User logon script issue with loopback GPO under SBS 2003


  • User logon script issue with loopback GPO under SBS 2003

    My company is running SBS 2003, with our computers and users organised into OUs based on their department. There are different GPOs applied to each of the user OUs, one of which is a batch file which runs at logon to map network printers using con2prt. For example, the script for IT admins connects to all shared printers:

    User Configuration > Windows Settings > Scripts > Logon > ITAdminPrinters.bat

    The script runs con2prt with the /f flag which removes all currently connected printers, then runs con2prt several times with the /c flag to connect printers and once with /cd to connect a printer and set it as the default.

    That all works fine.

    The problem comes when I try to use a loopback policy to force a different script to run for *any* user who logs onto a specific PC. In this instance, the computer is in a meeting room, it has a USB printer which we want to be set as the default and we only want it to have one other printer listed.

    The script to set this up is easy enough and works fine when I test it. The problem is that when a user logs in to this PC, the script from their OU runs and sets up the printers, but the script defined in the GPO for this PC does not. I have defined the script in the same location as mentioned previously, and enabled the loopback processing setting at

    Computer Configuration > Administrative Templates > System > Group Policy > Use Group Policy loopback processing mode.

    This is enabled and I have tried setting the mode to both Replace and Merge.

    If I disable the logon script in my user OU, the script in the computer OU still does not run.

    Is it possible to define user logon scripts in a loopback setting?

    There are no errors in the event log on the machine. I am sure that the script is not running as one of the commands in the script for testing purposes is to invoke gbmail and send a message to my account.

    To summarise: I want the user OU script to run on any machine I log in to, *unless* the computer has a loopback policy defined with a different script to run, in which case I *only* want the specialised script to run, and not the user script.
    Last edited by gforceindustries; 9th September 2008, 10:57.
    Gareth Howells

    BSc (Hons), MBCS, MCP, MCDST, ICCE

    Any advice is given in good faith and without warranty.

    Please give reputation points if somebody has helped you.

    "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

    "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.

  • #2
    Re: User logon script issue with loopback GPO under SBS 2003

    Update: The issue of the replacement script not running at all was cleared by a DC reboot following an issue over the weekend, but with both Replace and Merge modes, the user script still runs in addition to the computer script. How can I prevent the script defined in the user OU GPO from running? Given what this particular set of scripts is doing, I realise that there is little point in still having scripts defined in the user OU and I will be looking to move all printer mapping scripts to computer GPOs soon, but in general, is it possible to disable processing of a logon script? Should this not be the case if the mode for loopback processing is set to Replace?
    Last edited by gforceindustries; 9th September 2008, 11:38.
    Gareth Howells



    • #3
      Re: User logon script issue with loopback GPO under SBS 2003

      Two things:

      1. Is there a script set on the user object itself?

      2. Does the GPO where the user object is have the no override option set?



      • #4
        Re: User logon script issue with loopback GPO under SBS 2003

        Thanks for your reply...

        Originally posted by joeqwerty:
        "1. Is there a script set on the user object itself?"

        For our user accounts, the following scripts and policies apply:

        1) The logon script defined on the Profile tab of my user account properties in ADUC - SBS_LOGIN_SCRIPT.bat which is a default logon script created by SBS

        2) Startup scripts defined in the Computer Configuration of group policies - at present we do not have any of these.

        3) Logon scripts defined in the User Configuration of group policies applied to an OU containing user accounts. Each user OU has several of these, each of which is in a different GPO:

        - a number of GPOs which each map a drive letter to a share (VBS script)
        - a GPO containing the batch file to map printers using con2prt - this is the script we want to override

        4) Logon scripts defined in the User Configuration of group policies applied to an OU containing computer accounts, with loopback processing enabled. Computer OUs have zero or one of these. These are what we want to replace the user scripts.

        Originally posted by joeqwerty:
        "2. Does the GPO where the user object is have the no override option set?"

        Where can I find the no override option? Presumably this would be a property of the GPO rather than a setting defined in it? If you are referring to the Enforced attribute, then this is not enabled.

        Basically, what I want to achieve is a different set of network printers for different sets of users, varying based on which computer they log on to. Users from departments with their own printers should all default to that printer. Users from departments without their own printers should all default to the photocopier. Computers with USB printers should default to that (all computers have at least one local printer as we have a PDF writer installed as part of our standard image). All networked printers are shared from the server.
        Gareth Howells



        • #5
          Re: User logon script issue with loopback GPO under SBS 2003

          Try removing the script from the profile tab of the user object.



          • #6
            Re: User logon script issue with loopback GPO under SBS 2003

            Didn't work, wouldn't expect it to. That script is not related to printers. It runs the SBS client setup from the SBS server. It's the default script created when you install SBS and we only still have it there because things don't work properly if the SBS client isn't set up on the workstations. I much prefer to use group policy to control user account properties rather than specifying them in ADUC.

            Which loopback mode would you recommend for what I am trying to do? I would have thought that the Replace option would prevent all scripts defined in the user OU from running and instead only run the scripts defined in the computer OU.
            Last edited by gforceindustries; 9th September 2008, 17:52.
            Gareth Howells



            • #7
              Re: User logon script issue with loopback GPO under SBS 2003

              I too would think that Replace mode would give you the desired results. I would suggest running gpresult against the user while logged on to the machine in question to find out what settings are being applied or not applied and why.



              • #8
                Re: User logon script issue with loopback GPO under SBS 2003

                Thanks, will do that tomorrow. Unfortunately it's just gone 6pm here and our machines shut down at 6 so I can't get into it over VPN. I'll post back with the results when I can.
                Gareth Howells



                • #9
                  Re: User logon script issue with loopback GPO under SBS 2003

                  I've had a fiddle and both scripts are now being executed. Not ideal (as I had intended the machine OU script to *replace* the user OU script) but not a dead loss. However, what I need to be able to do is change the order that the scripts are applied in - i.e. I need the user OU GPOs to apply, and then the user settings from the loopback. Output from gpresult attached using both Merge and Replace loopback mode.
                  Gareth Howells



                  • #10
                    Re: User logon script issue with loopback GPO under SBS 2003

                    No, the order the startup or logon scripts start in would only be the order the GPOs are applied: site-level first, then domain-level, OU-level, and finally user-object scripts. But the scripts will run in parallel, so it is still possible that the script that is started first does not finish first.

                    Only the scripts launched from one GPO can be configured to start in a particular order. You can configure "Run logon scripts synchronously"=Enabled and "Run startup scripts asynchronously"=Disabled. (This configuration could have consequences, however, if you launch apps/scripts from within a logon script.)

                    IMHO what you would like to accomplish does not necessarily require running multiple scripts from different GPOs. Not even multiple scripts from one GPO.
                    You can add a part to the default user logon script that will only be processed if the name of the computer (or the computer's membership of a particular group, or the name of the computer's OU) matches a certain name.

                    i.e.
                    Code:
                    ' -----------------------------------------------------------
                    
                    'Running of the following is based on the name of the computer:
                    Set WshNetwork = WScript.CreateObject("WScript.Network")
                    
                    strComputer = WshNetwork.ComputerName
                    If UCase(strComputer) = Ucase("Desktop021") Then
                    
                      'code for the userlogon script that only 
                      'will be processed on the specified computer.
                    
                    Else
                    
                      'default code for the userlogon script here
                    
                    End If
                    
                    ' -----------------------------------------------------------
                    A batch sample:
                    Code:
                    If /i NOT [%Computername%]==[Desktop021] (
                      rem default code for the userlogon script here
                    ) ELSE (
                      rem code for the userlogon script that only 
                      rem will be processed on the specified computer.
                    )
                    \Rems

                    This posting is provided "AS IS" with no warranties, and confers no rights.

                    __________________

                    ** Remember to give credit where credit's due **
                    and leave Reputation Points for meaningful posts
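
Added example, not code from any poster in this thread: a small Python model of how the documented loopback modes choose the GPO list whose User Configuration (and so whose logon scripts) is processed. The OU names, GPO names, MapDrives.vbs and MeetingRoomPrinters.bat are constructed; ITAdminPrinters.bat and SBS_LOGIN_SCRIPT.bat are the names used in the thread.

```python
# Model only: which user-side GPOs and logon scripts are selected at logon.
# Container names, GPO names and two of the script names are constructed.

LINKS = {  # container -> GPOs linked there, in processing order
    "domain": ["Default Domain Policy"],
    "OU=IT Admins": ["Map Drives", "IT Admin Printers"],
    "OU=Meeting Rooms": ["Meeting Room Printers"],
}
LOGON_SCRIPTS = {  # GPO -> User Configuration logon scripts it defines
    "Map Drives": ["MapDrives.vbs"],
    "IT Admin Printers": ["ITAdminPrinters.bat"],
    "Meeting Room Printers": ["MeetingRoomPrinters.bat"],
}

def gpo_list(path):
    """GPOs for an object, walking from the domain down to its own OU."""
    return [gpo for container in path for gpo in LINKS.get(container, [])]

def user_side_gpos(user_path, computer_path, loopback=None):
    """GPO list whose User Configuration is processed at logon."""
    if loopback is None:
        gpos = gpo_list(user_path)
    elif loopback == "replace":      # the computer's list is used instead
        gpos = gpo_list(computer_path)
    elif loopback == "merge":        # user's list first, computer's list after
        gpos = gpo_list(user_path) + gpo_list(computer_path)
    else:
        raise ValueError(f"unknown loopback mode: {loopback!r}")
    # Simplification: a GPO in both lists is kept once, at its later position.
    seen, ordered = set(), []
    for gpo in reversed(gpos):
        if gpo not in seen:
            seen.add(gpo)
            ordered.append(gpo)
    return ordered[::-1]

def logon_scripts(gpos, profile_script=None):
    """Scripts selected; list order is GPO order, not completion order."""
    scripts = [s for gpo in gpos for s in LOGON_SCRIPTS.get(gpo, [])]
    # The ADUC Profile-tab script is a user attribute, not policy,
    # so no loopback mode removes it.
    return scripts + ([profile_script] if profile_script else [])

USER = ["domain", "OU=IT Admins"]        # constructed user location
PC = ["domain", "OU=Meeting Rooms"]      # constructed computer location

if __name__ == "__main__":
    for mode in (None, "merge", "replace"):
        gpos = user_side_gpos(USER, PC, mode)
        print(mode, logon_scripts(gpos, "SBS_LOGIN_SCRIPT.bat"))
```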
