Discussion:
Disabling a GPO logon Script
(too old to reply)
Alex Anderson
2007-07-25 20:00:08 UTC
Permalink
Hello Everyone,

We have a GPO logon script that users get when they log into their computer
or TS. Our goal is disable the logon script when users log into the TS
server. I found the KB article
(http://support.microsoft.com/kb/924034/en-us) that explains the process
however the script still runs when a user logs in. I'm not sure if it's
because the script is tagged to a GPO or if the KB article is meant for
entirely something else? I did get help from the VB script people on how to
exclude certain computers from running however I thought it would be much
easier to just disable the logon script feature on the TS server. Any help
would be much appreciated.

Thank you
Alex Anderson
Helge Klein
2007-07-25 20:30:57 UTC
Permalink
The KB article you reference (KB924034) refers to logon scripts that
are set in the AD user account object properties.

Blocking a GPO logon script on certain systems is probably easiest by
reconfiguring the GPO / OU structure in such a way that the GPO simply
does not apply to the systems in question. You could move your TS
computer accounts to a dedicated OU and then make sure that the GPO
with the logon script is not being applied or inherited on that OU.

I hope this helps.

Helge

On 25 Jul., 22:00, Alex Anderson
Post by Alex Anderson
Hello Everyone,
We have a GPO logon script that users get when they log into their computer
or TS. Our goal is disable the logon script when users log into the TS
server. I found the KB article
(http://support.microsoft.com/kb/924034/en-us) that explains the process
however the script still runs when a user logs in. I'm not sure if it's
because the script is tagged to a GPO or if the KB article is meant for
entirely something else? I did get help from the VB script people on how to
exclude certain computers from running however I thought it would be much
easier to just disable the logon script feature on the TS server. Any help
would be much appreciated.
Thank you
Alex Anderson
Alex Anderson
2007-07-25 20:46:05 UTC
Permalink
Helge (interesting name)

Here's the issue. They still need to run the logon script when logging into
their computer so by moving them out of the line of fire of my logon script
GPO effectively disables them from running the logon script on their personal
computer. It will be a pain but I guess I could do what you say and apply
the KB article I got from Microsoft then on each user that accesses our TS
server give them the login script applied to the user's object under AD.
That way, when they login it will disable the logon script but still be able
to get their logon script when logging into their personal computer.

Thank you
Alex Anderson
Post by Helge Klein
The KB article you reference (KB924034) refers to logon scripts that
are set in the AD user account object properties.
Blocking a GPO logon script on certain systems is probably easiest by
reconfiguring the GPO / OU structure in such a way that the GPO simply
does not apply to the systems in question. You could move your TS
computer accounts to a dedicated OU and then make sure that the GPO
with the logon script is not being applied or inherited on that OU.
I hope this helps.
Helge
On 25 Jul., 22:00, Alex Anderson
Post by Alex Anderson
Hello Everyone,
We have a GPO logon script that users get when they log into their computer
or TS. Our goal is disable the logon script when users log into the TS
server. I found the KB article
(http://support.microsoft.com/kb/924034/en-us) that explains the process
however the script still runs when a user logs in. I'm not sure if it's
because the script is tagged to a GPO or if the KB article is meant for
entirely something else? I did get help from the VB script people on how to
exclude certain computers from running however I thought it would be much
easier to just disable the logon script feature on the TS server. Any help
would be much appreciated.
Thank you
Alex Anderson
Helge Klein
2007-07-25 20:55:10 UTC
Permalink
Alex, I think you misunderstood me. I did _not_ mean to implement the
solution outlined in KB924034. Instead I was referring (rather
vaguely, I admit) to changing your GPOs.

Vera described in her post what you have to do. The key is "Loopback
Processing", which effectively disables the GPOs linked to the user
accounts when users log on to the terminal servers.

I hope this helps.

Helge

On 25 Jul., 22:46, Alex Anderson
Post by Alex Anderson
Helge (interesting name)
Here's the issue. They still need to run the logon script when logging into
their computer so by moving them out of the line of fire of my logon script
GPO effectively disables them from running the logon script on their personal
computer. It will be a pain but I guess I could do what you say and apply
the KB article I got from Microsoft then on each user that accesses our TS
server give them the login script applied to the user's object under AD.
That way, when they login it will disable the logon script but still be able
to get their logon script when logging into their personal computer.
Thank you
Alex Anderson
Post by Helge Klein
The KB article you reference (KB924034) refers to logon scripts that
are set in the AD user account object properties.
Blocking a GPO logon script on certain systems is probably easiest by
reconfiguring the GPO / OU structure in such a way that the GPO simply
does not apply to the systems in question. You could move your TS
computer accounts to a dedicated OU and then make sure that the GPO
with the logon script is not being applied or inherited on that OU.
I hope this helps.
Helge
On 25 Jul., 22:00, Alex Anderson
Post by Alex Anderson
Hello Everyone,
We have a GPO logon script that users get when they log into their computer
or TS. Our goal is disable the logon script when users log into the TS
server. I found the KB article
(http://support.microsoft.com/kb/924034/en-us) that explains the process
however the script still runs when a user logs in. I'm not sure if it's
because the script is tagged to a GPO or if the KB article is meant for
entirely something else? I did get help from the VB script people on how to
exclude certain computers from running however I thought it would be much
easier to just disable the logon script feature on the TS server. Any help
would be much appreciated.
Thank you
Alex Anderson
Vera Noest [MVP]
2007-07-25 20:38:50 UTC
Permalink
Yes, that can be done, but how you have to do it depends on how
exactly you have defined your current logon script, in which GPO,
and to which OU the GPO is linked.

I'm going to assume that your current logon script is defined in
the "User configuration" part of a GPO which is linked to the
"Users" OU, thus affecting all users, irrespective of the computer
they logon to.

The easiest way to prevent this script from running when users
logon to the Terminal Server is to create a second GPO and link it
to the OU which contains the Terminal Servers (but *no* user
accounts).
In this TS-GPO, you have to define minimally these 2 settings:

Computer Configuration - Administrative Templates - System - Group
Policy
"User Group Policy loopback processing mode" - Enabled

User Configuration - Windows Settings - Scripts
Logon - Disabled

What loopback processing does is that it takes the User
Configurations from the GPO linked to the computer (in this case
the Terminal Server), in stead of the normal processing (taking the
user settings from the GPO linked to the user account).

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

=?Utf-8?B?QWxleCBBbmRlcnNvbg==?=
Post by Alex Anderson
Hello Everyone,
We have a GPO logon script that users get when they log into
their computer or TS. Our goal is disable the logon script when
users log into the TS server. I found the KB article
(http://support.microsoft.com/kb/924034/en-us) that explains the
process however the script still runs when a user logs in. I'm
not sure if it's because the script is tagged to a GPO or if the
KB article is meant for entirely something else? I did get help
from the VB script people on how to exclude certain computers
from running however I thought it would be much easier to just
disable the logon script feature on the TS server. Any help
would be much appreciated.
Thank you
Alex Anderson
Alex Anderson
2007-07-25 22:08:03 UTC
Permalink
Vera,

How do disable scripts if you have no option too? Do you disable it by not
specifying a logon script?
Post by Vera Noest [MVP]
Yes, that can be done, but how you have to do it depends on how
exactly you have defined your current logon script, in which GPO,
and to which OU the GPO is linked.
I'm going to assume that your current logon script is defined in
the "User configuration" part of a GPO which is linked to the
"Users" OU, thus affecting all users, irrespective of the computer
they logon to.
The easiest way to prevent this script from running when users
logon to the Terminal Server is to create a second GPO and link it
to the OU which contains the Terminal Servers (but *no* user
accounts).
Computer Configuration - Administrative Templates - System - Group
Policy
"User Group Policy loopback processing mode" - Enabled
User Configuration - Windows Settings - Scripts
Logon - Disabled
What loopback processing does is that it takes the User
Configurations from the GPO linked to the computer (in this case
the Terminal Server), in stead of the normal processing (taking the
user settings from the GPO linked to the user account).
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___
=?Utf-8?B?QWxleCBBbmRlcnNvbg==?=
Post by Alex Anderson
Hello Everyone,
We have a GPO logon script that users get when they log into
their computer or TS. Our goal is disable the logon script when
users log into the TS server. I found the KB article
(http://support.microsoft.com/kb/924034/en-us) that explains the
process however the script still runs when a user logs in. I'm
not sure if it's because the script is tagged to a GPO or if the
KB article is meant for entirely something else? I did get help
from the VB script people on how to exclude certain computers
from running however I thought it would be much easier to just
disable the logon script feature on the TS server. Any help
would be much appreciated.
Thank you
Alex Anderson
Vera Noest [MVP]
2007-07-25 23:16:31 UTC
Permalink
Mmm, I didn't think about that, it's not a setting which you can
disable. Have a try with no script defined, and be sure that you use
the "Replace" option on the loopback policy.

If that should fail, you can easily jump out of the script by
checking the variable %computername% to see if it equals the name of
the TS. But a GPO would be nicer.
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

=?Utf-8?B?QWxleCBBbmRlcnNvbg==?=
Post by Alex Anderson
Vera,
How do disable scripts if you have no option too? Do you
disable it by not specifying a logon script?
Post by Vera Noest [MVP]
Yes, that can be done, but how you have to do it depends on how
exactly you have defined your current logon script, in which
GPO, and to which OU the GPO is linked.
I'm going to assume that your current logon script is defined
in the "User configuration" part of a GPO which is linked to
the "Users" OU, thus affecting all users, irrespective of the
computer they logon to.
The easiest way to prevent this script from running when users
logon to the Terminal Server is to create a second GPO and link
it to the OU which contains the Terminal Servers (but *no* user
accounts).
Computer Configuration - Administrative Templates - System -
Group Policy
"User Group Policy loopback processing mode" - Enabled
User Configuration - Windows Settings - Scripts
Logon - Disabled
What loopback processing does is that it takes the User
Configurations from the GPO linked to the computer (in this
case the Terminal Server), in stead of the normal processing
(taking the user settings from the GPO linked to the user
account).
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___
=?Utf-8?B?QWxleCBBbmRlcnNvbg==?=
Post by Alex Anderson
Hello Everyone,
We have a GPO logon script that users get when they log into
their computer or TS. Our goal is disable the logon script
when users log into the TS server. I found the KB article
(http://support.microsoft.com/kb/924034/en-us) that explains
the process however the script still runs when a user logs
in. I'm not sure if it's because the script is tagged to a
GPO or if the KB article is meant for entirely something
else? I did get help from the VB script people on how to
exclude certain computers from running however I thought it
would be much easier to just disable the logon script feature
on the TS server. Any help would be much appreciated.
Thank you
Alex Anderson
Alex Anderson
2007-07-25 23:24:03 UTC
Permalink
Vera,

Well, if you don't define anything, then nothing should run. I just did a
test run and it worked great. Thank you and Helge (cool name) for the help
with my dilemma.

Thank you
Alex Anderson
Post by Vera Noest [MVP]
Mmm, I didn't think about that, it's not a setting which you can
disable. Have a try with no script defined, and be sure that you use
the "Replace" option on the loopback policy.
If that should fail, you can easily jump out of the script by
checking the variable %computername% to see if it equals the name of
the TS. But a GPO would be nicer.
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___
=?Utf-8?B?QWxleCBBbmRlcnNvbg==?=
Post by Alex Anderson
Vera,
How do disable scripts if you have no option too? Do you
disable it by not specifying a logon script?
Post by Vera Noest [MVP]
Yes, that can be done, but how you have to do it depends on how
exactly you have defined your current logon script, in which
GPO, and to which OU the GPO is linked.
I'm going to assume that your current logon script is defined
in the "User configuration" part of a GPO which is linked to
the "Users" OU, thus affecting all users, irrespective of the
computer they logon to.
The easiest way to prevent this script from running when users
logon to the Terminal Server is to create a second GPO and link
it to the OU which contains the Terminal Servers (but *no* user
accounts).
Computer Configuration - Administrative Templates - System -
Group Policy
"User Group Policy loopback processing mode" - Enabled
User Configuration - Windows Settings - Scripts
Logon - Disabled
What loopback processing does is that it takes the User
Configurations from the GPO linked to the computer (in this
case the Terminal Server), in stead of the normal processing
(taking the user settings from the GPO linked to the user
account).
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___
=?Utf-8?B?QWxleCBBbmRlcnNvbg==?=
Post by Alex Anderson
Hello Everyone,
We have a GPO logon script that users get when they log into
their computer or TS. Our goal is disable the logon script
when users log into the TS server. I found the KB article
(http://support.microsoft.com/kb/924034/en-us) that explains
the process however the script still runs when a user logs
in. I'm not sure if it's because the script is tagged to a
GPO or if the KB article is meant for entirely something
else? I did get help from the VB script people on how to
exclude certain computers from running however I thought it
would be much easier to just disable the logon script feature
on the TS server. Any help would be much appreciated.
Thank you
Alex Anderson
Vera Noest [MVP]
2007-07-26 11:50:31 UTC
Permalink
OK, I'm glad that your problem is solved, and thanks for reporting
the results back here, Alex!
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
*----------- Please reply in newsgroup -------------*

=?Utf-8?B?QWxleCBBbmRlcnNvbg==?=
Post by Alex Anderson
Vera,
Well, if you don't define anything, then nothing should run. I
just did a test run and it worked great. Thank you and Helge
(cool name) for the help with my dilemma.
Thank you
Alex Anderson
Post by Vera Noest [MVP]
Mmm, I didn't think about that, it's not a setting which you
can disable. Have a try with no script defined, and be sure
that you use the "Replace" option on the loopback policy.
If that should fail, you can easily jump out of the script by
checking the variable %computername% to see if it equals the
name of the TS. But a GPO would be nicer.
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___
=?Utf-8?B?QWxleCBBbmRlcnNvbg==?=
Post by Alex Anderson
Vera,
How do disable scripts if you have no option too? Do you
disable it by not specifying a logon script?
Post by Vera Noest [MVP]
Yes, that can be done, but how you have to do it depends on
how exactly you have defined your current logon script, in
which GPO, and to which OU the GPO is linked.
I'm going to assume that your current logon script is
defined in the "User configuration" part of a GPO which is
linked to the "Users" OU, thus affecting all users,
irrespective of the computer they logon to.
The easiest way to prevent this script from running when
users logon to the Terminal Server is to create a second GPO
and link it to the OU which contains the Terminal Servers
(but *no* user accounts).
In this TS-GPO, you have to define minimally these 2
Computer Configuration - Administrative Templates - System -
Group Policy
"User Group Policy loopback processing mode" - Enabled
User Configuration - Windows Settings - Scripts
Logon - Disabled
What loopback processing does is that it takes the User
Configurations from the GPO linked to the computer (in this
case the Terminal Server), in stead of the normal processing
(taking the user settings from the GPO linked to the user
account).
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___
=?Utf-8?B?QWxleCBBbmRlcnNvbg==?=
Post by Alex Anderson
Hello Everyone,
We have a GPO logon script that users get when they log
into their computer or TS. Our goal is disable the logon
script when users log into the TS server. I found the KB
article (http://support.microsoft.com/kb/924034/en-us)
that explains the process however the script still runs
when a user logs in. I'm not sure if it's because the
script is tagged to a GPO or if the KB article is meant
for entirely something else? I did get help from the VB
script people on how to exclude certain computers from
running however I thought it would be much easier to just
disable the logon script feature on the TS server. Any
help would be much appreciated.
Thank you
Alex Anderson
Loading...