Problems with a Loopback GPO

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Problems with a Loopback GPO

    Hi everyone,
    Here is my situation. I think I have set it properly, but I am not 100% sure. We want to have the BGInfo (http://technet.microsoft.com/en-us/s.../bb897557.aspx) data shown on all of my domain servers. This way we can get details on the system at a glance. I know I could put the files locally on each server and set up a file in the All Users StartUp folder, but I am approaching 100+ servers, and I don't want to have to do this manually, or have to go to multiple places if we want to add something, so I figured I would do this via a GPO. Makes sense so far, right?

    Here is how I set things up. In \\DOMAIN\sysvol\DOMAIN\scripts I created a folder called BGInfo and I put the BGInfo.exe and the BGI configuration file in there. In the \\DOMAIN\sysvol\DOMAIN\scripts folder I put a very simple batch file:
    Code:
    "\\DOMAIN\sysvol\DOMAIN\scripts\BGInfo\BGInfo.exe" "\\DOMAIN\sysvol\DOMAIN\scripts\BGInfo\SSVDC.bgi" /timer:0 /all /nolicprompt
    If I double-click on that file it applies the info properly.

    Then I created a new Group Policy. In this policy, I went to the User Configuration area, Windows Settings, and Scripts and added a new logon script, since I want this applied at logon, not at computer startup. In the script name I put in \\DOMAIN\sysvol\DOMAIN\bgi.cmg and left the parameters blank. Then, I went to the Computer Configuration area, Administrative Templates, System, Group Policy, Loopback area and enabled that, with the mode set to Replace.

    I assigned this GPO to the Domain Controllers OU, adjusted the Security Filtering to include Domain Controllers and then waited for everything to replicate.

    After a while, I ran GPUpdate /force on one of the DCs and logged off and back on, but the script didn't do anything. If I run Group Policy Results, it shows that this new GPO is being applied, but I am not seeing what I am looking for.

    If anyone could assist me that would be greatly appreciated, or if you know a better way of doing this that would be great too.

    Thanks

    app

  • #2
    Re: Problems with a Loopback GPO

    Probably a security issue,
    give this batch a try:

    Code:
    :: This batch works for Windows XP (if Security Zones and Privacy settings are not Esc enabled).
    :: If you want to use it on Windows Server see notes here,
    ::    Post # 10 in this thread (use the ZoneMap\EscDomains key instead of ZoneMap\Domains)
    :: More comments here,
    ::    Post # 11 in this thread

    :: note. The User must be a member of the "Administrators" group
    :: (writing to HKEY_USERS\.DEFAULT requires it).

    @echo off

    :: Pre-accept the BGInfo EULA for the default profile and for the current user
    Set "AcceptEula1=HKEY_USERS\.DEFAULT\Software\Sysinternals\BGInfo"
    Set "AcceptEula2=HKCU\Software\Sysinternals\BGInfo"

    :: Wildcard entry for the local domain in the Local Intranet zone (zone 1)
    Set "LocalIntranetZone=HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\%userDNSdomain%"

    Reg ADD "%AcceptEula1%" /v EulaAccepted /t REG_DWORD /d 1 /f >nul
    Reg ADD "%AcceptEula2%" /v EulaAccepted /t REG_DWORD /d 1 /f >nul

    :: Only add the zone entry when it does not exist yet, so it can be removed again afterwards
    Reg QUERY "%LocalIntranetZone%">nul 2>&1 &&(
      SET ZoneExists=True)||(
      Reg ADD "%LocalIntranetZone%" /v * /t REG_DWORD /d 1)>nul

    :: Run BGInfo from the UNC path and wait for it to finish before cleaning up
    Start "" /wait "\\%userDNSdomain%\netlogon\Utils\Bginfo.exe" /silent /all /timer:0

    :: Remove the temporary zone entry again if this batch created it
    If NOT defined ZoneExists (
      Reg DELETE "%LocalIntranetZone%" /F)>nul

    Instead of the two AcceptEula entries that are added to the registry by the batch above, it is probably better to try the /accepteula switch on the Bginfo.exe command line first!


    \Rems
    Last edited by Rems; 17th October 2008, 23:20. Reason: added a 2nd %AcceptEula%

    This posting is provided "AS IS" with no warranties, and confers no rights.

    __________________

    ** Remember to give credit where credit's due **
    and leave Reputation Points for meaningful posts



    • #3
      Re: Problems with a Loopback GPO

      Argh, still no love.

      So the setup I have for the GPO looks correct, right? I have tried it with both .bat and .cmd extensions and it still doesn't work. Should I try to convert the script to VBS and see if that works?

      Thanks for the help on this one. This would be a major help if I could get this working.

      app



      • #4
        Re: Problems with a Loopback GPO

        In a sub-subkey in HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logon
        on the DC where the GPO applied already, is there a "Script" value that is showing the correct path to the logon script batch?

        Can you run the batch manually without errors?

        \Rems


        -=EDIT=-
        changed the batch: I added a 2nd %AcceptEula%

        Last edited by Rems; 5th September 2008, 20:12.




        • #5
          Re: Problems with a Loopback GPO

          Yeah, that path is there on the server and it looks to be pointing to the correct location. This is really starting to stump me...

          And double-clicking on the batch file does cause it to run. I get the message asking to confirm the running of the batch, but once I click OK it works.


          app



          • #6
            Re: Problems with a Loopback GPO

            Originally posted by apperrault:
            > i get the message asking to confirm the running of the batch, but once i click OK it works.
            And who is clicking OK during the logon process?

            Is it a security message?

            Maybe there should be a short pause before launching the exe in the script, just to be sure that the local domain is added successfully to the security zone.
            Or, you can manually add the domain.local to the zone via IE / Internet options / tab: Security / Local Intranet / Advanced, ...for testing.

            \Rems
            Last edited by Rems; 5th September 2008, 20:34.




            • #7
              Re: Problems with a Loopback GPO

              Doh!!!!

              OK, on to converting it to VBS. Should be pretty easy to do.

              app



              • #8
                Re: Problems with a Loopback GPO

                Why convert the batch to VBS? Is it because you don't get the message asking to confirm the running when it is VBS?

                \Rems




                • #9
                  Re: Problems with a Loopback GPO

                  That was the thought.



                  • #10
                    Re: Problems with a Loopback GPO

                    I don't think that converting the batch to vbs will help to solve the issue.

                    The problem is related to the fact that the batch and the exe files are both opened from a UNC path (containing the domain name) and not from a local path or mapped drive.
                    The computer must be configured to trust that "zone", otherwise you always get the "File Open Security Warning" first when you try to open a file identified as one of the "HighRiskFileTypes" on the computer.

                    The sample batch that I showed above adds the FQDN of the local domain (as a wildcard domain: *.domain.local) to the "Local Intranet zone"; you can configure this in Internet Explorer / Internet options / Security. Or via the registry: for Windows XP you can add the domain name as a subkey of the key ZoneMap\Domains\, which is what I did in the batch. But, Windows Server uses the 'Enhanced Security Configuration Zones', therefore the domain name should have been added as a subkey under the key ZoneMap\EscDomains (!).
                    So, edit that registry path in the batch and I'm positive the logon script will work for the DCs.

                    Still one entry to check though, just to be sure.
                    If in the key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings the value of "Security_HKLM_only" is 1, then probably in a GPO for the DCs the policy "Security Zones: Use only machine settings" is enabled. If this is true, then disable the policy, or else you'll have to configure the ZoneMap\EscDomains domain name entry in HKLM instead of HKCU.

                    - "File Open Security Warning"


                    \Rems




                    • #11
                      Re: Problems with a Loopback GPO

                      Of course, with the batch sample I am assuming that during the logon process there wouldn't be a problem running the logon script itself (opening the batch file by the userinit process). In this process it is just opening the exe file that is launched from within your logon script that is causing the problem.

                      But.. if still no success, then you can manually add a wildcard domain of your internal domain to the Local Intranet zone on each DC.
                      Or, change the script's path and exe path into a local path for the DC (since the script is replicated to each DC).


                      \Rems
                      Last edited by Rems; 6th September 2008, 11:16.
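One way to turn the advice in posts #10 and #11 into a single logon script, as an added example that is not code from this thread: it picks HKLM or HKCU from Security_HKLM_only, EscDomains or Domains from the OS type, adds the wildcard Local Intranet entry only for the duration of the BGInfo run, and uses the /accepteula switch from post #2 instead of the EulaAccepted registry values. The NETLOGON\Utils paths, PowerShell 3.0+ (for Get-CimInstance) and the rights to write to the chosen hive are assumptions.

```powershell
# Added example, not code from this thread. Assumed: BGInfo.exe and the .bgi
# config live in NETLOGON\Utils (path from post #2, config name from post #1),
# PowerShell 3.0+ (Get-CimInstance), and a user who may write to HKLM when
# "Security Zones: Use only machine settings" is in force.
$domain = $env:USERDNSDOMAIN
$bginfo = "\\$domain\netlogon\Utils\Bginfo.exe"   # assumed location
$config = "\\$domain\netlogon\Utils\SSVDC.bgi"    # assumed location

# Post #10: when the policy "Security Zones: Use only machine settings" is
# enabled (Security_HKLM_only = 1), the zone map is read from HKLM, not HKCU.
$polKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$hklmOnly = (Get-ItemProperty -Path $polKey -Name Security_HKLM_only `
             -ErrorAction SilentlyContinue).Security_HKLM_only -eq 1
$hive = if ($hklmOnly) { 'HKLM:' } else { 'HKCU:' }

# Post #10: Windows Server uses the Enhanced Security Configuration zone map,
# so the domain goes under ZoneMap\EscDomains; workstations use ZoneMap\Domains.
# Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server.
$isServer = (Get-CimInstance Win32_OperatingSystem).ProductType -ne 1
$subkey   = if ($isServer) { 'EscDomains' } else { 'Domains' }
$zoneKey  = "$hive\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\$subkey\$domain"

# Add a wildcard entry (*.domain) for the Local Intranet zone (zone id 1), but only
# if it does not exist yet, so the change can be undone after BGInfo has run.
$existed = Test-Path -LiteralPath $zoneKey
if (-not $existed) {
    New-Item -Path $zoneKey -Force | Out-Null
    New-ItemProperty -Path $zoneKey -Name '*' -PropertyType DWord -Value 1 -Force | Out-Null
}
try {
    # /accepteula (post #2) replaces the EulaAccepted registry writes; wait for the
    # process so the temporary zone entry is still present while the exe is opened.
    Start-Process -FilePath $bginfo -Wait `
        -ArgumentList "`"$config`"", '/accepteula', '/silent', '/all', '/timer:0'
}
finally {
    # Leave the security zone configuration as it was found.
    if (-not $existed) { Remove-Item -LiteralPath $zoneKey -Recurse -Force }
}
```

If the GPO in question disables the policy as post #10 suggests, the HKLM branch is never taken and the script runs entirely under the logged-on user's hive.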

