Allright - I don't have a link right here, but I can list the 4 "exceptions". These are, like account/lockout settings, all taken from the highest precedence GPO linked to the domain (typically "Default Domain Policy"). Computer Configuration | Windows Settings | Security Settings | Local Policies | Security Options: 1. Accounts: Rename Administrator Account Renames all built-in Administrator accounts in the domain (logon name) 2. Accounts: Rename Guest Account Renames all built-in Administrator accounts in the domain (logon name) 3. Network Security: Force Logoff When Logon Hours Expire Force logoff from the domain when logon hours are expired 4. Network Access: Allow Anonymous SID/Name Translation Main reason why this is enabled is when old Windows systems needs to communicate with AD. These are what you could call "domain wide security settings". Best regards /Jakob H. Heidelberg From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of TAZAMAL HUSSAIN Sent: 31. januar 2008 14:47 To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: Running a Batch file at user logon. Jakob, Thanks for the quick reply and confirmation.Yes, I agree with you, as to why this need would arise. However, it certainly exists out there, for some reason or another! :) perhaps misunderstanding during implemetation phase... Without taking this discussion off to another direction, a useful bit of knowledge would be the 'few other exceptions' If you have a link for reading, that would great... _____ From: jakob@xxxxxxxxxxxxxxx To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: Running a Batch file at user logon. Date: Thu, 31 Jan 2008 14:36:20 +0100 Well, yes - that's another story J It's correct that you can place account policies on other OUs - or filter them in other ways if you like - but the thing is, AD users will still have to comply with the policy set as the Highest Priority on the Domain Level (actually this is decided by the DCs - or forced on to the DCs - not the member computers). Not necessarily the Default Domain Policy - though IMHO it should be kept there! There are a few other exceptions where settings are taken from the GPO with the Highest Priority on the Domain Level only, but that a bit off topic. Account policies in GPOs set on OUs will, as you say, apply to creation of Local Accounts on the computers in scope - but I've never seen an environment where this was important (can't even imagine why this would be part of a design). Also, with third party utilities it is actually possible to have multiple account policies in a single AD - but, that doesn't really count, we're talking default functionality here. As we all know multiple password policies will be available in WS 2008 domain environment "out of the box" - the Default Domain Policy (highest priority GPO in the domain) will still be "the last stop", but Global Security Groups can force other password policies on to the users. Regards /Jakob H. Heidelberg From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of TAZAMAL HUSSAIN Sent: 31. januar 2008 14:20 To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: Running a Batch file at user logon. Guys, I have actually come across multiple account/password policies in certain big AD implementations targeted to specific OUs... what happens here? I'm guessing they are all ignored and the one set on the defdompol overides, and have been told these extra policies targeted to specific OUs will apply to locally created user accounts on the machines in those OUs... if that makes sense?can anyone confirm this? never got round to testing it.... _____ From: jakob@xxxxxxxxxxxxxxx To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: Running a Batch file at user logon. Date: Thu, 31 Jan 2008 13:27:03 +0100 Hi Ananth, I think you first need to accept and understand this: 1. The Computer Configuration part of a policy applies to Computers only 2. The User Configuration part of a policy applies to Users only You do mention an "exception", which is account/password policies - it does *seem* like that is a Computer Configuration that actually hits Users, but it's not. You can have 1 account policy in a default AD (2000/2003) - it should be set in the Default Domain Policy (highest priority GPO on the Domain level) - and it can be set _nowhere_ else!!! For your second question - if you have a GPO with BOTH Computer and User Configuration policy settings defined - you could apply that on the domain level. And, as it has been said previously, the policy setting will "flow down" the OU hierarchy in your domain. So, all Computer AND User objects below will take on their respective part of the GPO (Computers will take the Comp. Conf. and Users will take the User Conf.). Basically, it doesn't matter how your OU structure is, you can have a single OU with all your Computer and User objects in it - and then link a single GPO with both Computer and Users settings in it, and it works. However, GPO filtering is needed in most cases. You can filter on several levels - Site, Domain, Ou + WMI filters + Security filtering (AD security groups). You can choose one filtering method, or combine them all. There are "advanced" policy processing options available, like Loopback processing etc. - but let's keep that out of the picture so far ;-) Did that help? Regards /Jakob H. Heidelberg From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Ananth Rajagopal Sent: 31. januar 2008 11:29 To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: Running a Batch file at user logon. Two more queries, I seem to be confused here... Consider this scenario..... We have an Account lockout policy.. set at 5 invalid logons. This is in Computer configuration. What happens if I link this policy to the OU containing Users? If I give the Domain Computers in the scope will the policy work for only these users? or Should I create another OU of computers and link this policy and in the scope give the user group? For a set of "user and computer configurations" to work for a "set of users and computers" of a particular department should there be 2 OU's? one for users with user configuration policies linked and the other OU with Computers with computer configuration policies linked?? hmm.... :-) On Jan 31, 2008 3:45 PM, Ananth Rajagopal <ananth.rg@xxxxxxxxx> wrote: Thanks again :-) On Jan 31, 2008 3:42 PM, hans straat <hstraat@xxxxxxx> wrote: if you have a OU structure and no block inheritance etc configured the policy will flow down. OU domain Computers (GPO computer policy apply desktop blabla) OU Site Computers (will get the policy) OU Site KioskComputers (will get the policy) as long as they are nested under the main OU :) But you can do a RSOP planning to see if the OU get's the policy (RSOP in GPMC) _____ Date: Thu, 31 Jan 2008 15:21:24 +0530 From: ananth.rg@xxxxxxxxx To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: Running a Batch file at user logon. If the policies are linked at the domain level, irrespective of whether its a user configuration or computer configuration will it run? On Jan 31, 2008 3:19 PM, Ananth Rajagopal <ananth.rg@xxxxxxxxx> wrote: Thanks Hans! :-) On Jan 31, 2008 2:18 PM, hans straat <hstraat@xxxxxxx> wrote: Anath, Computer configuration policies should be applied on the OU the computers you target are located in. Like User policies should be applied to the OU the targetted users reside in. regards, Hans Straat www.datacrash.net <http://www.datacrash.net/> _____ Date: Thu, 31 Jan 2008 09:15:41 +0530 From: ananth.rg@xxxxxxxxx To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: Running a Batch file at user logon. Hi Jacob, From the event viewer we got only the RSoP error, "RSoP could not be run" anyway we manually ran that script in some 50 systems and now its fine as internet explorer homepage was set to this mail server, so its coming fine now! We didn't get time to test further, sorry about that, the domain had to be up yesterday, its running fine now... Kindly send any more links of your articles! it was great reading....cleared a lot of things for us.... One basic question.... Should Computer Configuration policies be applied on Domain Computers or OU of Computers? regards Ananth :-) On Jan 29, 2008 4:36 PM, Ananth Rajagopal <ananth.rg@xxxxxxxxx> wrote: Hi Jacob, Thanks once again for your great support. We are actually testing this in a test environment of 6 systems. Except for this one script the rest all are working fine. We will do the Gpresult at the earliest and will let you know. I haven't checked the event viewer either, will do that right away. regards Ananth. On Jan 29, 2008 2:07 PM, Jakob H. Heidelberg <jakob@xxxxxxxxxxxxxxx> wrote: Hi, It does sound like you did everything needed to make this work - a restart is of course needed, but you took care of that you say. As this point it could be great if you checked the event viewer for any error on the clients that happens during startup. Later you might have to do advanced troubleshooting. You should perform the GPRESULT command to see if the computer "picked up" the policy at all. Note - you should probably test such a policy isolated the first time (limited to an OU with only one computer system within it or alike). /Jakob From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Ananth Rajagopal Sent: 29. januar 2008 09:17 To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: Running a Batch file at user logon. Hi Jacob, Thanks for the article. It cleared a lot of doubts. We did as you said, but we still couldn't make it work! This how we did it... please go through it and advice on where we went wrong! In the Group Policy Objects we created a new policy called " Intranet Mail Srv Route" We edited the policy, we set it as Computer Configuration>Windows Settings>scripts(Startup/Shutdown)>Startup> we showed the UNC path to the script. The scripts is stored in "\\Tai2D.ent\SysVol\Tai2D.ent\scripts\mailsrv_route.bat" this path and this share is accessible from all systems in the domain. The permission to this share is "Authenticated Users Read and Execute" Next, at the domain level we gave "Link an existing GPO" gave this GPO and enabled enforced and link enabled. In the Security Filter windows we added "Authenticated Users" and "Domain Computers" Next we gave gpupdate /force We restarted the systems several times but still the new route is not getting added. Please analyze the steps and kindly inform us where we have gone wrong. Have we missed anything that you have told us? :-) Thanks for the help! regards Ananth :-) On Jan 25, 2008 3:49 PM, Jakob H. Heidelberg <jakob@xxxxxxxxxxxxxxx> wrote: Hi again Ananth, As stated before it would, in most cases, be better to add the route once and for all on the clients default gateway. But, you probably have your reasons J I think there are some basic things about GP processing and filtering you should take a look at. Maybe this blog will help you: http://heidelbergit.blogspot.com/2008/01/yes-of-course-you-can-assign-group. html Earlier you told me you want to "hit" all systems in the domain - in that case all you have to do is: 1. Have the script file in a shared directory where Authenticated User or Domain Computers have Read access 2. Create the GPO and point the Startup script to the shared script file (Computer Configuration part on the GPO) 3. Link the GPO to the Domain Level (you don't have to change Permissions or anything in this case) 4. Reboot all machines for the script to be executed (could take 2 reboots) However - I must warn you a bit: this will execute the script during the next startup (or two) on ALL domain computers (including servers). Note to #3: If all of your computers are in the "My Computers OU" you could just link the GPO here (except computers in the Domain Controllers OU would not be hit - if they should be hit too you could link the policy to that OU too and restart them one after the other perhaps). If this doesn't execute on the clients you must start troubleshooting. Look in the client eventlog to spot for any errors, use GPRESULT to be sure the GPO applies to the computers etc. However, I do expect this to work. Regards /Jakob From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Ananth Rajagopal Sent: 25. januar 2008 08:27 To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Running a Batch file at user logon. Hi All, We want to add a persistent route to all systems in 192.168.2.x network to a server having IP 192.168.3.240 <http://192.168.3.240/> . We created a route.bat batch file and copied this command Route Add 192.168.3.240 <http://192.168.3.240/> MASK 255.255.255.255 <http://255.255.255.255/> 192.168.2.254 <http://192.168.2.254/> -p This batch file was copied to \\Server.com\SysVol\Server.com\scripts\route.bat folder. The batch file was placed in Computer Configuration/Windows Settings/ Scripts/Startup We created a new group called Harmony_Sys in Builtin folder in that Domain. Created a new OU called Harmony Systems, moved systems on which this batch file has to be run to this OU. Made the computer a member of the group Harmony_Sys group. >From GPMC, We applied this route policy to this Harmony Systems OU. But the new route is not getting created. Where have we gone wrong, is the procedure correct. regards Ananth. _____ Sounds like? How many syllables? Guess and win prizes with Search Charades! <http://www.searchcharades.com/> _____ Sounds like? How many syllables? Guess <http://www.searchcharades.com> and win prizes with Search Charades!