Jeremy - That's a great idea and code..thank you very much. On Mon, Sep 8, 2008 at 12:34 PM, Nelson, Jamie <Jamie.Nelson@xxxxxxx> wrote: > …Or you can create the scheduled task with the GPP extensions… J > > > > *Jamie Nelson* | Operations Consultant | BI&T Infrastructure-Intel | *Devon > Energy Corporation* | Work: 405.552.8054 | Mobile: 405.200.8088 | > http://www.dvn.com > > > > *From:* gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] *On > Behalf Of *Jeremy Saunders > *Sent:* Monday, September 08, 2008 10:22 AM > *To:* gptalk@xxxxxxxxxxxxx > *Subject:* [gptalk] Re: Bat File Not Executing. > > > > Hi Harry, > > > > Just use psexec to role it out across all machines. > > > > ---------start of script------------- > > set LISTFILE=computerlist.txt > > Set DRIVE=C > > for /F %%i in (%LISTFILE%) do ( > > copy /y "DeleteProfiles.cmd" "\\%%i\%DRIVE%$\Windows\DeleteProfiles.cmd" > > copy /y "DeleteProfiles.vbs" "\\%%i\%DRIVE%$\Windows\DeleteProfiles.vbs" > > psexec.exe \\%%i cmd.exe /c SCHTASKS /Create /TN "Delete inactive profiles" > /RU "NT AUTHORITY\SYSTEM" /ST 02:30 /SC Daily /F /TR > "%SystemRoot%\DeleteProfiles.cmd" > > ) > > Exit /b 0 > > ----------end of script----------- > > > > Note: You may need to modify this script for your environment. > > > > Create a computerlists.txt file that contains all 20 machines. > > Place the above batch script, computerlists.txt, DeleteProfiles.cmd, > DeleteProfiles.vbs, and psexec.exe in the same folder. > > Execute the batch script. > > > > It's that simple. > > > > Cheers, > > Jeremy. > > > > *From:* gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] *On > Behalf Of *Harry Singh > *Sent:* Monday, 8 September 2008 9:33 PM > > *To:* gptalk@xxxxxxxxxxxxx > *Subject:* [gptalk] Re: Bat File Not Executing. > > > > Hey Guys, > > Thanks for the feedback. > > Jeremy -- I realized that cscript needed to be ran after you're > suggestion.. > > i created a batch file that calls this VBS script and I placed the VBS > script within the NETLOGON of the DC. So the batch file looks something like > this: > > @echo off > > cscript.exe \\domaincontroller\NETLOGON\deleteprofiles.vbs > > I haven't tested if this is working yet. > > I do agree and i might just have to use this as a scheduled task, but i'm > trying to have this script run on over 20 machines and was hoping not to > manually visit each machine to add this to scheduled task. > > On Mon, Sep 8, 2008 at 4:12 AM, Jeremy Saunders < > Jeremy.Saunders@xxxxxxxxxxxxxx> wrote: > > Hi Darren, > > > > I guess there are two parts to this and I probably should have been clearer > with my answer. My answer was aimed at this specific task, not a general > answer. > > > > Personally I would always want to ensure that these vbscripts run silently > using cscript.exe, and output to a log file for review as needed. In many > environment Cscript.exe is not always the default script host, and running > this script without parameters doesn't give you the logging you need. > > > > You are correct. The Local System account may suffice for this script. As > someone who has migrated from using delprof.exe to this new > deleteprofiles.vbs, I had just assumed that > http://support.microsoft.com/kb/262223 would still apply, so I have not > changed the way I am deploying it. Needs further testing though. > > > > However, as per my blog, my method of deployment works 100%, and will > process everyday regardless of a reboot. I believe the use of a scheduled > task is more appropriate than a startup script in this case, unless Harry is > restarting his Citrix servers every day. > > > > Cheers. > > Jeremy. > > > > *From:* gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] *On > Behalf Of *Darren Mar-Elia > *Sent:* Monday, 8 September 2008 8:42 AM > > > *To:* gptalk@xxxxxxxxxxxxx > *Subject:* [gptalk] Re: Bat File Not Executing. > > > > Jeremy- > > Actually, you can simply specify a script like that and WSH will use the > default script host (wscript or cscript) to run it. Curious why you say you > can't run it that way? Also, I think the only successful way to run it is as > local system. Or, at least, that gives you the best chance for success. > > > > Darren > > > > *From:* gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] *On > Behalf Of *Jeremy Saunders > *Sent:* Saturday, September 06, 2008 7:56 PM > *To:* gptalk@xxxxxxxxxxxxx > *Subject:* [gptalk] Re: Bat File Not Executing. > > > > Hi Harry, > > > > You can't just run the script like that. You need to ensure it's launched > with cscript, and use some parameters as well. And furthermore, the process > of deleting profiles may not work by using the Local System account, which > is what I believe a Startup script would run as. > > > > > http://www.jhouseconsulting.com/index.php/blog/2008/07/30/script-to-replace-delprofexe/ > > > > I hope that helps. > > > > Cheers, > > Jeremy. > > > > > > *From:* gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] *On > Behalf Of *Harry Singh > *Sent:* Saturday, 6 September 2008 2:30 AM > *To:* gptalk@xxxxxxxxxxxxx > *Subject:* [gptalk] Re: Bat File Not Executing. > > > > Thanks for the reply Darren, here goes. > > I believe i came across a thread here or it could have been somewhere else, > that mentioned when applying a GPO to an OU that consists of only computers, > it would be best to remove "Authenticated Users" and add a Sec group that > has all the computers in it. If Authenticated Users is recommended, i'll > gladly revert back. > > I don't have fast logon optimization disabled -- where would i disable that > ? > > I'm calling the vbs script directly from within the GPO as i would a batch > file, as demonstrated by the screenshot. I've also attached the script, i > received courtesy of Joe Shonk on the Citrix thinlist. > > remove the txt extension after the vbs. > > On Fri, Sep 5, 2008 at 2:15 PM, Darren Mar-Elia <darren@xxxxxxxxxx> wrote: > > Harry- > > Just out of curiosity, if the computers are in their own OU, why are you > using security filtering on top of that? Keep in mind that a computer won't > pick up its new group membership until a reboot, but since you're doing that > anyway, I suspect that is not the issue. > > > > With respect to the software installation, have you disabled fast logon > optimization on these machines? If not, then the SI package could take a > couple of reboots to get picked up. If so, then I would check the > application event log on the machine for a event of type "Application > Management" as this will indicate whether there is some error with the > processing of the package. > > > > Can you post your VBScript code here and also let us know how you're > calling it? I think you said you were calling it from the parameters on a > batch file? > > > > Darren > > > > *From:* gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] *On > Behalf Of *Harry Singh > *Sent:* Friday, September 05, 2008 10:47 AM > > > *To:* gptalk@xxxxxxxxxxxxx > *Subject:* [gptalk] Re: Bat File Not Executing. > > > > Hi All - > > So, i finally have been able to put this GPO into production and have > something interesting, albeit furstrating. > > I placed the the computers i want this GPO to run against within their own > "Computers" OU. > > I then created a security group and put all these computers within this > security group > > I then removed " Authenticated Users" from the security of the GPO and just > put the above mentioned security group. > > I found that the policy does run, as noted in the attached gpresult log ( > delprof-test ) is the GPO in question, but the startup VBS script to delete > profiles, does not run. I also assigned UPH clean but have noticed that > didn't install either. These are the only two machine based settings applied > on this GPO and neither of them are running, but the GPO is being executed > on the machines. > > any thoughts ? > > On Thu, Aug 7, 2008 at 5:27 AM, Hutchinson, Alan < > Alan.Hutchinson@xxxxxxxxxxxxxxxxxx> wrote: > > Harry, > > As I said I haven't yet tried it (probably sometime next week). > > > > As for your second paragraph - no need to block inheritance; this is > exactly what loopback processing in replace mode achieves. > > > > REgards, > > > > Alan. > > > ------------------------------ > > *From:* gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] *On > Behalf Of *Harry Singh > *Sent:* 06 August 2008 18:40 > > > *To:* gptalk@xxxxxxxxxxxxx > *Subject:* [gptalk] Re: Bat File Not Executing. > > > > Alan, > > i was just about to post that, since i subscribe to the THIN list and came > across that. > > Since it's a VBS script, i understand when you add it to the startup of a > GPO, there are "Script Parameters". I've never leveraged this because, > truthfully, i really don't know what would be placed in here ? could someone > provide some insight as to how to properly use that field ? > > A&M - as far as loopback processing goes, that makes it much clearer, but i > still need to re-read and implement to fully comprehend. I currently have a > TS/Citrix environment and am trying to wrap my head around understanding > applying user settings to the same user but different policies. I suppose if > i block policy inheritance on the GPO that's assigned to the TS servers ou > and configure machine and user based settings this will only apply to users > who are logging into that server. > > On Wed, Aug 6, 2008 at 1:12 PM, Hutchinson, Alan < > Alan.Hutchinson@xxxxxxxxxxxxxxxxxx> wrote: > > I haven't tried it yet but came across this from another freelist which may > do what you want when you've sorted script execution : > > > > > > > http://www.theshonkproject.com/index.php?option=com_content&task=view&id=27&Itemid=31 > > > > Regards, > > > > Alan. > > > ------------------------------ > > *From:* gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] *On > Behalf Of *Nelson, Jamie > *Sent:* 06 August 2008 16:27 > > > *To:* gptalk@xxxxxxxxxxxxx > *Subject:* [gptalk] Re: Bat File Not Executing. > > > > Hmm, yeah I can see how that is helpful from the teacher's perspective. If > I were you I would definitely spend some time troubleshooting why the > profiles are getting corrupted in the first place. That shouldn't be > happening. > > > > As far as your script not executing, I recommend starting it off with > something basic just to make sure it is actually executing. A good example > would be piping the contents of ipconfig out to a text file on the C: drive > or something. > > > > ipconfig >%SYSTEMDRIVE%\ipconfig.txt > > > > Then go back and verify the file is created after a reboot. That way you > can be certain the script is actually running. If it is, but the profile is > not getting deleted, you know you have some kind of logic error in the part > of the script. > > > > *From:* gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] *On > Behalf Of *Harry Singh > *Sent:* Tuesday, August 05, 2008 6:26 PM > *To:* gptalk@xxxxxxxxxxxxx > *Subject:* [gptalk] Re: Bat File Not Executing. > > > > I'll be glad to elaborate. > > This is a lab environment and we've implemented a combination of mandatory > profiles and GPO to control User configuration settings. Periodically, the > profile experiences problems and just doesn't load properly. I've ran traces > to see if any network connectivity issues exist between the workstation and > the server where the profile resides and , although i see some collisions, i > don't expect that to be the sole root cause. Instead of delving more time > and resources, we've found by blowing the profile the issues resolve > themselves --- and as i mentioned, this doesn't happen too frequently, only > periodically. Now, the lab machines aren't rebooted or turned off nightly, > so the deleting of profiles on reboot is really a way for us or the teacher > on site to delete the profiles "on-demand". I'm sure there are alternate > ways to get this done, and i'm all ears. > > So you're saying i can apply a GPO to an OU that just has computer accounts > ? > > "To clarify, loopback policy is used when you want user configuration > policies to apply based on where the computer object resides instead of the > user object. " That's still a litte fuzzy to me, could you provide an > example that could help me further put this confusion function to rest for > me ? > > Thanks > > On Tue, Aug 5, 2008 at 5:27 PM, Nelson, Jamie <Jamie.Nelson@xxxxxxx> > wrote: > > Delprof.exe can't delete a specific user profile, you generally tell it the > max number of days old a profile can be (from last use) and it will delete > anything older than that. I still don't understand why you want to delete it > on every reboot though. Maybe you can be kind enough to elaborate? > > > > Actually, you were right the first time. For startup scripts to run they > must be applied to OUs containing computer objects. You don't need loopback > policy or security filtering for that. To clarify, loopback policy is used > when you want user configuration policies to apply based on where the > computer object resides instead of the user object. > > > > Hope that helps. J > > > > *From:* gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] *On > Behalf Of *Harry Singh > *Sent:* Tuesday, August 05, 2008 4:13 PM > *To:* gptalk@xxxxxxxxxxxxx > *Subject:* [gptalk] Re: Bat File Not Executing. > > > > Jamie, > > Yes, the script is deleting the documents and setting folder. I agree this > isn't very clean, but I am having trouble in negotiating the delprof > command line to delete the profile i want under my specific parameters. > Specifically, i want the profile to be deleted upon every reboot, either > during the shutdown or, preferably, during the startup of the machine. ? > > Secondly, i believe my problem was i was applying the GPO to an OU that > just had the computer accounts. I realized this can't be done, i'd have to > apply it to the OU containing the LAB user account ; since only the Computer > Config is enabled, the script will execute on whatever machine that user > logs into, correct ? That being said, what should the loopback processing > setting be on this GPO, if there are no user configured settings on this GPO > but others ? > > Just to clear up any confusion, if i want machine specific settings only to > apply to computer accounts, i need to: > > - Configure the Computer Configuration portion of the GPO. > - Create a Security Group and add the respective computer accounts to > this group and add it to the permissions of the GPO with the "Apply" GPO > permission ? > - Never apply GPO's to OU's that just have computer accounts > - Enable loopback processing on a computer oriented GPO if you have any > USER Confiuration settings in that GPO, otherwise just leave it disabled or > not configured ? > > > > On Tue, Aug 5, 2008 at 4:57 PM, Nelson, Jamie <Jamie.Nelson@xxxxxxx> > wrote: > > When you say "delete the profile" are you just trying to delete the profile > folder under C:\Documents and Settings? That doesn't truly dump the profile, > as there are still some registry keys that have to be cleaned up. > > > > On that note, I don't think deleting the profiles on startup is a good > practice, even if they are for what I assume are temporary lab user > accounts. You're better off creating a scheduled task on the machine to run > the delprof.exe utility (from the Server Resource Kit) which can delete all > profiles that have not been used in a specified number of days. Just my > opinion though. You may have valid reason for doing it that way so please > don't take offense. J > > > > As far as the script not executing is concerned, did you place it in the > GPO's "machine\scripts\startup" folder in SYSVOL or somewhere else on your > network? > > > > *From:* gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] *On > Behalf Of *Harry Singh > *Sent:* Tuesday, August 05, 2008 3:21 PM > *To:* gptalk@xxxxxxxxxxxxx > *Subject:* [gptalk] Bat File Not Executing. > > > > All - > > I've added a bat file to the startup script inside of a GPO, the computer > configuration part of the GPO. The script deletes any profile starting with > lab* and is suppose to run when the computer is restarted so as to not run > into any file locks by explorer. However, the folders are not being deleted > and when i run a gpresult, the script indicates: " This script has not been > executed" > > any ideas ? > * > ------------------------------ > * > > *Confidentiality Warning:* This message and any attachments are intended > only for the use of the intended recipient(s), are confidential, and may be > privileged. If you are not the intended recipient, you are hereby notified > that any review, retransmission, conversion to hard copy, copying, > circulation or other use of all or any portion of this message and any > attachments is strictly prohibited. If you are not the intended recipient, > please notify the sender immediately by return e-mail, and delete this > message and any attachments from your system. > > > > > > > > > > > ------------------------------ > > *Confidentiality and Privilege Notice > *This document is intended solely for the named addressee. The > information contained in the pages is confidential and contains legally > privileged information. If you are not the addressee indicated in this > message (or responsible for delivery of the message to such person), you may > not copy or deliver this message to anyone, and you should destroy this > message and kindly notify the sender by reply email. Confidentiality and > legal privilege are not waived or lost by reason of mistaken delivery to > you. > ------------------------------ > ------------------------------ > > *Confidentiality and Privilege Notice > *This document is intended solely for the named addressee. The > information contained in the pages is confidential and contains legally > privileged information. If you are not the addressee indicated in this > message (or responsible for delivery of the message to such person), you may > not copy or deliver this message to anyone, and you should destroy this > message and kindly notify the sender by reply email. Confidentiality and > legal privilege are not waived or lost by reason of mistaken delivery to > you. > ------------------------------ > > > ------------------------------ > > *Confidentiality and Privilege Notice ** > *This document is intended solely for the named addressee. The > information contained in the pages is confidential and contains legally > privileged information. If you are not the addressee indicated in this > message (or responsible for delivery of the message to such person), you may > not copy or deliver this message to anyone, and you should destroy this > message and kindly notify the sender by reply email. Confidentiality and > legal privilege are not waived or lost by reason of mistaken delivery to > you. > ------------------------------ >