GPO Logon script processing problems

  • GPO Logon script processing problems

    Hi Guys,

    I work in a school where we have student computers in IT suites and staff computers in offices. A while ago we were asked to restrict it so that pupils could log on only to the computers in the IT suites. I thought this would be simple enough: use Active Directory to limit the workstations they can log on to. Unfortunately it wasn't that simple, as Active Directory only lets you specify up to 64 workstations and we have 150-ish they must be able to log on to. So here is what we came up with instead: a VB script applied to student user accounts that runs at logon. It reads the name of the computer they have logged on to, searches for it in an array (which is a list of computers they are permitted to log on to) and, if matched, lets them log on OK; if it doesn't find the name in the list, it immediately logs them off. Here is how the script looks:

    Option Explicit

    Dim objShell
    Dim ComputerName
    Dim ComputerNameArray
    Dim I
    Dim letpass
    Dim OpSysSet
    Dim OpSys

    'set letpass to false
    letpass = 0

    'set var objshell to a ws shell
    Set objShell = WScript.CreateObject("WScript.Shell")

    'use the ws shell to read computer name from reg
    ComputerName = objShell.RegRead _
    ("HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\HostName")

    'build an array of some computers
    ComputerNameArray = Array("LIBRARYLAPTOP01", _
    "N001", _
    "N002", _
    "N003", _
    "N004", _
    "N005", _
    "N006", _
    "N007", _
    "N008", _
    "N009", _
    "N010", _
    "N011", _
    "N012", _
    "N013", _
    "N201", _
    "N202", _
    "N203", _
    "N204", _
    "N205", _
    "N206", _
    "N207", _
    "N208", _
    "N209", _
    "N210", _
    "N211", _
    "N212", _
    "N213", _
    "N214", _
    "N215", _
    "N216", _
    "N217", _
    "N218", _
    "RM301701", _
    "RM301702", _
    "RM301703", _
    "RM301704", _
    "RM301705", _
    "RM301706", _
    "RM301707", _
    "RM301708", _
    "RM301709", _
    "RM301710", _
    "RM301711", _
    "RM301712", _
    "RM301713", _
    "RM301714", _
    "RM301715", _
    "RM301716", _
    "RM301717", _
    "RM301718", _
    "RM301719", _
    "RM301720", _
    "RM301721", _
    "RM301722", _
    "RM301723", _
    "RM301724", _
    "RM301725", _
    "RM301726", _
    "RM301727", _
    "RM302001", _
    "RM302002", _
    "RM302003", _
    "RM302004", _
    "RM302005", _
    "RM302006", _
    "RM302007", _
    "RM302008", _
    "RM302009", _
    "RM302010", _
    "RM302011", _
    "RM302012", _
    "RM302013", _
    "RM302014", _
    "RM302015", _
    "RM302016", _
    "RM302017", _
    "RM302018", _
    "RM302019", _
    "RM302020", _
    "RM302021", _
    "RM302022", _
    "RM302023", _
    "RM302024", _
    "RM302025", _
    "RM302026", _
    "RM302027", _
    "SIXTHFORM01", _
    "SIXTHFORM02", _
    "SIXTHFORM03", _
    "SIXTHFORM04", _
    "SIXTHFORM05", _
    "A2PC0601", _
    "ART0501", _
    "ART0502", _
    "ART0503", _
    "ART0504", _
    "CHEM0501", _
    "CHEM0503", _
    "CHEMISTRY0401", _
    "CHEMISTRY0402", _
    "CHEMISTRYH403", _
    "ECONOMICS0601", _
    "ECONOMICS0602", _
    "N101", _
    "ALAN")

    'cycle through array, looking for computer name
    For I = 0 To UBound(ComputerNameArray) Step 1
        'we must ucase both name and array, VBS is case sensitive, VBA not
        If UCase(ComputerName) = UCase(ComputerNameArray(I)) Then
            letpass = 1
            'if found early, exit
            I = UBound(ComputerNameArray)
        End If
    Next

    'if letpass is 0, then log em off
    If letpass = 0 Then

        ' Define some constants that can be used in this script;
        ' logoff = 0 (No forced close of applications) or 5 (forced);
        ' 5 works OK in Windows 2000, but may result in power off in XP
        Const EWX_LOGOFF = 0
        Const EWX_SHUTDOWN = 1
        Const EWX_REBOOT = 2
        Const EWX_FORCE = 4
        Const EWX_POWEROFF = 8

        ' Connect to computer
        Set OpSysSet = GetObject("winmgmts:{(Shutdown)}//" & ComputerName & "/root/cimv2").ExecQuery("select * from Win32_OperatingSystem where Primary=true")

        ' Actual logoff
        For Each OpSys In OpSysSet
            OpSys.Win32Shutdown EWX_LOGOFF
        Next

    End If


    I apologise for the length but that's what it is. Yesterday we implemented a new IT suite of 27 computers named n401 through to n427. Unfortunately, when we added them to the array of computers in the same format as all the other computers, we encountered some problems. When logging on as a student, the logon process would run OK and leave you logged in the first time you log in. If you log off and back on again, the machine would log you off immediately, as if it hadn't found the computer name in the script. The new machines we deployed had just been built with their own image, which all seemed to be OK, but after some extensive testing here are a few things we have noted:

    - If after a successful log on to one of the new computers you copy the script to the local hard drive and run it manually, it doesn't log you off. This would suggest there is no problem with the script.
    - If after a successful log on you edit the script and remove your computer name from the array and run the script again, it DOES log you off. This would again suggest the script works OK.
    - We've tried logging on to all the other computers in the array repeatedly without any problems at all.
    - If you rename one of the new computers (i.e. n401) to a computer name already in the array (i.e. rm302022), you can log on OK as many times as you like; this would suggest that the Windows build is OK.
    - If you rename an old computer (i.e. rm302022) to have a name the same as one of the n4 computers, the problem continues to occur.
    - We have only 2 domain controllers and the script resides in the SYSVOL folder, which has correctly replicated between the two since being edited. The domain controllers have been rebooted and it's nearly 24 hours since the problem first occurred.
    - Lastly, having named a computer that didn't have any previous problems with a completely new name (jonnostest) and then adding this name to the array, the computer logged student users off if they tried to log on for a second time.

    I know it's a bit of a long-winded post but would be most grateful if anyone could help, as I've been tearing my hair out on this one!


  • #2
    Re: GPO Logon script processing problems

    Originally posted by jonno_2
    Unfortunately it wasn't that simple as Active Directory only lets you specify up to 64 workstations
    What does this exactly mean?
    What OS are you running? I don't see why you can't do it with group policy.

    Network Consultant/Engineer
    Baltimore - Washington area and beyond
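
An instrumented variant of the allow-list check from the first post, added here as an example and not code from either poster: it records the computer name, verdict and script path on every run, so a first logon and a failing second logon can be compared line by line. The three computer names are a constructed sample, and the log file name `logon-check.log` is an assumption.

```vbscript
Option Explicit

Const ForAppending = 8
Const EWX_LOGOFF = 0

Dim net, shell, fso, wmi, allowed, name, verdict, logPath, logFile, os

Set net = CreateObject("WScript.Network")
Set shell = CreateObject("WScript.Shell")
Set fso = CreateObject("Scripting.FileSystemObject")

' Allow-list held in a dictionary; vbTextCompare makes lookups
' case-insensitive, so no UCase calls are needed.
' The names below are a constructed sample, not the school's full list.
Set allowed = CreateObject("Scripting.Dictionary")
allowed.CompareMode = vbTextCompare
For Each name In Array("N001", "N401", "RM302022")
    allowed(name) = True
Next

' Computer name as reported to this logon session
name = net.ComputerName
If allowed.Exists(name) Then verdict = "ALLOW" Else verdict = "DENY"

' Append one line per run to a per-user log (file name is an assumption).
' Brackets around the name expose stray whitespace or an empty value.
logPath = shell.ExpandEnvironmentStrings("%TEMP%") & "\logon-check.log"
Set logFile = fso.OpenTextFile(logPath, ForAppending, True)
logFile.WriteLine Now & " user=" & net.UserName & _
    " computer=[" & name & "] verdict=" & verdict & _
    " script=" & WScript.ScriptFullName
logFile.Close

' Log the user off only after the decision has been written to disk
If verdict = "DENY" Then
    Set wmi = GetObject("winmgmts:{(Shutdown)}!\\.\root\cimv2")
    For Each os In wmi.ExecQuery("SELECT * FROM Win32_OperatingSystem")
        os.Win32Shutdown EWX_LOGOFF
    Next
End If
```

A logon script runs in the user's own context after the logon has already succeeded, so it is a convenience check rather than an enforced one; the "Deny log on locally" user right applied by Group Policy to the staff computers is the enforced equivalent.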