Hans, That would be in a windows 2000 domain. As far as I know in Windows 2003 you can also use your own custom gpo to override the ddp-settings. Heavenly fix in server 2008, there will be password policies at any level you wish to assign them, so multiple sets of users with own policy in one domain J Groet, Jake Van: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] Namens hans straat Verzonden: donderdag 31 januari 2008 13:28 Aan: gptalk@xxxxxxxxxxxxx Onderwerp: [gptalk] Re: Running a Batch file at user logon. Anath, Those policies can only be set at the default domain policy. account lockout password policy etc. Jake Langerak ITIUM - Partners in ICT Keizersgracht 442 1016 GD AMSTERDAM The Netherlands T: +31 (0)20 - 620 81 99 F: +31 (0)20 - 623 06 79 ________________________________ Date: Thu, 31 Jan 2008 15:59:08 +0530 From: ananth.rg@xxxxxxxxx To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: Running a Batch file at user logon. Two more queries, I seem to be confused here... Consider this scenario..... We have an Account lockout policy.. set at 5 invalid logons. This is in Computer configuration. What happens if I link this policy to the OU containing Users? If I give the Domain Computers in the scope will the policy work for only these users? or Should I create another OU of computers and link this policy and in the scope give the user group? For a set of "user and computer configurations" to work for a "set of users and computers" of a particular department should there be 2 OU's? one for users with user configuration policies linked and the other OU with Computers with computer configuration policies linked?? hmm.... :-) On Jan 31, 2008 3:45 PM, Ananth Rajagopal <ananth.rg@xxxxxxxxx> wrote: Thanks again :-) On Jan 31, 2008 3:42 PM, hans straat <hstraat@xxxxxxx> wrote: if you have a OU structure and no block inheritance etc configured the policy will flow down. OU domain Computers (GPO computer policy apply desktop blabla) OU Site Computers (will get the policy) OU Site KioskComputers (will get the policy) as long as they are nested under the main OU :) But you can do a RSOP planning to see if the OU get's the policy (RSOP in GPMC) ________________________________ Date: Thu, 31 Jan 2008 15:21:24 +0530 From: ananth.rg@xxxxxxxxx To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: Running a Batch file at user logon. If the policies are linked at the domain level, irrespective of whether its a user configuration or computer configuration will it run? On Jan 31, 2008 3:19 PM, Ananth Rajagopal <ananth.rg@xxxxxxxxx> wrote: Thanks Hans! :-) On Jan 31, 2008 2:18 PM, hans straat <hstraat@xxxxxxx> wrote: Anath, Computer configuration policies should be applied on the OU the computers you target are located in. Like User policies should be applied to the OU the targetted users reside in. regards, Hans Straat www.datacrash.net <http://www.datacrash.net/> ________________________________ Date: Thu, 31 Jan 2008 09:15:41 +0530 From: ananth.rg@xxxxxxxxx To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: Running a Batch file at user logon. Hi Jacob, From the event viewer we got only the RSoP error, "RSoP could not be run" anyway we manually ran that script in some 50 systems and now its fine as internet explorer homepage was set to this mail server, so its coming fine now! We didn't get time to test further, sorry about that, the domain had to be up yesterday, its running fine now... Kindly send any more links of your articles! it was great reading....cleared a lot of things for us.... One basic question.... Should Computer Configuration policies be applied on Domain Computers or OU of Computers? regards Ananth :-) On Jan 29, 2008 4:36 PM, Ananth Rajagopal <ananth.rg@xxxxxxxxx> wrote: Hi Jacob, Thanks once again for your great support. We are actually testing this in a test environment of 6 systems. Except for this one script the rest all are working fine. We will do the Gpresult at the earliest and will let you know. I haven't checked the event viewer either, will do that right away. regards Ananth. On Jan 29, 2008 2:07 PM, Jakob H. Heidelberg <jakob@xxxxxxxxxxxxxxx> wrote: Hi, It does sound like you did everything needed to make this work - a restart is of course needed, but you took care of that you say. As this point it could be great if you checked the event viewer for any error on the clients that happens during startup. Later you might have to do advanced troubleshooting. You should perform the GPRESULT command to see if the computer "picked up" the policy at all. Note - you should probably test such a policy isolated the first time (limited to an OU with only one computer system within it or alike). /Jakob From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Ananth Rajagopal Sent: 29. januar 2008 09:17 To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: Running a Batch file at user logon. Hi Jacob, Thanks for the article. It cleared a lot of doubts. We did as you said, but we still couldn't make it work! This how we did it... please go through it and advice on where we went wrong! In the Group Policy Objects we created a new policy called " Intranet Mail Srv Route" We edited the policy, we set it as Computer Configuration>Windows Settings>scripts(Startup/Shutdown)>Startup> we showed the UNC path to the script. The scripts is stored in "\\Tai2D.ent\SysVol\Tai2D.ent\scripts\mailsrv_route.bat" this path and this share is accessible from all systems in the domain. The permission to this share is "Authenticated Users Read and Execute" Next, at the domain level we gave "Link an existing GPO" gave this GPO and enabled enforced and link enabled. In the Security Filter windows we added "Authenticated Users" and "Domain Computers" Next we gave gpupdate /force We restarted the systems several times but still the new route is not getting added. Please analyze the steps and kindly inform us where we have gone wrong. Have we missed anything that you have told us? :-) Thanks for the help! regards Ananth :-) On Jan 25, 2008 3:49 PM, Jakob H. Heidelberg <jakob@xxxxxxxxxxxxxxx> wrote: Hi again Ananth, As stated before it would, in most cases, be better to add the route once and for all on the clients default gateway. But, you probably have your reasons J I think there are some basic things about GP processing and filtering you should take a look at. Maybe this blog will help you: http://heidelbergit.blogspot.com/2008/01/yes-of-course-you-can-assign-gr oup.html Earlier you told me you want to "hit" all systems in the domain - in that case all you have to do is: 1. Have the script file in a shared directory where Authenticated User or Domain Computers have Read access 2. Create the GPO and point the Startup script to the shared script file (Computer Configuration part on the GPO) 3. Link the GPO to the Domain Level (you don't have to change Permissions or anything in this case) 4. Reboot all machines for the script to be executed (could take 2 reboots) However - I must warn you a bit: this will execute the script during the next startup (or two) on ALL domain computers (including servers). Note to #3: If all of your computers are in the "My Computers OU" you could just link the GPO here (except computers in the Domain Controllers OU would not be hit - if they should be hit too you could link the policy to that OU too and restart them one after the other perhaps). If this doesn't execute on the clients you must start troubleshooting. Look in the client eventlog to spot for any errors, use GPRESULT to be sure the GPO applies to the computers etc. However, I do expect this to work. Regards /Jakob From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Ananth Rajagopal Sent: 25. januar 2008 08:27 To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Running a Batch file at user logon. Hi All, We want to add a persistent route to all systems in 192.168.2.x network to a server having IP 192.168.3.240 <http://192.168.3.240/> . We created a route.bat batch file and copied this command Route Add 192.168.3.240 <http://192.168.3.240/> MASK 255.255.255.255 <http://255.255.255.255/> 192.168.2.254 <http://192.168.2.254/> -p This batch file was copied to \\Server.com\SysVol\Server.com\scripts\route.bat folder. The batch file was placed in Computer Configuration/Windows Settings/ Scripts/Startup We created a new group called Harmony_Sys in Builtin folder in that Domain. Created a new OU called Harmony Systems, moved systems on which this batch file has to be run to this OU. Made the computer a member of the group Harmony_Sys group. >From GPMC, We applied this route policy to this Harmony Systems OU. But the new route is not getting created. Where have we gone wrong, is the procedure correct. regards Ananth.