Group Policy Objects
Vera Schmidt
Richard Mueller
the logon/logoff scripts once for everybody in the domain.
In Active Directory Users & Computers, right click the
domain, select properties, click on the Group Policy tab,
select your GPO (or the Default Domain Policy), click
Edit, expand "Computer Configuration" Windows Settings,
and/or "User Configuration" Windows Settings. For each
(Computers or Users) there is a Scripts folder which has
StartUp/Shutdown or Logon/Logoff scripts.
This only works if your clients are Windows 2000. For NT
and Win9x, you must set the logon script in the user
properties in ADU&C. If your question is how to set this
programmatically, something like this would work.
Set oUserContainer = GetObject("WinNT://MyDomain")
oUserContainer.Filter = Array("user")
For Each oUser In oUserContainer
oUser.HomeDirectory = "\\MyServer\" & oUser.Name
oUser.HomeDirDrive = "H:"
oUser.SetInfo
Next
This would set the property for everyone, including
administrator, guest, etc. Also, the folders must exist,
the shares must exist and the users must have rights to
them.
It's best not to script this for everyone, but to have a
script for creating users that creates the folder (using
FSO), creates the share (using
WinNT://MyServer,lanmanserver and obj.Create("fileshare",
name), and sets the user properties for HomeDirectory and
HomeDirDrive. You could also set the rights.
Did I mis-understand?
Richard
>-----Original Message-----
>How can I set Logon/Logoff-Scripts (filename) with
scripting?
>
>.
>
Michael Harris (MVP)
-- Create 2 local scripts with very unique names (they don't need to do anything now).
-- Run gpedit.msc and assign them as the logon/logoff scripts under whatever category
-- Now run regedit and search for the script names...
--
Michael Harris
Microsoft.MVP.Scripting
--
"Vera Schmidt" <Vera.S...@wuestenrot.de> wrote in message news:3C7E1F82...@wuestenrot.de...
Vera Schmidt
notebooks all over Germany. So I can't go on each one with remote
control and activate the logon-script.
Thanks anyway
Vera
Richard Mueller schrieb:
Vera Schmidt
Thanks anyway
Vera
"Michael Harris (MVP)" schrieb:
Alex Angelopoulos
"Vera Schmidt" <Vera.S...@wuestenrot.de> wrote in message news:3C7F9628...@wuestenrot.de...
: Yes, you did. We are using W2K-Prof-PC's without AD with local GP, 3500
: > >
:
Vera Schmidt
Usually you do that manual.That's easy. But I can't find a registry key being filled with the logon-script-name. And the
white paper about Implementing Registry-Based Group Policy doesn't tell enough about that point.
Alex Angelopoulos schrieb:
Richard Mueller
can be downloaded from the PCMagazine site (I have version
5). This utility has solved similar problems for me many
times. In situations like this, I run it with the "setup
program" notepad.exe (or any similar dummy program that
does nothing), then make the changes I want to trap (setup
logon script). The InCtrl report lists everything that
changed on the computer during "installation" - files
added, files change, and any registry changes. Sometimes
you have to interpret the results, because there are often
misleading registry changes, like resetting most recently
used entries, etc.
Richard
>.
>
Richard Mueller
registry setting change when I setup a local logon script
was:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Use
rAssist\{xxxxxxxx-xxxx-xxxx-xxxxxxxxxxxx}
All the key values are encrypted. I think StartUp.vbs
became jbeqcnq.rkr on my machine. It looks un-usable.
Richard
>>> : > FSO), creates the sÍ{ wð9g of»"l+¨qhê~ °ìs hare
Alex Angelopoulos
"Richard Mueller" <RLMu...@ameritech.net> wrote in message news:98ac01c1c160$431d7630$35ef2ecf@TKMSFTNGXA11...
Alex Angelopoulos
doing at least a local logon somewhere accessible?
And the logon/logoff scripting you want to do - how "generic" is it?
"Vera Schmidt" <Vera.S...@wuestenrot.de> wrote in message news:3C7FCC69...@wuestenrot.de...
: Yes, that's the case. Well, my problem is: I don't know how and where to fill the Listbox of logon-script-filename.
: > :
:
Richard Mueller
figured out where to put it. The interface only
accepts "relative" paths, but I don't know relative to
what. The help says for local accounts, the logon script
should be in systemroot\system32\repl\import\scripts, but
I have no such folder.
I assume Vera's machines have no connection to the outside
world. She is using a local user account, local group
policy, and a local logon script. How her users will run a
script to set this up is another question. I setup a user
to have a logon script - I'm still working on where to put
the script so it will run. The "Local Users and Groups"
interface didn't seem to mind that it couldn't find my
script. Can someone tell me where to put it?
Richard
>>>> : > For Each oUser Í{ wØ Ó dn'JDf-W(M[ °ì /In
>.
>
Alex Angelopoulos
On XP I see the policies show up in "C:\WINDOWS\security\templates\policies", but I knuckled under and joined it to my local domain
after the ADSIEdit discussion a couple of weeks ago.
Two other places to check would be the *export* folder under System32 and - for the generic location for the scripts, but not the
policies AFAIK
C:\WINDOWS\system32\GroupPolicy
This appears to hold the ADM policies and then User/Machine scripts. Here is the folder structure on my (again, this is *XP*)
system:
C:\WINDOWS\system32\GroupPolicy>dir /b /s
C:\WINDOWS\system32\GroupPolicy\Adm
C:\WINDOWS\system32\GroupPolicy\gpt.ini
C:\WINDOWS\system32\GroupPolicy\Machine
C:\WINDOWS\system32\GroupPolicy\User
C:\WINDOWS\system32\GroupPolicy\Adm\conf.adm
C:\WINDOWS\system32\GroupPolicy\Adm\inetres.adm
C:\WINDOWS\system32\GroupPolicy\Adm\system.adm
C:\WINDOWS\system32\GroupPolicy\Adm\wmplayer.adm
C:\WINDOWS\system32\GroupPolicy\Machine\Registry.pol
C:\WINDOWS\system32\GroupPolicy\Machine\Scripts
C:\WINDOWS\system32\GroupPolicy\Machine\Scripts\Shutdown
C:\WINDOWS\system32\GroupPolicy\Machine\Scripts\Startup
C:\WINDOWS\system32\GroupPolicy\User\MICROSOFT
C:\WINDOWS\system32\GroupPolicy\User\Scripts
C:\WINDOWS\system32\GroupPolicy\User\MICROSOFT\IEAK
C:\WINDOWS\system32\GroupPolicy\User\Scripts\Logoff
C:\WINDOWS\system32\GroupPolicy\User\Scripts\Logon
"Richard Mueller" <RLMu...@ameritech.net> wrote in message news:1739b01c1c168$f192bdd0$37ef2ecf@TKMSFTNGXA13...
Richard Mueller
default scripts folder is not created during setup. You
have to create and share a scripts folder as NetLogon. I
did this and the logon script works (Hello World) when I
logon with a local account to the local W2k Pro machine
(no domain). Still, the registry has no reference to the
logon script, except under the encrypted key.
My guess is that this is to prevent malicious code from
altering someone's logon script. I see no way to script
setting up a local logon script.
This logon script only runs if you logon to the local
machine. It has no affect when you logon to the domain.
>>>times. InÍ{ w¸: |~:qô
>< ÈÃ" °ìÞ situations like this, I run it with the "setup
>.
>
Alex Angelopoulos
"Richard Mueller" <RLMu...@ameritech.net> wrote in message news:8cea01c1c171$55d8eeb0$9be62ecf@tkmsftngxa03...
Vera Schmidt
Indeed we have more than 3000 notebooks just working with local
'security'. The script should be in
c:\winnt\system32\grouppolicy\user\logon (or so - didn't take a notebook
with me into weekend), you have to change 2 other points in local
security under user and add the filename of the script) and than it
works.
These encrypted keys you are talking about are the w2k-security-keys
created after installation by sysprep. Every user has another one. you
usually find them under HKUSERS.The admin is ending with -500.
Next thing I will do: see what registry makes with a new listbox with 2
columms created by an adm-file. These 2 colums are special in my case:
you may fill in a filename AND a start parameter and both filename and
parameter are written in one key in registry. That's what the white
paper about implementing registry-based group policy says. Unfortunately
this speciality has no example or more information in the paper.
Therefore you do not know what that means.
I found out another position to activate login-scripts (just can tell it
in German: mmc-snap-in: Richtlinien lokaler
Computer-Computerkonfiguration-Administrative Vorlagen-System: Diese
Programme bei der Benutzeranmeldung ausführen, means: start these
programms by logon). If you activate that and add a script there, this
scriptname is written in a registry-key. But: here is no possibility to
add a start-parameter (means: just one column). We could use that, but
we need a script that has been finished before explorer starts because
we are creating desktop, quick launch and start-programms with this
script. And I was not sure (and it was late yesterday) if a script from
there does that. We will see next week.
Vera
Alex Angelopoulos
things that what you say bring to mind:
Synchronous vs. asynchronous processing.
The default settings on XP are for "asynchronous" processing of logon scripts; I don't know Win2K's method for certain.
Asynchronous logon allows logon while the script is still processing. NT 4 had a registry key to control this, but it does not
appear to work on 2000/XP. There is supposed to be a setting to control this, but I can't find it.
"Vera Schmidt" <Vera.S...@t-online.de> wrote in message news:3C809025...@t-online.de...
: Thanks alot guys for your help.
:
Michael Harris (MVP)
> Don't know if this is relevant or not - I may be jumping in at a point waaaaay past where you looked at this - but here's one
> things that what you say bring to mind:
> Synchronous vs. asynchronous processing.
>
> The default settings on XP are for "asynchronous" processing of logon scripts; I don't know Win2K's method for certain.
> Asynchronous logon allows logon while the script is still processing. NT 4 had a registry key to control this, but it does not
> appear to work on 2000/XP. There is supposed to be a setting to control this, but I can't find it.
>
On Win2000 (in Group Policy) it's under "Administrative Templates/System/Logon" as "Run logon scripts synchronously".
--
Michael Harris
Microsoft.MVP.Scripting
Seattle WA US
--
Torgeir Bakken
> Don't know if this is relevant or not - I may be jumping in at a point waaaaay past where you looked at this - but here's one
> things that what you say bring to mind:
> Synchronous vs. asynchronous processing.
>
> The default settings on XP are for "asynchronous" processing of logon scripts; I don't know Win2K's method for certain.
> Asynchronous logon allows logon while the script is still processing. NT 4 had a registry key to control this, but it does not
> appear to work on 2000/XP. There is supposed to be a setting to control this, but I can't find it.
Hi
They work for 2000/XP as well (at least for a NT4 domain, AD I don't know)
Here is a copy of a couple of newsgroup articles describing the registry settings as the Group Policy settings as well, and which
setiing that presides another:
<qoute>
************************************************************************
From: Jerold Schulman (Je...@jsiinc.com)
Subject: Re: Startup folder executing before login script.
Newsgroups: microsoft.public.win2000.general, microsoft.public.win2000.registry
Date: 2000-11-10 11:44:06 PST
Set tip 0099 at my 'NT Reg Hacks' at http://www.jsiinc.com
and
RunLogonScriptSync
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Data type Range Default value
REG_DWORD 0 | 1 0
Description
Directs the system to wait for the logon scripts to finish running before it starts the Windows Explorer interface program and
creates the desktop.
This entry stores the setting of the Run logon scripts synchronously Group Policy. Group Policy adds this entry to the registry
with a value of 1 when you enable the Run logon scripts synchronously policy. If you disable the policy, Group Policy sets the
value to 0. If you set the policy to Not configured, Group Policy deletes the entry from the registry and the system behaves as
though the value is 0.
Value Meaning
0 The policy is disabled or not configured. Logon scripts and Windows Explorer are not synchronized and can run simultaneously.
1 The policy is enabled. Windows Explorer does not start until the logon scripts have finished running. This setting assures that
logon script processing is complete before the user starts working, but it can delay the appearance of the desktop.
Change method
To change the value of this entry, use Group Policy. This entry corresponds to the Run logon scripts synchronously policy (User
Configuration\Administrative Templates\System\Logon).
Note
This entry appears in both HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER. The value in HKEY_LOCAL_MACHINE takes precedence over the
policy set in HKEY_CURRENT_USER.
This entry takes precedence over a user setting. When this entry appears in the registry, a policy is in effect and the system
ignores the value of RunLogonScriptSync (HKLM) and RunLogonScriptSync (HKCU).
Tip
For detailed information about particular Group Policy settings, see the Group Policy Reference (Gp.chm) on the Windows 2000
Resource Kit companion CD.
For general information about Group Policy, see Group Policy in Windows 2000 Help.
To see a table associating policies with their corresponding registry entries, see the Group Policy Reference Table.
Related Entries
RunLogonScriptSync (HKLM)
RunLogonScriptSync (Winlogon in HKCU)
RunLogonScriptSync (Winlogon in HKLM)
Jerold Schulman / MVP
JSI, Inc.
http://www.jsiinc.com
************************************************************************
************************************************************************
From: JMV (jmvitto...@THIShotmail.com)
Subject: Re: How to make Win2000 wait for logon script to finish?
Newsgroups: microsoft.public.win2000.general
Date: 2000/06/01
There are several ways to solve this by adding a registry value. Where you make the change depends whether you want it to apply to
an individual user, a group policy, or to everyone. See below for further details.
HTH
RunLogonScriptSync
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Data type Range Default value
REG_DWORD 0 | 1 0
Description:
Determines whether the system waits for the logon script to finish running before it starts Windows Explorer and creates the
desktop.
ValueMeaning
0 The logon script and Windows Explorer can run simultaneously.
1 Windows Explorer does not start until the logon script has finished running.
Change method
To change the value of this entry, use Group Policy. This entry corresponds to the Run logon scripts synchronously policy (User
Configuration\Administrative Templates\System\Logon/Logoff).
Note
This entry also appears in the Winlogon subkey in HKEY_LOCAL_MACHINE (see RunLogonScriptSync (HKLM)). The
HKEY_LOCAL_MACHINE value applies to all users. The HKEY_CURRENT_USER value is configured separately for each user.
This entry can be superceded by Group Policy settings included in Windows 2000. While the Run logon scripts synchronously Group
Policy is enabled (in the Computer Configuratio or User Configuration policy folders), the system ignores this entry. The Run logon
scripts synchronously setting is stored in the values of RunLogonScriptSync (HKLM) and RunLogonScriptSync (HKCU).
Windows 2000 does not add this entry to the registry. You can add it by editing the registry or by using a program that edits the
registry.
ALSO:
RunStartupScriptSync
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
This entry takes precedence over a user setting. When this entry appears in the registry, a policy is in effect, and the system
ignores the value of RunStartupScriptSync in HKLM\SOFTWARE\Microsoft\CurrentVersion\Winlogon.
AND ..... :
RunLogonScriptSync
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
This entry also appears in the Winlogon subkey in HKEY_CURRENT_USER (see RunLogonScriptSync). The HKEY_LOCAL_MACHINE value applies
to all users. The HKEY_CURRENT_USER value is configured separately for each user.
This entry can be superceded by Group Policy settings included in Windows 2000. While the Run logon scripts synchronously Group
Policy is enabled (in the Computer Configuratio or User Configuration policy folders), the system ignores this entry. The Run logon
scripts synchronously setting is stored in the values of RunLogonScriptSync (HKLM) and RunLogonScriptSync (HKCU).
Windows 2000 does not add this entry to the registry. You can add it by editing the registry or by using a program that edits the
registry.
--
John M. Vittone
MS MVP
************************************************************************
</qoute>
--
torgeir
Alex Angelopoulos
Vera isn't using AD so it sounds like this would be an option.
"Torgeir Bakken" <Torgeir.B...@hydro.com> wrote in message news:3C81697B...@hydro.com...
:
Vera Schmidt
sript runs as it has to run. And I know how to set the scriptname and
starting parameter by hand. But I can't start three-and-a-half-thousend
remote controls after phoning with the users, activating mmc and
afterwards chancing the local group policy and filling in the filename
and starting parameter of the logon script.
What I don't know is where and how (what kind of data) to write the
filename of the script and the starting parameter in registry. Because
you don't find the logon-filename in registry if you do that by hand.
Vera
Alex Angelopoulos
One thing I didn't think of is the fact that since we're discussing some methods which *aren't* specifically built in to WIn2K, a
couple of better places to check include
microsoft.public.win2000.cmdprompt.admin
microsoft.public.adsi.general
The issue here goes beyond "native" scripting. It's "what ansewers are out there for this kind of a problem?"
"Vera Schmidt" <Vera.S...@wuestenrot.de> wrote in message news:3C7F9953...@wuestenrot.de...
: I already did that. You do not find anything in the registry, unfortunately.
: > >
:
Vera Schmidt
tell you his phonenumber and then you may start a remote control.
That is a thing we do on 1 notebook with a problem, not with more than 3000.
The way we have to change these things is our program spreading software. And these changes then come from CD.
Vera
Alex Angelopoulos schrieb: