logonscript before policies?

  • Thread starter Thread starter Edward Kuenen
  • Start date Start date
E

Edward Kuenen

Hi,

Is it possible to change the processorder of the GPO's and loginscript so
that the GPO's are applied only after the logonscript?

With regards,

Edward
 
Edward,

A couple of questions:
How are the logon scripts assigned? Are you using Group Policy to run the
scripts or are these just the scripts assigned to the user on the Profile
tab in Active Directory Users and computers?

Is there any other protocols or client options installed on the network of
these machines? i.e. is Client32 for NetWare or other client installed on
your workstations? If there are, you may want to check the provider order in
your Advanced Network Settings to make sure that Microsoft Client is on top.

What is happening that leads you to determine that the login script is
running after group policy?

You might also want to try User Environment Logging to determine the order.
See the following:

221833 How to Enable User Environment Debug Logging in Retail Builds of
Windows
http://support.microsoft.com/?id=221833

Hi,

Is it possible to change the processorder of the GPO's and loginscript so
that the GPO's are applied only after the logonscript?

With regards,

Edward
 
Hi Edward,

I start the logonscript with a script assigned to the users in the profile
tab in the AD, but if it is possible as a logon script in the GPO I will use
that. There are no other protocols or client options installed (only TCP/IP,
the Microsoft client and server). The reason why I want this strange way is
because of the design of our terminal server farm. We use mandatory profiles
but we import registry settings with the logon script with the Office
Profile Wizard and export settings with a logoff script. So we can save some
settings and even different ones on different kind of servers without
corrupting or overwriting the profile.
The down-side is that the GPO's (and some first-use installations like IE)
are allways applied and not be cached like the normal way. If I could
process the GPO's after the profile wizard has imported the GPO settings
than the GPO would not be applied if nothing has changed and the logon
process is much faster (profile wizard is much faster than the GPO's).

I hope I make it clear...

With regards,

Edward (it's confusing ;-)
 
Edward,

Users can have logon and logoff scripts assigned via group policy. Machines
can have startup and shutdown scripts via group policy.

The issue at hand comes with these machines being terminal servers. Are you
only wanting these scripts to apply to the users when they log on to the
terminal servers? I know you are using these scripts attached to the user
name in the Profile tab, so does this script follow them to every machine
they log in to?

Are the registry keys you merge Local Machine keys or Local User keys? If
they are Local Machine, we might could set up a machine startup script.

Otherwise, let me look for some other options. It is interesting that you
are seeing that the GPOs apply before the script runs. Do you have loopback
policy enabled for these terminal servers in the farm?

Hi Edward,

I start the logonscript with a script assigned to the users in the profile
tab in the AD, but if it is possible as a logon script in the GPO I will use
that. There are no other protocols or client options installed (only TCP/IP,
the Microsoft client and server). The reason why I want this strange way is
because of the design of our terminal server farm. We use mandatory profiles
but we import registry settings with the logon script with the Office
Profile Wizard and export settings with a logoff script. So we can save some
settings and even different ones on different kind of servers without
corrupting or overwriting the profile.
The down-side is that the GPO's (and some first-use installations like IE)
are allways applied and not be cached like the normal way. If I could
process the GPO's after the profile wizard has imported the GPO settings
than the GPO would not be applied if nothing has changed and the logon
process is much faster (profile wizard is much faster than the GPO's).

I hope I make it clear...

With regards,

Edward (it's confusing ;-)
 
Hi Edward,

I use the script for users (not to the machine) because I import/merge user
settings (like all personal Office settings), because I don't want the user
to configure his personal settings everytime the user logs on (they use a
mandatory profile). In the current situation all users get the logonscript
but there is a check in the script if the user is logged on to the terminal
server or on a desktop and performs different actions. It's looks like
you're suprised that GPO's are applied before logon scripts. I believed it
is the normal procedure on all Windows 2000 or higher machines, but I want
to know if I could change this behavior. I do have loopback policy enabled.
Is this the normal order of processing (for a user logon)?
- Loading profile (loading your settings on screen)
- GPO (applying your personal settings on screen)
- Logonscripts (Logon scripts in GPO then Logon script in profile setting,
which could be asynchronous)
- HKLM\...\Run
- HKCU\...\Run
- Startup group in Start menu
Or do you have a different idea of normal processing? And is the order
between GPO and Logonscripts configurable?

With regards,

Edward
 
Edward,

I believe you are right. The act that the GPOs are "refreshed" in the
background was possibly what is throwing me off the trail.

The only way I would know how to do this would be what you mention below
with the script being applied via a GPO and using the asynchronous setting.

I trust some of the articles below may assist you.

322241 HOW TO: Assign Scripts in Windows 2000
http://support.microsoft.com/?id=322241

822706 Synchronous and Asynchronous Logon Script Processing
http://support.microsoft.com/?id=822706

179365 INFO: Run, RunOnce, RunServices, RunServicesOnce and Startup
http://support.microsoft.com/?id=179365

Hi Edward,

I use the script for users (not to the machine) because I import/merge user
settings (like all personal Office settings), because I don't want the user
to configure his personal settings everytime the user logs on (they use a
mandatory profile). In the current situation all users get the logonscript
but there is a check in the script if the user is logged on to the terminal
server or on a desktop and performs different actions. It's looks like
you're suprised that GPO's are applied before logon scripts. I believed it
is the normal procedure on all Windows 2000 or higher machines, but I want
to know if I could change this behavior. I do have loopback policy enabled.
Is this the normal order of processing (for a user logon)?
- Loading profile (loading your settings on screen)
- GPO (applying your personal settings on screen)
- Logonscripts (Logon scripts in GPO then Logon script in profile setting,
which could be asynchronous)
- HKLM\...\Run
- HKCU\...\Run
- Startup group in Start menu
Or do you have a different idea of normal processing? And is the order
between GPO and Logonscripts configurable?

With regards,

Edward
 
Back
Top