Disabling a GPO logon Script

A

Alex Anderson

Hello Everyone,

We have a GPO logon script that users get when they log into their computer
or TS. Our goal is disable the logon script when users log into the TS
server. I found the KB article
(http://support.microsoft.com/kb/924034/en-us) that explains the process
however the script still runs when a user logs in. I'm not sure if it's
because the script is tagged to a GPO or if the KB article is meant for
entirely something else? I did get help from the VB script people on how to
exclude certain computers from running however I thought it would be much
easier to just disable the logon script feature on the TS server. Any help
would be much appreciated.

Thank you
Alex Anderson
 
H

Helge Klein

The KB article you reference (KB924034) refers to logon scripts that
are set in the AD user account object properties.

Blocking a GPO logon script on certain systems is probably easiest by
reconfiguring the GPO / OU structure in such a way that the GPO simply
does not apply to the systems in question. You could move your TS
computer accounts to a dedicated OU and then make sure that the GPO
with the logon script is not being applied or inherited on that OU.

I hope this helps.

Helge

On 25 Jul., 22:00, Alex Anderson
<AlexAnder...@discussions.microsoft.com> wrote:
> Hello Everyone,
>
> We have a GPO logon script that users get when they log into their computer
> or TS. Our goal is disable the logon script when users log into the TS
> server. I found the KB article
> (http://support.microsoft.com/kb/924034/en-us) that explains the process
> however the script still runs when a user logs in. I'm not sure if it's
> because the script is tagged to a GPO or if the KB article is meant for
> entirely something else? I did get help from the VB script people on how to
> exclude certain computers from running however I thought it would be much
> easier to just disable the logon script feature on the TS server. Any help
> would be much appreciated.
>
> Thank you
> Alex Anderson
 
V

Vera Noest [MVP]

Yes, that can be done, but how you have to do it depends on how
exactly you have defined your current logon script, in which GPO,
and to which OU the GPO is linked.

I'm going to assume that your current logon script is defined in
the "User configuration" part of a GPO which is linked to the
"Users" OU, thus affecting all users, irrespective of the computer
they logon to.

The easiest way to prevent this script from running when users
logon to the Terminal Server is to create a second GPO and link it
to the OU which contains the Terminal Servers (but *no* user
accounts).
In this TS-GPO, you have to define minimally these 2 settings:

Computer Configuration - Administrative Templates - System - Group
Policy
"User Group Policy loopback processing mode" - Enabled

User Configuration - Windows Settings - Scripts
Logon - Disabled

What loopback processing does is that it takes the User
Configurations from the GPO linked to the computer (in this case
the Terminal Server), in stead of the normal processing (taking the
user settings from the GPO linked to the user account).

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

=?Utf-8?B?QWxleCBBbmRlcnNvbg==?=
<AlexAnderson@discussions.microsoft.com> wrote on 25 jul 2007 in
microsoft.public.windows.terminal_services:

> Hello Everyone,
>
> We have a GPO logon script that users get when they log into
> their computer or TS. Our goal is disable the logon script when
> users log into the TS server. I found the KB article
> (http://support.microsoft.com/kb/924034/en-us) that explains the
> process however the script still runs when a user logs in. I'm
> not sure if it's because the script is tagged to a GPO or if the
> KB article is meant for entirely something else? I did get help
> from the VB script people on how to exclude certain computers
> from running however I thought it would be much easier to just
> disable the logon script feature on the TS server. Any help
> would be much appreciated.
>
> Thank you
> Alex Anderson
 
A

Alex Anderson

Helge (interesting name)

Here's the issue. They still need to run the logon script when logging into
their computer so by moving them out of the line of fire of my logon script
GPO effectively disables them from running the logon script on their personal
computer. It will be a pain but I guess I could do what you say and apply
the KB article I got from Microsoft then on each user that accesses our TS
server give them the login script applied to the user's object under AD.
That way, when they login it will disable the logon script but still be able
to get their logon script when logging into their personal computer.

Thank you
Alex Anderson


"Helge Klein" wrote:

> The KB article you reference (KB924034) refers to logon scripts that
> are set in the AD user account object properties.
>
> Blocking a GPO logon script on certain systems is probably easiest by
> reconfiguring the GPO / OU structure in such a way that the GPO simply
> does not apply to the systems in question. You could move your TS
> computer accounts to a dedicated OU and then make sure that the GPO
> with the logon script is not being applied or inherited on that OU.
>
> I hope this helps.
>
> Helge
>
> On 25 Jul., 22:00, Alex Anderson
> <AlexAnder...@discussions.microsoft.com> wrote:
> > Hello Everyone,
> >
> > We have a GPO logon script that users get when they log into their computer
> > or TS. Our goal is disable the logon script when users log into the TS
> > server. I found the KB article
> > (http://support.microsoft.com/kb/924034/en-us) that explains the process
> > however the script still runs when a user logs in. I'm not sure if it's
> > because the script is tagged to a GPO or if the KB article is meant for
> > entirely something else? I did get help from the VB script people on how to
> > exclude certain computers from running however I thought it would be much
> > easier to just disable the logon script feature on the TS server. Any help
> > would be much appreciated.
> >
> > Thank you
> > Alex Anderson
>
>
>
 
H

Helge Klein

Alex, I think you misunderstood me. I did _not_ mean to implement the
solution outlined in KB924034. Instead I was referring (rather
vaguely, I admit) to changing your GPOs.

Vera described in her post what you have to do. The key is "Loopback
Processing", which effectively disables the GPOs linked to the user
accounts when users log on to the terminal servers.

I hope this helps.

Helge

On 25 Jul., 22:46, Alex Anderson
<AlexAnder...@discussions.microsoft.com> wrote:
> Helge (interesting name)
>
> Here's the issue. They still need to run the logon script when logging into
> their computer so by moving them out of the line of fire of my logon script
> GPO effectively disables them from running the logon script on their personal
> computer. It will be a pain but I guess I could do what you say and apply
> the KB article I got from Microsoft then on each user that accesses our TS
> server give them the login script applied to the user's object under AD.
> That way, when they login it will disable the logon script but still be able
> to get their logon script when logging into their personal computer.
>
> Thank you
> Alex Anderson
>
> "Helge Klein" wrote:
> > The KB article you reference (KB924034) refers to logon scripts that
> > are set in the AD user account object properties.
>
> > Blocking a GPO logon script on certain systems is probably easiest by
> > reconfiguring the GPO / OU structure in such a way that the GPO simply
> > does not apply to the systems in question. You could move your TS
> > computer accounts to a dedicated OU and then make sure that the GPO
> > with the logon script is not being applied or inherited on that OU.
>
> > I hope this helps.
>
> > Helge
>
> > On 25 Jul., 22:00, Alex Anderson
> > <AlexAnder...@discussions.microsoft.com> wrote:
> > > Hello Everyone,
>
> > > We have a GPO logon script that users get when they log into their computer
> > > or TS. Our goal is disable the logon script when users log into the TS
> > > server. I found the KB article
> > > (http://support.microsoft.com/kb/924034/en-us) that explains the process
> > > however the script still runs when a user logs in. I'm not sure if it's
> > > because the script is tagged to a GPO or if the KB article is meant for
> > > entirely something else? I did get help from the VB script people on how to
> > > exclude certain computers from running however I thought it would be much
> > > easier to just disable the logon script feature on the TS server. Any help
> > > would be much appreciated.
>
> > > Thank you
> > > Alex Anderson
 
A

Alex Anderson

Vera,

How do disable scripts if you have no option too? Do you disable it by not
specifying a logon script?

"Vera Noest [MVP]" wrote:

> Yes, that can be done, but how you have to do it depends on how
> exactly you have defined your current logon script, in which GPO,
> and to which OU the GPO is linked.
>
> I'm going to assume that your current logon script is defined in
> the "User configuration" part of a GPO which is linked to the
> "Users" OU, thus affecting all users, irrespective of the computer
> they logon to.
>
> The easiest way to prevent this script from running when users
> logon to the Terminal Server is to create a second GPO and link it
> to the OU which contains the Terminal Servers (but *no* user
> accounts).
> In this TS-GPO, you have to define minimally these 2 settings:
>
> Computer Configuration - Administrative Templates - System - Group
> Policy
> "User Group Policy loopback processing mode" - Enabled
>
> User Configuration - Windows Settings - Scripts
> Logon - Disabled
>
> What loopback processing does is that it takes the User
> Configurations from the GPO linked to the computer (in this case
> the Terminal Server), in stead of the normal processing (taking the
> user settings from the GPO linked to the user account).
>
> _________________________________________________________
> Vera Noest
> MCSE, CCEA, Microsoft MVP - Terminal Server
> TS troubleshooting: http://ts.veranoest.net
> ___ please respond in newsgroup, NOT by private email ___
>
> =?Utf-8?B?QWxleCBBbmRlcnNvbg==?=
> <AlexAnderson@discussions.microsoft.com> wrote on 25 jul 2007 in
> microsoft.public.windows.terminal_services:
>
> > Hello Everyone,
> >
> > We have a GPO logon script that users get when they log into
> > their computer or TS. Our goal is disable the logon script when
> > users log into the TS server. I found the KB article
> > (http://support.microsoft.com/kb/924034/en-us) that explains the
> > process however the script still runs when a user logs in. I'm
> > not sure if it's because the script is tagged to a GPO or if the
> > KB article is meant for entirely something else? I did get help
> > from the VB script people on how to exclude certain computers
> > from running however I thought it would be much easier to just
> > disable the logon script feature on the TS server. Any help
> > would be much appreciated.
> >
> > Thank you
> > Alex Anderson
>
 
V

Vera Noest [MVP]

Mmm, I didn't think about that, it's not a setting which you can
disable. Have a try with no script defined, and be sure that you use
the "Replace" option on the loopback policy.

If that should fail, you can easily jump out of the script by
checking the variable %computername% to see if it equals the name of
the TS. But a GPO would be nicer.
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

=?Utf-8?B?QWxleCBBbmRlcnNvbg==?=
<AlexAnderson@discussions.microsoft.com> wrote on 26 jul 2007 in
microsoft.public.windows.terminal_services:

> Vera,
>
> How do disable scripts if you have no option too? Do you
> disable it by not specifying a logon script?
>
> "Vera Noest [MVP]" wrote:
>
>> Yes, that can be done, but how you have to do it depends on how
>> exactly you have defined your current logon script, in which
>> GPO, and to which OU the GPO is linked.
>>
>> I'm going to assume that your current logon script is defined
>> in the "User configuration" part of a GPO which is linked to
>> the "Users" OU, thus affecting all users, irrespective of the
>> computer they logon to.
>>
>> The easiest way to prevent this script from running when users
>> logon to the Terminal Server is to create a second GPO and link
>> it to the OU which contains the Terminal Servers (but *no* user
>> accounts).
>> In this TS-GPO, you have to define minimally these 2 settings:
>>
>> Computer Configuration - Administrative Templates - System -
>> Group Policy
>> "User Group Policy loopback processing mode" - Enabled
>>
>> User Configuration - Windows Settings - Scripts
>> Logon - Disabled
>>
>> What loopback processing does is that it takes the User
>> Configurations from the GPO linked to the computer (in this
>> case the Terminal Server), in stead of the normal processing
>> (taking the user settings from the GPO linked to the user
>> account).
>>
>> _________________________________________________________
>> Vera Noest
>> MCSE, CCEA, Microsoft MVP - Terminal Server
>> TS troubleshooting: http://ts.veranoest.net
>> ___ please respond in newsgroup, NOT by private email ___
>>
>> =?Utf-8?B?QWxleCBBbmRlcnNvbg==?=
>> <AlexAnderson@discussions.microsoft.com> wrote on 25 jul 2007
>> in microsoft.public.windows.terminal_services:
>>
>> > Hello Everyone,
>> >
>> > We have a GPO logon script that users get when they log into
>> > their computer or TS. Our goal is disable the logon script
>> > when users log into the TS server. I found the KB article
>> > (http://support.microsoft.com/kb/924034/en-us) that explains
>> > the process however the script still runs when a user logs
>> > in. I'm not sure if it's because the script is tagged to a
>> > GPO or if the KB article is meant for entirely something
>> > else? I did get help from the VB script people on how to
>> > exclude certain computers from running however I thought it
>> > would be much easier to just disable the logon script feature
>> > on the TS server. Any help would be much appreciated.
>> >
>> > Thank you
>> > Alex Anderson
 
A

Alex Anderson

Vera,

Well, if you don't define anything, then nothing should run. I just did a
test run and it worked great. Thank you and Helge (cool name) for the help
with my dilemma.

Thank you
Alex Anderson


"Vera Noest [MVP]" wrote:

> Mmm, I didn't think about that, it's not a setting which you can
> disable. Have a try with no script defined, and be sure that you use
> the "Replace" option on the loopback policy.
>
> If that should fail, you can easily jump out of the script by
> checking the variable %computername% to see if it equals the name of
> the TS. But a GPO would be nicer.
> _________________________________________________________
> Vera Noest
> MCSE, CCEA, Microsoft MVP - Terminal Server
> TS troubleshooting: http://ts.veranoest.net
> ___ please respond in newsgroup, NOT by private email ___
>
> =?Utf-8?B?QWxleCBBbmRlcnNvbg==?=
> <AlexAnderson@discussions.microsoft.com> wrote on 26 jul 2007 in
> microsoft.public.windows.terminal_services:
>
> > Vera,
> >
> > How do disable scripts if you have no option too? Do you
> > disable it by not specifying a logon script?
> >
> > "Vera Noest [MVP]" wrote:
> >
> >> Yes, that can be done, but how you have to do it depends on how
> >> exactly you have defined your current logon script, in which
> >> GPO, and to which OU the GPO is linked.
> >>
> >> I'm going to assume that your current logon script is defined
> >> in the "User configuration" part of a GPO which is linked to
> >> the "Users" OU, thus affecting all users, irrespective of the
> >> computer they logon to.
> >>
> >> The easiest way to prevent this script from running when users
> >> logon to the Terminal Server is to create a second GPO and link
> >> it to the OU which contains the Terminal Servers (but *no* user
> >> accounts).
> >> In this TS-GPO, you have to define minimally these 2 settings:
> >>
> >> Computer Configuration - Administrative Templates - System -
> >> Group Policy
> >> "User Group Policy loopback processing mode" - Enabled
> >>
> >> User Configuration - Windows Settings - Scripts
> >> Logon - Disabled
> >>
> >> What loopback processing does is that it takes the User
> >> Configurations from the GPO linked to the computer (in this
> >> case the Terminal Server), in stead of the normal processing
> >> (taking the user settings from the GPO linked to the user
> >> account).
> >>
> >> _________________________________________________________
> >> Vera Noest
> >> MCSE, CCEA, Microsoft MVP - Terminal Server
> >> TS troubleshooting: http://ts.veranoest.net
> >> ___ please respond in newsgroup, NOT by private email ___
> >>
> >> =?Utf-8?B?QWxleCBBbmRlcnNvbg==?=
> >> <AlexAnderson@discussions.microsoft.com> wrote on 25 jul 2007
> >> in microsoft.public.windows.terminal_services:
> >>
> >> > Hello Everyone,
> >> >
> >> > We have a GPO logon script that users get when they log into
> >> > their computer or TS. Our goal is disable the logon script
> >> > when users log into the TS server. I found the KB article
> >> > (http://support.microsoft.com/kb/924034/en-us) that explains
> >> > the process however the script still runs when a user logs
> >> > in. I'm not sure if it's because the script is tagged to a
> >> > GPO or if the KB article is meant for entirely something
> >> > else? I did get help from the VB script people on how to
> >> > exclude certain computers from running however I thought it
> >> > would be much easier to just disable the logon script feature
> >> > on the TS server. Any help would be much appreciated.
> >> >
> >> > Thank you
> >> > Alex Anderson
>
 
V

Vera Noest [MVP]

OK, I'm glad that your problem is solved, and thanks for reporting
the results back here, Alex!
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
*----------- Please reply in newsgroup -------------*

=?Utf-8?B?QWxleCBBbmRlcnNvbg==?=
<AlexAnderson@discussions.microsoft.com> wrote on 26 jul 2007:

> Vera,
>
> Well, if you don't define anything, then nothing should run. I
> just did a test run and it worked great. Thank you and Helge
> (cool name) for the help with my dilemma.
>
> Thank you
> Alex Anderson
>
>
> "Vera Noest [MVP]" wrote:
>
>> Mmm, I didn't think about that, it's not a setting which you
>> can disable. Have a try with no script defined, and be sure
>> that you use the "Replace" option on the loopback policy.
>>
>> If that should fail, you can easily jump out of the script by
>> checking the variable %computername% to see if it equals the
>> name of the TS. But a GPO would be nicer.
>> _________________________________________________________
>> Vera Noest
>> MCSE, CCEA, Microsoft MVP - Terminal Server
>> TS troubleshooting: http://ts.veranoest.net
>> ___ please respond in newsgroup, NOT by private email ___
>>
>> =?Utf-8?B?QWxleCBBbmRlcnNvbg==?=
>> <AlexAnderson@discussions.microsoft.com> wrote on 26 jul 2007
>> in microsoft.public.windows.terminal_services:
>>
>> > Vera,
>> >
>> > How do disable scripts if you have no option too? Do you
>> > disable it by not specifying a logon script?
>> >
>> > "Vera Noest [MVP]" wrote:
>> >
>> >> Yes, that can be done, but how you have to do it depends on
>> >> how exactly you have defined your current logon script, in
>> >> which GPO, and to which OU the GPO is linked.
>> >>
>> >> I'm going to assume that your current logon script is
>> >> defined in the "User configuration" part of a GPO which is
>> >> linked to the "Users" OU, thus affecting all users,
>> >> irrespective of the computer they logon to.
>> >>
>> >> The easiest way to prevent this script from running when
>> >> users logon to the Terminal Server is to create a second GPO
>> >> and link it to the OU which contains the Terminal Servers
>> >> (but *no* user accounts).
>> >> In this TS-GPO, you have to define minimally these 2
>> >> settings:
>> >>
>> >> Computer Configuration - Administrative Templates - System -
>> >> Group Policy
>> >> "User Group Policy loopback processing mode" - Enabled
>> >>
>> >> User Configuration - Windows Settings - Scripts
>> >> Logon - Disabled
>> >>
>> >> What loopback processing does is that it takes the User
>> >> Configurations from the GPO linked to the computer (in this
>> >> case the Terminal Server), in stead of the normal processing
>> >> (taking the user settings from the GPO linked to the user
>> >> account).
>> >>
>> >> _________________________________________________________
>> >> Vera Noest
>> >> MCSE, CCEA, Microsoft MVP - Terminal Server
>> >> TS troubleshooting: http://ts.veranoest.net
>> >> ___ please respond in newsgroup, NOT by private email ___
>> >>
>> >> =?Utf-8?B?QWxleCBBbmRlcnNvbg==?=
>> >> <AlexAnderson@discussions.microsoft.com> wrote on 25 jul
>> >> 2007 in microsoft.public.windows.terminal_services:
>> >>
>> >> > Hello Everyone,
>> >> >
>> >> > We have a GPO logon script that users get when they log
>> >> > into their computer or TS. Our goal is disable the logon
>> >> > script when users log into the TS server. I found the KB
>> >> > article (http://support.microsoft.com/kb/924034/en-us)
>> >> > that explains the process however the script still runs
>> >> > when a user logs in. I'm not sure if it's because the
>> >> > script is tagged to a GPO or if the KB article is meant
>> >> > for entirely something else? I did get help from the VB
>> >> > script people on how to exclude certain computers from
>> >> > running however I thought it would be much easier to just
>> >> > disable the logon script feature on the TS server. Any
>> >> > help would be much appreciated.
>> >> >
>> >> > Thank you
>> >> > Alex Anderson
 
You must log in or register to reply here.

Similar threads

S
Logon batch or Startup script in 365
Replies
0
Views
33
Steve Gwynne
S
H
Scheduled Task to run powershell script via GPO(computer on a particular day
Replies
0
Views
211
HarishCS
H
R
  • Article
A year of DAX Copilot: Healthcare innovation that refocuses on the clinician-patient connection
Replies
0
Views
66
Robert Dahdah
R
M
Disabling the screen lock after a period of user inactivity
Replies
0
Views
93
markoshack
M
P
  • Article
Update on the Recall preview feature for Copilot+ PCs
Replies
0
Views
62
Pavan Davuluri
P
Back
Top Bottom