtering for that.> To clarify, loopback policy is used when you want user c> onfiguration policies to apply based on where the compute> r object resides instead of the user object. Hope> that helps. J From: gptalk-bounce@xxxxxxxxxxxxx > [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Harry S> ingh Sent: Tuesday, August 05, 2008 4:13 PM To: gptalk@> freelists.org Subject: [gptalk] Re: Bat File Not Executi> ng. Jamie, Yes, the script is deleting the doc> uments and setting folder. I agree this isn't very clean,> but I am having trouble in negotiating the delprof comm> and line to delete the profile i want under my specific p> arameters. Specifically, i want the profile to be deleted> upon every reboot, either during the shutdown or, prefer> ably, during the startup of the machine. ? Secondly, i> believe my problem was i was applying the GPO to an OU > that just had the computer accounts. I realized this can'> t be done, i'd have to apply it to the OU containing the > LAB user account ; since only the Computer Config is enab> led, the script will execute on whatever machine that use> r logs into, correct ? That being said, what should the l> oopback processing setting be on this GPO, if there are n> o user configured settings on this GPO but others ? Ju> st to clear up any confusion, if i want machine specific > settings only to apply to computer accounts, i need to: > * Configure the Computer Configuration portion of the G> PO. * Create a Security Group and add the respective co> mputer accounts to this group and add it to the permissio> ns of the GPO with the "Apply" GPO permission ? * Never> apply GPO's to OU's that just have computer accounts *> Enable loopback processing on a computer oriented GPO if> you have any USER Confiuration settings in that GPO, oth> erwise just leave it disabled or not configured ? > On Tue, Aug 5, 2008 at 4:57 PM, Nelson, Jamie <Jamie.Ne> lson@xxxxxxx> wrote: When you say "delete the profile"> are you just trying to delete the profile folder under C> :\Documents and Settings? That doesn't truly dump the pro> file, as there are still some registry keys that have to > be cleaned up. On that note, I don't think deleti> ng the profiles on startup is a good practice, even if th> ey are for what I assume are temporary lab user accounts.> You're better off creating a scheduled task on the machi> ne to run the delprof.exe utility (from the Server Resour> ce Kit) which can delete all profiles that have not been > used in a specified number of days. Just my opinion thoug> h. You may have valid reason for doing it that way so ple> ase don't take offense. J As far as the script no> t executing is concerned, did you place it in the GPO's "> machine\scripts\startup" folder in SYSVOL or somewhere el> se on your network? From: gptalk-bounce@freelists> .org [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Ha> rry Singh Sent: Tuesday, August 05, 2008 3:21 PM To: gp> talk@xxxxxxxxxxxxx Subject: [gptalk] Bat File Not Execut> ing. All - I've added a bat file to the startu> p script inside of a GPO, the computer configuration part> of the GPO. The script deletes any profile starting with> lab* and is suppose to run when the computer is restarte> d so as to not run into any file locks by explorer. Howev> er, the folders are not being deleted and when i run a gp> result, the script indicates: " This script has not been > executed" any ideas ? _____________________________> ___ Confidentiality Warning: This message and any atta> chments are intended only for the use of the intended rec> ipient(s), are confidential, and may be privileged. If yo> u are not the intended recipient, you are hereby notified> that any review, retransmission, conversion to hard copy> , copying, circulation or other use of all or any portion> of this message and any attachments is strictly prohibit> ed. If you are not the intended recipient, please notify > the sender immediately by return e-mail, and delete this > message and any attachments from your system. > ________________________________ Con> fidentiality and Privilege Notice This document is inte> nded solely for the named addressee. The information con> tained in the pages is confidential and contains legally > privileged information. If you are not the addressee indi> cated in this message (or responsible for delivery of the> message to such person), you may not copy or deliver thi> s message to anyone, and you should destroy this message > and kindly notify the sender by reply email. Confidential> ity and legal privilege are not waived or lost by reason > of mistaken delivery to you. _________________________> _______ ________________________________ Confidenti> ality and Privilege Notice This document is intended so> lely for the named addressee. The information contained > in the pages is confidential and contains legally privile> ged information. If you are not the addressee indicated i> n this message (or responsible for delivery of the messag> e to such person), you may not copy or deliver this messa> ge to anyone, and you should destroy this message and kin> dly notify the sender by reply email. Confidentiality and> legal privilege are not waived or lost by reason of mist> aken delivery to you. ________________________________> ###################################################> ################################## Confidentiality and P> rivilege Notice This document is intended solely for th> e named addressee. The information contained in the page> s is confidential and contains legally privileged informa> tion. If you are not the addressee indicated in this mess> age (or responsible for delivery of the message to such p> erson), you may not copy or deliver this message to anyon> e, and you should destroy this message and kindly notify > the sender by reply email. Confidentiality and legal priv> ilege are not waived or lost by reason of mistaken delive> ry to you. #############################################> ######################################## > *********************** You can unsubscribe from gptalk by sending email to gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by logging into the freelists.org Web interface. Archives for the list are available at //www.freelists.org/archives/gptalk/ ************************