[gptalk] Re: Running a Batch file at user logon.

  • From: "Jake Langerak" <jlangerak@xxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Thu, 31 Jan 2008 13:48:25 +0100


That would be in a Windows 2000 domain. As far as I know, in Windows 2003
you can also use your own custom GPO to override the DDP settings.


Heavenly fix in server 2008, there will be password policies at any
level you wish to assign them, so multiple sets of users with own policy
in one domain :-)






From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of hans straat
Sent: Thursday, 31 January 2008 13:28
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Running a Batch file at user logon.


Those policies can only be set at the default domain policy: account
lockout, password policy, etc.

Jake Langerak 
ITIUM - Partners in ICT

Keizersgracht 442
The Netherlands

T: +31 (0)20 - 620 81 99
F: +31 (0)20 - 623 06 79


Date: Thu, 31 Jan 2008 15:59:08 +0530
From: ananth.rg@xxxxxxxxx
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Running a Batch file at user logon.

Two more queries, I seem to be confused here...

Consider this scenario.....

We have an Account lockout policy.. set at 5 invalid logons. This is in
Computer configuration.

What happens if I link this policy to the OU containing Users? If I give
the Domain Computers in the scope will the policy work for only these


Should I create another OU of computers and link this policy and in the
scope give the user group?

For a set of "user and computer configurations" to work for a "set of
users and computers" of a particular department should there be 2 OU's?
one for users with user configuration policies linked and the other OU
with Computers with computer configuration policies linked??

hmm.... :-)

On Jan 31, 2008 3:45 PM, Ananth Rajagopal <ananth.rg@xxxxxxxxx> wrote:

Thanks again :-) 


On Jan 31, 2008 3:42 PM, hans straat <hstraat@xxxxxxx> wrote:

If you have an OU structure and no block inheritance etc. configured, the
policy will flow down.
OU domain Computers (GPO computer policy apply desktop blabla)
   OU Site Computers (will get the policy)
     OU Site KioskComputers (will get the policy)

as long as they are nested under the main OU :)
But you can do an RSOP planning to see if the OU gets the policy (RSOP
in GPMC)


Date: Thu, 31 Jan 2008 15:21:24 +0530 

From: ananth.rg@xxxxxxxxx
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Running a Batch file at user logon.

If the policies are linked at the domain level, irrespective of whether
it's a user configuration or computer configuration, will it run?

On Jan 31, 2008 3:19 PM, Ananth Rajagopal <ananth.rg@xxxxxxxxx> wrote:

Thanks Hans! :-) 


On Jan 31, 2008 2:18 PM, hans straat <hstraat@xxxxxxx> wrote:

Computer configuration policies should be applied on the OU the
computers you target are located in.
Like User policies should be applied to the OU the targeted users
reside in.
Hans Straat
www.datacrash.net <http://www.datacrash.net/>  


Date: Thu, 31 Jan 2008 09:15:41 +0530
From: ananth.rg@xxxxxxxxx 

To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Running a Batch file at user logon.

Hi Jacob,

From the event viewer we got only the RSoP error, "RSoP could not be
run". Anyway, we manually ran that script on some 50 systems and now it's
fine, as the Internet Explorer homepage was set to this mail server, so it's
coming fine now! We didn't get time to test further, sorry about that,
the domain had to be up yesterday, it's running fine now...

Kindly send any more links of your articles! it was great
reading....cleared a lot of things for us....

One basic question.... Should Computer Configuration policies be applied
on Domain Computers or OU of Computers? 

Ananth :-)

On Jan 29, 2008 4:36 PM, Ananth Rajagopal <ananth.rg@xxxxxxxxx> wrote:

Hi Jacob,

Thanks once again for your great support.

We are actually testing this in a test environment of 6 systems. Except
for this one script the rest all are working fine.

We will do the Gpresult at the earliest and will let you know.

I haven't checked the event viewer either, will do that right away.



On Jan 29, 2008 2:07 PM, Jakob H. Heidelberg <jakob@xxxxxxxxxxxxxxx>

It does sound like you did everything needed to make this work - a
restart is of course needed, but you took care of that you say.
At this point it could be great if you checked the event viewer for any
error on the clients that happens during startup. Later you might have
to do advanced troubleshooting.
You should perform the GPRESULT command to see if the computer "picked
up" the policy at all.
Note - you should probably test such a policy isolated the first time
(limited to an OU with only one computer system within it or alike).

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Ananth Rajagopal
Sent: 29. januar 2008 09:17
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Running a Batch file at user logon.


Hi Jacob,

Thanks for the article. It cleared a lot of doubts.

We did as you said, but we still couldn't make it work! This is how we did
it... please go through it and advise on where we went wrong!

In the Group Policy Objects we created a new policy called "Intranet
Mail Srv Route"
We edited the policy, we set it as  Computer Configuration>Windows
Settings>scripts(Startup/Shutdown)>Startup> we showed the UNC path to
the script.

The script is stored in
"\\Tai2D.ent\SysVol\Tai2D.ent\scripts\mailsrv_route.bat" this path and
this share is accessible from all systems in the domain. The permission
to this share is "Authenticated Users Read and Execute"

Next, at the domain level we gave "Link an existing GPO" gave this GPO
and enabled  enforced and link enabled.

In the Security Filter windows we added "Authenticated Users" and
"Domain Computers" 

Next we gave gpupdate /force

We restarted the systems several times but still the new route is not
getting added.

Please analyze the steps and kindly inform us where we have gone wrong.
Have we missed anything that you have told us? :-)

Thanks for the help!
Ananth :-)

On Jan 25, 2008 3:49 PM, Jakob H. Heidelberg <jakob@xxxxxxxxxxxxxxx>

Hi again Ananth,
As stated before it would, in most cases, be better to add the route
once and for all on the clients default gateway. But, you probably have
your reasons :-)
I think there are some basic things about GP processing and filtering
you should take a look at. Maybe this blog will help you:
Earlier you told me you want to "hit" all systems in the domain - in
that case all you have to do is:

1.       Have the script file in a shared directory where Authenticated
User or Domain Computers have Read access

2.       Create the GPO and point the Startup script to the shared
script file (Computer Configuration part on the GPO)

3.       Link the GPO to the Domain Level (you don't have to change
Permissions or anything in this case)

4.       Reboot all machines for the script to be executed (could take 2

However - I must warn you a bit: this will execute the script during the
next startup (or two) on ALL domain computers (including servers).
Note to #3: If all of your computers are in the "My Computers OU" you
could just link the GPO here (except computers in the Domain Controllers
OU would not be hit - if they should be hit too you could link the
policy to that OU too  and restart them one after the other perhaps).
If this doesn't execute on the clients you must start troubleshooting.
Look in the client eventlog to spot for any errors, use GPRESULT to be
sure the GPO applies to the computers etc. However, I do expect this to

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Ananth Rajagopal
Sent: 25. januar 2008 08:27
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Running a Batch file at user logon.

Hi All,

We want to add a persistent route to all systems in 192.168.2.x network
to a server having IP <> .

We created a route.bat batch file and copied this command 

Route Add <>  MASK
<> <>  -p

This batch file was copied to
\\Server.com\SysVol\Server.com\scripts\route.bat folder.

The batch file was placed in Computer Configuration/Windows Settings/

We created a new group called Harmony_Sys in Builtin folder in that
Domain. Created a new OU called Harmony Systems, moved systems on which
this batch file has to be run to this OU. Made the computer a member of
the group Harmony_Sys group. 

From GPMC, we applied this route policy to this Harmony Systems OU.

But the new route is not getting created. Where have we gone wrong? Is
the procedure correct?
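
Added example (not part of the original thread, and not any poster's script): a computer startup script for the persistent route discussed above that skips the add when the route already exists, verifies the result afterwards, and records the outcome in the Application event log, which is where the replies say to look when a startup script appears not to run. DEST, MASK, GW, the event source name and the event IDs are constructed placeholders, since the thread elides the real values; it assumes eventcreate is available (Windows XP and later).

```batch
@echo off
rem Added example, not from the thread. DEST, MASK and GW are constructed
rem placeholder values; replace them with the real destination and gateway.
setlocal
set "DEST=203.0.113.10"
set "MASK=255.255.255.255"
set "GW=192.168.2.1"
rem Hypothetical event source name and event IDs (100-102), chosen here.
set "SRC=RouteStartupScript"

rem Startup scripts run as Local System without a visible console, so the
rem outcome is written to the Application event log for later inspection.

rem A persistent route survives reboots, so only add it when it is missing.
call :has_route
if not errorlevel 1 (
    eventcreate /L APPLICATION /SO %SRC% /T INFORMATION /ID 100 /D "Route to %DEST% already present, nothing to do." >nul
    exit /b 0
)

route -p add %DEST% mask %MASK% %GW%

rem Check the routing table again instead of trusting the exit code of route.
call :has_route
if errorlevel 1 (
    eventcreate /L APPLICATION /SO %SRC% /T ERROR /ID 101 /D "Adding route to %DEST% via %GW% failed." >nul
    exit /b 1
)
eventcreate /L APPLICATION /SO %SRC% /T INFORMATION /ID 102 /D "Added persistent route to %DEST% via %GW%." >nul
exit /b 0

:has_route
rem Returns errorlevel 0 when DEST appears as a whole field in the route table.
route print | findstr /L /C:" %DEST% " >nul
exit /b %errorlevel%
```

If none of the three events appears on a client after a reboot, the script never ran there, which points at GPO scope, linking or filtering rather than at the route command.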








