Hi, You can definitely apply policies to OU's that only contain Computers. In fact that is the mechanism for applying Machine based policies. The machine receives all of the policies that are linked to the OU that the machine belongs to; the user receives all of the policies that are linked to the OU that the User belongs to. Loop back processing is used in the situation where you want the same user to get different User settings when they logon to different machines. For instance, if they log on to a normal workstation, you want the user to get a screen saver. However, when they log on to a Terminal server, you don't want them to get a screen saver. Loopback processing does this by having two different OU's, one that the computer belongs to and one that the User belongs to. In the computer OU you set the machine setting to enable Loop back, and you set the user setting to No screen saver. In the User OU' you set the user setting to use a screen saver. The way it works is that when the user logs on to a normal machine (no loop back processing) he just gets the user profile ( i.e. screen saver). When he logs on to the Terminal server, since loopback is enabled on that machine, he gets his normal User settings applied, then he gets the user policies connected to the Machine OU. This means that the winning setting will be "no Screensaver". This is also commonly used on "kiosk" terminals. You may want the user settings to be much tougher when the user logs on to a kiosk machine than when they log on to a normal machine. Note: Loopback processing has two options "Merge" and "Replace". Merge is what I have described above. Replace is when the user ONLY gets the settings that exist in the User part of the Policies connected to the Machine OU's Note: Security filtering based on the User's groups still operates. You can say Normal users get the restrictive policies on the terminal server, but Administrators do not. Alan Cuthbertson Policy Management Software (Now with ADMX and Preference support):- http://www.sysprosoft.com/index.php?ref=activedir <http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml> &f=pol_summary.shtml ADM Template Editor(Now with ADMX support):- http://www.sysprosoft.com/index.php?ref=activedir <http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml> &f=adm_summary.shtml Policy Log Reporter(Free) http://www.sysprosoft.com/index.php?ref=activedir <http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml> &f=policyreporter.shtml _____ From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Harry Singh Sent: Wednesday, 6 August 2008 9:26 AM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: Bat File Not Executing. I'll be glad to elaborate. This is a lab environment and we've implemented a combination of mandatory profiles and GPO to control User configuration settings. Periodically, the profile experiences problems and just doesn't load properly. I've ran traces to see if any network connectivity issues exist between the workstation and the server where the profile resides and , although i see some collisions, i don't expect that to be the sole root cause. Instead of delving more time and resources, we've found by blowing the profile the issues resolve themselves --- and as i mentioned, this doesn't happen too frequently, only periodically. Now, the lab machines aren't rebooted or turned off nightly, so the deleting of profiles on reboot is really a way for us or the teacher on site to delete the profiles "on-demand". I'm sure there are alternate ways to get this done, and i'm all ears. So you're saying i can apply a GPO to an OU that just has computer accounts ? "To clarify, loopback policy is used when you want user configuration policies to apply based on where the computer object resides instead of the user object. " That's still a litte fuzzy to me, could you provide an example that could help me further put this confusion function to rest for me ? Thanks On Tue, Aug 5, 2008 at 5:27 PM, Nelson, Jamie <Jamie.Nelson@xxxxxxx> wrote: Delprof.exe can't delete a specific user profile, you generally tell it the max number of days old a profile can be (from last use) and it will delete anything older than that. I still don't understand why you want to delete it on every reboot though. Maybe you can be kind enough to elaborate? Actually, you were right the first time. For startup scripts to run they must be applied to OUs containing computer objects. You don't need loopback policy or security filtering for that. To clarify, loopback policy is used when you want user configuration policies to apply based on where the computer object resides instead of the user object. Hope that helps. :-) From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Harry Singh Sent: Tuesday, August 05, 2008 4:13 PM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: Bat File Not Executing. Jamie, Yes, the script is deleting the documents and setting folder. I agree this isn't very clean, but I am having trouble in negotiating the delprof command line to delete the profile i want under my specific parameters. Specifically, i want the profile to be deleted upon every reboot, either during the shutdown or, preferably, during the startup of the machine. ? Secondly, i believe my problem was i was applying the GPO to an OU that just had the computer accounts. I realized this can't be done, i'd have to apply it to the OU containing the LAB user account ; since only the Computer Config is enabled, the script will execute on whatever machine that user logs into, correct ? That being said, what should the loopback processing setting be on this GPO, if there are no user configured settings on this GPO but others ? Just to clear up any confusion, if i want machine specific settings only to apply to computer accounts, i need to: * Configure the Computer Configuration portion of the GPO. * Create a Security Group and add the respective computer accounts to this group and add it to the permissions of the GPO with the "Apply" GPO permission ? * Never apply GPO's to OU's that just have computer accounts * Enable loopback processing on a computer oriented GPO if you have any USER Confiuration settings in that GPO, otherwise just leave it disabled or not configured ? On Tue, Aug 5, 2008 at 4:57 PM, Nelson, Jamie <Jamie.Nelson@xxxxxxx> wrote: When you say "delete the profile" are you just trying to delete the profile folder under C:\Documents and Settings? That doesn't truly dump the profile, as there are still some registry keys that have to be cleaned up. On that note, I don't think deleting the profiles on startup is a good practice, even if they are for what I assume are temporary lab user accounts. You're better off creating a scheduled task on the machine to run the delprof.exe utility (from the Server Resource Kit) which can delete all profiles that have not been used in a specified number of days. Just my opinion though. You may have valid reason for doing it that way so please don't take offense. :-) As far as the script not executing is concerned, did you place it in the GPO's "machine\scripts\startup" folder in SYSVOL or somewhere else on your network? From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Harry Singh Sent: Tuesday, August 05, 2008 3:21 PM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Bat File Not Executing. All - I've added a bat file to the startup script inside of a GPO, the computer configuration part of the GPO. The script deletes any profile starting with lab* and is suppose to run when the computer is restarted so as to not run into any file locks by explorer. However, the folders are not being deleted and when i run a gpresult, the script indicates: " This script has not been executed" any ideas ? _____ Confidentiality Warning: This message and any attachments are intended only for the use of the intended recipient(s), are confidential, and may be privileged. If you are not the intended recipient, you are hereby notified that any review, retransmission, conversion to hard copy, copying, circulation or other use of all or any portion of this message and any attachments is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return e-mail, and delete this message and any attachments from your system.