Disabling a GPO logon Script

[Guest Alex Anderson]

Hello Everyone,

 

We have a GPO logon script that users get when they log into their computer

or TS. Our goal is disable the logon script when users log into the TS

server. I found the KB article

(http://support.microsoft.com/kb/924034/en-us) that explains the process

however the script still runs when a user logs in. I'm not sure if it's

because the script is tagged to a GPO or if the KB article is meant for

entirely something else? I did get help from the VB script people on how to

exclude certain computers from running however I thought it would be much

easier to just disable the logon script feature on the TS server. Any help

would be much appreciated.

 

Thank you

Alex Anderson

[Guest Helge Klein]

Re: Disabling a GPO logon Script

 

The KB article you reference (KB924034) refers to logon scripts that

are set in the AD user account object properties.

 

Blocking a GPO logon script on certain systems is probably easiest by

reconfiguring the GPO / OU structure in such a way that the GPO simply

does not apply to the systems in question. You could move your TS

computer accounts to a dedicated OU and then make sure that the GPO

with the logon script is not being applied or inherited on that OU.

 

I hope this helps.

 

Helge

 

On 25 Jul., 22:00, Alex Anderson

<AlexAnder...@discussions.microsoft.com> wrote:

> Hello Everyone,

>

> We have a GPO logon script that users get when they log into their computer

> or TS. Our goal is disable the logon script when users log into the TS

> server. I found the KB article

> (http://support.microsoft.com/kb/924034/en-us) that explains the process

> however the script still runs when a user logs in. I'm not sure if it's

> because the script is tagged to a GPO or if the KB article is meant for

> entirely something else? I did get help from the VB script people on how to

> exclude certain computers from running however I thought it would be much

> easier to just disable the logon script feature on the TS server. Any help

> would be much appreciated.

>

> Thank you

> Alex Anderson

[Guest Vera Noest [MVP]]

Re: Disabling a GPO logon Script

 

Yes, that can be done, but how you have to do it depends on how

exactly you have defined your current logon script, in which GPO,

and to which OU the GPO is linked.

 

I'm going to assume that your current logon script is defined in

the "User configuration" part of a GPO which is linked to the

"Users" OU, thus affecting all users, irrespective of the computer

they logon to.

 

The easiest way to prevent this script from running when users

logon to the Terminal Server is to create a second GPO and link it

to the OU which contains the Terminal Servers (but *no* user

accounts).

In this TS-GPO, you have to define minimally these 2 settings:

 

Computer Configuration - Administrative Templates - System - Group

Policy

"User Group Policy loopback processing mode" - Enabled

 

User Configuration - Windows Settings - Scripts

Logon - Disabled

 

What loopback processing does is that it takes the User

Configurations from the GPO linked to the computer (in this case

the Terminal Server), in stead of the normal processing (taking the

user settings from the GPO linked to the user account).

 

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

___ please respond in newsgroup, NOT by private email ___

 

=?Utf-8?B?QWxleCBBbmRlcnNvbg==?=

<AlexAnderson@discussions.microsoft.com> wrote on 25 jul 2007 in

microsoft.public.windows.terminal_services:

> Hello Everyone,

>

> We have a GPO logon script that users get when they log into

> their computer or TS. Our goal is disable the logon script when

> users log into the TS server. I found the KB article

> (http://support.microsoft.com/kb/924034/en-us) that explains the

> process however the script still runs when a user logs in. I'm

> not sure if it's because the script is tagged to a GPO or if the

> KB article is meant for entirely something else? I did get help

> from the VB script people on how to exclude certain computers

> from running however I thought it would be much easier to just

> disable the logon script feature on the TS server. Any help

> would be much appreciated.

>

> Thank you

> Alex Anderson

[Guest Alex Anderson]

Re: Disabling a GPO logon Script

 

Helge (interesting name)

 

Here's the issue. They still need to run the logon script when logging into

their computer so by moving them out of the line of fire of my logon script

GPO effectively disables them from running the logon script on their personal

computer. It will be a pain but I guess I could do what you say and apply

the KB article I got from Microsoft then on each user that accesses our TS

server give them the login script applied to the user's object under AD.

That way, when they login it will disable the logon script but still be able

to get their logon script when logging into their personal computer.

 

Thank you

Alex Anderson

 

 

"Helge Klein" wrote:

> The KB article you reference (KB924034) refers to logon scripts that

> are set in the AD user account object properties.

>

> Blocking a GPO logon script on certain systems is probably easiest by

> reconfiguring the GPO / OU structure in such a way that the GPO simply

> does not apply to the systems in question. You could move your TS

> computer accounts to a dedicated OU and then make sure that the GPO

> with the logon script is not being applied or inherited on that OU.

>

> I hope this helps.

>

> Helge

>

> On 25 Jul., 22:00, Alex Anderson

> <AlexAnder...@discussions.microsoft.com> wrote:

> > Hello Everyone,

> >

> > We have a GPO logon script that users get when they log into their computer

> > or TS. Our goal is disable the logon script when users log into the TS

> > server. I found the KB article

> > (http://support.microsoft.com/kb/924034/en-us) that explains the process

> > however the script still runs when a user logs in. I'm not sure if it's

> > because the script is tagged to a GPO or if the KB article is meant for

> > entirely something else? I did get help from the VB script people on how to

> > exclude certain computers from running however I thought it would be much

> > easier to just disable the logon script feature on the TS server. Any help

> > would be much appreciated.

> >

> > Thank you

> > Alex Anderson

>

>

>

[Guest Helge Klein]

Re: Disabling a GPO logon Script

 

Alex, I think you misunderstood me. I did _not_ mean to implement the

solution outlined in KB924034. Instead I was referring (rather

vaguely, I admit) to changing your GPOs.

 

Vera described in her post what you have to do. The key is "Loopback

Processing", which effectively disables the GPOs linked to the user

accounts when users log on to the terminal servers.

 

I hope this helps.

 

Helge

 

On 25 Jul., 22:46, Alex Anderson

<AlexAnder...@discussions.microsoft.com> wrote:

> Helge (interesting name)

>

> Here's the issue. They still need to run the logon script when logging into

> their computer so by moving them out of the line of fire of my logon script

> GPO effectively disables them from running the logon script on their personal

> computer. It will be a pain but I guess I could do what you say and apply

> the KB article I got from Microsoft then on each user that accesses our TS

> server give them the login script applied to the user's object under AD.

> That way, when they login it will disable the logon script but still be able

> to get their logon script when logging into their personal computer.

>

> Thank you

> Alex Anderson

>

> "Helge Klein" wrote:

> > The KB article you reference (KB924034) refers to logon scripts that

> > are set in the AD user account object properties.

>

> > Blocking a GPO logon script on certain systems is probably easiest by

> > reconfiguring the GPO / OU structure in such a way that the GPO simply

> > does not apply to the systems in question. You could move your TS

> > computer accounts to a dedicated OU and then make sure that the GPO

> > with the logon script is not being applied or inherited on that OU.

>

> > I hope this helps.

>

> > Helge

>

> > On 25 Jul., 22:00, Alex Anderson

> > <AlexAnder...@discussions.microsoft.com> wrote:

> > > Hello Everyone,

>

> > > We have a GPO logon script that users get when they log into their computer

> > > or TS. Our goal is disable the logon script when users log into the TS

> > > server. I found the KB article

> > > (http://support.microsoft.com/kb/924034/en-us) that explains the process

> > > however the script still runs when a user logs in. I'm not sure if it's

> > > because the script is tagged to a GPO or if the KB article is meant for

> > > entirely something else? I did get help from the VB script people on how to

> > > exclude certain computers from running however I thought it would be much

> > > easier to just disable the logon script feature on the TS server. Any help

> > > would be much appreciated.

>

> > > Thank you

> > > Alex Anderson

[Guest Alex Anderson]

Re: Disabling a GPO logon Script

 

Vera,

 

How do disable scripts if you have no option too? Do you disable it by not

specifying a logon script?

 

"Vera Noest [MVP]" wrote:

> Yes, that can be done, but how you have to do it depends on how

> exactly you have defined your current logon script, in which GPO,

> and to which OU the GPO is linked.

>

> I'm going to assume that your current logon script is defined in

> the "User configuration" part of a GPO which is linked to the

> "Users" OU, thus affecting all users, irrespective of the computer

> they logon to.

>

> The easiest way to prevent this script from running when users

> logon to the Terminal Server is to create a second GPO and link it

> to the OU which contains the Terminal Servers (but *no* user

> accounts).

> In this TS-GPO, you have to define minimally these 2 settings:

>

> Computer Configuration - Administrative Templates - System - Group

> Policy

> "User Group Policy loopback processing mode" - Enabled

>

> User Configuration - Windows Settings - Scripts

> Logon - Disabled

>

> What loopback processing does is that it takes the User

> Configurations from the GPO linked to the computer (in this case

> the Terminal Server), in stead of the normal processing (taking the

> user settings from the GPO linked to the user account).

>

> _________________________________________________________

> Vera Noest

> MCSE, CCEA, Microsoft MVP - Terminal Server

> TS troubleshooting: http://ts.veranoest.net

> ___ please respond in newsgroup, NOT by private email ___

>

> =?Utf-8?B?QWxleCBBbmRlcnNvbg==?=

> <AlexAnderson@discussions.microsoft.com> wrote on 25 jul 2007 in

> microsoft.public.windows.terminal_services:

>

> > Hello Everyone,

> >

> > We have a GPO logon script that users get when they log into

> > their computer or TS. Our goal is disable the logon script when

> > users log into the TS server. I found the KB article

> > (http://support.microsoft.com/kb/924034/en-us) that explains the

> > process however the script still runs when a user logs in. I'm

> > not sure if it's because the script is tagged to a GPO or if the

> > KB article is meant for entirely something else? I did get help

> > from the VB script people on how to exclude certain computers

> > from running however I thought it would be much easier to just

> > disable the logon script feature on the TS server. Any help

> > would be much appreciated.

> >

> > Thank you

> > Alex Anderson

>

[Guest Vera Noest [MVP]]

Re: Disabling a GPO logon Script

 

Mmm, I didn't think about that, it's not a setting which you can

disable. Have a try with no script defined, and be sure that you use

the "Replace" option on the loopback policy.

 

If that should fail, you can easily jump out of the script by

checking the variable %computername% to see if it equals the name of

the TS. But a GPO would be nicer.

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

___ please respond in newsgroup, NOT by private email ___

 

=?Utf-8?B?QWxleCBBbmRlcnNvbg==?=

<AlexAnderson@discussions.microsoft.com> wrote on 26 jul 2007 in

microsoft.public.windows.terminal_services:

> Vera,

>

> How do disable scripts if you have no option too? Do you

> disable it by not specifying a logon script?

>

> "Vera Noest [MVP]" wrote:

>

>> Yes, that can be done, but how you have to do it depends on how

>> exactly you have defined your current logon script, in which

>> GPO, and to which OU the GPO is linked.

>>

>> I'm going to assume that your current logon script is defined

>> in the "User configuration" part of a GPO which is linked to

>> the "Users" OU, thus affecting all users, irrespective of the

>> computer they logon to.

>>

>> The easiest way to prevent this script from running when users

>> logon to the Terminal Server is to create a second GPO and link

>> it to the OU which contains the Terminal Servers (but *no* user

>> accounts).

>> In this TS-GPO, you have to define minimally these 2 settings:

>>

>> Computer Configuration - Administrative Templates - System -

>> Group Policy

>> "User Group Policy loopback processing mode" - Enabled

>>

>> User Configuration - Windows Settings - Scripts

>> Logon - Disabled

>>

>> What loopback processing does is that it takes the User

>> Configurations from the GPO linked to the computer (in this

>> case the Terminal Server), in stead of the normal processing

>> (taking the user settings from the GPO linked to the user

>> account).

>>

>> _________________________________________________________

>> Vera Noest

>> MCSE, CCEA, Microsoft MVP - Terminal Server

>> TS troubleshooting: http://ts.veranoest.net

>> ___ please respond in newsgroup, NOT by private email ___

>>

>> =?Utf-8?B?QWxleCBBbmRlcnNvbg==?=

>> <AlexAnderson@discussions.microsoft.com> wrote on 25 jul 2007

>> in microsoft.public.windows.terminal_services:

>>

>> > Hello Everyone,

>> >

>> > We have a GPO logon script that users get when they log into

>> > their computer or TS. Our goal is disable the logon script

>> > when users log into the TS server. I found the KB article

>> > (http://support.microsoft.com/kb/924034/en-us) that explains

>> > the process however the script still runs when a user logs

>> > in. I'm not sure if it's because the script is tagged to a

>> > GPO or if the KB article is meant for entirely something

>> > else? I did get help from the VB script people on how to

>> > exclude certain computers from running however I thought it

>> > would be much easier to just disable the logon script feature

>> > on the TS server. Any help would be much appreciated.

>> >

>> > Thank you

>> > Alex Anderson

[Guest Alex Anderson]

Re: Disabling a GPO logon Script

 

Vera,

 

Well, if you don't define anything, then nothing should run. I just did a

test run and it worked great. Thank you and Helge (cool name) for the help

with my dilemma.

 

Thank you

Alex Anderson

 

 

"Vera Noest [MVP]" wrote:

> Mmm, I didn't think about that, it's not a setting which you can

> disable. Have a try with no script defined, and be sure that you use

> the "Replace" option on the loopback policy.

>

> If that should fail, you can easily jump out of the script by

> checking the variable %computername% to see if it equals the name of

> the TS. But a GPO would be nicer.

> _________________________________________________________

> Vera Noest

> MCSE, CCEA, Microsoft MVP - Terminal Server

> TS troubleshooting: http://ts.veranoest.net

> ___ please respond in newsgroup, NOT by private email ___

>

> =?Utf-8?B?QWxleCBBbmRlcnNvbg==?=

> <AlexAnderson@discussions.microsoft.com> wrote on 26 jul 2007 in

> microsoft.public.windows.terminal_services:

>

> > Vera,

> >

> > How do disable scripts if you have no option too? Do you

> > disable it by not specifying a logon script?

> >

> > "Vera Noest [MVP]" wrote:

> >

> >> Yes, that can be done, but how you have to do it depends on how

> >> exactly you have defined your current logon script, in which

> >> GPO, and to which OU the GPO is linked.

> >>

> >> I'm going to assume that your current logon script is defined

> >> in the "User configuration" part of a GPO which is linked to

> >> the "Users" OU, thus affecting all users, irrespective of the

> >> computer they logon to.

> >>

> >> The easiest way to prevent this script from running when users

> >> logon to the Terminal Server is to create a second GPO and link

> >> it to the OU which contains the Terminal Servers (but *no* user

> >> accounts).

> >> In this TS-GPO, you have to define minimally these 2 settings:

> >>

> >> Computer Configuration - Administrative Templates - System -

> >> Group Policy

> >> "User Group Policy loopback processing mode" - Enabled

> >>

> >> User Configuration - Windows Settings - Scripts

> >> Logon - Disabled

> >>

> >> What loopback processing does is that it takes the User

> >> Configurations from the GPO linked to the computer (in this

> >> case the Terminal Server), in stead of the normal processing

> >> (taking the user settings from the GPO linked to the user

> >> account).

> >>

> >> _________________________________________________________

> >> Vera Noest

> >> MCSE, CCEA, Microsoft MVP - Terminal Server

> >> TS troubleshooting: http://ts.veranoest.net

> >> ___ please respond in newsgroup, NOT by private email ___

> >>

> >> =?Utf-8?B?QWxleCBBbmRlcnNvbg==?=

> >> <AlexAnderson@discussions.microsoft.com> wrote on 25 jul 2007

> >> in microsoft.public.windows.terminal_services:

> >>

> >> > Hello Everyone,

> >> >

> >> > We have a GPO logon script that users get when they log into

> >> > their computer or TS. Our goal is disable the logon script

> >> > when users log into the TS server. I found the KB article

> >> > (http://support.microsoft.com/kb/924034/en-us) that explains

> >> > the process however the script still runs when a user logs

> >> > in. I'm not sure if it's because the script is tagged to a

> >> > GPO or if the KB article is meant for entirely something

> >> > else? I did get help from the VB script people on how to

> >> > exclude certain computers from running however I thought it

> >> > would be much easier to just disable the logon script feature

> >> > on the TS server. Any help would be much appreciated.

> >> >

> >> > Thank you

> >> > Alex Anderson

>

[Guest Vera Noest [MVP]]

Re: Disabling a GPO logon Script

 

OK, I'm glad that your problem is solved, and thanks for reporting

the results back here, Alex!

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

*----------- Please reply in newsgroup -------------*

 

=?Utf-8?B?QWxleCBBbmRlcnNvbg==?=

<AlexAnderson@discussions.microsoft.com> wrote on 26 jul 2007:

> Vera,

>

> Well, if you don't define anything, then nothing should run. I

> just did a test run and it worked great. Thank you and Helge

> (cool name) for the help with my dilemma.

>

> Thank you

> Alex Anderson

>

>

> "Vera Noest [MVP]" wrote:

>

>> Mmm, I didn't think about that, it's not a setting which you

>> can disable. Have a try with no script defined, and be sure

>> that you use the "Replace" option on the loopback policy.

>>

>> If that should fail, you can easily jump out of the script by

>> checking the variable %computername% to see if it equals the

>> name of the TS. But a GPO would be nicer.

>> _________________________________________________________

>> Vera Noest

>> MCSE, CCEA, Microsoft MVP - Terminal Server

>> TS troubleshooting: http://ts.veranoest.net

>> ___ please respond in newsgroup, NOT by private email ___

>>

>> =?Utf-8?B?QWxleCBBbmRlcnNvbg==?=

>> <AlexAnderson@discussions.microsoft.com> wrote on 26 jul 2007

>> in microsoft.public.windows.terminal_services:

>>

>> > Vera,

>> >

>> > How do disable scripts if you have no option too? Do you

>> > disable it by not specifying a logon script?

>> >

>> > "Vera Noest [MVP]" wrote:

>> >

>> >> Yes, that can be done, but how you have to do it depends on

>> >> how exactly you have defined your current logon script, in

>> >> which GPO, and to which OU the GPO is linked.

>> >>

>> >> I'm going to assume that your current logon script is

>> >> defined in the "User configuration" part of a GPO which is

>> >> linked to the "Users" OU, thus affecting all users,

>> >> irrespective of the computer they logon to.

>> >>

>> >> The easiest way to prevent this script from running when

>> >> users logon to the Terminal Server is to create a second GPO

>> >> and link it to the OU which contains the Terminal Servers

>> >> (but *no* user accounts).

>> >> In this TS-GPO, you have to define minimally these 2

>> >> settings:

>> >>

>> >> Computer Configuration - Administrative Templates - System -

>> >> Group Policy

>> >> "User Group Policy loopback processing mode" - Enabled

>> >>

>> >> User Configuration - Windows Settings - Scripts

>> >> Logon - Disabled

>> >>

>> >> What loopback processing does is that it takes the User

>> >> Configurations from the GPO linked to the computer (in this

>> >> case the Terminal Server), in stead of the normal processing

>> >> (taking the user settings from the GPO linked to the user

>> >> account).

>> >>

>> >> _________________________________________________________

>> >> Vera Noest

>> >> MCSE, CCEA, Microsoft MVP - Terminal Server

>> >> TS troubleshooting: http://ts.veranoest.net

>> >> ___ please respond in newsgroup, NOT by private email ___

>> >>

>> >> =?Utf-8?B?QWxleCBBbmRlcnNvbg==?=

>> >> <AlexAnderson@discussions.microsoft.com> wrote on 25 jul

>> >> 2007 in microsoft.public.windows.terminal_services:

>> >>

>> >> > Hello Everyone,

>> >> >

>> >> > We have a GPO logon script that users get when they log

>> >> > into their computer or TS. Our goal is disable the logon

>> >> > script when users log into the TS server. I found the KB

>> >> > article (http://support.microsoft.com/kb/924034/en-us)

>> >> > that explains the process however the script still runs

>> >> > when a user logs in. I'm not sure if it's because the

>> >> > script is tagged to a GPO or if the KB article is meant

>> >> > for entirely something else? I did get help from the VB

>> >> > script people on how to exclude certain computers from

>> >> > running however I thought it would be much easier to just

>> >> > disable the logon script feature on the TS server. Any

>> >> > help would be much appreciated.

>> >> >

>> >> > Thank you

>> >> > Alex Anderson