[gptalk] Re: Bat File Not Executing.

  • From: "Alan & Margaret" <syspro@xxxxxxxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Wed, 6 Aug 2008 16:24:28 +1000

Hi,

 

You can definitely apply policies to OUs that only contain Computers. In
fact that is the mechanism for applying machine-based policies. The machine
receives all of the policies that are linked to the OU that the machine
belongs to; the user receives all of the policies that are linked to the OU
that the User belongs to. 

 

Loopback processing is used in the situation where you want the same user
to get different User settings when they log on to different machines.

 

For instance, if they log on to a normal workstation, you want the user to
get a screen saver. However, when they log on to a Terminal server, you
don't want them to get a screen saver. Loopback processing does this by
having two different OUs, one that the computer belongs to and one that the
User belongs to. In the computer OU you set the machine setting to enable
loopback, and you set the user setting to No screen saver. In the User OU
you set the user setting to use a screen saver.

 

The way it works is that when the user logs on to a normal machine (no
loopback processing) he just gets the user profile (i.e. screen saver). When he
logs on to the Terminal server, since loopback is enabled on that machine,
he gets his normal User settings applied, then he gets the user policies
connected to the Machine OU. This means that the winning setting will be "no
Screensaver".

 

This is also commonly used on "kiosk" terminals. You may want the user
settings to be much tougher when the user logs on to a kiosk machine than
when they log on to a normal machine.

 

Note: Loopback processing has two options, "Merge" and "Replace". Merge is
what I have described above. Replace is when the user ONLY gets the settings
that exist in the User part of the Policies connected to the Machine OUs.

 

Note: Security filtering based on the User's groups still operates. You can
say Normal users get the restrictive policies on the terminal server, but
Administrators do not.

 

 

Alan Cuthbertson

 

 

Policy Management Software (Now with ADMX and Preference support):
http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml

ADM Template Editor (Now with ADMX support):
http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml

Policy Log Reporter (Free):
http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml
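
The resolution order described in the message above, modelled as an added example (not part of the original thread and not Windows' own implementation). The GPO names, setting keys, group names and the simple deny-based security filter are all constructed for illustration.

```python
# Added example: a toy model of user-side GPO resolution, not Windows code.
# OU contents, GPO names, setting keys and group names are constructed.
from dataclasses import dataclass

@dataclass
class GPO:
    name: str
    user_settings: dict                      # "User Configuration" half only
    deny: frozenset = frozenset()            # groups denied "Apply Group Policy"

    def applies_to(self, groups):
        # Security filtering is evaluated against the logging-on USER's groups,
        # even for GPOs reached through the computer's OU.
        return not (set(groups) & self.deny)

def effective_user_settings(user_ou_gpos, computer_ou_gpos, loopback, groups):
    """Return {setting: (value, winning GPO name)} for one logon.

    loopback: None (disabled), "merge" or "replace".
    """
    if loopback is None:
        order = list(user_ou_gpos)
    elif loopback == "merge":
        # User-OU GPOs first, computer-OU GPOs last, so the latter win conflicts.
        order = list(user_ou_gpos) + list(computer_ou_gpos)
    elif loopback == "replace":
        order = list(computer_ou_gpos)
    else:
        raise ValueError(f"unknown loopback mode: {loopback!r}")
    result = {}
    for gpo in order:
        if gpo.applies_to(groups):
            for key, value in gpo.user_settings.items():
                result[key] = (value, gpo.name)   # later GPO overwrites earlier
    return result

# Constructed sample data for the screen saver scenario.
USER_OU = [GPO("Staff Desktop", {"screen_saver": "on", "wallpaper": "corp"})]
TS_OU = [GPO("TS Lockdown", {"screen_saver": "off"},
             deny=frozenset({"Administrators"}))]

if __name__ == "__main__":
    for mode in (None, "merge", "replace"):
        for groups in (["Staff"], ["Staff", "Administrators"]):
            print(mode, groups,
                  effective_user_settings(USER_OU, TS_OU, mode, groups))
```

Running it prints the winning value and source GPO for each loopback mode, once for an ordinary user and once for a member of the filtered-out Administrators group.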

 

 

 

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Harry Singh
Sent: Wednesday, 6 August 2008 9:26 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Bat File Not Executing.

 

I'll be glad to elaborate.

This is a lab environment and we've implemented a combination of mandatory
profiles and GPO to control User configuration settings. Periodically, the
profile experiences problems and just doesn't load properly. I've run traces
to see if any network connectivity issues exist between the workstation and
the server where the profile resides and, although I see some collisions, I
don't expect that to be the sole root cause. Instead of delving more time
and resources, we've found by blowing the profile the issues resolve
themselves --- and as I mentioned, this doesn't happen too frequently, only
periodically. Now, the lab machines aren't rebooted or turned off nightly,
so the deleting of profiles on reboot is really a way for us or the teacher
on site to delete the profiles "on-demand". I'm sure there are alternate
ways to get this done, and I'm all ears.

So you're saying I can apply a GPO to an OU that just has computer accounts?

"To clarify, loopback policy is used when you want user configuration
policies to apply based on where the computer object resides instead of the
user object." That's still a little fuzzy to me; could you provide an
example that could help me further put this confusing function to rest for
me?

Thanks




On Tue, Aug 5, 2008 at 5:27 PM, Nelson, Jamie <Jamie.Nelson@xxxxxxx> wrote:

Delprof.exe can't delete a specific user profile; you generally tell it the
max number of days old a profile can be (from last use) and it will delete
anything older than that. I still don't understand why you want to delete it
on every reboot though. Maybe you can be kind enough to elaborate?

 

Actually, you were right the first time. For startup scripts to run they
must be applied to OUs containing computer objects. You don't need loopback
policy or security filtering for that. To clarify, loopback policy is used
when you want user configuration policies to apply based on where the
computer object resides instead of the user object.

 

Hope that helps. :-)

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Harry Singh
Sent: Tuesday, August 05, 2008 4:13 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Bat File Not Executing.

 

Jamie,

Yes, the script is deleting the Documents and Settings folder. I agree this
isn't very clean, but I am having trouble in negotiating the delprof
command line to delete the profile I want under my specific parameters.
Specifically, I want the profile to be deleted upon every reboot, either
during the shutdown or, preferably, during the startup of the machine.

Secondly, I believe my problem was I was applying the GPO to an OU that
just had the computer accounts. I realized this can't be done, I'd have to
apply it to the OU containing the LAB user account; since only the Computer
Config is enabled, the script will execute on whatever machine that user
logs into, correct? That being said, what should the loopback processing
setting be on this GPO, if there are no user configured settings on this GPO
but others?

Just to clear up any confusion, if I want machine specific settings only to
apply to computer accounts, I need to:

*       Configure the Computer Configuration portion of the GPO.
*       Create a Security Group and add the respective computer accounts to
this group and add it to the permissions of the GPO with the "Apply" GPO
permission?
*       Never apply GPOs to OUs that just have computer accounts
*       Enable loopback processing on a computer oriented GPO if you have
any USER Configuration settings in that GPO, otherwise just leave it disabled
or not configured?

 

On Tue, Aug 5, 2008 at 4:57 PM, Nelson, Jamie <Jamie.Nelson@xxxxxxx> wrote:

When you say "delete the profile" are you just trying to delete the profile
folder under C:\Documents and Settings? That doesn't truly dump the profile,
as there are still some registry keys that have to be cleaned up.

 

On that note, I don't think deleting the profiles on startup is a good
practice, even if they are for what I assume are temporary lab user
accounts. You're better off creating a scheduled task on the machine to run
the delprof.exe utility (from the Server Resource Kit) which can delete all
profiles that have not been used in a specified number of days. Just my
opinion though. You may have valid reason for doing it that way so please
don't take offense. :-)

 

As far as the script not executing is concerned, did you place it in the
GPO's "machine\scripts\startup" folder in SYSVOL or somewhere else on your
network?

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Harry Singh
Sent: Tuesday, August 05, 2008 3:21 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Bat File Not Executing.

 

All -

I've added a bat file to the startup script inside of a GPO, the computer
configuration part of the GPO. The script deletes any profile starting with
lab* and is supposed to run when the computer is restarted so as to not run
into any file locks by explorer. However, the folders are not being deleted
and when I run a gpresult, the script indicates: "This script has not been
executed"

Any ideas?

  _____  

Confidentiality Warning: This message and any attachments are intended only
for the use of the intended recipient(s), are confidential, and may be
privileged. If you are not the intended recipient, you are hereby notified
that any review, retransmission, conversion to hard copy, copying,
circulation or other use of all or any portion of this message and any
attachments is strictly prohibited. If you are not the intended recipient,
please notify the sender immediately by return e-mail, and delete this
message and any attachments from your system. 

 

 
