Group Policy Startup Script

Hi,
We have a requirement to delete some of the files from all the desktops in Domain. We have already created a script to achieve the same. But when we are applying the same as startup script for the PC's it is not deleting the files. If we apply as logon script
then it can delete some files because user does not have access to delete all the files. For this reason we want to apply it on startup so that it can run with SYSTEM privilege and delete files but it is not happening.
Please suggest if there is any reason for which the startup script is not able to delete the files. I have already checked by doing RSOP.MSC and GPRESULT and found the script to be present in the startup.
There is no log in the event viewer related to this.

Hi Sukhwin08,
According to your post, the gpresult showed the Startup script has been applied but the script could not run successfully. Right? Please follow the following step to narrow down the issue:
1. Change the script to the following command:
add > %SystemDrive%\Users\test.txt to the script.
2. Log on to a client with a regular user account, run
gpupdate/force, and then re-log on to this client.
3. Check if the test.txt file exists in this location
%SystemDrive%\Users.
If the test.txt file exists, Startup script is applied successfully. But the result of running logon script achieves the goal we expect or not which is still not sure.
Regards,
Lany Zhang

Similar Messages

Group Policy Startup Script Applies My Policy But Does Not Run The Acual Scripts

I have created a basic batch file with msiexec.exe to uninstall a program on startup and then another separate .bat script to install the same program but the newer version. The software I'm referring to has to be completely uninstalled BEFORE
I install the "newer" version of the same program, it cannot just be overwritten. If I run a gpupdate /force on the client computer and restart, the scripts run as they are supposed to and everything works but the problem is that I can't get it to
run on first boot on a computer that has been turned off for months, even after multiple reboots it still doesn't run the scripts. The 3 policies apply to the different computers/users but the scripts don't run. I manage a theme park that is
only open 4 months of the year so the rest of the time the in park PC's are turned off. I have created my OU as "POS Computers & Users" which has all of the computers and users that will take this policy. I also have 3 Group Policy
Objects attached to this OU in Group Policy, 1 is the program uninstallation .bat script policy that runs on startup, 2 is the install .bat script policy that runs after the uninstallation script, and 3 is the Default Policy for the OU. I already have the
"Always wait for the network at computer startup and logon", "Run startup scripts visible"enabled, "Run startup scripts asynchronously" disabled, and "Run Logon Scripts Synchronously" enabled for all 3 of the
policies. They are all "link enabled" and security filtering is set to only the OU I mentioned earlier so that it doesn't affect anyone else. I have the link order set as the script I want to run first as the last and the one I want to run last first
because from what I understand inheritance is from bottom to top. The install file is accessible by everyone with full permissions on our "Shared" drive so I know its not a permissions issue because it runs after a gpupdate /force with a restart.
The scripts are in the proper folder for the policies they are attached to and permissions are fine.
Here is my uninstall .bat script (msiexec.exe /X{14324A6A-BDD1-4F40-8E77-664C8AEEA251} /forcerestart /qb-! ALLUSERS=1 REMOVE=ALL)
Here is my install .bat script (msiexec.exe /i {\\kksrvad\shared\Gatemaster\NewGatemaster.msi} /qb ALLUSERS=1)

Can't be done in a login script.
This is a Group Policy issue and not a scripting issue. You do not have a script. You have a command saved in a batch file and you are using a GPO. Not a scripting issue.
¯\_(ツ)_/¯

Group Policy Logon Script to create folder based on username, run as admin

Hello,
I'm at a loss as to how to make this work. I wrote the following PowerShell script that will check to see if the currently logged in user has a folder on a share, and if not it will create the folder and set appropriate permissions. I want to
run it as a Group Policy Logon Script, however I need to run this script as an administrator because users don't have any write/create access at the folder level of the file share. The problem with that then becomes $ENV:Username resolves to the admin
account the script is running under.
Any ideas?
Thanks!
Ryan
# Declare Variables
$strName = $env:USERNAME
$strDomain = $env:USERDOMAIN
If ($strDomain -eq "domain.org") {
# Split Username into 2 variables
$data = $strName.Split("_")
$fname = $data[0]
$lname = $data[1]
#Find first character of last name
$firstcharacter = $lname[0]
# Figure out if last name begins with A-M or N-Z
$A_M=$firstcharacter -match "[a-m]"
$N_Z=$firstcharacter -match "[n-z]"
# Checks to see if folder exists
If ($A_M -eq $true){$FolderExists = Test-Path "\\staff-files\staff\Last Name A-M\$strName"}
elseif ($N_Z -eq $true){$FolderExists = Test-Path "\\staff-files\staff\Last Name N-Z\$strName"}
# Creates folder if it doesn't exist
If (($FolderExists -eq $false) -and ($A_M -eq $true)){
New-Item "\\staff-files.domain.org\Staff\Last Name A-M\$strName" -type directory
$DirPath = "\\staff-files.domain.org\Staff\Last Name A-M\$strName"
elseif (($FolderExists -eq $false) -and ($N_Z -eq $true)){
New-Item "\\staff-files.domain.org\Staff\Last Name N-Z\$strName" -type directory
$DirPath = "\\staff-files.domain.org\Staff\Last Name N-Z\$strName"
ElseIf ($strDomain -eq "students.domain.org") {
# Pull 2 digit year from username and make 4 digit year
$4digityear = "20" + $strName.Substring(0,2)
# Checks to see if folder exists
$FolderExists = Test-Path "\\files.domain.org\students\$4digityear\$strName"
# Creates folder if it doesn't exist
If ($FolderExists -eq $false) {
New-Item "\\files.domain.org\students\$4digityear\$strName" -type directory
$DirPath = "\\files.domain.org\students\$4digityear\$strName"
# Assign Permissions
If ($FolderExists -eq $false){
$target = $DirPath
$acl = Get-Acl $target
$inherit = [system.security.accesscontrol.InheritanceFlags]"ContainerInherit, ObjectInherit"
$propagation = [system.security.accesscontrol.PropagationFlags]"None"
$accessrule = new-object system.security.AccessControl.FileSystemAccessRule ("CREATOR OWNER","Modify",$inherit,$propagation,"Allow")
$acl.AddAccessRule($accessrule)
$accessrule = new-object system.security.AccessControl.FileSystemAccessRule ("NT AUTHORITY\SYSTEM","FullControl",$inherit,$propagation,"Allow")
$acl.AddAccessRule($accessrule)
$accessrule = new-object system.security.AccessControl.FileSystemAccessRule ("administrators","FullControl",$inherit,$propagation,"Allow")
$acl.AddAccessRule($accessrule)
If ($strDomain -eq "students.hempfieldsd.org"){
$accessrule = new-object system.security.AccessControl.FileSystemAccessRule ("DOMAIN\Domain Users","Modify",$inherit,$propagation,"Allow")
$acl.AddAccessRule($accessrule)
$accessrule = new-object system.security.AccessControl.FileSystemAccessRule ("DOMAIN\Staff_Tech","FullControl",$inherit,$propagation,"Allow")
$acl.AddAccessRule($accessrule)
$accessrule = new-object system.security.AccessControl.FileSystemAccessRule ("DOMAIN\Enterprise Admins","FullControl",$inherit,$propagation,"Allow")
$acl.AddAccessRule($accessrule)
$accessrule = new-object system.security.AccessControl.FileSystemAccessRule ($strName,"FullControl",$inherit,$propagation,"Allow")
$acl.AddAccessRule($accessrule)
$acl.SetAccessRuleProtection($true,$false)
$acl.SetOwner([System.Security.Principal.NTAccount]$strName)
Set-Acl -AclObject $acl $target
Ryan Breneman - Systems Administrator - Hempfield School District

Thanks jrv. That is kind of what I thought but wasn't sure. I think I will attack this a different way and modify the script to run through all the AD accounts and check for folder existence and create if needed. Perhaps I'll play
with System Center Orchestrator and run it inside there.
These folders aren't being used for profile storage, and we already have folder redirection pointing to them, however I don't want a user to login to citrix and not have anywhere to save if they didn't have a folder to redirect to.
Folders are supposed to be created when the staff member/student AD account is created, but it doesn't always happen.
Thanks for your help!
Ryan Breneman - Systems Administrator - Hempfield School District

Ssh install on solaris core group installation - startup scripts?

hi all,
i have a fresh "core group" installation of solaris 11/06 now up and running.
I have added the following pkg to get ssh running.
bash-3.00# pkginfo |grep ssh
system SUNWsshcu SSH Common, (Usr)
system SUNWsshdr SSH Server, (Root)
system SUNWsshdu SSH Server, (Usr)
system SUNWsshr SSH Client and utilities, (Root)
system SUNWsshu SSH Client and utilities, (Usr)
so it is installed. I have manually created ssh_host_keys and I can start and use sshd/sftp -server. However I'm in need to find the best way of starting this up at boot. I have followed a link to Sun Blueprints for open ssh startup scripts.
http://www.sun.com/blueprints/tools/ > secureshell-tools.tar.Z
however this relies on prng (psuedo random number generator). my "default installation" of solaris 10 11/06 does not have this installed and ssh works fine, so I am reluctant to go down prng path.
furthermore searching my "default installation" of solaris 10 11/06 i can not see any ssh startup scripts that I could heist
please advise best practice

fixed for now
http://www.sun.com/bigadmin/content/selfheal/smf-quickstart.html > Enabling and disabling services
since solaris 10, use "svcadm"
ie
mybox86# svcadm enable network/ssh:default
very nice.

Office 2010 setup thru computer startup script

I am trying to install Office 2010 (sp2 seperate in the updates folder) thru group policy startup script and configured with OCT .msp file. Also try to start Access Runtime 2010 with SP2 update in the updates folder.
In group policy set run scripts asynchronisely disabled and run scripts visible enabled otherwise i could not see what the system was doiing also not when configiguring OCT with full display. The gpo settings lets the screens show during install so the user
can see what happens.
There is another problem that rises however: I have made 2 batchfiles and both are starting as a computer startup script in seperate gpo's (that is in another post). First the Accessruntime is installing, after that Office 2010 is running. Both are installed
after login but only one of the 2 have SP2 installed (7015) in this case Accessruntime has it. When i run only the Office 2010 install and not the Accesruntime 2010 then Office 2010 standard has also SP2 installed (version 7015). When running both only Runtime
has this sp2 and Office has 4763 this is without sp2 i believe.
In both folders (Office en Runtime) are the update files .msp in the updates folder of the installation, so thats ok.
Why is only 1 of the 2 installing the SP2 when running both?
A second thing is when restarting the system and before the login screen appears a message: Upgradepatch cannot be installed by Windows installer becasue the upgraded program does not excist of the upgradepatch is not suitable for this program?
Here is part of the batchfile:
IF EXIST "c:\program files\Microsoft Office\Office14\WINWORD.EXE" (goto mkfile) ELSE (goto DeployOffice)
:mkfile
ECHO Office 2010 is reeds geinstalleerd>c:\temp\office.txt
goto end
:DeployOffice
call cscript \\sharename\office2010\Offscrub03.vbs ALL /bypass 1 /q /s /NoCancel
start /wait %DeployServer%\setup.exe /adminfile %DeployServer%\officeconfig.msp
echo %date% %time% Setup ended with error code %errorlevel%. >> %LogLocation%\%computername%.txt
Another batchfile
start \\sharename\accessruntime2010\setup.exe /config \\share\accessruntime2010\config.xml
REM echo %date% %time% Setup ended with error code %errorlevel%. >> %LogLocation%\%computername%.txt
freddie
after installing both runtime and office both have SP2 in updates folder:
runtime 4763
Office 2010: 7015
So in this example runtme is installed without the SP2. installing runtime alone gives with SP2...
The message is gone. There was a other policy inherited from above that caused the message. The only problem now is that when installing both, runtime 2010 with SP2 files and Office 2010 with SP2 files, then one of the two don't get the Sp2 installed, why
is that?

> In the bat file, I have a line that records if the install completes
> successfully or failed. I don't have any other logging in my
> script. Are you referring to something like GPO logging? I know that
> the script runs because when I am looking at one of the PCs, I can
So it is NOT GP related but rather your script fails?!? Put some "echo
%~n0 %date% %time%>>Log-File-Of-Your-Choice.txt" in it to check what's
going on. And put ">>Log-File-Of-Your-Choice.txt 2>&1" at the end of
critical commands to capture their output.
> I ran the gpresult /h command which shows all User Configuration
> policies, but NOTHING appears under the Computer Configuration section.
Admin commandline? If not, you don't see computer settings :)
Martin
Mal ein
GUTES Buch über GPOs lesen?
NO THEY ARE NOT EVIL, if you know what you are doing:
Good or bad GPOs?
And if IT bothers me - coke bottle design refreshment :))
Martin,
I still did not figure out why the installation script did not work for some of the PCs, even though the PCs have the same image. For the ones that don't work, I will install manually. Can you please look at the screenshots of the GPO
settings I am using, and let me know if there is any settings that I need to remove or add?
Thanks

How can I disable IPv6 EUI randomization with group policy?

I need to turn off IPv6 EUI address randomization. It can be done in netsh (a few commands) or powershell (Set-NetIPv6Protocol -RandomizeIdentifiers Disabled). How can I do this in group policy without scripting?

Hi Jordan,
Before going further, I hope that the suggestion provided by Martin can be helpful.
It seems that we can't configure this setting via native policy.To configure IPv6 settings,
we need to download ADMX files for IPv6. However, per the following article, the IPv6 settings that can be configured are:
Enable all IPv6 components
(Windows default)
Disable all IPv6
components (the setting you probably want)
Disable 6to4
Disable ISATAP
Disable Teredo
Disable Teredo and 6to4
Disable all tunnel
interfaces
Disable all LAN and PPP
interfaces
Disable all LAN, PPP and tunnel
interfaces
Prefer IPv4 over IPv6
How to Disable IPv6 through Group Policy
http://social.technet.microsoft.com/wiki/contents/articles/5927.how-to-disable-ipv6-through-group-policy.aspx
TechNetSubscriber Support
If you are TechNetSubscription user and have any feedback on our support quality, please
send your feedback here
Best regards,
Frank Shen
Please read the question before marking things as answers.

Group policy - 'install pending - reboot required'

I have deployed software using GPO - Computer Configuration - Assigned software. This has worked with flying colors for most computers on our domain - all running Windows 7 x86. Only a select few computers have failed to get this software installed.
When I checked RSOP.msc, I get a message that the install is pending and awaiting reboot. These machines have rebooted many times and yet the same message appears on RSOP and the software has yet to actually install.
Where is it getting hung up? Is there some sort of install cache that I can clear on the PC so GPO will try to send the install from scratch?
We have tried several things to try to isolate variables:
Tried gpupdate /force - I am prompted to reboot, and when I do so the software does not install
Checked GP Result - shows that this software install policy was "applied" to the computer, yet it isn't installed
Checked RSOP.msc, I get a message that the install is pending and awaiting reboot - reboots do not resolve this
Added permissions for "everyone" at the distribution point NTFS and share (I doubt it's permissions anyway since installs were successful on most computers before we added more permissions)
Tried adding a Computer Configuration/Administrative Templates/System/Group Policy/Startup policy processing wait time - 20 seconds (I tried this after reading this forum question -
http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/2a2175bf-132f-46c2-bc5a-4c67932141e2/)
Furthermore, every test I try to manufacture grabs the GPO and installs the software with success. The only machines that fail are machines that aren't easy for me to access as people are using them during the workday.
I have grabbed the event viewer information for a failing PC "WOLF", these events show every time after logon as well:
Warning 1/11/2012 2:40:25 PM Application Management Group Policy 101 None
Log Name:      System
Source:        Application Management Group Policy
Date:          1/11/2012 2:40:25 PM
Event ID:      101
Task Category: None
Level:         Warning
Keywords:      Classic
User:          SYSTEM
Computer:      WOLF.domain.local
Description:
The assignment of application TeamViewer 6 (MSI Wrapper) from policy TeamViewer 6 MSI PDX failed. The error was : %%1274
Error 1/11/2012 2:40:25 PM Application Management Group Policy 103 None
Log Name:      System
Source:        Application Management Group Policy
Date:          1/11/2012 2:40:25 PM
Event ID:      103
Task Category: None
Level:         Error
Keywords:      Classic
User:          SYSTEM
Computer:      WOLF.domain.local
Description:
The removal of the assignment of application TeamViewer 6 (MSI Wrapper) from policy TeamViewer 6 MSI PDX failed. The error was : %%2
Warning 1/11/2012 2:40:25 PM Application Management Group Policy 108 None
Log Name:      System
Source:        Application Management Group Policy
Date:          1/11/2012 2:40:25 PM
Event ID:      108
Task Category: None
Level:         Warning
Keywords:      Classic
User:          SYSTEM
Computer:      WOLF.domain.local
Description:
Failed to apply changes to software installation settings. The installation of software deployed through Group Policy for this user has been delayed until the next logon because the changes must be applied before the user logon. The error was :
%%1274
Warning 1/11/2012 2:40:25 PM GroupPolicy 1112 None
Log Name:      System
Source:        Microsoft-Windows-GroupPolicy
Date:          1/11/2012 2:40:25 PM
Event ID:      1112
Task Category: None
Level:         Warning
Keywords:
User:          SYSTEM
Computer:      WOLF.domain.local
Description:
The Group Policy Client Side Extension Software Installation was unable to apply one or more settings because the changes must be processed before system startup or user logon. The system will wait for Group Policy processing to finish completely before the
next startup or logon for this user, and this may result in slow startup and boot performance.
Any help would be appreciated!
Thanks,
Elizabeth

> TeamViewer 6 MSI PDX failed. The error was : %%1274
Not really an error - more an information. Results from a "gpupdate" and
means "reboot now, please".
> from policy TeamViewer 6 MSI PDX failed. The error was : %%2
File not found. That's odd... May need further investigation.
> before the user logon. The error was : %%1274
See above - reboot required.
You may activate appmgmt debug logging and then post the resulting log
file: In HKLM\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics,
set AppmgmtDebugLevel (REG_DWORD) to 0x9b and examine
%windir%\debug\usermode\appmgmt.log after the next reboot.
If no other solution, you may try to cleanup the appmgmt history key so
that all SW deployment GPOs will be processed again: Rename
HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\AppMgmt and
recreate empty.
sincerely, Martin
A bissle "Experience", a bissle GMV... Wenn meine Antwort hilfreich war, freue ich mich über eine Bewertung! If my answer was helpful, I'm glad about a rating!

Group Policy - Computer Startup Scripts - Add/Set Default printer

Good Morning.
Let's say we have 2 offices, A and B, and only 1 user. The user is using Roaming Profiles. Each office has its own printer.
What I am trying to do, is make a Startup script that is specific to the COMPUTER being logged into so when any user logs into that computer, they get the printer in that office defined and set as default.
I am able to do this successfully with my script but ONLY if i have the script be on the USER side of GP (i.e. in the Logon script section)
That is great that that is working however, when my user goes to Office B, they still get mapped to Office A's printer if I use that method.
So I figured I could just modify my GP and run the same script from the STARTUP section of the computer, rather than the LOGON section of the user. It does not work.
Here is my script:
Set WRFCUNetwork = CreateObject("Wscript.Network")
PrinterPath = "\\fileserver\MAINTELLER"
PrinterDriver = "PrinterDriver"
WRFCUNetwork.AddWindowsPrinterConnection PrinterPath, PrinterDriver
WRFCUNetwork.SetDefaultPrinter "\\fileserver\MAINTELLER"
This is where I Have the script placed:
     Computer Configuration -> Windows Settings -> Scripts(Startup/Shutdown)
Once i'm in there, I double click Startup, click Add, and select my script which is named:
     MainPrinterSetup.vbs
I have this GP applied to ONE OU, and that OU has ONE computer in it (my test computer)
I login with a brand new user called "testuser" (creative, huh?) and basically nothing happens
except they log in and have some Microsoft Document Image Writer printer set as default (which by the way sure does slow the PC down to the point of it almost being broke if anyone actually tries to print to that by accident)
No Main Teller Printer, no anything.
The strangest part about this is, if i apply this script to the user LOGON scripts, it works fine, the printer is there, and is set as default. (but see above why that wont work for my situation)
So obviously the script works fine, but I guess i'm missing something when it comes to applying GP's to Computers rather than Users.
Can anyone shed some light as to why the script is not running (i'm guessing the script isn't even attempting to run, rather than failing, but i have no way to know that)
Thank you in advance!!
Derek Conlon
Network Administrator
WRFCU
EDIT: Here are the PC's info that i'm working on:
     Server: Windows Server 2003 Standard Edition (where my GP's are created and managed with AD)
     Target PC: Windows XP Professional SP3
EDIT #2: I manually navigated to the Script file after logging in and "opened" it and it added and set the default printer no problem. the issue is definately with the script running at startup.

I wanted to clarify a few things:
1. While it is true that printer connections are usually per user, it is definitely possible to create "global printers". There are a number of ways to do this, but two methods that come to mind are using:
a. "Rundll32 printui.dll,PrintUIEntry" option with the "/ga" switch. The "/ga" switch is the key here since it allows you to deploy printers "per machine" instead of "per user". More information
about this is available at:
http://members.shaw.ca/bsanders/NetPrinterAllUsers.htm
http://technet.microsoft.com/en-us/library/ee624057%28WS.10%29.aspx
http://www.computerperformance.co.uk/Logon/logon_printer_computer.htm
http://www.robvanderwoude.com/2kprintcontrol.php
b. The Print Management console that is available in Windows 2003 R2 and higher can help you deploy printers "per machine" in addition to "per user". More information about this is available at:
http://www.czsolution.com/print-management/print-management/print-management-console.htm#DeployingPrintersByGroupPolicy
http://technet.microsoft.com/en-us/library/cc753109%28WS.10%29.aspx
2. As Guy mentioned, Group Policy Preferences can help set the default printer. But there is another way to accomplish this. The problem with the computer startup portion is that it runs before the user logs in. And applying this script
in the login script section would not work per computer unless you used loopback processing. So another way to do this is to place a script that sets the default printer into the "All Users" startup folder. Items in the "All Users"
startup folder run for any user that logs into the computer, but it runs in the user's context. So, this script would effectively set the default printer on a "per machine" basis. The script method is a cruder way to approach the problem,
but it will help get the job done. Here are some resources on setting the default printer via script:
http://www.intelliadmin.com/index.php/2007/08/set-default-printer-from-a-script
http://www.computerperformance.co.uk/ezine/ezine17.htm

Assign a local logon script using Group Policy

Is there a way to assign a local logon script using Group Policy? The reason I ask is that I wrote a logon/logoff script that will record the date/time, user, and computer for everyone who logs on to any machine in the domain. Right now it's set on a domain
GPO, so it works great for domain accounts, but I'd like to extend that functionality to local accounts as well. The only way I know how to do that would be to set my script to run using the local policy. Since I don't want to manually go around to all 400+
machines in my domain, I would rather find a simpler way of modifying the local policy. Any ideas?

Martin, thank you for your response. That's exactly the kind of out-of-the-box answer I was looking for, unfortunately, it looks like I can only do that for Logon scripts. I don't see an option for Logoff. (Maybe the took the Logoff functionality out?
This article says there should be a Logoff item in the GPO, but they're talking about Windows 2000 in that article.)
Matthias, I started playing around with what you said, and I noticed that the "Scripts" key only seems to show up on my Windows 7 clients. The XP workstations don't have that key. Plus I did some testing, and I think I can do it without having
to mess with the registry at all.
So I think I have a workable solution at the moment. I found
this article that talks about copying Local Polices from one computer to another. I tried manually setting the Logon/Logoff scripts in the Local policy on a fresh machine. From that reference computer I copied the Scripts folder out of the %SYSTEMROOT%\System32\GroupPolicy\User
directory. It also created a gpt.ini file in the %SYSTEMROOT%\System32\GroupPolicy directory. The gpt.ini file contained an attribute called gPCUserExtensionNames, and one called Version. The gPCUserExtensionNames attribute specified two GUIDs, which
I assumed to be the GUIDs that identify the Local Policy. I tried manually creating the Local policy on several different machines, with several different Operating Systems, and those GUIDs always seemed to be the same (not sure why). So I copied the gpt.ini
file off the reference machine as well. When I placed all of the files I copied from the reference machine on to a new machine, everything seemed to work just fine (no registry modification necessary), with one caveat. It seemed to be running the script twice.
So I went back into the gpt.ini file and deleted one of the GUIDs listed under gPCUserExtensionNames, and now the script runs just once!
So I think this solution will work ok for me. We don't have any other Local Policies in place, so demolishing all existing Local Policies is perfectly acceptable in my case. I'm just not sure if I'm doing any damage by copying the gpt.ini file from a reference
machine (if anyone can expand on how that works, I would appreciate the peace of mind that I'm not making things worse by doing this). So all I need now is to write a Startup script, or an SCCM package to deliver the Logon scripts and associated ini files
to the appropriate location on all the domain PCs. Easy enough to do on my own. If anyone knows of a reason why this method is a bad idea, please post here. I'll be testing it out on a handful of PCs in the mean time.
Hi Guys,
Will this solution work for my case? I have a forcereboot batch script that I need to load on the local policy (logoff script through GPEDIT) however I can only load it manually. I need to do it on multiple machines (approx 5000 computers). I am having
trouble doing it using powershell. Is there any other options to do it?
Will I have to use the same GUID's you mentioned on the gpt.ini file? (gPCUserExtensionNames=[{42B5FAAE-6536-11D2-AE5A-0000F87571E3}{40B66650-4972-11D1-A7CA-0000F87571E3}] since it refers to the local script and how about the version on the gpt.ini file?
Thanks in advance.
Dash
https://social.technet.microsoft.com/Forums/en-US/1f636042-bcff-498d-93c0-e1aa89f80961/how-to-load-a-script-on-the-local-group-policy-on-multiple-computers?forum=mdopagpm

How can I setup a scheduled task to run a Powershell Script delivered as a Group Policy Preference

I have a Powershell script I want to run only once when a user logs onto their system. This script would move all the PST files from the Local drive and the Home drive to a folder location within the users profile. I wanted to run this as a Windows 7 Scheduled Task using Group Policy Preferences. How can I get this to happen short of a logon script? I have updated all the machines to WMF 4.0 so could I use a Scheduled Job instead? I wanted to run the script as the logon user but elevated.#Start Outlook and Disconnect attached PST files.
$Outlook = New-Object -ComObject Outlook.Application
$namespace = $outlook.getnamespace("MAPI")
$folder = $namespace.GetDefaultFolder("olFolderInbox")
$explorer = $folder.GetExplorer()
$explorer.Display()
$myArray= @()
$outlook.Session.Stores | where{ ($_.FilePath -like'*.PST') } | foreach{[array]$myArray+= $_.FilePath}
for
($x=0;$x-le$myArray.length-1;$x++)
$PSTPath= $myArray[$x]
$PST= $namespace.Stores | ?{$_.FilePath -like$PSTPath}
$PSTRoot= $PST.GetRootFolder() #Get Root Folder name of PST
$PSTFolder= $Namespace.Folders.Item($PSTRoot.Name) #Bind to PST for disconnection
$Namespace.GetType().InvokeMember('RemoveStore',[System.Reflection.BindingFlags]::InvokeMethod,$null,$Namespace,($PSTFolder)) #Disconnect .PST
#Move All PST files to the default location while deleting the PST files from their original location.
$SourceList = ("$env:SystemDrive", "$env:HOMEDRIVE")
$Destination = ("$env:USERPROFILE\MyOutlookFiles")
(Get-ChildItem -Path $SourceList -Recurse -Filter *.PST) | Move-Item -Destination $Destination
#Attach all PST files from the default location.
Add-type -assembly "Microsoft.Office.Interop.Outlook" | out-null
$outlook = new-object -comobject outlook.application
$namespace = $outlook.GetNameSpace("MAPI")
dir “$env:USERPROFILE\MyOutlookFiles\*.pst” | % { $namespace.AddStore($_.FullName) }

Mike,
I do not understand what appears to be a regular expression above. I did add the PowerShell script to the HKCU RunOnce Key as suggested.
Windows Registry Editor Version 5.00
C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -noprofile -sta -WindowStyle Hidden -ExecutionPolicy RemoteSigned -File "C:\scripts\Windows PowerShell\Move-PST.ps1"
I'm delivering this using Group Policy Preferences. It seems to fail or time out when run because the behavior is different if I run the script from within the PowerShell IDE. I added the parameters to the script and will try it again in the morning.

The Group Policy client-side extension Scripts failed ...

This is an error I've been seeing forever and it was always the impression that upgrading would resolve it, but it never has even in 10.3. 100% of our users get these errors in the Event Viewer:
Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1085
Date: 10/21/2010
Time: 8:04:52 AM
User: NT AUTHORITY\SYSTEM
Computer: XXXXXX
Description:
The Group Policy client-side extension Scripts failed to execute. Please look for any errors reported earlier by that extension.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
We also seem to have flakey policy issues where once in awhile a user will not be able to logon to Windows with Workstation Only while getting the " not allowed to logon interactively" message, other times the users report not being able to access the Windows Date and Time Properties and further sometimes they are unable to make system changes.
We have troubleshooted this and the only resolutions we've found are to run zac cc, zac ref, zac pl and sometimes it seems like deleting c:\windows\system32\grouppolicy will help.
In regards to the Event Viewer entry I posted, on any given machine I can issue the command gpupdate and it will put another entry into the Event Viewer (sometimes multiple ones). I've learned through research that if I "clean up" c:\windows\system32\grouppolicy\gpt.ini the errors go away, but once the policy is refreshed they come right back.
This is the version ZenWorks gives the users:
[General]
gPCFunctionalityVersion=2
gPCFunctionalityVersion=2
gPCMachineExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957D-509E-11D1-A7CC-0000F87571E3}][{3610EDA5-77EF-11D2-8DC5-00C04FA31A66}{0F6B957D-509E-11D1-A7CC-0000F87571E3}][{42B5FAAE-6536-11D2-AE5A-0000F87571E3}{40B6664F-4972-11D1-A7CA-0000F87571E3}][{4CFB60C1-FAA6-47F1-89AA-0B18730C9FD3}{0F6B957D-509E-11D1-A7CC-0000F87571E3}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]
Version=6488106
gPCUserExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}][{42B5FAAE-6536-11D2-AE5A-0000F87571E3}{40B66650-4972-11D1-A7CA-0000F87571E3}][{4CFB60C1-FAA6-47F1-89AA-0B18730C9FD3}{0F6B957E-509E-11D1-A7CC-0000F87571E3}][{A2E30F80-D7DE-11D2-BBDE-00C04F86AE3B}{FC715823-C5FB-11D1-9EEF-00A0C90347FF}]
This is the version I cleaned up:
[General]
gPCFunctionalityVersion=2
gPCUserExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}][{4CFB60C1-FAA6-47F1-89AA-0B18730C9FD3}{0F6B957E-509E-11D1-A7CC-0000F87571E3}][{A2E30F80-D7DE-11D2-BBDE-00C04F86AE3B}{FC715823-C5FB-11D1-9EEF-00A0C90347FF}]
gPCUserExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}][{A2E30F80-D7DE-11D2-BBDE-00C04F86AE3B}{FC715823-C5FB-11D1-9EEF-00A0C90347FF}]
I'm not sure how to get Zenworks to use the cleaned up version nor and I too sure what those extra extensions are and how they got in there. I may need to contact Novell in regards to this, but since I'm already working on an SR with them I figured I'd go ahead and post here first.
Any help or advice would be greatly appreciated.

Here are the groups I'm using. NOTE: These have been in affect throughout the issues experienced. Users will work perfectly fine then suddenly the problem will start happening without any policy change on our side.
-Member of-
Network Configuration Operators+
Remote Desktop Users+
Users+
-Assigned Rights under a group I called "Other Rights"-
Access this computer from network
Change the system time
Log on locally
Shut down the system
The only condition I have is that these issues happen when logging in Workstation Only and I'm not able to recreate the problem on demand with tests.
Originally Posted by craig_wilson
The "Interactive Logon" is a Windows Security Permission.
It is generally assigned to certain local groups such as "User".
Which groups are assigned this right can be changed manually and
controlled by local security policies.
When user's get this error, it generally means their account is not in a
local group that has been assigned that right.
If using "DLU", make sure the user accounts are a member of "Users".
And If anyone was messing with security policies, make sure they did not
take away "Interactive Logons" from anyone.
On 10/29/2010 7:06 AM, jcsmith1 wrote:
>
> Thanks for replying craig.
>
> My policy woes have only grown since my first post. We are currently
> testing the removal of administrative rights and now we're having
> teleworkers (who login Workstation Only) getting the message "policy
> does not allow interactive login". What -seems- to fix it is a zac cc,
> zac ref and zac pl, however we just started getting call backs from
> users.
>
> I seem to have no further leads and Novell's ZenWorks tech supports
> seems to be going through some kind of painful-to-the-customer
> transition as one of my thoughts on resolving the issue is to go to 10.3
> or 10.3.1, but my Satellites appear to be upgrading but in reality do
> not upgrade (but the primary servers upgraded) (See SR 10655976331).
>
> Does anyone knows how to troubleshoot policy issues when the users
> aren't loggin into ZCM?
>
> craig_wilson;2036646 Wrote:
>> See: 'Group Policy Error: The Group Policy client-side extension Script
>> failed to execute.'
>> (Group Policy Error: The Group Policy client-side extension Script failed to execute.)
>>
>> This would never be fixed in any patch, since it would be the job of
>> GPEDIT to properly maintain the GPT.INI.
>>
>> Most of the Time these errors are cosmetic and caused by stray script
>> extensions.
>>
>> You may want to create an Enhancement Request to allow the creation of
>> "Filters" so certain errors are discarded and not sent to the DB/ZCC.
>> This way an Admin could choose to filter out various error messages
>> that
>> they deem are not actually of concern.
>>
>> On 10/21/2010 9:36 AM, jcsmith1 wrote:
>>>
>>> This is an error I've been seeing forever and it was always the
>>> impression that upgrading would resolve it, but it never has even in
>>> 10.3. 100% of our users get these errors in the Event Viewer:
>>>
>>> -Event Type: Error
>>> Event Source: Userenv
>>> Event Category: None
>>> Event ID: 1085
>>> Date: 10/21/2010
>>> Time: 8:04:52 AM
>>> User: NT AUTHORITY\SYSTEM
>>> Computer: XXXXXX
>>> Description:
>>> The Group Policy client-side extension Scripts failed to execute.
>>> Please look for any errors reported earlier by that extension.
>>>
>>> For more information, see Help and Support Center at
>>> http://go.microsoft.com/fwlink/events.asp.
>>> -
>>> We also seem to have flakey policy issues where once in awhile a
>> user
>>> will not be able to logon to Windows with Workstation Only while
>> getting
>>> the " not allowed to logon interactively" message, other times the
>> users
>>> report not being able to access the Windows Date and Time Properties
>> and
>>> further sometimes they are unable to make system changes.
>>>
>>> We have troubleshooted this and the only resolutions we've found are
>> to
>>> run zac cc, zac ref, zac pl and sometimes it seems like deleting
>>> c:\windows\system32\grouppolicy will help.
>>>
>>> In regards to the Event Viewer entry I posted, on any given machine
>> I
>>> can issue the command gpupdate and it will put another entry into
>> the
>>> Event Viewer (sometimes multiple ones). I've learned through
>> research
>>> that if I "clean up" c:\windows\system32\grouppolicy\gpt.ini the
>> errors
>>> go away, but once the policy is refreshed they come right back.
>>>
>>> This is the version ZenWorks gives the users:
>>>> [General]
>>>> gPCFunctionalityVersion=2
>>>> gPCFunctionalityVersion=2
>>>>
>> gPCMachineExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957D-509E-11D1-A7CC-0000F87571E3}][{3610EDA5-77EF-11D2-8DC5-00C04FA31A66}{0F6B957D-509E-11D1-A7CC-0000F87571E3}][{42B5FAAE-6536-11D2-AE5A-0000F87571E3}{40B6664F-4972-11D1-A7CA-0000F87571E3}][{4CFB60C1-FAA6-47F1-89AA-0B18730C9FD3}{0F6B957D-509E-11D1-A7CC-0000F87571E3}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]
>>>> Version=6488106
>>>>
>> gPCUserExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}][{42B5FAAE-6536-11D2-AE5A-0000F87571E3}{40B66650-4972-11D1-A7CA-0000F87571E3}][{4CFB60C1-FAA6-47F1-89AA-0B18730C9FD3}{0F6B957E-509E-11D1-A7CC-0000F87571E3}][{A2E30F80-D7DE-11D2-BBDE-00C04F86AE3B}{FC715823-C5FB-11D1-9EEF-00A0C90347FF}]
>>>>
>>>>
>>>
>>> This is the version I cleaned up:
>>>> [General]
>>>> gPCFunctionalityVersion=2
>>>>
>> gPCUserExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}][{4CFB60C1-FAA6-47F1-89AA-0B18730C9FD3}{0F6B957E-509E-11D1-A7CC-0000F87571E3}][{A2E30F80-D7DE-11D2-BBDE-00C04F86AE3B}{FC715823-C5FB-11D1-9EEF-00A0C90347FF}]
>>>>
>> gPCUserExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}][{A2E30F80-D7DE-11D2-BBDE-00C04F86AE3B}{FC715823-C5FB-11D1-9EEF-00A0C90347FF}]
>>>>
>>>>
>>>
>>> I'm not sure how to get Zenworks to use the cleaned up version nor
>> and
>>> I too sure what those extra extensions are and how they got in there.
>> I
>>> may need to contact Novell in regards to this, but since I'm already
>>> working on an SR with them I figured I'd go ahead and post here
>> first.
>>>
>>> Any help or advice would be greatly appreciated.
>>>
>>>
>>
>>
>> --
>> Craig Wilson - MCNE, MCSE, CCNA
>> Novell Knowledge Partner
>>
>> Novell does not officially monitor these forums.
>>
>> Suggestions/Opinions/Statements made by me are solely my own.
>> These thoughts may not be shared by either Novell or any rational
>> human.
>
>
Craig Wilson - MCNE, MCSE, CCNA
Novell Knowledge Partner
Novell does not officially monitor these forums.
Suggestions/Opinions/Statements made by me are solely my own.
These thoughts may not be shared by either Novell or any rational human.

W7 client machine stuck on startup "Group Policy Files Policy"

we have some w7 machine getting stuck on boot up before ctrl-alt-del, once verbose message was turned on for troubleshooting, we noticed they were stuck at "applying group policy files policy".
we had let it wait for more than 60 minutes at time and it would still be stuck. (thou mouse / kb still responsive)
this problem however, is not re-produceable on demand, if we power off the machine, it boots back up with no issues.
checking the group policy log, we didn't find anything weird, but was not sure if that's the right place to look thou.
we do have two group policy preferences pushing out host files as well as desktop shortcuts, might that be the culprit?
thanks!

> we do have two group policy preferences pushing out host files as well
> as desktop shortcuts, might that be the culprit?
My recommendation: Use Group Policy Preferences as you like, but do NOT
use the "Files" extension.
Why? GP Processing at Boot/Logon is a synchronous foreground process
that cannot be interrupted (as you are already experiencing ;-)).
Replace GPP Files with a script that runs some robocopy commands. Start
this script through a scheduled task at boot or logon, so that it can
run asynchronously in the background, not disturbing the user experience.
regards, Martin
NO THEY ARE NOT EVIL, if you know what you are doing:
Good or bad GPOs?
Wenn meine Antwort hilfreich war, freue ich mich über eine Bewertung! If my answer was helpful, I'm glad about a rating!

How to force group policy update remotely in a bunch of desktops(computers name in a textfile) by using powershell script?

Hi,
I want to force group policy on a collection of computers remotely.The name of computers can be stored in a text file.
By using this info. (about computer names) , Could you please guide me writing a Powershell script for this.
Thanks in advance.
Daya

This requires that PSRemoting is enabled in your environment.
$Computers = Get-Content -Path 'C:\computers.txt'
Invoke-Command -ComputerName $Computers -ScriptBlock {
GPUpdate /Force

Script to override Group policy (Disable Addins and change default file type)

Hi there,
I am developing a solution for our customer that requires Office 2010 64-bit, which I have.
However my company's group policy, (I believe), keeps adding in a template manager for corporate documents, this template is 32-bit and is incompatible with my version of office. This means that everytime I open or close excel I get a warning of incompatibility.
This is irritating, as is the fact that the default new file type keeps switching back of xls, which causes me problems since my macro's need to create xlsx files, for the customer.
Now I believe that both of these are set by the group policy and while they a fine for most people, due to my unusual roll, it causes me irritations I would would rather avoid.
Since I know it will not be possible to change the group policy for the handful of people who are effected like this, I am looking for some help to, e.g. automatically run a script to adjust these settings on my local machine to make my life easier.
Thanks for your help,
Vincent.

Try using
Process Monitor for looking the key.
For example, you may set the required value through the group policy and see what windows registry keys are changed.

Shutdown Script / Group Policy

I need to implement a script that runs at shutdown on 2 labs in our
main office. I know that I can set this using Group Policy. My
question is, I already have policies associated with the container that
the group resides in. If I create a new group policy and apply it to
the workstation group, will it override the container policy where the
users reside? Or, if anyone knows a better way for me to do this, let
me know.
Basically, I have contextless logins associated with user containers at
each site. When those users come to the main office and use our
training lab, it sets the contextless login to search their old site.
The next time the computer reboots, the local context is replaced by
that of the last user. I figured if I run a regkey on shutdown that
sets it back, everything will be ok. Can I do this using a ZEN app, or
is the group policy my only option?

[email protected],
> I have contextless logins associated with user containers at
>each site. When those users come to the main office and use our
>training lab, it sets the contextless login to search their old site.
>The next time the computer reboots, the local context is replaced by
>that of the last user. I figured if I run a regkey on shutdown that
>sets it back, everything will be ok.
Why wont' contextless login put it back correctly?
If you want a policy, then I would add a action to a regular workstation
package, the policy being a "action" which would run the reg file on logout.
Jared Jennings
Data Technique, Inc.
Novell Support Forums Sysop
http://wiki.novell.com

Group Policy Startup Script

Similar Messages

Maybe you are looking for