[gptalk] Re: Running a Batch file at user logon.

  • From: "Ananth Rajagopal" <ananth.rg@xxxxxxxxx>
  • To: gptalk@xxxxxxxxxxxxx
  • Date: Thu, 31 Jan 2008 20:02:43 +0530

Thanks Jacob! :-)

Will write once I'm back in office tomorrow. Thanks for clearing a lot of
things! Greatly appreciated.




On Jan 31, 2008 7:45 PM, Jakob H. Heidelberg <jakob@xxxxxxxxxxxxxxx> wrote:

> Alright – I don't have a link right here, but I can list the 4
> "exceptions". These are, like account/lockout settings, all taken from the
> highest precedence GPO linked to the domain (typically "Default Domain
> Policy").
>
> Computer Configuration | Windows Settings | Security Settings | Local
> Policies | Security Options:
>
> 1. Accounts: Rename Administrator Account
> Renames all built-in Administrator accounts in the domain (logon name)
>
> 2. Accounts: Rename Guest Account
> Renames all built-in Administrator accounts in the domain (logon name)
>
> 3. Network Security: Force Logoff When Logon Hours Expire
> Force logoff from the domain when logon hours are expired
>
> 4. Network Access: Allow Anonymous SID/Name Translation
> Main reason why this is enabled is when old Windows systems need to
> communicate with AD.
>
>
>
> These are what you could call "domain wide security settings".
>
> Best regards
>
> /Jakob H. Heidelberg
>
> *From:* gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] *On
> Behalf Of *TAZAMAL HUSSAIN
> *Sent:* 31 January 2008 14:47
>
> *To:* gptalk@xxxxxxxxxxxxx
> *Subject:* [gptalk] Re: Running a Batch file at user logon.
>
> Jakob,
>
> Thanks for the quick reply and confirmation. Yes, I agree with you, as to
> why this need would arise. However, it certainly exists out there, for some
> reason or another! :) Perhaps misunderstanding during implementation phase...
>
> Without taking this discussion off to another direction, a useful bit of
> knowledge would be the 'few other exceptions'. If you have a link for
> reading, that would be great...
>  ------------------------------
>
> From: jakob@xxxxxxxxxxxxxxx
> To: gptalk@xxxxxxxxxxxxx
> Subject: [gptalk] Re: Running a Batch file at user logon.
> Date: Thu, 31 Jan 2008 14:36:20 +0100
>
> Well, yes – that's another story :-)
>
> It's correct that you can place account policies on other OUs - or filter
> them in other ways if you like – but the thing is, AD users will still have
> to comply with the policy set as the Highest Priority on the Domain Level
> (actually this is decided by the DCs - or forced on to the DCs - not the
> member computers). Not necessarily the Default Domain Policy – though IMHO
> it should be kept there! There are a few other exceptions where settings are
> taken from the GPO with the Highest Priority on the Domain Level only, but
> that's a bit off topic.
>
> Account policies in GPOs set on OUs will, as you say, apply to creation of
> Local Accounts on the computers in scope – but I've never seen an
> environment where this was important (can't even imagine why this would be
> part of a design). Also, with third party utilities it is actually possible
> to have multiple account policies in a single AD – but, that doesn't really
> count, we're talking default functionality here.
>
> As we all know multiple password policies will be available in WS 2008
> domain environment "out of the box" – the Default Domain Policy (highest
> priority GPO in the domain) will still be "the last stop", but Global
> Security Groups can force other password policies on to the users.
>
> Regards
>
> /Jakob H. Heidelberg
>
> *From:* gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] *On
> Behalf Of *TAZAMAL HUSSAIN
> *Sent:* 31 January 2008 14:20
> *To:* gptalk@xxxxxxxxxxxxx
> *Subject:* [gptalk] Re: Running a Batch file at user logon.
>
> Guys,
>
> I have actually come across multiple account/password policies in certain
> big AD implementations targeted to specific OUs... what happens here? I'm
> guessing they are all ignored and the one set on the defdompol overrides, and
> have been told these extra policies targeted to specific OUs will apply
> to locally created user accounts on the machines in those OUs... if that
> makes sense? Can anyone confirm this? Never got round to testing it....
>  ------------------------------
>
> From: jakob@xxxxxxxxxxxxxxx
> To: gptalk@xxxxxxxxxxxxx
> Subject: [gptalk] Re: Running a Batch file at user logon.
> Date: Thu, 31 Jan 2008 13:27:03 +0100
>
> Hi Ananth,
>
> I think you first need to accept and understand this:
>
> 1. The Computer Configuration part of a policy applies to Computers only
>
> 2. The User Configuration part of a policy applies to Users only
>
> You do mention an "exception", which is account/password policies – it
> does **seem** like that is a Computer Configuration that actually hits
> Users, but it's not. You can have 1 account policy in a default AD
> (2000/2003) – it should be set in the Default Domain Policy (highest
> priority GPO on the Domain level) – and it can be set _*nowhere*_ else!!!
>
> For your second question – if you have a GPO with BOTH Computer and User
> Configuration policy settings defined – you could apply that on the domain
> level. And, as it has been said previously, the policy setting will "flow
> down" the OU hierarchy in your domain. So, all Computer AND User objects
> below will take on their respective part of the GPO (Computers will take the
> Comp. Conf. and Users will take the User Conf.). Basically, it doesn't
> matter how your OU structure is, you can have a single OU with all your
> Computer and User objects in it – and then link a single GPO with both
> Computer and Users settings in it, and it works.
>
> However, GPO filtering is needed in most cases. You can filter on several
> levels – Site, Domain, OU + WMI filters + Security filtering (AD security
> groups). You can choose one filtering method, or combine them all.
>
> There are "advanced" policy processing options available, like Loopback
> processing etc. – but let's keep that out of the picture so far ;-)
>
> Did that help?
>
> Regards
>
> /Jakob H. Heidelberg
>
> *From:* gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] *On
> Behalf Of *Ananth Rajagopal
> *Sent:* 31 January 2008 11:29
> *To:* gptalk@xxxxxxxxxxxxx
> *Subject:* [gptalk] Re: Running a Batch file at user logon.
>
> Two more queries, I seem to be confused here...
>
> Consider this scenario.....
>
> We have an Account lockout policy.. set at 5 invalid logons. This is in
> Computer configuration.
>
> What happens if I link this policy to the OU containing Users? If I give
> the Domain Computers in the scope will the policy work for only these users?
>
> or
>
> Should I create another OU of computers and link this policy and in the
> scope give the user group?
>
> For a set of "user and computer configurations" to work for a "set of
> users and computers" of a particular department should there be 2 OUs? One
> for users with user configuration policies linked and the other OU with
> Computers with computer configuration policies linked?
>
> hmm.... :-)
>
>
> On Jan 31, 2008 3:45 PM, Ananth Rajagopal <ananth.rg@xxxxxxxxx> wrote:
>
> Thanks again :-)
>
> On Jan 31, 2008 3:42 PM, hans straat <hstraat@xxxxxxx> wrote:
>
> if you have a OU structure and no block inheritance etc configured the
> policy will flow down.
>
> OU domain Computers (GPO computer policy apply desktop blabla)
>    OU Site Computers (will get the policy)
>      OU Site KioskComputers (will get the policy)
>
> as long as they are nested under the main OU :)
> But you can do a RSOP planning to see if the OU gets the policy (RSOP in
> GPMC)
>  ------------------------------
>
> Date: Thu, 31 Jan 2008 15:21:24 +0530
>
>
> From: ananth.rg@xxxxxxxxx
> To: gptalk@xxxxxxxxxxxxx
> Subject: [gptalk] Re: Running a Batch file at user logon.
>
> If the policies are linked at the domain level, irrespective of whether
> its a user configuration or computer configuration will it run?
>
> On Jan 31, 2008 3:19 PM, Ananth Rajagopal <ananth.rg@xxxxxxxxx> wrote:
>
> Thanks Hans! :-)
>
> On Jan 31, 2008 2:18 PM, hans straat <hstraat@xxxxxxx> wrote:
>
> Ananth,
>
> Computer configuration policies should be applied on the OU the computers
> you target are located in.
>
> Like User policies should be applied to the OU the targeted users reside
> in.
>
> regards,
> Hans Straat
> www.datacrash.net
>
>  ------------------------------
>
> Date: Thu, 31 Jan 2008 09:15:41 +0530
> From: ananth.rg@xxxxxxxxx
> To: gptalk@xxxxxxxxxxxxx
> Subject: [gptalk] Re: Running a Batch file at user logon.
>
> Hi Jacob,
>
> From the event viewer we got only the RSoP error, "RSoP could not be run"
> anyway we manually ran that script in some 50 systems and now it's fine as
> internet explorer homepage was set to this mail server, so it's coming fine
> now! We didn't get time to test further, sorry about that, the domain had to
> be up yesterday, it's running fine now...
>
> Kindly send any more links of your articles! it was great
> reading....cleared a lot of things for us....
>
> One basic question.... Should Computer Configuration policies be applied
> on Domain Computers or OU of Computers?
>
> regards
> Ananth :-)
>
>
> On Jan 29, 2008 4:36 PM, Ananth Rajagopal <ananth.rg@xxxxxxxxx> wrote:
>
> Hi Jacob,
>
> Thanks once again for your great support.
>
> We are actually testing this in a test environment of 6 systems. Except
> for this one script the rest all are working fine.
>
> We will do the Gpresult at the earliest and will let you know.
>
> I haven't checked the event viewer either, will do that right away.
>
> regards
> Ananth.
>
> On Jan 29, 2008 2:07 PM, Jakob H. Heidelberg <jakob@xxxxxxxxxxxxxxx>
> wrote:
>
> Hi,
>
> It does sound like you did everything needed to make this work – a restart
> is of course needed, but you took care of that you say.
>
> At this point it could be great if you checked the event viewer for any
> error on the clients that happens during startup. Later you might have to do
> advanced troubleshooting.
>
> You should perform the GPRESULT command to see if the computer "picked up"
> the policy at all.
>
> Note – you should probably test such a policy isolated the first time
> (limited to an OU with only one computer system within it or alike).
>
> /Jakob
>
>
> *From:* gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] *On
> Behalf Of *Ananth Rajagopal
> *Sent:* 29 January 2008 09:17
> *To:* gptalk@xxxxxxxxxxxxx
> *Subject:* [gptalk] Re: Running a Batch file at user logon.
>
> Hi Jacob,
>
> Thanks for the article. It cleared a lot of doubts.
>
> We did as you said, but we still couldn't make it work! This is how we did
> it... please go through it and advise on where we went wrong!
>
> In the Group Policy Objects we created a new policy called "Intranet Mail
> Srv Route"
> We edited the policy, we set it as Computer Configuration>Windows
> Settings>scripts(Startup/Shutdown)>Startup> we showed the UNC path to the
> script.
>
> The script is stored in
> "\\Tai2D.ent\SysVol\Tai2D.ent\scripts\mailsrv_route.bat" this path and this
> share is accessible from all systems in the domain. The permission to this
> share is "Authenticated Users Read and Execute"
>
> Next, at the domain level we gave "Link an existing GPO" gave this GPO and
> enabled enforced and link enabled.
>
> In the Security Filter windows we added "Authenticated Users" and "Domain
> Computers"
>
> Next we gave gpupdate /force
>
> We restarted the systems several times but still the new route is not
> getting added.
>
> Please analyze the steps and kindly inform us where we have gone wrong.
> Have we missed anything that you have told us? :-)
>
> Thanks for the help!
> regards
> Ananth :-)
>
> On Jan 25, 2008 3:49 PM, Jakob H. Heidelberg <jakob@xxxxxxxxxxxxxxx>
> wrote:
>
> Hi again Ananth,
>
> As stated before it would, in most cases, be better to add the route once
> and for all on the clients default gateway. But, you probably have your
> reasons :-)
>
> I think there are some basic things about GP processing and filtering you
> should take a look at. Maybe this blog will help you:
>
> http://heidelbergit.blogspot.com/2008/01/yes-of-course-you-can-assign-group.html
>
> Earlier you told me you want to "hit" all systems in the domain – in that
> case all you have to do is:
>
>
> 1. Have the script file in a shared directory where Authenticated
> Users or Domain Computers have Read access
>
> 2. Create the GPO and point the Startup script to the shared script
> file (Computer Configuration part on the GPO)
>
> 3. Link the GPO to the Domain Level (you don't have to change
> Permissions or anything in this case)
>
> 4. Reboot all machines for the script to be executed (could take 2
> reboots)
>
>
> However – I must warn you a bit: this will execute the script during the
> next startup (or two) on ALL domain computers (including servers).
>
> Note to #3: If all of your computers are in the "My Computers OU" you
> could just link the GPO here (except computers in the Domain Controllers OU
> would not be hit – if they should be hit too you could link the policy to
> that OU too and restart them one after the other perhaps).
>
> If this doesn't execute on the clients you must start troubleshooting.
> Look in the client eventlog to spot for any errors, use GPRESULT to be sure
> the GPO applies to the computers etc. However, I do expect this to work.
>
> Regards
> /Jakob
>
>
> *From:* gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] *On
> Behalf Of *Ananth Rajagopal
> *Sent:* 25 January 2008 08:27
> *To:* gptalk@xxxxxxxxxxxxx
> *Subject:* [gptalk] Running a Batch file at user logon.
>
>
> Hi All,
>
> We want to add a persistent route to all systems in 192.168.2.x network to
> a server having IP 192.168.3.240.
>
> We created a route.bat batch file and copied this command
>
> Route Add 192.168.3.240 MASK 255.255.255.255 192.168.2.254 -p
>
> This batch file was copied to
> \\Server.com\SysVol\Server.com\scripts\route.bat folder.
>
> The batch file was placed in Computer Configuration/Windows Settings/
> Scripts/Startup
>
> We created a new group called Harmony_Sys in Builtin folder in that
> Domain. Created a new OU called Harmony Systems, moved systems on which this
> batch file has to be run to this OU. Made the computer a member of the group
> Harmony_Sys group.
>
> From GPMC, we applied this route policy to this Harmony Systems OU.
>
> But the new route is not getting created. Where have we gone wrong? Is the
> procedure correct?
>
> regards
> Ananth.
>
>  ------------------------------
>
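As an added example that is not part of the thread, here is an idempotent Windows PowerShell version of the startup script the thread is about: it reads the route table before and after `route add`, so the per-boot re-run neither errors out nor re-adds the route, and it records the outcome in the Application event log, which is where Jakob's "check the event viewer" troubleshooting advice points. The two addresses are the ones from Ananth's batch file and are placeholders; the event-source name is an assumption of this example.

```powershell
# Added example, not from the thread: an idempotent replacement for route.bat,
# meant to run as a Computer Configuration startup script (i.e. as SYSTEM).
# The addresses are the ones quoted in Ananth's batch file and are placeholders;
# the event-source name is an assumption of this example.
$Destination = '192.168.3.240'
$Gateway     = '192.168.2.254'
$LogSource   = 'GPO-RouteStartupScript'   # hypothetical event source name

function Test-HostRoute {
    param([string]$Dest, [string]$Gw)
    # "route print" lists one "<dest> <mask> <gateway> ..." line per route
    # (active and persistent); look for a /32 host route to $Dest via $Gw
    $pattern = '^\s*' + [regex]::Escape($Dest) + '\s+255\.255\.255\.255\s+' +
               [regex]::Escape($Gw) + '\s'
    return [bool](route print | Select-String -Pattern $pattern -Quiet)
}

function Write-RouteEvent {
    param([string]$Type, [int]$Id, [string]$Message)
    # Register the source on first use so the script can log to the
    # Application log, which is where the thread's "check the event viewer"
    # troubleshooting advice points
    if (-not [System.Diagnostics.EventLog]::SourceExists($LogSource)) {
        New-EventLog -LogName Application -Source $LogSource
    }
    Write-EventLog -LogName Application -Source $LogSource `
        -EntryType $Type -EventId $Id -Message $Message
}

# Startup scripts run on every boot: skip the add when the route is already
# there instead of letting route.exe fail with "The object already exists"
if (Test-HostRoute -Dest $Destination -Gw $Gateway) {
    Write-RouteEvent -Type Information -Id 1000 `
        -Message "Route to $Destination via $Gateway already present."
    exit 0
}

# Same command as the batch file in the thread; -p makes the route persistent
$output = route add $Destination mask 255.255.255.255 $Gateway -p 2>&1

# Verify by re-reading the table rather than trusting route.exe's exit code
if (Test-HostRoute -Dest $Destination -Gw $Gateway) {
    Write-RouteEvent -Type Information -Id 1001 `
        -Message "Added persistent route to $Destination via $Gateway."
    exit 0
}
Write-RouteEvent -Type Error -Id 1002 `
    -Message "Could not add route to $Destination via $Gateway. Output: $output"
exit 1
```

Because it runs as SYSTEM from the GPO's startup script list, the script needs no extra rights to register the event source; if the route never appears, `gpresult /r` on the client (as the thread suggests) tells you whether the GPO was applied at all.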
