Group Policy domain logon script

By glenn22
I am trying to have a logon script run when a user logs in to set the DHCP class ID. The class will either enable or disable internet access for the user. I have so far done the following:

1. I created a class called "InternetEnabled" which holds the appropriate DNS and router information.

2. I created a security group called "InternetUsers" and added the appropriate usernames.

3. I created a group policy called "EnableInternet" and linked it to the domain.

4. I filtered security by adding access to the group policy to the "InternetUsers" group and selecting "apply group policy".

5. I set the logon script under User Configuration>Windows Settings>Scripts(logon/logoff)>Logon to the batch file I created and tested (works fine).

This should be all I need to do, right? The script does not run at all.

All Answers

group policy works on OUs

by CG IT In reply to Group Policy domain logon ...

Create a computer OU called Internet Access. Set the computer configuration you want, e.g. network connections properties which will either exclude the default gateway or include the default gateway, and better yet hide the Network Connections icon in Control Panel, or hide the General tab, or grey out the Properties radio button in Network Connections so that users can't change the parameters set.

Add those computers to the OU that you want to have the GPO applied to.

Apply the group policy to the OU you created.

Run secedit /refreshpolicy machine_policy
or secedit /refreshpolicy user_policy to force the application of the OU.

DHCP will hand out default gateway information to clients [or router information] if that option is set in DHCP options.

How you go about controlling internet access sort of depends on how your physical network is set up. If you use a perimeter firewall/router that has plenty of options, you can configure it to allow only certain computers to gain access to the internet. [Consumer level routers often don't have this level of configuration.]

Still have the same issue

by glenn22 In reply to group policy works on OUs

I had applied my policy to the domain level, but I tried creating a new OU, adding user accounts to that OU, and then applying the policy to the OU. Then I used GPUPDATE (not secedit since it's Windows 2k3) and tested it. Same problem, the script simply doesn't run on the client machine. It will run the script just fine if I code the script directly into a user's profile tab, but that defeats the purpose of using a policy. Any ideas why the script will not run?

Further troubleshooting

Was your logon script coded at Computer or User policy level?
Run gpresult /Z and pipe output to a text file and review the results.
Also, examine the event logs on the PC and logon domain controller for any errors or warnings about policy.

billbohlen might have the answer

by CG IT In reply to Further troubleshooting

Probably the only way to figure out why the GPO doesn't apply.

User Level

by glenn22 In reply to Further troubleshooting

It was coded at the User level. I reviewed the results and it seems to apply the GPO just fine, just doesn't run the script.

Your script

by billbohlen@hallmarkchannl In reply to User Level

Well, if gpresult says the GPO is being applied, and you don't see any events in the event logs indicating a problem, make sure the script batch file has replicated to the local domain controller.
Find out your policy's GUID and the local DC name, then from the PC go to the directory \\<LOCALDCNAME>\SYSVOL\<POLICYGUID>\User\Scripts\Logon\ and make sure the batch file is there. If not, you have a replication issue on your domain; the file isn't there to run. But you should also see an error in your event log in that case.

Another helpful trick is to put some code in your batch file to see where things are happening. A line like:

ECHO Hello I am starting the batch file now! >"%HOMEDRIVE%%HOMEPATH%\batchtest.txt"

can help. Make sure you pipe output to a directory the user will have access to.
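
The logging trick from the post above, extended into an instrumented logon script (an added example, not part of the original thread and not the poster's own batch file). The adapter name "Local Area Connection", the use of `ipconfig /setclassid` as the script's real work, and the availability of `whoami` on the client are assumptions; the class and group names come from the thread.

```batch
@echo off
rem Added example: instrumented logon script for troubleshooting.
rem Assumed values: adapter name below; class and group names are from the thread.
setlocal
set "LOG=%HOMEDRIVE%%HOMEPATH%\batchtest.txt"
set "ADAPTER=Local Area Connection"
set "CLASSID=InternetEnabled"

rem Quote the log path (profile paths often contain spaces) and append with >>
rem so each logon leaves its own record instead of overwriting the last one.
>>"%LOG%" echo ==== %DATE% %TIME% logon script started ====
>>"%LOG%" echo User=%USERDOMAIN%\%USERNAME% Computer=%COMPUTERNAME%
>>"%LOG%" echo LogonServer=%LOGONSERVER%
rem %~f0 is the full path this script was launched from (the SYSVOL copy when run by the GPO).
>>"%LOG%" echo ScriptPath=%~f0

rem Security filtering is evaluated against the groups in the logon token,
rem so record whether the filtering group is actually present in it.
rem whoami is assumed available (built in on Server 2003; Support Tools on XP).
whoami /groups | find /i "InternetUsers" >nul
if errorlevel 1 (
  >>"%LOG%" echo Group InternetUsers: NOT in token
) else (
  >>"%LOG%" echo Group InternetUsers: present in token
)

rem Run the real work, keeping its output and exit code in the same log.
ipconfig /setclassid "%ADAPTER%" %CLASSID% >>"%LOG%" 2>&1
set "RC=%ERRORLEVEL%"
>>"%LOG%" echo ipconfig /setclassid exit code=%RC%

>>"%LOG%" echo ==== %DATE% %TIME% logon script finished ====
endlocal & exit /b %RC%
```

An empty or missing log after logon means the script never started; a log with a non-zero exit code means it started but the command failed in the user's security context.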

That helped...but

by glenn22 In reply to Your script

It seems the file was not accessible before, but is now. I am able to get my policy and script to run on the one computer and everything works as it should. The problem I am having now is that when I log onto another domain machine the policy doesn't work on that machine. A gpresult output shows that the policy is neither denied nor applied.... Why would that be?

Update: After looking at what's happening on the original computer it seems like things are not actually functioning correctly there either. I have 2 policies set up, one for local users, and one for internet users. I apply both to an OU and filter them by security and add the users to the correct group (so they have access to either GPO). It seems that when I give a user the local group security it works fine and only applies the local users GPO, but when I remove the local group security and add internet group security, it applies both GPOs even though they should be filtered out of the Local group.... It seems like somehow the policies are not updating... I do a gpupdate, but it doesn't help.

Try user gpo

by pstech In reply to That helped...but

Hi, for our users who aren't allowed on, I drop their user account into a user OU and put a group policy with a phoney proxy setting and remove all access to change settings to it.
