I have a separate policy for running the login scripts (default domain
one) and another where this is enabled (a screen saver policy).. IE:
I thought I read somewhere that it is bad practice to modify the
default policies.. so I try to create separate policies for
different things (or combos where appropriate), except in this case
where it's just a batch file referenced in the def. domain policy,
though I should probably move that one out.
I enabled loopback on the user portion of the screensaver policy
(timeout and password options set here).. I did this so I could
disable the policy on a machine basis, rather than user basis (I didn't
see how it could be done without the loopback turned on, as the screen
saver settings come from the user section, not the computer section).
Any thoughts on why this enabled in that policy would cause the
scripts to run twice in the default domain one?
Thanks,
Mark
Without understanding the OU hierarchy, where in that hierarchy the GPO that
enables loopback processing appears, and where the relevant computer accounts
are, it is difficult to diagnose what you are seeing.
When loopback processing is applicable to a computer, the following process
applies for users logging on at that computer:
1. the User Configuration settings from GPOs that apply to the user account
(based on where the User's account is in the OU hierarchy) are applied
2. the User Configuration settings from any GPO that applies to the computer
(based on where the Computer's account is in the OU hierarchy) are applied
Sounds like you have included the setting that runs the Logon Script so high
in the OU hierarchy that that GPO is in scope for both User accounts and
Computer accounts. This is most likely why the logon script runs twice: the
GPO that specifies it applies to the OU containing the User's account and
also the OU containing the Computer's account that has loopback processing
applied to it.
I suggest not putting logon script (or startup, shutdown, logoff scripts for
that matter) in GPOs at the domain level. Rather, create an OU hierarchy
something like the one below and use a GPO at the Normal User Accounts OU to
apply the Logon Script. There are most likely some user accounts you do not
want the Logon Script to run for (e.g. administrators, service accounts -
particularly if the people who are administrators have a separate user
account for administration only tasks).
I suggest applying the GPO containing the Screen Saver settings at the
Workstation, Servers or perhaps Computers OU.
Domain
    Base Container
        Computers
            Servers
            Workstations
        Users
            Normal User Accounts
            Special User Accounts [administrators, service accounts etc.]
        Groups
            Computer Administration Groups
            Resource Groups [groups used to apply permissions to resources - shares, folders, printers etc.]
            Role Groups [groups with user accounts - use these groups to populate the appropriate Resource Groups]
--
Bruce Sanderson MVP Printing
http://members.shaw.ca/bsanders
It is perfectly useless to know the right answer to the wrong question.
"markm75" <mark...@msn.com> wrote in message
news:1178827970.6...@q75g2000hsh.googlegroups.com...
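The two-step loopback process described in the reply above, as an added example that is not part of the original thread: a small Python model of which GPOs have their User Configuration applied at logon, following those two steps and counting one script run per pass as the reply describes. The OU names come from the suggested tree; the GPO names, and the assumption that the screen saver GPO enabling loopback is linked at Workstations, are made up for illustration.

```python
# Constructed model: OU names come from the tree in the reply; GPO names and
# link locations are assumptions made for illustration.
PARENT = {
    "Domain": None,
    "Base Container": "Domain",
    "Computers": "Base Container",
    "Workstations": "Computers",
    "Users": "Base Container",
    "Normal User Accounts": "Users",
}
LOOPBACK_GPO = "Screen Saver Policy"  # assumed to be the GPO that enables loopback

def gpos_in_scope(ou, links):
    """GPOs linked at `ou` or any of its ancestors, highest level first."""
    chain = []
    while ou is not None:
        chain.append(ou)
        ou = PARENT[ou]
    return [gpo for node in reversed(chain) for gpo in links.get(node, [])]

def user_config_passes(user_ou, computer_ou, links):
    """GPOs whose User Configuration is applied at logon, in order."""
    passes = gpos_in_scope(user_ou, links)        # step 1: the user's location
    computer_scope = gpos_in_scope(computer_ou, links)
    if LOOPBACK_GPO in computer_scope:            # loopback applies to this computer
        passes = passes + computer_scope          # step 2: the computer's location
    return passes

def logon_script_runs(links, script_gpo):
    """How many passes include the GPO that carries the logon script."""
    passes = user_config_passes("Normal User Accounts", "Workstations", links)
    return passes.count(script_gpo)

# Layout from the question: logon script in a GPO linked at the domain level.
DOMAIN_LEVEL = {
    "Domain": ["Default Domain Policy"],
    "Workstations": ["Screen Saver Policy"],
}
# Layout suggested in the reply: script GPO linked at Normal User Accounts.
OU_LEVEL = {
    "Domain": ["Default Domain Policy"],
    "Normal User Accounts": ["Logon Script Policy"],
    "Workstations": ["Screen Saver Policy"],
}

if __name__ == "__main__":
    print(logon_script_runs(DOMAIN_LEVEL, "Default Domain Policy"))
    print(logon_script_runs(OU_LEVEL, "Logon Script Policy"))
```
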
That was real useful and yeah turning off the loopback fixed the issue
for now..
Is there any other way to exclude "machines" from a screen saver
policy other than enabling loopback that you know of?
The screen saver policy falls under the user class.. but when certain
users use (random users) a laptop offsite and log into it via the
machine "domain", they can't change settings because the GPO overrides
things.. I'd like to be able to exclude certain "machines" rather than
users in this case..
Thanks