Guest Alex Anderson Posted July 25, 2007 Posted July 25, 2007 Hello Everyone, We have a GPO logon script that users get when they log into their computer or TS. Our goal is disable the logon script when users log into the TS server. I found the KB article (http://support.microsoft.com/kb/924034/en-us) that explains the process however the script still runs when a user logs in. I'm not sure if it's because the script is tagged to a GPO or if the KB article is meant for entirely something else? I did get help from the VB script people on how to exclude certain computers from running however I thought it would be much easier to just disable the logon script feature on the TS server. Any help would be much appreciated. Thank you Alex Anderson
Guest Helge Klein Posted July 25, 2007 Posted July 25, 2007 Re: Disabling a GPO logon Script The KB article you reference (KB924034) refers to logon scripts that are set in the AD user account object properties. Blocking a GPO logon script on certain systems is probably easiest by reconfiguring the GPO / OU structure in such a way that the GPO simply does not apply to the systems in question. You could move your TS computer accounts to a dedicated OU and then make sure that the GPO with the logon script is not being applied or inherited on that OU. I hope this helps. Helge On 25 Jul., 22:00, Alex Anderson <AlexAnder...@discussions.microsoft.com> wrote: > Hello Everyone, > > We have a GPO logon script that users get when they log into their computer > or TS. Our goal is disable the logon script when users log into the TS > server. I found the KB article > (http://support.microsoft.com/kb/924034/en-us) that explains the process > however the script still runs when a user logs in. I'm not sure if it's > because the script is tagged to a GPO or if the KB article is meant for > entirely something else? I did get help from the VB script people on how to > exclude certain computers from running however I thought it would be much > easier to just disable the logon script feature on the TS server. Any help > would be much appreciated. > > Thank you > Alex Anderson
Guest Vera Noest [MVP] Posted July 25, 2007 Posted July 25, 2007 Re: Disabling a GPO logon Script Yes, that can be done, but how you have to do it depends on how exactly you have defined your current logon script, in which GPO, and to which OU the GPO is linked. I'm going to assume that your current logon script is defined in the "User configuration" part of a GPO which is linked to the "Users" OU, thus affecting all users, irrespective of the computer they logon to. The easiest way to prevent this script from running when users logon to the Terminal Server is to create a second GPO and link it to the OU which contains the Terminal Servers (but *no* user accounts). In this TS-GPO, you have to define minimally these 2 settings: Computer Configuration - Administrative Templates - System - Group Policy "User Group Policy loopback processing mode" - Enabled User Configuration - Windows Settings - Scripts Logon - Disabled What loopback processing does is that it takes the User Configurations from the GPO linked to the computer (in this case the Terminal Server), in stead of the normal processing (taking the user settings from the GPO linked to the user account). _________________________________________________________ Vera Noest MCSE, CCEA, Microsoft MVP - Terminal Server TS troubleshooting: http://ts.veranoest.net ___ please respond in newsgroup, NOT by private email ___ =?Utf-8?B?QWxleCBBbmRlcnNvbg==?= <AlexAnderson@discussions.microsoft.com> wrote on 25 jul 2007 in microsoft.public.windows.terminal_services: > Hello Everyone, > > We have a GPO logon script that users get when they log into > their computer or TS. Our goal is disable the logon script when > users log into the TS server. I found the KB article > (http://support.microsoft.com/kb/924034/en-us) that explains the > process however the script still runs when a user logs in. I'm > not sure if it's because the script is tagged to a GPO or if the > KB article is meant for entirely something else? I did get help > from the VB script people on how to exclude certain computers > from running however I thought it would be much easier to just > disable the logon script feature on the TS server. Any help > would be much appreciated. > > Thank you > Alex Anderson
Guest Alex Anderson Posted July 25, 2007 Posted July 25, 2007 Re: Disabling a GPO logon Script Helge (interesting name) Here's the issue. They still need to run the logon script when logging into their computer so by moving them out of the line of fire of my logon script GPO effectively disables them from running the logon script on their personal computer. It will be a pain but I guess I could do what you say and apply the KB article I got from Microsoft then on each user that accesses our TS server give them the login script applied to the user's object under AD. That way, when they login it will disable the logon script but still be able to get their logon script when logging into their personal computer. Thank you Alex Anderson "Helge Klein" wrote: > The KB article you reference (KB924034) refers to logon scripts that > are set in the AD user account object properties. > > Blocking a GPO logon script on certain systems is probably easiest by > reconfiguring the GPO / OU structure in such a way that the GPO simply > does not apply to the systems in question. You could move your TS > computer accounts to a dedicated OU and then make sure that the GPO > with the logon script is not being applied or inherited on that OU. > > I hope this helps. > > Helge > > On 25 Jul., 22:00, Alex Anderson > <AlexAnder...@discussions.microsoft.com> wrote: > > Hello Everyone, > > > > We have a GPO logon script that users get when they log into their computer > > or TS. Our goal is disable the logon script when users log into the TS > > server. I found the KB article > > (http://support.microsoft.com/kb/924034/en-us) that explains the process > > however the script still runs when a user logs in. I'm not sure if it's > > because the script is tagged to a GPO or if the KB article is meant for > > entirely something else? I did get help from the VB script people on how to > > exclude certain computers from running however I thought it would be much > > easier to just disable the logon script feature on the TS server. Any help > > would be much appreciated. > > > > Thank you > > Alex Anderson > > >
Guest Helge Klein Posted July 25, 2007 Posted July 25, 2007 Re: Disabling a GPO logon Script Alex, I think you misunderstood me. I did _not_ mean to implement the solution outlined in KB924034. Instead I was referring (rather vaguely, I admit) to changing your GPOs. Vera described in her post what you have to do. The key is "Loopback Processing", which effectively disables the GPOs linked to the user accounts when users log on to the terminal servers. I hope this helps. Helge On 25 Jul., 22:46, Alex Anderson <AlexAnder...@discussions.microsoft.com> wrote: > Helge (interesting name) > > Here's the issue. They still need to run the logon script when logging into > their computer so by moving them out of the line of fire of my logon script > GPO effectively disables them from running the logon script on their personal > computer. It will be a pain but I guess I could do what you say and apply > the KB article I got from Microsoft then on each user that accesses our TS > server give them the login script applied to the user's object under AD. > That way, when they login it will disable the logon script but still be able > to get their logon script when logging into their personal computer. > > Thank you > Alex Anderson > > "Helge Klein" wrote: > > The KB article you reference (KB924034) refers to logon scripts that > > are set in the AD user account object properties. > > > Blocking a GPO logon script on certain systems is probably easiest by > > reconfiguring the GPO / OU structure in such a way that the GPO simply > > does not apply to the systems in question. You could move your TS > > computer accounts to a dedicated OU and then make sure that the GPO > > with the logon script is not being applied or inherited on that OU. > > > I hope this helps. > > > Helge > > > On 25 Jul., 22:00, Alex Anderson > > <AlexAnder...@discussions.microsoft.com> wrote: > > > Hello Everyone, > > > > We have a GPO logon script that users get when they log into their computer > > > or TS. Our goal is disable the logon script when users log into the TS > > > server. I found the KB article > > > (http://support.microsoft.com/kb/924034/en-us) that explains the process > > > however the script still runs when a user logs in. I'm not sure if it's > > > because the script is tagged to a GPO or if the KB article is meant for > > > entirely something else? I did get help from the VB script people on how to > > > exclude certain computers from running however I thought it would be much > > > easier to just disable the logon script feature on the TS server. Any help > > > would be much appreciated. > > > > Thank you > > > Alex Anderson
Guest Alex Anderson Posted July 25, 2007 Posted July 25, 2007 Re: Disabling a GPO logon Script Vera, How do disable scripts if you have no option too? Do you disable it by not specifying a logon script? "Vera Noest [MVP]" wrote: > Yes, that can be done, but how you have to do it depends on how > exactly you have defined your current logon script, in which GPO, > and to which OU the GPO is linked. > > I'm going to assume that your current logon script is defined in > the "User configuration" part of a GPO which is linked to the > "Users" OU, thus affecting all users, irrespective of the computer > they logon to. > > The easiest way to prevent this script from running when users > logon to the Terminal Server is to create a second GPO and link it > to the OU which contains the Terminal Servers (but *no* user > accounts). > In this TS-GPO, you have to define minimally these 2 settings: > > Computer Configuration - Administrative Templates - System - Group > Policy > "User Group Policy loopback processing mode" - Enabled > > User Configuration - Windows Settings - Scripts > Logon - Disabled > > What loopback processing does is that it takes the User > Configurations from the GPO linked to the computer (in this case > the Terminal Server), in stead of the normal processing (taking the > user settings from the GPO linked to the user account). > > _________________________________________________________ > Vera Noest > MCSE, CCEA, Microsoft MVP - Terminal Server > TS troubleshooting: http://ts.veranoest.net > ___ please respond in newsgroup, NOT by private email ___ > > =?Utf-8?B?QWxleCBBbmRlcnNvbg==?= > <AlexAnderson@discussions.microsoft.com> wrote on 25 jul 2007 in > microsoft.public.windows.terminal_services: > > > Hello Everyone, > > > > We have a GPO logon script that users get when they log into > > their computer or TS. Our goal is disable the logon script when > > users log into the TS server. I found the KB article > > (http://support.microsoft.com/kb/924034/en-us) that explains the > > process however the script still runs when a user logs in. I'm > > not sure if it's because the script is tagged to a GPO or if the > > KB article is meant for entirely something else? I did get help > > from the VB script people on how to exclude certain computers > > from running however I thought it would be much easier to just > > disable the logon script feature on the TS server. Any help > > would be much appreciated. > > > > Thank you > > Alex Anderson >
Guest Vera Noest [MVP] Posted July 25, 2007 Posted July 25, 2007 Re: Disabling a GPO logon Script Mmm, I didn't think about that, it's not a setting which you can disable. Have a try with no script defined, and be sure that you use the "Replace" option on the loopback policy. If that should fail, you can easily jump out of the script by checking the variable %computername% to see if it equals the name of the TS. But a GPO would be nicer. _________________________________________________________ Vera Noest MCSE, CCEA, Microsoft MVP - Terminal Server TS troubleshooting: http://ts.veranoest.net ___ please respond in newsgroup, NOT by private email ___ =?Utf-8?B?QWxleCBBbmRlcnNvbg==?= <AlexAnderson@discussions.microsoft.com> wrote on 26 jul 2007 in microsoft.public.windows.terminal_services: > Vera, > > How do disable scripts if you have no option too? Do you > disable it by not specifying a logon script? > > "Vera Noest [MVP]" wrote: > >> Yes, that can be done, but how you have to do it depends on how >> exactly you have defined your current logon script, in which >> GPO, and to which OU the GPO is linked. >> >> I'm going to assume that your current logon script is defined >> in the "User configuration" part of a GPO which is linked to >> the "Users" OU, thus affecting all users, irrespective of the >> computer they logon to. >> >> The easiest way to prevent this script from running when users >> logon to the Terminal Server is to create a second GPO and link >> it to the OU which contains the Terminal Servers (but *no* user >> accounts). >> In this TS-GPO, you have to define minimally these 2 settings: >> >> Computer Configuration - Administrative Templates - System - >> Group Policy >> "User Group Policy loopback processing mode" - Enabled >> >> User Configuration - Windows Settings - Scripts >> Logon - Disabled >> >> What loopback processing does is that it takes the User >> Configurations from the GPO linked to the computer (in this >> case the Terminal Server), in stead of the normal processing >> (taking the user settings from the GPO linked to the user >> account). >> >> _________________________________________________________ >> Vera Noest >> MCSE, CCEA, Microsoft MVP - Terminal Server >> TS troubleshooting: http://ts.veranoest.net >> ___ please respond in newsgroup, NOT by private email ___ >> >> =?Utf-8?B?QWxleCBBbmRlcnNvbg==?= >> <AlexAnderson@discussions.microsoft.com> wrote on 25 jul 2007 >> in microsoft.public.windows.terminal_services: >> >> > Hello Everyone, >> > >> > We have a GPO logon script that users get when they log into >> > their computer or TS. Our goal is disable the logon script >> > when users log into the TS server. I found the KB article >> > (http://support.microsoft.com/kb/924034/en-us) that explains >> > the process however the script still runs when a user logs >> > in. I'm not sure if it's because the script is tagged to a >> > GPO or if the KB article is meant for entirely something >> > else? I did get help from the VB script people on how to >> > exclude certain computers from running however I thought it >> > would be much easier to just disable the logon script feature >> > on the TS server. Any help would be much appreciated. >> > >> > Thank you >> > Alex Anderson
Guest Alex Anderson Posted July 25, 2007 Posted July 25, 2007 Re: Disabling a GPO logon Script Vera, Well, if you don't define anything, then nothing should run. I just did a test run and it worked great. Thank you and Helge (cool name) for the help with my dilemma. Thank you Alex Anderson "Vera Noest [MVP]" wrote: > Mmm, I didn't think about that, it's not a setting which you can > disable. Have a try with no script defined, and be sure that you use > the "Replace" option on the loopback policy. > > If that should fail, you can easily jump out of the script by > checking the variable %computername% to see if it equals the name of > the TS. But a GPO would be nicer. > _________________________________________________________ > Vera Noest > MCSE, CCEA, Microsoft MVP - Terminal Server > TS troubleshooting: http://ts.veranoest.net > ___ please respond in newsgroup, NOT by private email ___ > > =?Utf-8?B?QWxleCBBbmRlcnNvbg==?= > <AlexAnderson@discussions.microsoft.com> wrote on 26 jul 2007 in > microsoft.public.windows.terminal_services: > > > Vera, > > > > How do disable scripts if you have no option too? Do you > > disable it by not specifying a logon script? > > > > "Vera Noest [MVP]" wrote: > > > >> Yes, that can be done, but how you have to do it depends on how > >> exactly you have defined your current logon script, in which > >> GPO, and to which OU the GPO is linked. > >> > >> I'm going to assume that your current logon script is defined > >> in the "User configuration" part of a GPO which is linked to > >> the "Users" OU, thus affecting all users, irrespective of the > >> computer they logon to. > >> > >> The easiest way to prevent this script from running when users > >> logon to the Terminal Server is to create a second GPO and link > >> it to the OU which contains the Terminal Servers (but *no* user > >> accounts). > >> In this TS-GPO, you have to define minimally these 2 settings: > >> > >> Computer Configuration - Administrative Templates - System - > >> Group Policy > >> "User Group Policy loopback processing mode" - Enabled > >> > >> User Configuration - Windows Settings - Scripts > >> Logon - Disabled > >> > >> What loopback processing does is that it takes the User > >> Configurations from the GPO linked to the computer (in this > >> case the Terminal Server), in stead of the normal processing > >> (taking the user settings from the GPO linked to the user > >> account). > >> > >> _________________________________________________________ > >> Vera Noest > >> MCSE, CCEA, Microsoft MVP - Terminal Server > >> TS troubleshooting: http://ts.veranoest.net > >> ___ please respond in newsgroup, NOT by private email ___ > >> > >> =?Utf-8?B?QWxleCBBbmRlcnNvbg==?= > >> <AlexAnderson@discussions.microsoft.com> wrote on 25 jul 2007 > >> in microsoft.public.windows.terminal_services: > >> > >> > Hello Everyone, > >> > > >> > We have a GPO logon script that users get when they log into > >> > their computer or TS. Our goal is disable the logon script > >> > when users log into the TS server. I found the KB article > >> > (http://support.microsoft.com/kb/924034/en-us) that explains > >> > the process however the script still runs when a user logs > >> > in. I'm not sure if it's because the script is tagged to a > >> > GPO or if the KB article is meant for entirely something > >> > else? I did get help from the VB script people on how to > >> > exclude certain computers from running however I thought it > >> > would be much easier to just disable the logon script feature > >> > on the TS server. Any help would be much appreciated. > >> > > >> > Thank you > >> > Alex Anderson >
Guest Vera Noest [MVP] Posted July 26, 2007 Posted July 26, 2007 Re: Disabling a GPO logon Script OK, I'm glad that your problem is solved, and thanks for reporting the results back here, Alex! _________________________________________________________ Vera Noest MCSE, CCEA, Microsoft MVP - Terminal Server TS troubleshooting: http://ts.veranoest.net *----------- Please reply in newsgroup -------------* =?Utf-8?B?QWxleCBBbmRlcnNvbg==?= <AlexAnderson@discussions.microsoft.com> wrote on 26 jul 2007: > Vera, > > Well, if you don't define anything, then nothing should run. I > just did a test run and it worked great. Thank you and Helge > (cool name) for the help with my dilemma. > > Thank you > Alex Anderson > > > "Vera Noest [MVP]" wrote: > >> Mmm, I didn't think about that, it's not a setting which you >> can disable. Have a try with no script defined, and be sure >> that you use the "Replace" option on the loopback policy. >> >> If that should fail, you can easily jump out of the script by >> checking the variable %computername% to see if it equals the >> name of the TS. But a GPO would be nicer. >> _________________________________________________________ >> Vera Noest >> MCSE, CCEA, Microsoft MVP - Terminal Server >> TS troubleshooting: http://ts.veranoest.net >> ___ please respond in newsgroup, NOT by private email ___ >> >> =?Utf-8?B?QWxleCBBbmRlcnNvbg==?= >> <AlexAnderson@discussions.microsoft.com> wrote on 26 jul 2007 >> in microsoft.public.windows.terminal_services: >> >> > Vera, >> > >> > How do disable scripts if you have no option too? Do you >> > disable it by not specifying a logon script? >> > >> > "Vera Noest [MVP]" wrote: >> > >> >> Yes, that can be done, but how you have to do it depends on >> >> how exactly you have defined your current logon script, in >> >> which GPO, and to which OU the GPO is linked. >> >> >> >> I'm going to assume that your current logon script is >> >> defined in the "User configuration" part of a GPO which is >> >> linked to the "Users" OU, thus affecting all users, >> >> irrespective of the computer they logon to. >> >> >> >> The easiest way to prevent this script from running when >> >> users logon to the Terminal Server is to create a second GPO >> >> and link it to the OU which contains the Terminal Servers >> >> (but *no* user accounts). >> >> In this TS-GPO, you have to define minimally these 2 >> >> settings: >> >> >> >> Computer Configuration - Administrative Templates - System - >> >> Group Policy >> >> "User Group Policy loopback processing mode" - Enabled >> >> >> >> User Configuration - Windows Settings - Scripts >> >> Logon - Disabled >> >> >> >> What loopback processing does is that it takes the User >> >> Configurations from the GPO linked to the computer (in this >> >> case the Terminal Server), in stead of the normal processing >> >> (taking the user settings from the GPO linked to the user >> >> account). >> >> >> >> _________________________________________________________ >> >> Vera Noest >> >> MCSE, CCEA, Microsoft MVP - Terminal Server >> >> TS troubleshooting: http://ts.veranoest.net >> >> ___ please respond in newsgroup, NOT by private email ___ >> >> >> >> =?Utf-8?B?QWxleCBBbmRlcnNvbg==?= >> >> <AlexAnderson@discussions.microsoft.com> wrote on 25 jul >> >> 2007 in microsoft.public.windows.terminal_services: >> >> >> >> > Hello Everyone, >> >> > >> >> > We have a GPO logon script that users get when they log >> >> > into their computer or TS. Our goal is disable the logon >> >> > script when users log into the TS server. I found the KB >> >> > article (http://support.microsoft.com/kb/924034/en-us) >> >> > that explains the process however the script still runs >> >> > when a user logs in. I'm not sure if it's because the >> >> > script is tagged to a GPO or if the KB article is meant >> >> > for entirely something else? I did get help from the VB >> >> > script people on how to exclude certain computers from >> >> > running however I thought it would be much easier to just >> >> > disable the logon script feature on the TS server. Any >> >> > help would be much appreciated. >> >> > >> >> > Thank you >> >> > Alex Anderson
Recommended Posts