Shutdown Script / Group Policy

I need to implement a script that runs at shutdown on 2 labs in our
main office. I know that I can set this using Group Policy. My
question is, I already have policies associated with the container that
the group resides in. If I create a new group policy and apply it to
the workstation group, will it override the container policy where the
users reside? Or, if anyone knows a better way for me to do this, let
me know.
Basically, I have contextless logins associated with user containers at
each site. When those users come to the main office and use our
training lab, it sets the contextless login to search their old site.
The next time the computer reboots, the local context is replaced by
that of the last user. I figured if I run a regkey on shutdown that
sets it back, everything will be ok. Can I do this using a ZEN app, or
is the group policy my only option?

[email protected],
> I have contextless logins associated with user containers at
>each site. When those users come to the main office and use our
>training lab, it sets the contextless login to search their old site.
>The next time the computer reboots, the local context is replaced by
>that of the last user. I figured if I run a regkey on shutdown that
>sets it back, everything will be ok.
Why wont' contextless login put it back correctly?
If you want a policy, then I would add a action to a regular workstation
package, the policy being a "action" which would run the reg file on logout.
Jared Jennings
Data Technique, Inc.
Novell Support Forums Sysop
http://wiki.novell.com

Similar Messages

Analyze and Write a log of windows logon/shutdown script and policy

Good Morning,
Is there a way to write a complete log of pc from when it start to receive the domain policy for the machine and user and for the startup/shutdown process?
Thanks for you help.
Salento.

Hi Salento,
Before going further, what do we want to do? Are we troubleshooting something?
If we want to troubleshoot group policy, we can collect group policy result to check if our policy settings get applied properly.
To collect group policy result:
1. On domain controller, click Start -> Run, type GPMC.MSC, it will load the GPMC console.
2. Right click on "Group Policy Result" and choose wizard to generate a report for the problematic computer and user account (please place appropriately). (Choose computer and select the proper
user in the wizard)
3. Right click the resulting group policy result and click the "Save Report…" => save report to save the report to a HTML file.
If we need more specific information for troubleshooting group policy, we can enable gpsvc logging for group policy processing.
To enable Gpsvc logging, the following blog can be referred to as reference.
Userenvlog for Windows Vista/2008/Win7
http://blogs.technet.com/b/mempson/archive/2010/01/10/userenvlog-for-windows-vista-2008-win7.aspx
In addition, regarding group policy debug log settings, the following article can be referred to for more information.
Group Policy Debug Log Settings
http://social.technet.microsoft.com/wiki/contents/articles/4506.group-policy-debug-log-settings.aspx
Best regards,
Frank Shen

Server 2008 R2 does not show Internet Explorer 10/11 Group Policy options

Hello,
I have a Windows Server 2008 R2 server that has IE11 installed. I am attempting to create a GPO to control Proxy settings for IE10/11 clients, however, when I go to User Config>Preferences> Control Panel Settings> Internet Settings and Right click,
I do not see an option for IE10, only IE5 and 6, IE7, and IE8.
I have downloaded and installed the Administrative Templates for Internet Explorer from
here, and followed the installation instructions, but still, the option does not show up. I have ensured that all the latest Windows Updates are installed on the server, and rebooted
the server a couple times.
What am I missing here?
Thanks in advance.

<meta content="text/html; charset=UTF-16" http-equiv="Content-Type" /><title>SFDN\testuser</title> <style type="text/css">body { background-color:#FFFFFF; border:1px solid #666666; color:#000000; font-size:68%;
font-family:MS Shell Dlg; margin:0,0,10px,0; word-break:normal; word-wrap:break-word; } table { font-size:100%; table-layout:fixed; width:100%; } td,th { overflow:visible; text-align:left; vertical-align:top; white-space:normal; } .title { background:#FFFFFF;
border:none; color:#333333; display:block; height:24px; margin:0px,0px,-1px,0px; padding-top:4px; ; table-layout:fixed; width:100%; z-index:5; } .he0_expanded { background-color:#FEF7D6; border:1px solid #BBBBBB; color:#3333CC; cursor:hand; display:block;
font-family:MS Shell Dlg; font-size:100%; font-weight:bold; height:2.25em; margin-bottom:-1px; margin-left:0px; margin-right:0px; padding-left:8px; padding-right:5em; padding-top:4px; ; width:100%; } .he1_expanded { background-color:#A0BACB; border:1px solid
#BBBBBB; color:#000000; cursor:hand; display:block; font-family:MS Shell Dlg; font-size:100%; font-weight:bold; height:2.25em; margin-bottom:-1px; margin-left:20px; margin-right:0px; padding-left:8px; padding-right:5em; padding-top:4px; ; width:100%; } .he1h_expanded
{ background-color: #7197B3; border: 1px solid #BBBBBB; color: #000000; cursor: hand; display: block; font-family: MS Shell Dlg; font-size: 100%; font-weight: bold; height: 2.25em; margin-bottom: -1px; margin-left: 10px; margin-right: 0px; padding-left: 8px;
padding-right: 5em; padding-top: 4px; ; width: 100%; } .he1 { background-color:#A0BACB; border:1px solid #BBBBBB; color:#000000; cursor:hand; display:block; font-family:MS Shell Dlg; font-size:100%; font-weight:bold; height:2.25em; margin-bottom:-1px; margin-left:20px;
margin-right:0px; padding-left:8px; padding-right:5em; padding-top:4px; ; width:100%; } .he2 { background-color:#C0D2DE; border:1px solid #BBBBBB; color:#000000; cursor:hand; display:block; font-family:MS Shell Dlg; font-size:100%; font-weight:bold; height:2.25em;
margin-bottom:-1px; margin-left:30px; margin-right:0px; padding-left:8px; padding-right:5em; padding-top:4px; ; width:100%; } .he3 { background-color:#D9E3EA; border:1px solid #BBBBBB; color:#000000; cursor:hand; display:block; font-family:MS Shell Dlg; font-size:100%;
font-weight:bold; height:2.25em; margin-bottom:-1px; margin-left:40px; margin-right:0px; padding-left:11px; padding-right:5em; padding-top:4px; ; width:100%; } .he4 { background-color:#E8E8E8; border:1px solid #BBBBBB; color:#000000; cursor:hand; display:block;
font-family:MS Shell Dlg; font-size:100%; font-weight:bold; height:2.25em; margin-bottom:-1px; margin-left:50px; margin-right:0px; padding-left:11px; padding-right:5em; padding-top:4px; ; width:100%; } .he4h { background-color:#E8E8E8; border:1px solid #BBBBBB;
color:#000000; cursor:hand; display:block; font-family:MS Shell Dlg; font-size:100%; font-weight:bold; height:2.25em; margin-bottom:-1px; margin-left:55px; margin-right:0px; padding-left:11px; padding-right:5em; padding-top:4px; ; width:100%; } .he4i { background-color:#F9F9F9;
border:1px solid #BBBBBB; color:#000000; display:block; font-family:MS Shell Dlg; font-size:100%; margin-bottom:-1px; margin-left:55px; margin-right:0px; padding-bottom:5px; padding-left:21px; padding-top:4px; ; width:100%; } .he5 { background-color:#E8E8E8;
border:1px solid #BBBBBB; color:#000000; cursor:hand; display:block; font-family:MS Shell Dlg; font-size:100%; font-weight:bold; height:2.25em; margin-bottom:-1px; margin-left:60px; margin-right:0px; padding-left:11px; padding-right:5em; padding-top:4px; ;
width:100%; } .he5h { background-color:#E8E8E8; border:1px solid #BBBBBB; color:#000000; cursor:hand; display:block; font-family:MS Shell Dlg; font-size:100%; padding-left:11px; padding-right:5em; padding-top:4px; margin-bottom:-1px; margin-left:65px; margin-right:0px;
; width:100%; } .he5i { background-color:#F9F9F9; border:1px solid #BBBBBB; color:#000000; display:block; font-family:MS Shell Dlg; font-size:100%; margin-bottom:-1px; margin-left:65px; margin-right:0px; padding-left:21px; padding-bottom:5px; padding-top:
4px; ; width:100%; } DIV .expando { color:#000000; text-decoration:none; display:block; font-family:MS Shell Dlg; font-size:100%; font-weight:normal; ; right:10px; text-decoration:underline; z-index: 0; } .he0 .expando { font-size:100%; } .info, .info3, .info4,
.disalign { line-height:1.6em; padding:0px,0px,0px,0px; margin:0px,0px,0px,0px; } .disalign TD { padding-bottom:5px; padding-right:10px; } .info TD { padding-right:10px; width:50%; } .info3 TD { padding-right:10px; width:33%; } .info4 TD, .info4 TH { padding-right:10px;
width:25%; } .info TH, .info3 TH, .info4 TH, .disalign TH { border-bottom:1px solid #CCCCCC; padding-right:10px; } .subtable, .subtable3 { border:1px solid #CCCCCC; margin-left:0px; background:#FFFFFF; margin-bottom:10px; } .subtable TD, .subtable3 TD { padding-left:10px;
padding-right:5px; padding-top:3px; padding-bottom:3px; line-height:1.1em; width:10%; } .subtable TH, .subtable3 TH { border-bottom:1px solid #CCCCCC; font-weight:normal; padding-left:10px; line-height:1.6em; } .subtable .footnote { border-top:1px solid #CCCCCC;
} .subtable3 .footnote, .subtable .footnote { border-top:1px solid #CCCCCC; } .subtable_frame { background:#D9E3EA; border:1px solid #CCCCCC; margin-bottom:10px; margin-left:15px; } .subtable_frame TD { line-height:1.1em; padding-bottom:3px; padding-left:10px;
padding-right:15px; padding-top:3px; } .subtable_frame TH { border-bottom:1px solid #CCCCCC; font-weight:normal; padding-left:10px; line-height:1.6em; } .subtableInnerHead { border-bottom:1px solid #CCCCCC; border-top:1px solid #CCCCCC; } .explainlink { color:#000000;
text-decoration:none; cursor:hand; } .explainlink:hover { color:#0000FF; text-decoration:underline; } .spacer { background:transparent; border:1px solid #BBBBBB; color:#FFFFFF; display:block; font-family:MS Shell Dlg; font-size:100%; height:10px; margin-bottom:-1px;
margin-left:43px; margin-right:0px; padding-top: 4px; ; } .filler { background:transparent; border:none; color:#FFFFFF; display:block; font:100% MS Shell Dlg; line-height:8px; margin-bottom:-1px; margin-left:53px; margin-right:0px; padding-top:4px; ; } .container
{ display:block; ; } .rsopheader { background-color:#A0BACB; border-bottom:1px solid black; color:#333333; font-family:MS Shell Dlg; font-size:130%; font-weight:bold; padding-bottom:5px; text-align:center; } .rsopname { color:#333333; font-family:MS Shell
Dlg; font-size:130%; font-weight:bold; padding-left:11px; } .gponame{ color:#333333; font-family:MS Shell Dlg; font-size:130%; font-weight:bold; padding-left:11px; } .gpotype{ color:#333333; font-family:MS Shell Dlg; font-size:100%; font-weight:bold; padding-left:11px;
} #uri { color:#333333; font-family:MS Shell Dlg; font-size:100%; padding-left:11px; } #dtstamp{ color:#333333; font-family:MS Shell Dlg; font-size:100%; padding-left:11px; text-align:left; width:30%; } #objshowhide { color:#000000; cursor:hand; font-family:MS
Shell Dlg; font-size:100%; font-weight:bold; margin-right:0px; padding-right:10px; text-align:right; text-decoration:underline; z-index:2; word-wrap:normal; } #gposummary { display:block; } #gpoinformation { display:block; } @media print { #objshowhide{ display:none;
} body { color:#000000; border:1px solid #000000; } .title { color:#000000; border:1px solid #000000; } .he0_expanded { color:#000000; border:1px solid #000000; } .he1h_expanded { color:#000000; border:1px solid #000000; } .he1_expanded { color:#000000; border:1px
solid #000000; } .he1 { color:#000000; border:1px solid #000000; } .he2 { color:#000000; background:#EEEEEE; border:1px solid #000000; } .he3 { color:#000000; border:1px solid #000000; } .he4 { color:#000000; border:1px solid #000000; } .he4h { color:#000000;
border:1px solid #000000; } .he4i { color:#000000; border:1px solid #000000; } .he5 { color:#000000; border:1px solid #000000; } .he5h { color:#000000; border:1px solid #000000; } .he5i { color:#000000; border:1px solid #000000; } } v\:* {behavior:url(#default#VML);}
</style> <script language="vbscript">  </script> <script language="javascript">
 </script>
Group Policy Management
body { font-size:68%;font-family:MS Shell Dlg; margin:0px,0px,0px,0px; border: 1px solid #666666; background:#F6F6F6; width:100%; word-break:normal; word-wrap:break-word; } .head { font-weight:bold; font-size:160%; font-family:MS
Shell Dlg; width:100%; color:#6587DC; background:#E3EAF9; border:1px solid #5582D2; padding- height:24px; } .path { margin- margin- margin-bottom:5px;width:100%; } .info { padding-width:100%; } table { font-size:100%; width:100%; border:1px solid #999999;
} th { border-bottom:1px solid #999999; text-align:left; padding- height:24px; } td { background:#FFFFFF; padding- padding-bottom:10px; padding- } .btn { width:100%; text-align:right; margin- } .hdr { font-weight:bold; border:1px solid #999999; text-align:left;
padding- padding- height:24px; margin-bottom:-1px; width:100%; } .bdy { width:100%; height:182px; display:block; background:#FFFFFF; padding- padding-bottom:10px; padding- border:1px solid #999999; } button { width:6.9em; height:2.1em; font-size:100%; font-family:MS
Shell Dlg; margin-right:15px; } @media print { .bdy { display:block; } button { display:none; } .head { color:#000000; background:#FFFFFF; border:1px solid #000000; } }
Setting Path:
Explanation
<button accesskey="P" name="Print" onclick="window.print()">Print</button>
<button accesskey="C" name="Close" onclick="window.close()">Close</button>
No explanation is available for this setting.
Supported On:
Not available
Group Policy Results
SFDN\testuser
Data collected on: 12/14/2014 1:00:12 PM
Summary
Computer Configuration Summary
No data available.
User Configuration Summary
General
User name
SFDN\testuser
Domain
SFD.local
Last time Group Policy was processed
12/14/2014 12:59:22 PM
Group Policy Objects
Applied GPOs
Name
Link Location
Revision
Local Group Policy
Local
AD (1), Sysvol (1)
Default Domain Policy
SFD.local
AD (6), Sysvol (6)
Test
SFD.local/SFD-Restricted-Users
AD (10), Sysvol (10)
Limit Downloads
SFD.local/SFD-Restricted-Users
AD (2), Sysvol (2)
SFD Restricted Users
SFD.local/SFD-Restricted-Users
AD (59), Sysvol (59)
Denied GPOs
Name
Link Location
Reason Denied
None
Security Group Membership when Group Policy was applied
SFDN\Domain Users
Everyone
BUILTIN\Users
NT AUTHORITY\INTERACTIVE
CONSOLE LOGON
NT AUTHORITY\Authenticated Users
NT AUTHORITY\This Organization
LOCAL
Mandatory Label\Medium Mandatory Level
WMI Filters
Name
Value
Reference GPO(s)
None
Component Status <v:group alt="Warning" class="vmlimage" coordsize="100,100" style="width:15px;height:15px;vertical-align:middle;"><v:shape class="vmlimage" fillcolor="yellow"
strokecolor="yellow" style="width:100;height:100;"><v:path v="m 50,0 l 0,99 99,99 x e"></v:path></v:shape> <v:rect class="vmlimage" fillcolor="black" strokecolor="black" style="width:10;height:35;"></v:rect>
<v:rect class="vmlimage" fillcolor="black" strokecolor="black" style="width:10;height:5;"></v:rect> </v:group>
Component Name
Status
Last Process Time
Group Policy Infrastructure
Success
12/14/2014 12:59:46 PM
Folder Redirection
Failed
12/14/2014 12:59:46 PM
Folder Redirection failed due to the error listed below.
Cannot complete this function.
Additional information may have been logged. Review the Policy Events tab in the console or the application event log for events between 12/14/2014 12:59:23 PM and 12/14/2014 12:59:46 PM.
Group Policy Internet Settings
Success
12/14/2014 12:59:46 PM
Registry
Success
12/12/2014 10:28:23 AM
Computer Configuration
No data available.
User Configuration
Policies
Windows Settings
Security Settings
Software Restriction Policies
Winning GPO
SFD Restricted Users
Enforcement
Policy
Setting
Apply software restriction policies to the following
All software files except libraries (such as DLLs)
Apply software restriction policies to the following users
All users
When applying software restriction policies
Ignore certificate rules
Designated File Types
File Extension
File Type
ADE
Microsoft Access Project Extension
ADP
Microsoft Access Project
BAS
BAS File
BAT
Windows Batch File
CHM
Compiled HTML Help file
CMD
Windows Command Script
COM
MS-DOS Application
CPL
Control panel item
CRT
Security Certificate
EXE
Application
HLP
Help file
HTA
HTML Application
INF
Setup Information
INS
INS File
ISP
ISP File
LNK
Shortcut
MDB
Microsoft Access Database
MDE
Microsoft Access MDE Database
MSC
Microsoft Common Console Document
MSI
Windows Installer Package
MSP
Windows Installer Patch
MST
MST File
OCX
ActiveX control
PCD
PCD File
PIF
Shortcut to MS-DOS Program
REG
Registration Entries
SCR
Screen saver
SHS
SHS File
URL
Internet Shortcut
VB
VB File
WSC
Windows Script Component
Trusted Publishers
Trusted publisher management
Allow all administrators and users to manage user's own Trusted Publishers
Certificate verification
None
Software Restriction Policies/Security Levels
Policy
Setting
Winning GPO
Default Security Level
Unrestricted
SFD Restricted Users
Software Restriction Policies/Additional Rules
Path Rules
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%
Security Level
Unrestricted
Description
Date last modified
9/30/2011 12:34:27 PM
Winning GPO
SFD Restricted Users
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%
Security Level
Unrestricted
Description
Date last modified
9/30/2011 12:34:27 PM
Winning GPO
SFD Restricted Users
Administrative Templates
Policy definitions (ADMX files) retrieved from the local machine.
Control Panel
Policy
Setting
Winning GPO
Network/Network Connections
Policy
Setting
Winning GPO
This setting determines whether the Properties menu item is enabled, and thus, whether the Local Area Connection Properties dialog box is available to users.
If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Properties menu items are disabled for all users, and users cannot open the Local Area Connection Properties dialog box.
Important: If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers.
If you disable this setting or do not configure it, a Properties menu item appears when users right-click the icon representing a LAN connection. Also, when users select the connection, Properties is enabled on the File menu.
Note: This setting takes precedence over settings that manipulate the availability of features inside the Local Area Connection Properties dialog box. If this setting is enabled, nothing within the properties dialog box for a LAN connection is available to
users.
Note: Nonadministrators have the right to view the properties dialog box for a connection but not to make changes, regardless of this setting." gpmc_settingname="Prohibit access to properties of a LAN connection" gpmc_settingpath="User Configuration/Administrative
Templates/Network/Network Connections" gpmc_supported="At least Windows 2000 Service Pack 1" href="javascript:void();" onclick="javascript:showExplainText(this); return false;">Prohibit access to properties of a LAN connection
Enabled
SFD Restricted Users
If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the check boxes for enabling and disabling components are disabled. As a result, administrators cannot enable or disable the components that
a connection uses.
Important: If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers.
If you disable this setting or do not configure it, the Properties dialog box for a connection includes a check box beside the name of each component that the connection uses. Selecting the check box enables the component, and clearing the check box disables
the component.
Note: When the "Prohibit access to properties of a LAN connection" setting is enabled, users are blocked from accessing the check boxes for enabling and disabling the components of a LAN connection.
Note: Nonadministrators are already prohibited from enabling or disabling components for a LAN connection, regardless of this setting." gpmc_settingname="Prohibit Enabling/Disabling components of a LAN connection" gpmc_settingpath="User
Configuration/Administrative Templates/Network/Network Connections" gpmc_supported="Microsoft Windows Server 2003, Windows XP, and Windows 2000 Service Pack 1 operating systems only" href="javascript:void();" onclick="javascript:showExplainText(this);
return false;">Prohibit Enabling/Disabling components of a LAN connection
Enabled
SFD Restricted Users
Windows Components/Internet Explorer
Policy
Setting
Winning GPO
If you enable this policy setting, the user will not be able to configure proxy settings.
If you disable or do not configure this policy setting, the user can configure proxy settings." gpmc_settingname="Prevent changing proxy settings" gpmc_settingpath="User Configuration/Administrative Templates/Windows Components/Internet
Explorer" gpmc_supported="At least Internet Explorer 5.0" href="javascript:void();" onclick="javascript:showExplainText(this); return false;">Prevent changing proxy settings
Enabled
SFD Restricted Users
Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone
Policy
Setting
Winning GPO
Allow file downloads
Disable
Extra Registry Settings
Display names for some settings cannot be found. You might be able to resolve this issue by updating the .ADM files used by Group Policy Management.
Setting
State
Winning GPO
Software\Policies\Microsoft\office\14.0\outlook\ForceOSTPath
P:\My Documents\Outlook Files
SFD Restricted Users
Software\Policies\Microsoft\office\14.0\outlook\ForcePSTPath
P:\My Documents\Outlook Files
SFD Restricted Users

Group Policy - Computer Startup Scripts - Add/Set Default printer

Good Morning.
Let's say we have 2 offices, A and B, and only 1 user. The user is using Roaming Profiles. Each office has its own printer.
What I am trying to do, is make a Startup script that is specific to the COMPUTER being logged into so when any user logs into that computer, they get the printer in that office defined and set as default.
I am able to do this successfully with my script but ONLY if i have the script be on the USER side of GP (i.e. in the Logon script section)
That is great that that is working however, when my user goes to Office B, they still get mapped to Office A's printer if I use that method.
So I figured I could just modify my GP and run the same script from the STARTUP section of the computer, rather than the LOGON section of the user. It does not work.
Here is my script:
Set WRFCUNetwork = CreateObject("Wscript.Network")
PrinterPath = "\\fileserver\MAINTELLER"
PrinterDriver = "PrinterDriver"
WRFCUNetwork.AddWindowsPrinterConnection PrinterPath, PrinterDriver
WRFCUNetwork.SetDefaultPrinter "\\fileserver\MAINTELLER"
This is where I Have the script placed:
     Computer Configuration -> Windows Settings -> Scripts(Startup/Shutdown)
Once i'm in there, I double click Startup, click Add, and select my script which is named:
     MainPrinterSetup.vbs
I have this GP applied to ONE OU, and that OU has ONE computer in it (my test computer)
I login with a brand new user called "testuser" (creative, huh?) and basically nothing happens
except they log in and have some Microsoft Document Image Writer printer set as default (which by the way sure does slow the PC down to the point of it almost being broke if anyone actually tries to print to that by accident)
No Main Teller Printer, no anything.
The strangest part about this is, if i apply this script to the user LOGON scripts, it works fine, the printer is there, and is set as default. (but see above why that wont work for my situation)
So obviously the script works fine, but I guess i'm missing something when it comes to applying GP's to Computers rather than Users.
Can anyone shed some light as to why the script is not running (i'm guessing the script isn't even attempting to run, rather than failing, but i have no way to know that)
Thank you in advance!!
Derek Conlon
Network Administrator
WRFCU
EDIT: Here are the PC's info that i'm working on:
     Server: Windows Server 2003 Standard Edition (where my GP's are created and managed with AD)
     Target PC: Windows XP Professional SP3
EDIT #2: I manually navigated to the Script file after logging in and "opened" it and it added and set the default printer no problem. the issue is definately with the script running at startup.

I wanted to clarify a few things:
1. While it is true that printer connections are usually per user, it is definitely possible to create "global printers". There are a number of ways to do this, but two methods that come to mind are using:
a. "Rundll32 printui.dll,PrintUIEntry" option with the "/ga" switch. The "/ga" switch is the key here since it allows you to deploy printers "per machine" instead of "per user". More information
about this is available at:
http://members.shaw.ca/bsanders/NetPrinterAllUsers.htm
http://technet.microsoft.com/en-us/library/ee624057%28WS.10%29.aspx
http://www.computerperformance.co.uk/Logon/logon_printer_computer.htm
http://www.robvanderwoude.com/2kprintcontrol.php
b. The Print Management console that is available in Windows 2003 R2 and higher can help you deploy printers "per machine" in addition to "per user". More information about this is available at:
http://www.czsolution.com/print-management/print-management/print-management-console.htm#DeployingPrintersByGroupPolicy
http://technet.microsoft.com/en-us/library/cc753109%28WS.10%29.aspx
2. As Guy mentioned, Group Policy Preferences can help set the default printer. But there is another way to accomplish this. The problem with the computer startup portion is that it runs before the user logs in. And applying this script
in the login script section would not work per computer unless you used loopback processing. So another way to do this is to place a script that sets the default printer into the "All Users" startup folder. Items in the "All Users"
startup folder run for any user that logs into the computer, but it runs in the user's context. So, this script would effectively set the default printer on a "per machine" basis. The script method is a cruder way to approach the problem,
but it will help get the job done. Here are some resources on setting the default printer via script:
http://www.intelliadmin.com/index.php/2007/08/set-default-printer-from-a-script
http://www.computerperformance.co.uk/ezine/ezine17.htm

Shutdown oracle from group policy

I try to shutdown an Oracle 9i database as part of the shutdown script that runs when my Windows 2003 Server is being shutdown. I am getting a priviledge violation: This is my script
set oracle_sid=SID
set oracle_home=d:\oracle\SID\920
sqlplus sys/password@"SID as sysdba" @shutdownimmediate.sql
The script file contains:
shutdown immediate
exit
I have added the local system account to the ORA_DBA, ORA_DEV_DBA, ORA_DEV_OPER groups without success.
Has anyone out there successfully used the group policy editor (gpedit.msc) to make Oracle part of the shutdown procedure?

Hi,
You could use powershell command to enable this:
Step-By-Step: Enabling BranchCache in Microsoft Windows Server 2012
http://blogs.technet.com/b/canitpro/archive/2013/05/13/step-by-step-enabling-branchcache-in-microsoft-windows-server-2012.aspx
Or you could create another GPO to check the result.
More detail information:
http://technet.microsoft.com/library/hh848392.aspx
Regards.
Vivian Wang

How can I setup a scheduled task to run a Powershell Script delivered as a Group Policy Preference

I have a Powershell script I want to run only once when a user logs onto their system. This script would move all the PST files from the Local drive and the Home drive to a folder location within the users profile. I wanted to run this as a Windows 7 Scheduled Task using Group Policy Preferences. How can I get this to happen short of a logon script? I have updated all the machines to WMF 4.0 so could I use a Scheduled Job instead? I wanted to run the script as the logon user but elevated.#Start Outlook and Disconnect attached PST files.
$Outlook = New-Object -ComObject Outlook.Application
$namespace = $outlook.getnamespace("MAPI")
$folder = $namespace.GetDefaultFolder("olFolderInbox")
$explorer = $folder.GetExplorer()
$explorer.Display()
$myArray= @()
$outlook.Session.Stores | where{ ($_.FilePath -like'*.PST') } | foreach{[array]$myArray+= $_.FilePath}
for
($x=0;$x-le$myArray.length-1;$x++)
$PSTPath= $myArray[$x]
$PST= $namespace.Stores | ?{$_.FilePath -like$PSTPath}
$PSTRoot= $PST.GetRootFolder() #Get Root Folder name of PST
$PSTFolder= $Namespace.Folders.Item($PSTRoot.Name) #Bind to PST for disconnection
$Namespace.GetType().InvokeMember('RemoveStore',[System.Reflection.BindingFlags]::InvokeMethod,$null,$Namespace,($PSTFolder)) #Disconnect .PST
#Move All PST files to the default location while deleting the PST files from their original location.
$SourceList = ("$env:SystemDrive", "$env:HOMEDRIVE")
$Destination = ("$env:USERPROFILE\MyOutlookFiles")
(Get-ChildItem -Path $SourceList -Recurse -Filter *.PST) | Move-Item -Destination $Destination
#Attach all PST files from the default location.
Add-type -assembly "Microsoft.Office.Interop.Outlook" | out-null
$outlook = new-object -comobject outlook.application
$namespace = $outlook.GetNameSpace("MAPI")
dir “$env:USERPROFILE\MyOutlookFiles\*.pst” | % { $namespace.AddStore($_.FullName) }

Mike,
I do not understand what appears to be a regular expression above. I did add the PowerShell script to the HKCU RunOnce Key as suggested.
Windows Registry Editor Version 5.00
C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -noprofile -sta -WindowStyle Hidden -ExecutionPolicy RemoteSigned -File "C:\scripts\Windows PowerShell\Move-PST.ps1"
I'm delivering this using Group Policy Preferences. It seems to fail or time out when run because the behavior is different if I run the script from within the PowerShell IDE. I added the parameters to the script and will try it again in the morning.

The Group Policy client-side extension Scripts failed ...

This is an error I've been seeing forever and it was always the impression that upgrading would resolve it, but it never has even in 10.3. 100% of our users get these errors in the Event Viewer:
Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1085
Date: 10/21/2010
Time: 8:04:52 AM
User: NT AUTHORITY\SYSTEM
Computer: XXXXXX
Description:
The Group Policy client-side extension Scripts failed to execute. Please look for any errors reported earlier by that extension.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
We also seem to have flakey policy issues where once in awhile a user will not be able to logon to Windows with Workstation Only while getting the " not allowed to logon interactively" message, other times the users report not being able to access the Windows Date and Time Properties and further sometimes they are unable to make system changes.
We have troubleshooted this and the only resolutions we've found are to run zac cc, zac ref, zac pl and sometimes it seems like deleting c:\windows\system32\grouppolicy will help.
In regards to the Event Viewer entry I posted, on any given machine I can issue the command gpupdate and it will put another entry into the Event Viewer (sometimes multiple ones). I've learned through research that if I "clean up" c:\windows\system32\grouppolicy\gpt.ini the errors go away, but once the policy is refreshed they come right back.
This is the version ZenWorks gives the users:
[General]
gPCFunctionalityVersion=2
gPCFunctionalityVersion=2
gPCMachineExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957D-509E-11D1-A7CC-0000F87571E3}][{3610EDA5-77EF-11D2-8DC5-00C04FA31A66}{0F6B957D-509E-11D1-A7CC-0000F87571E3}][{42B5FAAE-6536-11D2-AE5A-0000F87571E3}{40B6664F-4972-11D1-A7CA-0000F87571E3}][{4CFB60C1-FAA6-47F1-89AA-0B18730C9FD3}{0F6B957D-509E-11D1-A7CC-0000F87571E3}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]
Version=6488106
gPCUserExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}][{42B5FAAE-6536-11D2-AE5A-0000F87571E3}{40B66650-4972-11D1-A7CA-0000F87571E3}][{4CFB60C1-FAA6-47F1-89AA-0B18730C9FD3}{0F6B957E-509E-11D1-A7CC-0000F87571E3}][{A2E30F80-D7DE-11D2-BBDE-00C04F86AE3B}{FC715823-C5FB-11D1-9EEF-00A0C90347FF}]
This is the version I cleaned up:
[General]
gPCFunctionalityVersion=2
gPCUserExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}][{4CFB60C1-FAA6-47F1-89AA-0B18730C9FD3}{0F6B957E-509E-11D1-A7CC-0000F87571E3}][{A2E30F80-D7DE-11D2-BBDE-00C04F86AE3B}{FC715823-C5FB-11D1-9EEF-00A0C90347FF}]
gPCUserExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}][{A2E30F80-D7DE-11D2-BBDE-00C04F86AE3B}{FC715823-C5FB-11D1-9EEF-00A0C90347FF}]
I'm not sure how to get Zenworks to use the cleaned up version nor and I too sure what those extra extensions are and how they got in there. I may need to contact Novell in regards to this, but since I'm already working on an SR with them I figured I'd go ahead and post here first.
Any help or advice would be greatly appreciated.

Here are the groups I'm using. NOTE: These have been in affect throughout the issues experienced. Users will work perfectly fine then suddenly the problem will start happening without any policy change on our side.
-Member of-
Network Configuration Operators+
Remote Desktop Users+
Users+
-Assigned Rights under a group I called "Other Rights"-
Access this computer from network
Change the system time
Log on locally
Shut down the system
The only condition I have is that these issues happen when logging in Workstation Only and I'm not able to recreate the problem on demand with tests.
Originally Posted by craig_wilson
The "Interactive Logon" is a Windows Security Permission.
It is generally assigned to certain local groups such as "User".
Which groups are assigned this right can be changed manually and
controlled by local security policies.
When user's get this error, it generally means their account is not in a
local group that has been assigned that right.
If using "DLU", make sure the user accounts are a member of "Users".
And If anyone was messing with security policies, make sure they did not
take away "Interactive Logons" from anyone.
On 10/29/2010 7:06 AM, jcsmith1 wrote:
>
> Thanks for replying craig.
>
> My policy woes have only grown since my first post. We are currently
> testing the removal of administrative rights and now we're having
> teleworkers (who login Workstation Only) getting the message "policy
> does not allow interactive login". What -seems- to fix it is a zac cc,
> zac ref and zac pl, however we just started getting call backs from
> users.
>
> I seem to have no further leads and Novell's ZenWorks tech supports
> seems to be going through some kind of painful-to-the-customer
> transition as one of my thoughts on resolving the issue is to go to 10.3
> or 10.3.1, but my Satellites appear to be upgrading but in reality do
> not upgrade (but the primary servers upgraded) (See SR 10655976331).
>
> Does anyone knows how to troubleshoot policy issues when the users
> aren't loggin into ZCM?
>
> craig_wilson;2036646 Wrote:
>> See: 'Group Policy Error: The Group Policy client-side extension Script
>> failed to execute.'
>> (Group Policy Error: The Group Policy client-side extension Script failed to execute.)
>>
>> This would never be fixed in any patch, since it would be the job of
>> GPEDIT to properly maintain the GPT.INI.
>>
>> Most of the Time these errors are cosmetic and caused by stray script
>> extensions.
>>
>> You may want to create an Enhancement Request to allow the creation of
>> "Filters" so certain errors are discarded and not sent to the DB/ZCC.
>> This way an Admin could choose to filter out various error messages
>> that
>> they deem are not actually of concern.
>>
>> On 10/21/2010 9:36 AM, jcsmith1 wrote:
>>>
>>> This is an error I've been seeing forever and it was always the
>>> impression that upgrading would resolve it, but it never has even in
>>> 10.3. 100% of our users get these errors in the Event Viewer:
>>>
>>> -Event Type: Error
>>> Event Source: Userenv
>>> Event Category: None
>>> Event ID: 1085
>>> Date: 10/21/2010
>>> Time: 8:04:52 AM
>>> User: NT AUTHORITY\SYSTEM
>>> Computer: XXXXXX
>>> Description:
>>> The Group Policy client-side extension Scripts failed to execute.
>>> Please look for any errors reported earlier by that extension.
>>>
>>> For more information, see Help and Support Center at
>>> http://go.microsoft.com/fwlink/events.asp.
>>> -
>>> We also seem to have flakey policy issues where once in awhile a
>> user
>>> will not be able to logon to Windows with Workstation Only while
>> getting
>>> the " not allowed to logon interactively" message, other times the
>> users
>>> report not being able to access the Windows Date and Time Properties
>> and
>>> further sometimes they are unable to make system changes.
>>>
>>> We have troubleshooted this and the only resolutions we've found are
>> to
>>> run zac cc, zac ref, zac pl and sometimes it seems like deleting
>>> c:\windows\system32\grouppolicy will help.
>>>
>>> In regards to the Event Viewer entry I posted, on any given machine
>> I
>>> can issue the command gpupdate and it will put another entry into
>> the
>>> Event Viewer (sometimes multiple ones). I've learned through
>> research
>>> that if I "clean up" c:\windows\system32\grouppolicy\gpt.ini the
>> errors
>>> go away, but once the policy is refreshed they come right back.
>>>
>>> This is the version ZenWorks gives the users:
>>>> [General]
>>>> gPCFunctionalityVersion=2
>>>> gPCFunctionalityVersion=2
>>>>
>> gPCMachineExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957D-509E-11D1-A7CC-0000F87571E3}][{3610EDA5-77EF-11D2-8DC5-00C04FA31A66}{0F6B957D-509E-11D1-A7CC-0000F87571E3}][{42B5FAAE-6536-11D2-AE5A-0000F87571E3}{40B6664F-4972-11D1-A7CA-0000F87571E3}][{4CFB60C1-FAA6-47F1-89AA-0B18730C9FD3}{0F6B957D-509E-11D1-A7CC-0000F87571E3}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]
>>>> Version=6488106
>>>>
>> gPCUserExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}][{42B5FAAE-6536-11D2-AE5A-0000F87571E3}{40B66650-4972-11D1-A7CA-0000F87571E3}][{4CFB60C1-FAA6-47F1-89AA-0B18730C9FD3}{0F6B957E-509E-11D1-A7CC-0000F87571E3}][{A2E30F80-D7DE-11D2-BBDE-00C04F86AE3B}{FC715823-C5FB-11D1-9EEF-00A0C90347FF}]
>>>>
>>>>
>>>
>>> This is the version I cleaned up:
>>>> [General]
>>>> gPCFunctionalityVersion=2
>>>>
>> gPCUserExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}][{4CFB60C1-FAA6-47F1-89AA-0B18730C9FD3}{0F6B957E-509E-11D1-A7CC-0000F87571E3}][{A2E30F80-D7DE-11D2-BBDE-00C04F86AE3B}{FC715823-C5FB-11D1-9EEF-00A0C90347FF}]
>>>>
>> gPCUserExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}][{A2E30F80-D7DE-11D2-BBDE-00C04F86AE3B}{FC715823-C5FB-11D1-9EEF-00A0C90347FF}]
>>>>
>>>>
>>>
>>> I'm not sure how to get Zenworks to use the cleaned up version nor
>> and
>>> I too sure what those extra extensions are and how they got in there.
>> I
>>> may need to contact Novell in regards to this, but since I'm already
>>> working on an SR with them I figured I'd go ahead and post here
>> first.
>>>
>>> Any help or advice would be greatly appreciated.
>>>
>>>
>>
>>
>> --
>> Craig Wilson - MCNE, MCSE, CCNA
>> Novell Knowledge Partner
>>
>> Novell does not officially monitor these forums.
>>
>> Suggestions/Opinions/Statements made by me are solely my own.
>> These thoughts may not be shared by either Novell or any rational
>> human.
>
>
Craig Wilson - MCNE, MCSE, CCNA
Novell Knowledge Partner
Novell does not officially monitor these forums.
Suggestions/Opinions/Statements made by me are solely my own.
These thoughts may not be shared by either Novell or any rational human.

How to force group policy update remotely in a bunch of desktops(computers name in a textfile) by using powershell script?

Hi,
I want to force group policy on a collection of computers remotely.The name of computers can be stored in a text file.
By using this info. (about computer names) , Could you please guide me writing a Powershell script for this.
Thanks in advance.
Daya

This requires that PSRemoting is enabled in your environment.
$Computers = Get-Content -Path 'C:\computers.txt'
Invoke-Command -ComputerName $Computers -ScriptBlock {
GPUpdate /Force

Group Policy Logon Script to create folder based on username, run as admin

Hello,
I'm at a loss as to how to make this work. I wrote the following PowerShell script that will check to see if the currently logged in user has a folder on a share, and if not it will create the folder and set appropriate permissions. I want to
run it as a Group Policy Logon Script, however I need to run this script as an administrator because users don't have any write/create access at the folder level of the file share. The problem with that then becomes $ENV:Username resolves to the admin
account the script is running under.
Any ideas?
Thanks!
Ryan
# Declare Variables
$strName = $env:USERNAME
$strDomain = $env:USERDOMAIN
If ($strDomain -eq "domain.org") {
# Split Username into 2 variables
$data = $strName.Split("_")
$fname = $data[0]
$lname = $data[1]
#Find first character of last name
$firstcharacter = $lname[0]
# Figure out if last name begins with A-M or N-Z
$A_M=$firstcharacter -match "[a-m]"
$N_Z=$firstcharacter -match "[n-z]"
# Checks to see if folder exists
If ($A_M -eq $true){$FolderExists = Test-Path "\\staff-files\staff\Last Name A-M\$strName"}
elseif ($N_Z -eq $true){$FolderExists = Test-Path "\\staff-files\staff\Last Name N-Z\$strName"}
# Creates folder if it doesn't exist
If (($FolderExists -eq $false) -and ($A_M -eq $true)){
New-Item "\\staff-files.domain.org\Staff\Last Name A-M\$strName" -type directory
$DirPath = "\\staff-files.domain.org\Staff\Last Name A-M\$strName"
elseif (($FolderExists -eq $false) -and ($N_Z -eq $true)){
New-Item "\\staff-files.domain.org\Staff\Last Name N-Z\$strName" -type directory
$DirPath = "\\staff-files.domain.org\Staff\Last Name N-Z\$strName"
ElseIf ($strDomain -eq "students.domain.org") {
# Pull 2 digit year from username and make 4 digit year
$4digityear = "20" + $strName.Substring(0,2)
# Checks to see if folder exists
$FolderExists = Test-Path "\\files.domain.org\students\$4digityear\$strName"
# Creates folder if it doesn't exist
If ($FolderExists -eq $false) {
New-Item "\\files.domain.org\students\$4digityear\$strName" -type directory
$DirPath = "\\files.domain.org\students\$4digityear\$strName"
# Assign Permissions
If ($FolderExists -eq $false){
$target = $DirPath
$acl = Get-Acl $target
$inherit = [system.security.accesscontrol.InheritanceFlags]"ContainerInherit, ObjectInherit"
$propagation = [system.security.accesscontrol.PropagationFlags]"None"
$accessrule = new-object system.security.AccessControl.FileSystemAccessRule ("CREATOR OWNER","Modify",$inherit,$propagation,"Allow")
$acl.AddAccessRule($accessrule)
$accessrule = new-object system.security.AccessControl.FileSystemAccessRule ("NT AUTHORITY\SYSTEM","FullControl",$inherit,$propagation,"Allow")
$acl.AddAccessRule($accessrule)
$accessrule = new-object system.security.AccessControl.FileSystemAccessRule ("administrators","FullControl",$inherit,$propagation,"Allow")
$acl.AddAccessRule($accessrule)
If ($strDomain -eq "students.hempfieldsd.org"){
$accessrule = new-object system.security.AccessControl.FileSystemAccessRule ("DOMAIN\Domain Users","Modify",$inherit,$propagation,"Allow")
$acl.AddAccessRule($accessrule)
$accessrule = new-object system.security.AccessControl.FileSystemAccessRule ("DOMAIN\Staff_Tech","FullControl",$inherit,$propagation,"Allow")
$acl.AddAccessRule($accessrule)
$accessrule = new-object system.security.AccessControl.FileSystemAccessRule ("DOMAIN\Enterprise Admins","FullControl",$inherit,$propagation,"Allow")
$acl.AddAccessRule($accessrule)
$accessrule = new-object system.security.AccessControl.FileSystemAccessRule ($strName,"FullControl",$inherit,$propagation,"Allow")
$acl.AddAccessRule($accessrule)
$acl.SetAccessRuleProtection($true,$false)
$acl.SetOwner([System.Security.Principal.NTAccount]$strName)
Set-Acl -AclObject $acl $target
Ryan Breneman - Systems Administrator - Hempfield School District

Thanks jrv. That is kind of what I thought but wasn't sure. I think I will attack this a different way and modify the script to run through all the AD accounts and check for folder existence and create if needed. Perhaps I'll play
with System Center Orchestrator and run it inside there.
These folders aren't being used for profile storage, and we already have folder redirection pointing to them, however I don't want a user to login to citrix and not have anywhere to save if they didn't have a folder to redirect to.
Folders are supposed to be created when the staff member/student AD account is created, but it doesn't always happen.
Thanks for your help!
Ryan Breneman - Systems Administrator - Hempfield School District

How to use Group Policy to remove the shutdown button on the logon screen

Environment: Shared use computers running Window 7 Professional and MS office Suite; Windows 2008 Standard server, Windows 7 EC Domain Policy and MS Office 2007 ADML Template downloaded from Microsoft. WIndows 7 Accounts OU.
I am in the process of developing a shared use computer lockdown policy for several Windows 7 computers that will made available in my client's computer lab. I need to use a group policy setting to remove the Shut Down button on
the logon screen of the Windows 7 client computers. I am editing the Windows 7 EC Domain Policy to user accounts in a Windows 7 Accounts OU that I created. I am using the Group Policy editor in the Group Policy Management Console.
Please let me know the best practice for accomplishing this using Group Policy editor.
Thanks.
P.S. I tried a setting recommended in the following link in the Windows 7 EC Domain Policy which did not seem to work.
http://www.windowsitpro.com/article/group-policy/can-i-use-group-policy-to-display-or-remove-the-shut-down-button-on-the-logon-screen-.aspx

Hi Vernon,
I tried the group policy you mentioned (Computer Configuration, Windows Settings, Security Settings, Local Policies, and select Security Options, "Shutdown: Allow system to be shut down without having to log on") and it worked on a Windows 7 client.
Thus you may need to check if the group policy you created is actually applied to clients.
A screenshot can be found here:
http://cid-b7ed40feb32ba29f.office.live.com/self.aspx/.Public/desktop/Capture.JPG

Group Policy Startup Script Applies My Policy But Does Not Run The Acual Scripts

I have created a basic batch file with msiexec.exe to uninstall a program on startup and then another separate .bat script to install the same program but the newer version. The software I'm referring to has to be completely uninstalled BEFORE
I install the "newer" version of the same program, it cannot just be overwritten. If I run a gpupdate /force on the client computer and restart, the scripts run as they are supposed to and everything works but the problem is that I can't get it to
run on first boot on a computer that has been turned off for months, even after multiple reboots it still doesn't run the scripts. The 3 policies apply to the different computers/users but the scripts don't run. I manage a theme park that is
only open 4 months of the year so the rest of the time the in park PC's are turned off. I have created my OU as "POS Computers & Users" which has all of the computers and users that will take this policy. I also have 3 Group Policy
Objects attached to this OU in Group Policy, 1 is the program uninstallation .bat script policy that runs on startup, 2 is the install .bat script policy that runs after the uninstallation script, and 3 is the Default Policy for the OU. I already have the
"Always wait for the network at computer startup and logon", "Run startup scripts visible"enabled, "Run startup scripts asynchronously" disabled, and "Run Logon Scripts Synchronously" enabled for all 3 of the
policies. They are all "link enabled" and security filtering is set to only the OU I mentioned earlier so that it doesn't affect anyone else. I have the link order set as the script I want to run first as the last and the one I want to run last first
because from what I understand inheritance is from bottom to top. The install file is accessible by everyone with full permissions on our "Shared" drive so I know its not a permissions issue because it runs after a gpupdate /force with a restart.
The scripts are in the proper folder for the policies they are attached to and permissions are fine.
Here is my uninstall .bat script (msiexec.exe /X{14324A6A-BDD1-4F40-8E77-664C8AEEA251} /forcerestart /qb-! ALLUSERS=1 REMOVE=ALL)
Here is my install .bat script (msiexec.exe /i {\\kksrvad\shared\Gatemaster\NewGatemaster.msi} /qb ALLUSERS=1)

Can't be done in a login script.
This is a Group Policy issue and not a scripting issue. You do not have a script. You have a command saved in a batch file and you are using a GPO. Not a scripting issue.
¯\_(ツ)_/¯

Script to override Group policy (Disable Addins and change default file type)

Hi there,
I am developing a solution for our customer that requires Office 2010 64-bit, which I have.
However my company's group policy, (I believe), keeps adding in a template manager for corporate documents, this template is 32-bit and is incompatible with my version of office. This means that everytime I open or close excel I get a warning of incompatibility.
This is irritating, as is the fact that the default new file type keeps switching back of xls, which causes me problems since my macro's need to create xlsx files, for the customer.
Now I believe that both of these are set by the group policy and while they a fine for most people, due to my unusual roll, it causes me irritations I would would rather avoid.
Since I know it will not be possible to change the group policy for the handful of people who are effected like this, I am looking for some help to, e.g. automatically run a script to adjust these settings on my local machine to make my life easier.
Thanks for your help,
Vincent.

Try using
Process Monitor for looking the key.
For example, you may set the required value through the group policy and see what windows registry keys are changed.

Assign a local logon script using Group Policy

Is there a way to assign a local logon script using Group Policy? The reason I ask is that I wrote a logon/logoff script that will record the date/time, user, and computer for everyone who logs on to any machine in the domain. Right now it's set on a domain
GPO, so it works great for domain accounts, but I'd like to extend that functionality to local accounts as well. The only way I know how to do that would be to set my script to run using the local policy. Since I don't want to manually go around to all 400+
machines in my domain, I would rather find a simpler way of modifying the local policy. Any ideas?

Martin, thank you for your response. That's exactly the kind of out-of-the-box answer I was looking for, unfortunately, it looks like I can only do that for Logon scripts. I don't see an option for Logoff. (Maybe the took the Logoff functionality out?
This article says there should be a Logoff item in the GPO, but they're talking about Windows 2000 in that article.)
Matthias, I started playing around with what you said, and I noticed that the "Scripts" key only seems to show up on my Windows 7 clients. The XP workstations don't have that key. Plus I did some testing, and I think I can do it without having
to mess with the registry at all.
So I think I have a workable solution at the moment. I found
this article that talks about copying Local Polices from one computer to another. I tried manually setting the Logon/Logoff scripts in the Local policy on a fresh machine. From that reference computer I copied the Scripts folder out of the %SYSTEMROOT%\System32\GroupPolicy\User
directory. It also created a gpt.ini file in the %SYSTEMROOT%\System32\GroupPolicy directory. The gpt.ini file contained an attribute called gPCUserExtensionNames, and one called Version. The gPCUserExtensionNames attribute specified two GUIDs, which
I assumed to be the GUIDs that identify the Local Policy. I tried manually creating the Local policy on several different machines, with several different Operating Systems, and those GUIDs always seemed to be the same (not sure why). So I copied the gpt.ini
file off the reference machine as well. When I placed all of the files I copied from the reference machine on to a new machine, everything seemed to work just fine (no registry modification necessary), with one caveat. It seemed to be running the script twice.
So I went back into the gpt.ini file and deleted one of the GUIDs listed under gPCUserExtensionNames, and now the script runs just once!
So I think this solution will work ok for me. We don't have any other Local Policies in place, so demolishing all existing Local Policies is perfectly acceptable in my case. I'm just not sure if I'm doing any damage by copying the gpt.ini file from a reference
machine (if anyone can expand on how that works, I would appreciate the peace of mind that I'm not making things worse by doing this). So all I need now is to write a Startup script, or an SCCM package to deliver the Logon scripts and associated ini files
to the appropriate location on all the domain PCs. Easy enough to do on my own. If anyone knows of a reason why this method is a bad idea, please post here. I'll be testing it out on a handful of PCs in the mean time.
Hi Guys,
Will this solution work for my case? I have a forcereboot batch script that I need to load on the local policy (logoff script through GPEDIT) however I can only load it manually. I need to do it on multiple machines (approx 5000 computers). I am having
trouble doing it using powershell. Is there any other options to do it?
Will I have to use the same GUID's you mentioned on the gpt.ini file? (gPCUserExtensionNames=[{42B5FAAE-6536-11D2-AE5A-0000F87571E3}{40B66650-4972-11D1-A7CA-0000F87571E3}] since it refers to the local script and how about the version on the gpt.ini file?
Thanks in advance.
Dash
https://social.technet.microsoft.com/Forums/en-US/1f636042-bcff-498d-93c0-e1aa89f80961/how-to-load-a-script-on-the-local-group-policy-on-multiple-computers?forum=mdopagpm

Hit with Virus that executed via PowerShell Scripting. Can I disable Powershell on my network via Group Policy and what implications does that have for me.

Our network was hit recently with virus previously unknown, O97M.Crigent. It is a nasty Macro virus that targets Microsoft Office Documents & Spreadsheets and uses a combination of Macros and Scripts via Powershell.
How do I disable PowerShell scripting via Group Policy?
Will this raise any issues such as random application or network failures or other issues?
Can I apply it to the entire domain or should I be selective and only apply it to the workstations?
Network Summary: Windows 2008 Active Directoy Server, 75% Windows 7, 25% Windows XP workstations.
DouglasOfSanMarcos

Disabling Windows PowerShell can be done with GPO:
Computer Configuration | Administrative Templates | Windows Components | Windows PowerShell
From GPO Description: "This setting exists under both "Computer Configuration" and "User Configuration" in the group policy editor. The "Computer Configuration" has precedence over "User Configuration."
By default this option is restricted any way on computers.
I would be very selective when apply it at all:
Workstations - I would apply to test group of workstations first, just to see that there are no side effects before applying to all computers.
Server - I wouldn't apply it at all. I have seen too many issues when setting this policy on Exchange and other systems.
If you are using a Group Policy to define a PowerShell logon, logoff or computer script, that script will disregard any execution policy set locally or through a GPO.
http://4sysops.com/archives/set-powershell-execution-policy-with-group-policy/
http://technet.microsoft.com/en-us/library/hh849812.aspx
Please take a moment to Vote as Helpful and/or Mark as Answer where applicable. Thanks.

MSI not installing via Group Policy - Insists location does not exist

Hi
I am creating a group policy object whereby I am pointing my software package installation to \\192.168.1.3\GPO\MSOCached32bit.msi
The location has permissions for the machine accounts on both the share and the ntfs permissions with read only access.
I have created an OU and moved a Windows XP machine into it, linked the GPO and made sure that the XP machine is not using optimised log on.
From the machine I can reach the share and see the file from the path above.
However each time I reboot the machine I am testing on the installation fails, the exact error being:
The install of application MSO from policy MSO Installation failed. The error was : The installation source for this product is not available. Verify that the source exists and that you can access it.
This is rather odd, since I can see it, the machine account has permissions to see it and I cannot see what the problem is.
I have then gone on to enable verbose logging of the MSI installer which has produced the following:
=== Verbose logging started: 18/08/2011 15:36:18 Build type: SHIP UNICODE 3.01.4001.5512 Calling process: \??\C:\WINDOWS\system32\winlogon.exe ===
MSI (c) (AC:B0) [15:36:18:666]: Resetting cached policy values
MSI (c) (AC:B0) [15:36:18:666]: Machine policy value 'Debug' is 7
MSI (c) (AC:B0) [15:36:18:666]: ******* RunEngine:
           ******* Product: {96b77fe2-a045-4f3f-9a73-1bf359d0eaaf}
           ******* Action:
           ******* CommandLine:
MSI (c) (AC:B0) [15:36:18:666]: Client-side and UI is none or basic: Running entire install on the server.
MSI (c) (AC:B0) [15:36:18:666]: Grabbed execution mutex.
MSI (c) (AC:B0) [15:36:18:736]: Cloaking enabled.
MSI (c) (AC:B0) [15:36:18:736]: Attempting to enable all disabled priveleges before calling Install on Server
MSI (c) (AC:B0) [15:36:18:736]: Incrementing counter to disable shutdown. Counter after increment: 0
MSI (s) (B4:CC) [15:36:18:756]: Grabbed execution mutex.
MSI (s) (B4:D0) [15:36:18:766]: Resetting cached policy values
MSI (s) (B4:D0) [15:36:18:766]: Machine policy value 'Debug' is 7
MSI (s) (B4:D0) [15:36:18:766]: ******* RunEngine:
           ******* Product: {96b77fe2-a045-4f3f-9a73-1bf359d0eaaf}
           ******* Action:
           ******* CommandLine: CURRENTDIRECTORY="C:\WINDOWS\system32" CLIENTUILEVEL=3 CLIENTPROCESSID=940
MSI (s) (B4:D0) [15:36:18:766]: Machine policy value 'DisableUserInstalls' is 0
MSI (s) (B4:D0) [15:36:18:766]: User policy value 'SearchOrder' is 'nmu'
MSI (s) (B4:D0) [15:36:18:766]: User policy value 'DisableMedia' is 0
MSI (s) (B4:D0) [15:36:18:766]: Machine policy value 'AllowLockdownMedia' is 0
MSI (s) (B4:D0) [15:36:18:766]: SOURCEMGMT: Media enabled only if package is safe.
MSI (s) (B4:D0) [15:36:18:766]: SOURCEMGMT: Looking for sourcelist for product {96b77fe2-a045-4f3f-9a73-1bf359d0eaaf}
MSI (s) (B4:D0) [15:36:18:766]: SOURCEMGMT: Adding {96b77fe2-a045-4f3f-9a73-1bf359d0eaaf}; to potential sourcelist list (pcode;disk;relpath).
MSI (s) (B4:D0) [15:36:18:766]: SOURCEMGMT: Now checking product {96b77fe2-a045-4f3f-9a73-1bf359d0eaaf}
MSI (s) (B4:D0) [15:36:18:766]: SOURCEMGMT: Media is enabled for product.
MSI (s) (B4:D0) [15:36:18:766]: SOURCEMGMT: Attempting to use LastUsedSource from source list.
MSI (s) (B4:D0) [15:36:18:766]: SOURCEMGMT: Processing net source list.
MSI (s) (B4:D0) [15:36:18:766]: SOURCEMGMT: Trying source \\192.168.1.3\GPO\.
MSI (s) (B4:D0) [15:36:19:427]: Note: 1: 1314 2: \\192.168.1.3\GPO\
MSI (s) (B4:D0) [15:36:19:427]: ConnectToSource: CreatePath/CreateFilePath failed with: -2147483648 1314 -2147483648
MSI (s) (B4:D0) [15:36:19:427]: ConnectToSource (con't): CreatePath/CreateFilePath failed with: -2147483648 -2147483648
MSI (s) (B4:D0) [15:36:19:427]: SOURCEMGMT: net source '\\192.168.1.3\GPO\' is invalid.
MSI (s) (B4:D0) [15:36:19:427]: Note: 1: 1706 2: -2147483647 3: MSOCached32bit.msi
MSI (s) (B4:D0) [15:36:19:427]: SOURCEMGMT: Processing media source list.
MSI (s) (B4:D0) [15:36:19:437]: Note: 1: 2203 2: 3: -2147287037
MSI (s) (B4:D0) [15:36:19:437]: SOURCEMGMT: Source is invalid due to missing/inaccessible package.
MSI (s) (B4:D0) [15:36:19:437]: Note: 1: 1706 2: -2147483647 3: MSOCached32bit.msi
MSI (s) (B4:D0) [15:36:19:437]: SOURCEMGMT: Processing URL source list.
MSI (s) (B4:D0) [15:36:19:437]: Note: 1: 1402 2: UNKNOWN\URL 3: 2
MSI (s) (B4:D0) [15:36:19:437]: Note: 1: 1706 2: -2147483647 3: MSOCached32bit.msi
MSI (s) (B4:D0) [15:36:19:437]: Note: 1: 1706 2: 3: MSOCached32bit.msi
MSI (s) (B4:D0) [15:36:19:437]: SOURCEMGMT: Failed to resolve source
MSI (s) (B4:D0) [15:36:19:437]: MainEngineThread is returning 1612
MSI (c) (AC:B0) [15:36:19:437]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied. Counter after decrement: -1
MSI (c) (AC:B0) [15:36:19:437]: MainEngineThread is returning 1612
=== Verbose logging stopped: 18/08/2011 15:36:19 ===
As you can see from the above highlighted line, it says its invalid, but I cannot for the life of me understand why?
Thanks in advance for any help!

Hi,
This is not something related to the GPO issue. The issue is with MSI and the packaging. Condition the ResolveSource action.
Try Copying the MSI to local machine using a script and execute it.
ResolveSource actually requires that the original installation source is available whenever it is called. If your installer package is authored correctly, source must only be resolve in cases where the original RTM files are missing or during some patch
uninstall scenarios.
http://blogs.msdn.com/b/heaths/archive/2007/10/25/resolvesource-requires-source.aspx
http://msdn.microsoft.com/en-us/library/aa371232%28VS.85%29.aspx
http://www.appdeploy.com/messageboards/printable.asp?m=48703
If you found this post helpful, please give it a "Helpful" vote. If it answered your question, remember to mark it as an "Answer". This posting is provided "AS IS" with no warranties and confers no rights! Always test ANY suggestion in a test environment before
implementing!

Shutdown Script / Group Policy

Similar Messages

Maybe you are looking for