
Re: apply group policy logon logoff to computers

 
13-08-2003, 08:33 PM   #1
Sabin Nair[MSFT]

Hi Jim,

If you are applying a policy to an OU, there are two considerations:

1. If you are enabling a user policy (applying to users - User Config Part
of the policy), you need the users to be in that OU
2. If you are enabling a computer policy (applying to computers - Computer
Config Part of the policy), you need the computers in that OU

Logon scripts can be applied via:
1. Group Policy
2. Specify in the User Account properties

In your case, you may have to have both user and computer in the OU, since
the services policy is a computer policy, scripts (if applied via policy) is
a user policy.

Thanks
Sabin Nair M.S(Computer Engg.), MCSE, MCSA
Directory Services Team
Microsoft Corp.

"Please do not send e-mail directly to this alias.
This alias is for newsgroup purposes only."

"Jim Carney" <JCarney@agmins.com> wrote in message
news:00a501c361c6$efdc58c0$a601280a@phx.gbl...
> I am trying to run a logon script that starts the print
> spooler service, and a logoff that stops it.
>
> i have a very simple
> @echo off
> net stop spooler /y
>
>
> and one for the starting script.
> however it won't run unless the user has admin privileges.
> now i have tried to go to the group policy editor in
> active directory and given users the ability to modify the
> spooler service. i added the system account, the domain
> user, the user, the domain admin accounts. the system
> account and admin accounts got full rights. the other two
> got rights to read - and start stop the service.
>
> so far it does not seem to be working. i applied the
> policy in the default logon policy of the OU that all my
> user accounts are contained in. i've read that you should
> make a new OU and move all the computer accounts into that
> you want this kind of thing to work on. however i cannot
> tell if that's just one method for doing this, or the only
> way.
> also the logon scripts i put on each individual pc. do i
> need to put them on a network share for this to work?
> any advice would be greatly appreciated.



13-08-2003, 08:43 PM   #2
Jim Carney

and there's no limitation on having the computers and
user in the same OU?

and as far as the actual login script, can i leave that on
the individual pcs i want to do this for, or do i need to
put it on the network share, and point their logon gp at
it? (it's only 5 computers that need this feature, but i
want to understand why things work the way they do, so i
can make better decisions)

thank you very much for your help so far!

13-08-2003, 08:46 PM   #3
Jim Carney

stupid side question.

i could keep the computers in a different ou, users in
theirs...and make the same policy twice, and get the same
effect? i know it's redundant, and you would have to
duplicate your work in two spots, but seems logical to me?
again, just wanting to get a better understanding on the
whys and the wherefores....

13-08-2003, 08:54 PM   #4
Sabin Nair[MSFT]

Hi Jim,

1. logon script via policies:
322241 HOW TO: Assign Scripts in Windows 2000
http://kb/article.asp?id=Q322241

2. Assigning it to a local user:
315245 How to Assign a Logon Script to a Profile for a Local User
http://kb/article.asp?id=Q315245

- no limitations on having computer and user in the same OU, provided there
are good reasons for the same

--
Thanks
Sabin Nair M.S(Computer Engg.), MCSE, MCSA
Directory Services Team
Microsoft Corp.

"Please do not send e-mail directly to this alias.
This alias is for newsgroup purposes only."




13-08-2003, 09:15 PM   #5
Jim Carney

but if i did apply the same one, to the two OUs i would
be all set? sorry don't mean to beat a dead horse, i've
been staring at this for some time, feel i am close to
getting it working...

the reason for applying it this way in both cases, is the
thought i want it to apply to both users, and computers.

i did at one point have this policy up at the domain
level, but it did not seem to kick in.
>-----Original Message-----
>Hi Jim,
>
>The way policies apply is: LSDOU (local, site, domain, OU)
>- so OU policies get applied last, domain policies before that etc..
>- but the order of precedence is reverse "OU has the highest preference"
>- now precedence comes into picture, typically when you have conflicting
>policies
>
>ex: if you say you have "hide all icons on Desktop" enabled at Domain level
>and disabled at OU level, then OU would take precedence
>
>- but if you have "hide all icons on Desktop" at domain level, and "hide
>control panel" at OU level, the user inside the OU, will get both the
>policies (it will add)
>
>- So, in your case, you do not have to define the policy twice (just once at
>the highest level)
>- just be careful on whom you apply it to
>
>--
>Thanks
>Sabin Nair M.S(Computer Engg.), MCSE, MCSA
>Directory Services Team
>Microsoft Corp.
>
>"Please do not send e-mail directly to this alias.
>This alias is for newsgroup purposes only."
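
The scoping and LSDOU rules discussed in this thread, as an added example that is not part of any poster's message: a toy Python model in which the User Configuration side of a GPO follows the user's containers and the Computer Configuration side follows the computer's. The domain, OU, GPO and script names are constructed, and the model ignores Block Inheritance, No Override and security filtering.

```python
from dataclasses import dataclass, field

ORDER = ["local", "site", "domain", "ou"]  # LSDOU processing order; later wins

@dataclass
class GPO:
    name: str
    level: str                                    # one of ORDER
    linked_to: str                                # container the GPO is linked to
    user: dict = field(default_factory=dict)      # User Configuration settings
    computer: dict = field(default_factory=dict)  # Computer Configuration settings

def resultant(gpos, side, containers):
    """Merge one side ('user' or 'computer') of every GPO linked to a container
    the object sits in, in LSDOU order. Returns {setting: (value, gpo_name)}."""
    merged = {}
    in_scope = [g for g in gpos if g.linked_to in containers]
    for gpo in sorted(in_scope, key=lambda g: ORDER.index(g.level)):
        for setting, value in getattr(gpo, side).items():
            merged[setting] = (value, gpo.name)   # a later level overwrites an earlier one
    return merged

def effective(gpos, user_in, computer_in):
    """User settings follow the user's containers; computer settings follow
    the computer's containers."""
    return {"user": resultant(gpos, "user", user_in),
            "computer": resultant(gpos, "computer", computer_in)}

# Constructed sample data: every name below is invented for illustration.
DOMAIN_GPO = GPO("Domain Baseline", "domain", "example.local",
                 user={"Hide all icons on Desktop": "Enabled"})
SPOOLER_GPO = GPO("Spooler Policy", "ou", "OU=Staff",
                  user={"Logon script": "startspool.cmd",
                        "Hide all icons on Desktop": "Disabled",
                        "Hide Control Panel": "Enabled"},
                  computer={"Spooler service ACL": "Users: start/stop"})
GPOS = [SPOOLER_GPO, DOMAIN_GPO]

def scenario(computer_ou):
    """The user always sits in OU=Staff; the computer's OU is varied."""
    return effective(GPOS, user_in={"example.local", "OU=Staff"},
                     computer_in={"example.local", computer_ou})

if __name__ == "__main__":
    for ou in ("OU=Workstations", "OU=Staff"):
        print(ou, scenario(ou))
```

With the computer in a different OU, the logon script is assigned but the service permission never reaches the machine, so the script runs without the rights it needs.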
