Multiple Questions


Adrian Marsh

Hi,

Sorry for the cross-post, but I've a bunch of questions covering a range
of topics. I've posted some of these independently to separate groups in
the past, but haven't had answers to some (and I didn't understand the
others...) Hope you can help...

Setup: test network at present, Currently 1 W2K AS DC/DNS/DHCP. W2K
Pro/XP only clients. Real network will be only 1/2 user ids spread over
about 50-60 clients, one domain.

1) Script Replication - Do the W2K Login scripts in Group Policies get
automatically synced across DCs ? I know NT4 didn't.

2) Admin of local Clients - I've a Domain "Lab", under that I've the
standard Container for Builtin, and a labadmin user defined. Then there's
a test OU, with its own test\testlaptop1,2,3 computers and test\testuser
user.

I want the testuser user to be local Administrator of the testlaptops
themselves, but not of the Domain or test OU itself. If I make
test\testuser part of the Lab\Builtin\Administrator group then won't
they be "admins" of the whole Domain?? How can I do what I want here ?
I think the answer is something to do with Restricted groups, but
haven't quite got the concept..

3) Login scripts - I've a bunch of various apps I need installed on
each testlaptop, everything from Office 2k to mcafee to DrTcpIp. I've
written some .bat login scripts that will do the job of installing,
logging and uninstalling/running the setup.exe, etc. But I'm wondering
if it's worth my while trying to put these into .zap scripts. I don't
have any 95/98/NT4 clients, 2000 and XP only. Opinions??
BTW: When do .msi/.zap installations run - at login only ??

4) Start vs CMD - My initial script will be "hidden" so that I can
guarantee the sub-scripts run. My Logon scripts execute Start "with
params" to install the above apps, actually running another .bat script
first. This leaves the CMD window open at a prompt (because Start calls
CMD with a /K option). If I put an "exit" at the end of the Start'ed
.bat script then the window closes in error (I hear a beep when Login
finishes). I want my master login script to kick off "about to
install..." messages windows before kicking off the actual setup.exe
runs - what's the best method? I can live with the beeps, but I must be
missing something...

5) Protected Windows - When the above .bat scripts are running, I see
that they can actually be "closed" by the user, prior to completion. Any
way of disabling the "close window" buttons during Logon ?

6) Disable local PC logins - I'd like to disable the ability to login
locally on a client PC, except with a Domain ID, but I think that'll
conflict with 2) above where users have admin rights. Once a PC's added
to the domain I'd like to remove the "testlaptopX" from the drop down
Domain selection list at the login prompt. If I can't do that, then I
need a way of automatically removing all logins except the Administrator
login, and then a way of changing the Administrator login password.

7) Midnight scripts - Most of the PCs in the domain will remain logged
on. I'd like to have each PC run a script at midnight to check for
updated s/w installs. I've experimented with Scheduled tasks, but hit
authentication issues. Can AD help with this??

8) Auto lock - What's the GPO for having the PC auto-lock after xx
minutes?? - buggered if I can find it.

9) Timezone - I've got the SNTP working, and I've put a net time /domain
/set /y command in the login scripts, but I can't figure out how to
force the clients to use a specific timezone - any advice ??

10) SUS Reboots - I've got SUS services and Autoinstall running. I can't
have the PCs auto-reboot straight after install, only when users aren't
doing critical work, so it'll pop-up with the "should reboot to
continue..." message at present. Is there any way of seeing which PCs
have been rebooted after install?? Or forcing a reboot if, say, that PC
hasn't been rebooted within 7 days after install. I'll be logging
within the Login scripts so I could tell manually which PCs have been
rebooted, but is there a way of automating it?

11) SUS Reboots 2 - Within SUS, does the white-paper says the above
no-reboot settings apply when a user is logged in. Does that mean that
when a PC is left at the login screen that it will auto-reboot anyway??

12) Finally - I'm trying to figure out which is the best starting point
for Microsoft training courses. I'm reading books, online, etc on AD,
DNS and DHCP, but when I try to see what course/certificate to try and
start with I get lost... MVP vs MSFT... and can anyone recommend a good
company for this in the UK?

Ok, that's all I can think of. Come on you MVPs and MSFTs... see if you
can meet the challenge...

Ta v. much.
Adrian
 

ptwilliams

I've answered in-line...

Hi,

Sorry for the cross-post, but I've a bunch of questions covering a range
of topics. I've posted some of these independently to separate groups in
the past, but haven't had answers to some (and I didn't understand the
others...) Hope you can help...

Setup: test network at present, Currently 1 W2K AS DC/DNS/DHCP. W2K
Pro/XP only clients. Real network will be only 1/2 user ids spread over
about 50-60 clients, one domain.

1) Script Replication - Do the W2K Login scripts in Group Policies get
automatically synced across DCs ? I know NT4 didn't.

Yes, if they're in the SYSVOL they'll get replicated.


2) Admin of local Clients - I've a Domain "Lab", under that I've the
standard Container for Builtin, and a labadmin user defined. Then there's
a test OU, with its own test\testlaptop1,2,3 computers and test\testuser
user.

I want the testuser user to be local Administrator of the testlaptops
themselves, but not of the Domain or test OU itself. If I make
test\testuser part of the Lab\Builtin\Administrator group then won't
they be "admins" of the whole Domain?? How can I do what I want here ?
I think the answer is something to do with Restricted groups, but
haven't quite got the concept..

You are correct: adding to the (domain) local administrators group is giving
them administrative rights across all DCs. What you'll need to do is
configure the restricted groups part of a GPO. Adding users into the
Administrators via this will add them to the local administrators group on
all domain members.


3) Login scripts - I've a bunch of various apps I need installed on
each testlaptop, everything from Office 2k to mcafee to DrTcpIp. I've
written some .bat login scripts that will do the job of installing,
logging and uninstalling/running the setup.exe, etc. But I'm wondering
if it's worth my while trying to put these into .zap scripts. I don't
have any 95/98/NT4 clients, 2000 and XP only. Opinions??
BTW: When do .msi/.zap installations run - at login only ??

If the apps are already .msi files deploy them via GPO. .zap is another
good way of doing this. When you deploy apps using GPOs you have a few
options: publish to a user, assign to a user and assign to a computer.

Publishing to a user means that a user goes into add/ remove and the add
programs part and any published apps will show up in here. The user
selects the app he/ she wants and it gets installed using a set of elevated
credentials.

Assigning to a user will install the app upon logon. Note. If the user
logs onto multiple computers the app will be installed on each computer.

Assigning to a computer will deploy when GPO is applied before the winlogon
screen.


4) Start vs CMD - My initial script will be "hidden" so that I can
guarantee the sub-scripts run. My Logon scripts execute Start "with
params" to install the above apps, actually running another .bat script
first. This leaves the CMD window open at a prompt (because Start calls
CMD with a /K option). If I put an "exit" at the end of the Start'ed
.bat script then the window closes in error (I hear a beep when Login
finishes). I want my master login script to kick off "about to
install..." messages windows before kicking off the actual setup.exe
runs - what's the best method? I can live with the beeps, but I must be
missing something...

Yes, there's a way of hiding the windows, but I don't know it...somebody
else will have to answer that ;-)


5) Protected Windows - When the above .bat scripts are running, I see
that they can actually be "closed" by the user, prior to completion. Any
way of disabling the "close window" buttons during Logon ?

See above answer.


6) Disable local PC logins - I'd like to disable the ability to login
locally on a client PC, except with a Domain ID, but I think that'll
conflict with 2) above where users have admin rights. Once a PC's added
to the domain I'd like to remove the "testlaptopX" from the drop down
Domain selection list at the login prompt. If I can't do that, then I
need a way of automatically removing all logins except the Administrator
login, and then a way of changing the Administrator login password.

If you want to stop users logging on using local accounts either disable or
delete the local accounts.

I don't think you can remove anything from that drop-down list. The best
thing is to uncheck the options button so that the users cannot see that by
default.


7) Midnight scripts - Most of the PCs in the domain will remain logged
on. I'd like to have each PC run a script at midnight to check for
updated s/w installs. I've experimented with Scheduled tasks, but hit
authentication issues. Can AD help with this??

I don't understand what you mean here. Can you elaborate please? What kind
of s/w installs, and what kind of authentication issues?


8) Auto lock - What's the GPO for having the PC auto-lock after xx
minutes?? - buggered if I can find it.

It's the screen saver time out and password protect screen saver options:

\User Configuration\ Administrative Templates\ Control Panel\ Display\
Password protect the screen saver
\User Configuration\ Administrative Templates\ Control Panel\ Display\
Screen Saver timeout


9) Timezone - I've got the SNTP working, and I've put a net time /domain
/set /y command in the login scripts, but I can't figure out how to
force the clients to use a specific timezone - any advice ??

There's no need to do that in the logon scripts. Windows Time (w32time.exe)
automatically keeps your time synchronised. Only configure the forest root
domain PDCe to synchronise time with another source.

Timezones are regional options. Either configure upon building the PC, or
have a look through the GPO.


10) SUS Reboots - I've got SUS services and Autoinstall running. I can't
have the PCs auto-reboot straight after install, only when users aren't
doing critical work, so it'll pop-up with the "should reboot to
continue..." message at present. Is there any way of seeing which PCs
have been rebooted after install?? Or forcing a reboot if, say, that PC
hasn't been rebooted within 7 days after install. I'll be logging
within the Login scripts so I could tell manually which PCs have been
rebooted, but is there a way of automating it?

Here's a good place to have a look: www.susserver.com


11) SUS Reboots 2 - Within SUS, does the white-paper says the above
no-reboot settings apply when a user is logged in. Does that mean that
when a PC is left at the login screen that it will auto-reboot anyway??

No, I believe if you set it to not reboot it doesn't - period.


12) Finally - I'm trying to figure out which is the best starting point
for Microsoft training courses. I'm reading books, online, etc on AD,
DNS and DHCP, but when I try to see what course/certificate to try and
start with I get lost... MVP vs MSFT... and can anyone recommend a good
company for this in the UK?

An MVP isn't a certification as such. You cannot sit an exam and get it.
MS simply awards you one for being a real expert and helping people in these
newsgroups and public forums, etc.

Microsoft certifications are MCP, MCSA and MCSE for administrators (there's
also DBS and Developer ones). If you are planning on becoming an MCSA/E
then you will need to buy the books, read the books, work in an environment
that uses this technology, set up labs, and work very hard. Choose what you
want and then have a look at www.microsoft.com/learning for more info.

I'm currently heading towards both my MCSA and MCSE in Win2000. I then plan
to upgrade this to 2003. Some of my colleagues who are NT4 MCSEs are simply
going for the 2003 certs as we've got a lot of work coming up with 2003...

As for courses, there are loads. I would use www.google.co.uk to try and
pin down what you want. Prices are usually fixed at a certain price and
then go up and up. You can barter these prices ;-)


Ok, that's all I can think of. Come on you MVPs and MSFTs... see if you
can meet the challenge...

Ta v. much.
Adrian

Maybe next time, you could try and post several different questions, eh??
;-)

I hope I've helped in some way, as that took ages to work through!!!


--

Paul Williams
_________________________________________
http://www.msresource.net


Join us in our new forums!
http://forums.msresource.net
_________________________________________
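
One way to confirm, on a laptop in the test OU, that the Restricted Groups policy discussed in answer 2) left the local Administrators group with the membership you intended. This is an added example, not part of the original post; the LAB domain name, the expected-member list and the script file name are assumptions.

```vbscript
' audit-admins.vbs (added example, not from the thread)
' Usage: cscript //nologo audit-admins.vbs testlaptop1
' Lists the local Administrators group through the WinNT ADSI provider and
' compares it with the membership the policy is supposed to produce.
Option Explicit

Dim expected, computer, grp, member, acct, key, problems

Set expected = CreateObject("Scripting.Dictionary")
expected.CompareMode = vbTextCompare      ' account names are not case-sensitive

If WScript.Arguments.Count > 0 Then
    computer = WScript.Arguments(0)
Else
    computer = CreateObject("WScript.Network").ComputerName
End If

' Assumed target state: built-in local Administrator, Domain Admins, testuser.
expected.Add computer & "/Administrator", False
expected.Add "LAB/Domain Admins", False
expected.Add "LAB/testuser", False

Set grp = GetObject("WinNT://" & computer & "/Administrators,group")
problems = 0

For Each member In grp.Members
    acct = ShortName(member.ADsPath)
    If expected.Exists(acct) Then
        expected(acct) = True             ' seen, as intended
    Else
        ' Anything not on the list is reported, including broad principals
        ' such as NT AUTHORITY/INTERACTIVE or leftover local accounts.
        WScript.Echo "UNEXPECTED  " & acct
        problems = problems + 1
    End If
Next

For Each key In expected.Keys
    If Not expected(key) Then
        WScript.Echo "MISSING     " & key
        problems = problems + 1
    End If
Next

If problems = 0 Then WScript.Echo "OK  " & computer & " matches the expected list"
WScript.Quit problems                     ' non-zero exit code = drift found

' "WinNT://LAB/TESTLAPTOP1/Administrator" -> "TESTLAPTOP1/Administrator"
' "WinNT://LAB/testuser"                  -> "LAB/testuser"
' Unresolvable SIDs come back as a single component and are returned as-is.
Function ShortName(adsPath)
    Dim parts, n
    parts = Split(Mid(adsPath, Len("WinNT://") + 1), "/")
    n = UBound(parts)
    If n >= 1 Then
        ShortName = parts(n - 1) & "/" & parts(n)
    Else
        ShortName = parts(0)
    End If
End Function
```

Querying a remote laptop this way needs an account that is already an administrator on it; run without an argument to check the local machine.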
 
Adrian Marsh

Paul,

Many thanks for taking the time to answer. I appreciate it was a long read, but I was on a flow.... I've given some more details below in Red.

ptwilliams wrote:

I've answered in-line...

"Adrian Marsh" <[email protected]> wrote in message news:[email protected]...

Hi,

Sorry for the cross-post, but I've a bunch of questions covering a range of topics. I've posted some of these independently to separate groups in the past, but haven't had answers to some (and I didn't understand the others...) Hope you can help...

Setup: test network at present, Currently 1 W2K AS DC/DNS/DHCP. W2K Pro/XP only clients. Real network will be only 1/2 user ids spread over about 50-60 clients, one domain.

1) Script Replication - Do the W2K Login scripts in Group Policies get automatically synced across DCs ? I know NT4 didn't.

Yes, if they're in the SYSVOL they'll get replicated.

Ta.


2) Admin of local Clients - I've a Domain "Lab", under that I've the standard Container for Builtin, and a labadmin user defined. Then there's a test OU, with its own test\testlaptop1,2,3 computers and test\testuser user.

I want the testuser user to be local Administrator of the testlaptops themselves, but not of the Domain or test OU itself. If I make test\testuser part of the Lab\Builtin\Administrator group then won't they be "admins" of the whole Domain?? How can I do what I want here ? I think the answer is something to do with Restricted groups, but haven't quite got the concept..

You are correct: adding to the (domain) local administrators group is giving them administrative rights across all DCs. What you'll need to do is configure the restricted groups part of a GPO. Adding users into the Administrators via this will add them to the local administrators group on all domain members.

Could you give a summary on the Restricted usage? Do I add the user to the Lab\Builtin\Administrator group, and then put the Administrator group in the restrictions or something? Wouldn't that then affect ALL Admin users in that OU?? Rather than just the testuser id.


3) Login scripts - I've a bunch of various apps I need installed on each testlaptop, everything from Office 2k to mcafee to DrTcpIp. I've written some .bat login scripts that will do the job of installing, logging and uninstalling/running the setup.exe, etc. But I'm wondering if it's worth my while trying to put these into .zap scripts. I don't have any 95/98/NT4 clients, 2000 and XP only. Opinions??
BTW: When do .msi/.zap installations run - at login only ??

If the apps are already .msi files deploy them via GPO. .zap is another good way of doing this. When you deploy apps using GPOs you have a few options: publish to a user, assign to a user and assign to a computer.

Publishing to a user means that a user goes into add/ remove and the add programs part and any published apps will show up in here. The user selects the app he/ she wants and it gets installed using a set of elevated credentials.

Assigning to a user will install the app upon logon. Note. If the user logs onto multiple computers the app will be installed on each computer.

Assigning to a computer will deploy when GPO is applied before the winlogon screen.

Using "assign to computer", what happens if there are prompts in the setup - "Press Ok to continue.." etc?

And for Assign to user, does that mean that - for example - Office 2K would get installed twice if two users login to the same PC ??


4) Start vs CMD - My initial script will be "hidden" so that I can guarantee the sub-scripts run. My Logon scripts execute Start "with params" to install the above apps, actually running another .bat script first. This leaves the CMD window open at a prompt (because Start calls CMD with a /K option). If I put an "exit" at the end of the Start'ed .bat script then the window closes in error (I hear a beep when Login finishes). I want my master login script to kick off "about to install..." messages windows before kicking off the actual setup.exe runs - what's the best method? I can live with the beeps, but I must be missing something...

Yes, there's a way of hiding the windows, but I don't know it...somebody else will have to answer that ;-)

Ta anyway.


5) Protected Windows - When the above .bat scripts are running, I see that they can actually be "closed" by the user, prior to completion. Any way of disabling the "close window" buttons during Logon ?

See above answer.

6) Disable local PC logins - I'd like to disable the ability to login locally on a client PC, except with a Domain ID, but I think that'll conflict with 2) above where users have admin rights. Once a PC's added to the domain I'd like to remove the "testlaptopX" from the drop down Domain selection list at the login prompt. If I can't do that, then I need a way of automatically removing all logins except the Administrator login, and then a way of changing the Administrator login password.

If you want to stop users logging on using local accounts either disable or delete the local accounts.

I don't think you can remove anything from that drop-down list. The best thing is to uncheck the options button so that the users cannot see that by default.

Ok - do you know any tools/commands for removing accounts from scripts or remotely??


7) Midnight scripts - Most of the PCs in the domain will remain logged on. I'd like to have each PC run a script at midnight to check for updated s/w installs. I've experimented with Scheduled tasks, but hit authentication issues. Can AD help with this??

I don't understand what you mean here. Can you elaborate please? What kind of s/w installs, and what kind of authentication issues?

Ok - some more detail -  If I install apps via logon scripts, and the user never logs off, then that PC may not get the patches I need to install. So I thought the best way around that was to have the PC run a standard "re-fresh"ing script each day. Then I can put into that script any updates.

When I tried to do this, I tried to put the Scheduled Task in via "reg" update commands within the Login scripts. But in 2000/XP you have to also specify a user/password in the Scheduled Task. And that's where I hit a problem as I couldn't enter the user/password as part of the script. Is there an AD way of doing this??


8) Auto lock - What's the GPO for having the PC auto-lock after xx minutes?? - buggered if I can find it.

It's the screen saver time out and password protect screen saver options:

\User Configuration\ Administrative Templates\ Control Panel\ Display\ Password protect the screen saver
\User Configuration\ Administrative Templates\ Control Panel\ Display\ Screen Saver timeout

Ta.


9) Timezone - I've got the SNTP working, and I've put a net time /domain /set /y command in the login scripts, but I can't figure out how to force the clients to use a specific timezone - any advice ??

There's no need to do that in the logon scripts. Windows Time (w32time.exe) automatically keeps your time synchronised. Only configure the forest root domain PDCe to synchronise time with another source.

Timezones are regional options. Either configure upon building the PC, or have a look through the GPO.

Any idea where? I've looked but can't find it.


10) SUS Reboots - I've got SUS services and Autoinstall running. I can't have the PCs auto-reboot straight after install, only when users aren't doing critical work, so it'll pop-up with the "should reboot to continue..." message at present. Is there any way of seeing which PCs have been rebooted after install?? Or forcing a reboot if, say, that PC hasn't been rebooted within 7 days after install. I'll be logging within the Login scripts so I could tell manually which PCs have been rebooted, but is there a way of automating it?

Here's a good place to have a look: www.susserver.com

11) SUS Reboots 2 - Within SUS, does the white-paper says the above no-reboot settings apply when a user is logged in. Does that mean that when a PC is left at the login screen that it will auto-reboot anyway??

No, I believe if you set it to not reboot it doesn't - period.

12) Finally - I'm trying to figure out which is the best starting point for Microsoft training courses. I'm reading books, online, etc on AD, DNS and DHCP, but when I try to see what course/certificate to try and start with I get lost... MVP vs MSFT... and can anyone recommend a good company for this in the UK?

An MVP isn't a certification as such. You cannot sit an exam and get it. MS simply awards you one for being a real expert and helping people in these newsgroups and public forums, etc.

Microsoft certifications are MCP, MCSA and MCSE for administrators (there's also DBS and Developer ones). If you are planning on becoming an MCSA/E then you will need to buy the books, read the books, work in an environment that uses this technology, set up labs, and work very hard. Choose what you want and then have a look at www.microsoft.com/learning for more info.

I'm currently heading towards both my MCSA and MCSE in Win2000. I then plan to upgrade this to 2003. Some of my colleagues who are NT4 MCSEs are simply going for the 2003 certs as we've got a lot of work coming up with 2003...

As for courses, there are loads. I would use www.google.co.uk to try and pin down what you want. Prices are usually fixed at a certain price and then go up and up. You can barter these prices ;-)

Ok, that's all I can think of. Come on you MVPs and MSFTs... see if you can meet the challenge...

Ta v. much.
Adrian

Maybe next time, you could try and post several different questions, eh?? ;-)

I hope I've helped in some way, as that took ages to work through!!!

You're a star!
 
Torgeir Bakken (MVP)

Adrian said:
[snip]
2) Admin of local Clients - I've a Domain "Lab", under that I've the
standard Container for Builtin, and a labadmin user defined. Then there's
a test OU, with its own test\testlaptop1,2,3 computers and test\testuser
user.

I want the testuser user to be local Administrator of the testlaptops
themselves, but not of the Domain or test OU itself. If I make
test\testuser part of the Lab\Builtin\Administrator group then won't
they be "admins" of the whole Domain?? How can I do what I want here ? I
think the answer is something to do with Restricted groups, but haven't
quite got the concept..

We add "NT Authority\Interactive" in the local Administrators group
to let all domain users automatically be local admins when they log
on to a computer interactively.

This is more secure than adding "Authenticated Domain users",
"Domain Users" or "NT AUTHORITY\Authenticated Users" because you
avoid the issue with cross network admin rights (remote access)
that these groups introduce.

3) Login scripts - I've a bunch of various apps I need installed on
each testlaptop, everything from Office 2k to mcafee to DrTcpIp. I've
written some .bat login scripts that will do the job of installing,
logging and uninstalling/running the setup.exe, etc. But I'm wondering
if it's worth my while trying to put these into .zap scripts. I don't
have any 95/98/NT4 clients, 2000 and XP only. Opinions??
BTW: When do .msi/.zap installations run - at login only ??

Paul described the msi part. Note that .zap installations are much
more limited, it can only be published to users (the user needs to
go to Add/Remove Program and select the program for installation).

231747 How to Publish Non-MSI Programs with .Zap Files
http://support.microsoft.com/?id=231747

4) Start vs CMD - My initial script will be "hidden" so that I can
guarantee the sub-scripts run. My Logon scripts execute Start "with
params" to install the above apps, actually running another .bat script
first. This leaves the CMD window open at a prompt (because Start calls
CMD with a /K option). If I put an "exit" at the end of the Start'ed
.bat script then the window closes in error (I hear a beep when Login
finishes). I want my master login script to kick off "about to
install..." messages windows before kicking off the actual setup.exe
runs - what's the best method? I can live with the beeps, but I must be
missing something...

Use a VBScript based logon script. From this vbscript, you can launch
batch files so they are "invisible":

Set oShell = CreateObject("WScript.Shell")
oShell.Run "some.bat", 0, True


WSH 5.6 documentation (local help file) can be downloaded from here
if you haven't got it already:
http://msdn.microsoft.com/downloads/list/webdev.asp

5) Protected Windows - When the above .bat scripts are running, I see
that they can actually be "closed" by the user, prior to completion. Any
way of disabling the "close window" buttons during Logon ?

See my response to 4)
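
A fuller logon script built on the `oShell.Run "some.bat", 0, True` call from answer 4), as an added example that is not part of the original post: it shows the "about to install" message, runs each batch file with no window for the user to close, waits for it, and logs the exit code. The batch file names and the log path are hypothetical.

```vbscript
' logon-install.vbs (added example, not from the thread)
' Assign this as the logon script instead of the master .bat file.
Option Explicit

Const HIDDEN = 0            ' window style 0: the batch file gets no visible console
Const WAIT_FOR_EXIT = True  ' block until the batch file ends so steps run in order
Const FOR_APPENDING = 8
Const ICON_INFO = 64

Dim shell, fso, net, logFile, scriptDir, steps, batch, fullPath, rc, failures

Set shell = CreateObject("WScript.Shell")
Set fso   = CreateObject("Scripting.FileSystemObject")
Set net   = CreateObject("WScript.Network")

' Batch files are expected next to this script (for example in SYSVOL).
scriptDir = fso.GetParentFolderName(WScript.ScriptFullName)

' Hypothetical log location; %TEMP% is writable by the logged-on user.
Set logFile = fso.OpenTextFile( _
    shell.ExpandEnvironmentStrings("%TEMP%\logon-install.log"), _
    FOR_APPENDING, True)

' Hypothetical install scripts, run in this order.
steps = Array("install-office.bat", "install-mcafee.bat", "install-drtcpip.bat")
failures = 0

For Each batch In steps
    fullPath = fso.BuildPath(scriptDir, batch)
    If fso.FileExists(fullPath) Then
        ' Message box that closes by itself after 5 seconds.
        shell.Popup "About to install: " & batch, 5, "Logon install", ICON_INFO

        ' Run returns the process exit code when the third argument is True.
        rc = shell.Run("%COMSPEC% /c """ & fullPath & """", HIDDEN, WAIT_FOR_EXIT)
        WriteLog batch & " finished, exit code " & rc
        If rc <> 0 Then failures = failures + 1
    Else
        WriteLog batch & " not found in " & scriptDir
        failures = failures + 1
    End If
Next

logFile.Close
WScript.Quit failures

Sub WriteLog(msg)
    logFile.WriteLine Now & " " & net.ComputerName & " " & net.UserName & " " & msg
End Sub
```

Each batch file should end with `exit /b <code>` so the exit code written to the log reflects whether the install succeeded.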

 

ptwilliams

In-line answers again...
Paul,

Many thanks for taking the time to answer. I appreciate it was a long read, but I was on a flow.... I've given some more details below in Red.

ptwilliams wrote:
I've answered in-line...

Hi,

Sorry for the cross-post, but I've a bunch of questions covering a range
of topics. I've posted some of these independently to separate groups in
the past, but haven't had answers to some (and I didn't understand the
others...) Hope you can help...

Setup: test network at present, Currently 1 W2K AS DC/DNS/DHCP. W2K
Pro/XP only clients. Real network will be only 1/2 user ids spread over
about 50-60 clients, one domain.

1) Script Replication - Do the W2K Login scripts in Group Policies get
automatically synced across DCs ? I know NT4 didn't.

Yes, if they're in the SYSVOL they'll get replicated.

Ta.

2) Admin of local Clients - I've a Domain "Lab", under that I've the
standard Container for Builtin, and a labadmin user defined. Then there's
a test OU, with its own test\testlaptop1,2,3 computers and test\testuser
user.

I want the testuser user to be local Administrator of the testlaptops
themselves, but not of the Domain or test OU itself. If I make
test\testuser part of the Lab\Builtin\Administrator group then won't
they be "admins" of the whole Domain?? How can I do what I want here ?
I think the answer is something to do with Restricted groups, but
haven't quite got the concept..

You are correct: adding to the (domain) local administrators group is giving
them administrative rights across all DCs. What you'll need to do is
configure the restricted groups part of a GPO. Adding users into the
Administrators via this will add them to the local administrators group on
all domain members.

Could you give a summary on the Restricted usage? Do I add the user to the Lab\Builtin\Administrator group, and then put the Administrator group in the restrictions or something? Wouldn't that then affect ALL Admin users in that OU?? Rather than just the testuser id.


3) Login scripts - I've a bunch of various apps I need installed on
each testlaptop, everything from Office 2k to mcafee to DrTcpIp. I've
written some .bat login scripts that will do the job of installing,
logging and uninstalling/running the setup.exe, etc. But I'm wondering
if it's worth my while trying to put these into .zap scripts. I don't
have any 95/98/NT4 clients, 2000 and XP only. Opinions??
BTW: When do .msi/.zap installations run - at login only ??

If the apps are already .msi files deploy them via GPO. .zap is another
good way of doing this. When you deploy apps using GPOs you have a few
options: publish to a user, assign to a user and assign to a computer.

Publishing to a user means that a user goes into add/ remove and the add
programs part and any published apps will show up in here. The user
selects the app he/ she wants and it gets installed using a set of elevated
credentials.

Assigning to a user will install the app upon logon. Note. If the user
logs onto multiple computers the app will be installed on each computer.

Assigning to a computer will deploy when GPO is applied before the winlogon
screen.

Using "assign to computer", what happens if there are prompts in the setup - "Press Ok to continue.." etc?

Generally it'll fail. Although, it may just use the defaults sometimes. I've seen it fail, and accept the defaults. I guess it all comes down to the .msi file and how the author has configured it. For Office, you use the resource kit tools to create transform files if you want to do anything other than the default configuration, as the .msi will install the default options.

And for Assign to user, does that mean that - for example - Office 2K would get installed twice if two users login to the same PC ??

No, I believe it's clever enough to realise that it's already there and stop (but haven't actually tested this).

4) Start vs CMD - My initial script will be "hidden" so that I can
guarantee the sub-scripts run. My Logon scripts execute Start "with
params" to install the above apps, actually running another .bat script
first. This leaves the CMD window open at a prompt (because Start calls
CMD with a /K option). If I put an "exit" at the end of the Start'ed
.bat script then the window closes in error (I hear a beep when Login
finishes). I want my master login script to kick off "about to
install..." messages windows before kicking off the actual setup.exe
runs - what's the best method? I can live with the beeps, but I must be
missing something...

Yes, there's a way of hiding the windows, but I don't know it...somebody
else will have to answer that ;-)


Ta anyway.

5) Protected Windows - When the above .bat scripts are running, I see
that they can actually be "closed" by the user, prior to completion. Any
way of disabling the "close window" buttons during Logon ?

See above answer.


6) Disable local PC logins - I'd like to disable the ability to login
locally on a client PC, except with a Domain ID, but I think that'll
conflict with 2) above where users have admin rights. Once a PC's added
to the domain I'd like to remove the "testlaptopX" from the drop down
Domain selection list at the login prompt. If I can't do that, then I
need a way of automatically removing all logins except the Administrator
login, and then a way of changing the Administrator login password.

If you want to stop users logging on using local accounts either disable or
delete the local accounts.

I don't think you can remove anything from that drop-down list. The best
thing is to uncheck the options button so that the users cannot see that by
default.

Ok - do you know any tools/commands for removing accounts from scripts or remotely??

Not off the top of my head! I'm afraid I'm not much of a scripter (yet, although I intend to start learning before the end of the year...)

I would post another question here, and possibly link it to the scripting newsgroup for this. There are some real scripting gurus here that'll point you in the right direction (or even do it for you). I've seen bits and pieces of script floating around for removing users from an AD, I can't see a local machine being much different (probably easier actually).

7) Midnight scripts - Most of the PCs in the domain will remain logged
on. I'd like to have each PC run a script at midnight to check for
updated s/w installs. I've experimented with Scheduled tasks, but hit
authentication issues. Can AD help with this??

I don't understand what you mean here. Can you elaborate please? What kind
of s/w installs, and what kind of authentication issues?


Ok - some more detail - If I install apps via logon scripts, and the user never logs off, then that PC may not get the patches I need to install. So I thought the best way around that was to have the PC run a standard "re-fresh"ing script each day. Then I can put into that script any updates.

What kind of software are we talking about?? I would always use GPOs to install software over scripts. If you've got legacy clients, or wish to be quite granular about who gets the software, and at specific times, disabling reboots, etc. then you should look at SMS. I would probably use SMS over GPOs as well...

When I tried to do this, I tried to put the Scheduled Task in via "reg" update commands within the Login scripts. But in 2000/XP you have to also specify a user/password in the Scheduled Task. And that's where I hit a problem as I couldn't enter the user/password as part of the script. Is there an AD way of doing this??

This will depend on what you are trying to do. If you configure a task using the AT command or the scheduled tasks wizard, this will run as the SYSTEM account. Obviously, this doesn't help much if you are trying to access network resources. The first thing that springs to mind with this is to configure the task via the runas command.

These links may help:

-- http://www.winnetmag.com/Windows/Article/ArticleID/23164/23164.html
-- http://support.microsoft.com/?id=300160
-- http://www.winnetmag.com/Windows/Article/ArticleID/20769/20769.html


8) Auto lock - What's the GPO for having the PC auto-lock after xx
minutes?? - buggered if I can find it.

It's the screen saver time out and password protect screen saver options:

\User Configuration\ Administrative Templates\ Control Panel\ Display\
Password protect the screen saver
\User Configuration\ Administrative Templates\ Control Panel\ Display\
Screen Saver timeout

Ta.

9) Timezone - I've got the SNTP working, and I've put a net time /domain
/set /y command in the login scripts, but I can't figure out how to
force the clients to use a specific timezone - any advice ??

There's no need to do that in the logon scripts. Windows Time (w32time.exe)
automatically keeps your time synchronised. Only configure the forest root
domain PDCe to synchronise time with another source.

Timezones are regional options. Either configure upon building the PC, or
have a look through the GPO.

Any idea where? I've looked but can't find it.

Not at the moment. I'll have a dig. In the mean time, I'd hit google...



10) SUS Reboots - I've got SUS services and Autoinstall running. I can't
have the PCs auto-reboot straight after install, only when users aren't
doing critical work, so it'll pop-up with the "should reboot to
continue..." message at present. Is there any way of seeing which PCs
have been rebooted after install?? Or forcing a reboot if, say, that PC
hasn't been rebooted within 7 days after install. I'll be logging
within the Login scripts so I could tell manually which PCs have been
rebooted, but is there a way of automating it?

Here's a good place to have a look: www.susserver.com


11) SUS Reboots 2 - Within SUS, the white-paper says the above
no-reboot settings apply when a user is logged in. Does that mean that
when a PC is left at the login screen that it will auto-reboot anyway??

No, I believe if you set it to not reboot it doesn't - period.


12) Finally - I'm trying to figure out which is the best starting point
for Microsoft training courses. I'm reading books, online, etc on AD,
DNS and DHCP, but when I try to see what course/certificate to try and
start with I get lost... MVP vs MSFT... and can anyone recommend a good
company for this in the UK?

An MVP isn't a certification as such. You cannot sit an exam and get it.
MS simply awards you one for being a real expert and helping people in these
newsgroups and public forums, etc.

Microsoft certifications are MCP, MCSA and MCSE for administrators (there's
also DBS and Developer ones). If you are planning on becoming an MCSA/E
then you will need to buy the books, read the books, work in an environment
that uses this technology, setup labs, and work very hard. Choose what you
want and then have a look at www.microsoft.com/learning for more info.

I'm currently heading towards both my MCSA and MCSE in Win2000. I then plan
to upgrade this to 2003. Some of my colleagues who are NT4 MCSEs are simply
going for the 2003 certs as we've got a lot of work coming up with 2003...

As for courses, there are loads. I would use www.google.co.uk to try and
pin down what you want. Prices are usually fixed at a certain price and
then go up and up. You can barter these prices ;-)


Ok, that's all I can think of. Come on you MVPs and MSFTs... see if you
can meet the challenge...

Ta v. much.
Adrian

Maybe next time, you could try and post several different questions, eh??
;-)

I hope I've helped in some way, as that took ages to work through!!!


You're a star!
--


Hope this helps,

Paul Williams
_________________________________________
http://www.msresource.net

Join us in our new forums!
http://forums.msresource.net
_________________________________________
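
The two settings named in the answer to question 8, checked from saved `reg query` output so that clients which never received the GPO can be spotted; this is an added example and not part of the original thread. The per-user policy registry key, the 900-second threshold and both sample outputs are assumptions or constructed for illustration.

```python
import re

# Per-user policy key that the screen saver policies write to (assumed here,
# not stated in the thread).
POLICY_KEY = r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop"

# Constructed samples of `reg query "<POLICY_KEY>"` output from two clients.
SAMPLE_OK = r"""
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop
    ScreenSaveActive    REG_SZ    1
    ScreenSaverIsSecure    REG_SZ    1
    ScreenSaveTimeOut    REG_SZ    600
"""
SAMPLE_WEAK = r"""
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop
    ScreenSaveActive    REG_SZ    1
    ScreenSaveTimeOut    REG_SZ    3600
"""

VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*\S)\s*$")


def parse_reg_query(text):
    """Return {value_name_lowercase: data} for the policy key only."""
    values, in_key = {}, False
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            in_key = line.strip().lower() == POLICY_KEY.lower()
            continue
        match = VALUE_LINE.match(line)
        if in_key and match:
            values[match.group(1).lower()] = match.group(3)
    return values


def audit_autolock(text, max_idle_seconds=900):
    """List the ways a client falls short of an enforced auto-lock."""
    v = parse_reg_query(text)
    findings = []
    if v.get("screensaverissecure") != "1":
        findings.append("Password protect the screen saver: not enforced")
    timeout = v.get("screensavetimeout", "")
    if not timeout.isdigit() or int(timeout) == 0:
        findings.append("Screen Saver timeout: not set")
    elif int(timeout) > max_idle_seconds:
        findings.append(f"Screen Saver timeout: {timeout}s exceeds {max_idle_seconds}s")
    if v.get("screensaveactive") == "0":
        findings.append("Screen saver disabled by policy")
    return findings
```

An empty list means both policies are applied and the idle time is within the threshold.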
 
