Page 1 of 1 1
Topic Options
#138756 - 2005-04-26 11:07 PM GPO Change-over
Kdyer Offline
KiX Supporter
*****

Registered: 2001-01-03
Posts: 6241
Loc: Tigard, OR
There have been quite a number of questions with regard to GPO and KiX and hopefully, this will help. Please provide any feedback, criticisms, etc.

Here goes:

You ** MUST ** be a Domain Administrator or better to do this task
This assumes that you have Group Policy Management Console.
(1) Find the user(s) you want to modify in the OU and remove under Profile, the Login Script, or you can remove this using an AD script:
Code:

Break ON
CLS

$groupobj = GetObject("WinNT://"+@ldomain+"/Domain Users")
For Each $userobjg in $groupobj.members
$userobj = GetObject("WinNT://YOUR_DC/"+$userobjg.name)
If InStr($userobjg.loginscript,'ntlogon')
?$userobjg.name+','+$userobjg.fullname
LOGGER('H:\scriptchange.txt',$userobjg.name+', '+$userobjg.fullname+@crlf)
$UserObjg.LoginScript = ""
$UserObjg.SetInfo
$UserObjg=""
LOGGER('H:\scriptchange.txt',$userobjg.name+@crlf)
EndIf
$userobjg.name=""
Next
?'process is complete.. press a key'
Get $
;Function LOGGER($logfil,$logdat)
;
;Author Kent Dyer (leptonator@hotmail.com)
;
;Contributors MBrecht on CramSession.com
; http://infocenter.cramsession.com/TechLibrary/GetHtml.asp?ID=721&GetDes=&CatID=293
; "Create Loginlog"
; Jooel (Lonkero) - Code cleanup
; Howard Bullock
;
;Action Writes to a Server Log
;
;Syntax LOGGER($logfile,$logdata)
;
;Version 1.2 - Recommendation by Howard Bullock
; 1.1 - Clean-up by Lonkero
;
;Parameters $logfile - Specify what server, share, and file is needed
; $logdata - Data to be written to the log
;
;Remarks This script addresses an issue with writing to logs if the file is open by
; another user it waits until they are done and has the log file closed.
; It does a 1 second wait until ready to write to the log till a maximum of 6 seconds and then exits the routine.
; The 5x3 wait routine is not used anymore.
;
;Returns Writes to a file. No visible user output.
;
;Dependencies All Domain Users being able to write to a server share
;
;KiXtart Ver 4.02
;
;Example(s) ; -- Data
; $logshare='\\SERVER\LOGINFO'
; $logfile=$logshare+'\HOTBAR.TXT'
; $logdata=@date + ',' + @time + ',' + @userid + ',WinNT,' + @wksta + @CRLF
; ; -- Example
; LOGGER($logfile,$logdata)
;
FUNCTION LOGGER($logfile,$logdata)
DIM $n
While Open(1,$logfile,5)<>0
If $n
'.'
Else
? 'Please wait'
EndIf
$n=$n+1
If $n=6
Exit(1)
Endif
Sleep 1
LOOP
$n=WriteLine(1, $logdata)
$n=Close(1)
ENDFUNCTION



(2) In Active Directory Users and Computers, go into the OU that you want to modify and open Group Policy Management..
(3) In Group Policy Management, right-click on the OU and Select "Create and link a GPO Here"
(4) In the New GPO, provide a Name: Login Script
Click OK
(5) In the Right Pane, right-click on the newly created GPO and choose edito

Note: Scripts can be defined in GPO in one of two locations -
  • Computer Configuration/Windows Settings/Scripts (Startup/Shutdown) << This should be by machine
    Note: a per-machine script runs under SYSTEM context (meaning admin privs).
    But not network access unlesss SYSTEM is specifically granted network access.
  • User Configuration/Windows Settings/Scripts (Logon/Logofft) << This is by user and is the preferred method

(6) Open the Logon by double-clicking on it.
(7) Click the Add.. Button and add the needed files.
We will just add in one batch file - NTLOGON.BAT and it contains the following:
\\domain.tld\netlogon\WKiX32.exe \\domain.tld\netlogon\script.KiX
Note: You can still keep your W/KIX32.EXE in the Netlogon folder..

If you choose to do:
\\domain.tld\netlogon\WKiX32.exe \\domain.tld\netlogon\OU\script.KiX
Then \\domain.tld\netlogon\OU needs to exist, for example:
\\domain.tld\netlogon\Accounting
\\domain.tld\netlogon\Marketing
\\domain.tld\netlogon\Sales
\\domain.tld\netlogon\HR
etc.

Or, better yet:
\\domain.tld\netlogon\CompanyA
\\domain.tld\netlogon\CompanyB
\\domain.tld\netlogon\CompanyC
\\domain.tld\netlogon\CompanyD
etc.

and this makes it pretty easy to maintain/manage. Also, Enterprise-wide, changes are not as high-profile. The other advantage to this model is that you can have Representatives from IT in each of these areas maintain their own scripts.
(8)Click OK and close out of Group Policy and then close out of Group Policy Management

Note: You may not see immediate results as replication between your DCs has to occur

Thanks,

Kent
_________________________
Utilize these resources:
UDFs (Full List)
KiXtart FAQ & How to's

Top
#138757 - 2005-04-26 11:32 PM Re: GPO Change-over RFC for the FAQ Section
masken Offline
MM club member
*****

Registered: 2000-11-27
Posts: 1222
Loc: Gothenburg, Sweden
Quote:


Possible enhancements, provide example scripts and where to place WKIX32.EXE, etc.

Thanks,

Kent


That is the single most interesting part, so it definetly should be added

Note: a per-machine script (computer configuration - Startup/Shutdown) runs under SYSTEM context (meaning admin privs).

Must admit that I've never even tried running KiX via GPO, don't know if it even works


Edited by masken (2005-04-26 11:35 PM)
_________________________
The tart is out there

Top
#138758 - 2005-04-26 11:54 PM Re: GPO Change-over RFC for the FAQ Section
Kdyer Offline
KiX Supporter
*****

Registered: 2001-01-03
Posts: 6241
Loc: Tigard, OR
My apologies, I have made some changes

Kent
_________________________
Utilize these resources:
UDFs (Full List)
KiXtart FAQ & How to's

Top
#138759 - 2005-04-27 01:29 AM Re: GPO Change-over RFC for the FAQ Section
Sealeopard Offline
KiX Master
*****

Registered: 2001-04-25
Posts: 11164
Loc: Boston, MA, USA
Quote:


Note: a per-machine script (computer configuration - Startup/Shutdown) runs under SYSTEM context (meaning admin privs).




But not network access unlesss SYSTEM is specifically granted network access, so I remember.
_________________________
There are two types of vessels, submarines and targets.

Top
#138760 - 2005-04-27 02:00 AM Re: GPO Change-over RFC for the FAQ Section
Les Offline
KiX Master
*****

Registered: 2001-06-11
Posts: 12734
Loc: fortfrances.on.ca
Good job, Kent. Not sure I follow what you are trying to say with the OU path example, {AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}. In my company, when we came up with an OU design, I designed the NetLogon folder structure to follow that same OU tree structure. We delegate rights to OU_Administrators to both their OU and matching folder in NetLogon and to make it simple, we setup a hidden share on their local DC to the NetLogon subfolder for admin access only. OU_Admins are free to choose whether to deploy legacy logon scripts and/or GPO scripts.

I recall from past discussions, that Startup scripts do have limited network access to NetLogon without fiddling with any perms.
_________________________
Give a man a fish and he will be back for more. Slap him with a fish and he will go away forever.

Top
#138761 - 2005-04-27 02:21 AM Re: GPO Change-over RFC for the FAQ Section
Kdyer Offline
KiX Supporter
*****

Registered: 2001-01-03
Posts: 6241
Loc: Tigard, OR
Jens/Les - Changes implemented. Sorry, kind of threw this together at the end of the day.

Thanks!

Kent
_________________________
Utilize these resources:
UDFs (Full List)
KiXtart FAQ & How to's

Top
#138762 - 2005-04-27 03:08 PM Re: GPO Change-over RFC for the FAQ Section
Kdyer Offline
KiX Supporter
*****

Registered: 2001-01-03
Posts: 6241
Loc: Tigard, OR
Made one minor change with regard to company.

Kent
_________________________
Utilize these resources:
UDFs (Full List)
KiXtart FAQ & How to's

Top
Page 1 of 1 1


Moderator:  Jochen, Radimus, Glenn Barnas, Allen, Arend_, ShaneEP, Mart 
Hop to:
Shout Box

Who's Online
0 registered and 920 anonymous users online.
Newest Members
Timothy, Jojo67, MaikSimon, kvn317, kixtarts2025
17874 Registered Users

Generated in 0.09 seconds in which 0.042 seconds were spent on a total of 12 queries. Zlib compression enabled.

Search the board with:
superb Board Search
or try with google:
Google
Web kixtart.org