#138756 - 2005-04-26 11:07 PM
GPO Change-over
|
Kdyer
KiX Supporter
Registered: 2001-01-03
Posts: 6241
Loc: Tigard, OR
|
There have been quite a number of questions with regard to GPO and KiX and hopefully, this will help. Please provide any feedback, criticisms, etc.
Here goes:
You ** MUST ** be a Domain Administrator or better to do this task. This assumes that you have Group Policy Management Console.
(1) Find the user(s) you want to modify in the OU and remove under Profile, the Login Script, or you can remove this using an AD script:
Code:
Break ON
CLS

; Walk every member of Domain Users and clear the per-user login script
; wherever it still points at ntlogon, logging each account that is changed.
$groupobj = GetObject("WinNT://"+@ldomain+"/Domain Users")
For Each $userobjg in $groupobj.members
  ; Replace YOUR_DC with the name of one of your domain controllers
  $userobj = GetObject("WinNT://YOUR_DC/"+$userobjg.name)
  If InStr($userobjg.loginscript,'ntlogon')
    ?$userobjg.name+','+$userobjg.fullname
    LOGGER('H:\scriptchange.txt',$userobjg.name+', '+$userobjg.fullname+@crlf)
    $userobjg.LoginScript = ""
    $userobjg.SetInfo
    LOGGER('H:\scriptchange.txt',$userobjg.name+@crlf)
    ; The loop variable is reassigned by For Each on every pass, so it is
    ; not cleared here: clearing it before the LOGGER call above would
    ; leave nothing to log.
  EndIf
Next
?'process is complete.. press a key'
Get $

;Function      LOGGER($logfile,$logdata)
;
;Author        Kent Dyer (leptonator@hotmail.com)
;
;Contributors  MBrecht on CramSession.com
;              http://infocenter.cramsession.com/TechLibrary/GetHtml.asp?ID=721&GetDes=&CatID=293
;              "Create Loginlog"
;              Jooel (Lonkero) - Code cleanup
;              Howard Bullock
;
;Action        Writes to a Server Log
;
;Syntax        LOGGER($logfile,$logdata)
;
;Version       1.2 - Recommendation by Howard Bullock
;              1.1 - Clean-up by Lonkero
;
;Parameters    $logfile - Specify what server, share, and file is needed
;              $logdata - Data to be written to the log
;
;Remarks       This script addresses an issue with writing to logs if the file is open by
;              another user it waits until they are done and has the log file closed.
;              It does a 1 second wait until ready to write to the log till a maximum of 6 seconds and then exits the routine.
;              The 5x3 wait routine is not used anymore.
;
;Returns       Writes to a file. No visible user output.
;
;Dependencies  All Domain Users being able to write to a server share
;
;KiXtart Ver   4.02
;
;Example(s)
;              -- Data
;              $logshare='\\SERVER\LOGINFO'
;              $logfile=$logshare+'\HOTBAR.TXT'
;              $logdata=@date + ',' + @time + ',' + @userid + ',WinNT,' + @wksta + @CRLF
;
;              -- Example
;              LOGGER($logfile,$logdata)
;
FUNCTION LOGGER($logfile,$logdata)
  DIM $n
  ; Retry once a second while the log file is held open by someone else
  While Open(1,$logfile,5)<>0
    If $n
      '.'
    Else
      ? 'Please wait'
    EndIf
    $n=$n+1
    ; Give up after six attempts
    If $n=6
      Exit(1)
    Endif
    Sleep 1
  LOOP
  $n=WriteLine(1, $logdata)
  $n=Close(1)
ENDFUNCTION
(2) In Active Directory Users and Computers, go into the OU that you want to modify and open Group Policy Management.
(3) In Group Policy Management, right-click on the OU and select "Create and link a GPO Here".
(4) In the New GPO, provide a Name: Login Script. Click OK.
(5) In the Right Pane, right-click on the newly created GPO and choose Edit.
Note: Scripts can be defined in GPO in one of two locations -
- Computer Configuration/Windows Settings/Scripts (Startup/Shutdown) << This should be by machine
Note: a per-machine script runs under SYSTEM context (meaning admin privs), but without network access unless SYSTEM is specifically granted network access.
- User Configuration/Windows Settings/Scripts (Logon/Logoff) << This is by user and is the preferred method
(6) Open the Logon by double-clicking on it.
(7) Click the Add.. Button and add the needed files. We will just add in one batch file - NTLOGON.BAT and it contains the following:
\\domain.tld\netlogon\WKiX32.exe \\domain.tld\netlogon\script.KiX
Note: You can still keep your W/KIX32.EXE in the Netlogon folder.
If you choose to do:
\\domain.tld\netlogon\WKiX32.exe \\domain.tld\netlogon\OU\script.KiX
Then \\domain.tld\netlogon\OU needs to exist, for example:
\\domain.tld\netlogon\Accounting
\\domain.tld\netlogon\Marketing
\\domain.tld\netlogon\Sales
\\domain.tld\netlogon\HR
etc.
Or, better yet:
\\domain.tld\netlogon\CompanyA
\\domain.tld\netlogon\CompanyB
\\domain.tld\netlogon\CompanyC
\\domain.tld\netlogon\CompanyD
etc.
and this makes it pretty easy to maintain/manage. Also, Enterprise-wide, changes are not as high-profile. The other advantage to this model is that you can have Representatives from IT in each of these areas maintain their own scripts.
(8) Click OK and close out of Group Policy and then close out of Group Policy Management.
Note: You may not see immediate results as replication between your DCs has to occur.
Thanks,
Kent
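Step (1) as a PowerShell dry run, added here as an example and not part of the original post. It assumes the ActiveDirectory module (RSAT) is installed; the function name, the OU path and the CSV path are hypothetical. It limits the change to one OU, saves the old values for rollback, and only previews the change while -WhatIf is present.

```powershell
#Requires -Modules ActiveDirectory
# Added example: audit, back up, then clear the per-user logon script attribute.
# Function name, OU path and CSV path are hypothetical; adjust to your domain.
function Clear-LegacyLogonScript {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [string] $SearchBase,     # OU being moved to the GPO
        [string] $Pattern   = 'ntlogon',                  # same match as the post's InStr() test
        [string] $BackupCsv = '.\scriptpath-backup.csv'   # rollback record
    )

    # scriptPath is the LDAP attribute behind the Profile tab's "Logon script" field.
    $users = @(Get-ADUser -SearchBase $SearchBase `
                          -LDAPFilter "(scriptPath=*$Pattern*)" `
                          -Properties scriptPath)

    # Record the old values before anything changes. -WhatIf:$false forces the
    # backup to be written even when the function itself runs with -WhatIf.
    $users | Select-Object SamAccountName, DistinguishedName, scriptPath |
        Export-Csv -Path $BackupCsv -NoTypeInformation -WhatIf:$false

    $cleared = 0
    foreach ($u in $users) {
        # ShouldProcess honours -WhatIf and -Confirm, so a preview changes nothing.
        if ($PSCmdlet.ShouldProcess($u.DistinguishedName,
                "Clear scriptPath '$($u.scriptPath)'")) {
            Set-ADUser -Identity $u -Clear scriptPath
            $cleared++
        }
    }

    # Summary object: how many accounts matched and how many were actually changed.
    [pscustomobject]@{ Matched = $users.Count; Cleared = $cleared; Backup = $BackupCsv }
}

# Preview only: lists the accounts that would change and writes the backup CSV.
Clear-LegacyLogonScript -SearchBase 'OU=Accounting,DC=domain,DC=tld' -WhatIf
```

Run it again without -WhatIf once the linked GPO is confirmed to be applying, so no user is left without a logon script in between.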
#138758 - 2005-04-26 11:54 PM
Re: GPO Change-over RFC for the FAQ Section
|
Kdyer
KiX Supporter
Registered: 2001-01-03
Posts: 6241
Loc: Tigard, OR
|
My apologies, I have made some changes
Kent
#138761 - 2005-04-27 02:21 AM
Re: GPO Change-over RFC for the FAQ Section
|
Kdyer
KiX Supporter
Registered: 2001-01-03
Posts: 6241
Loc: Tigard, OR
|
Jens/Les - Changes implemented. Sorry, kind of threw this together at the end of the day.
Thanks!
Kent
#138762 - 2005-04-27 03:08 PM
Re: GPO Change-over RFC for the FAQ Section
|
Kdyer
KiX Supporter
Registered: 2001-01-03
Posts: 6241
Loc: Tigard, OR
|
Made one minor change with regard to company.
Kent