Discussion:
AD Group Policy logon/logoff scripts not working
m***@gmail.com
2007-03-01 17:13:26 UTC
Strangest problem...

I've written a Group Policy that will automatically deploy the a
utility to any server inside the OU it is assigned to in AD. I created
a 'test' OU folder in AD at and put two servers into it. I linked the
GPO to the test OU. It worked great. The software automatically
deployed.

So I modified the Group Policy and added a User Logoff script to run
the program. It doesn't work. I added a logon script to run
notepad.exe to test - it doesn't work. The policy is getting picked up
because it is installing the software. Why isn't it running the logon/
logoff scripts? I created a new GPO with logon/logoff scripts,
assigned it to the OU, and they don't run.

I don't see any related errors in the event viewer.

If I log into the servers and edit the LOCAL group policy, logon/
logoff scripts work perfectly.


Why won't logon/logoff scripts run from the Active Directory group
policy?
mtstream
2007-03-01 23:36:05 UTC
Your software installation policy is a computer policy - you mentioned
testing with two computers in an OU.

The logoff policy is a user policy.

Since the computer policy is working and the user policy is not - It sounds
like the GPOs are applied to an OU that contains computer accounts but not
the appropriate user accounts.

From one of the systems in question - run GPResult to see what Computer and
User policies are being applied.
m***@gmail.com
2007-03-02 02:10:05 UTC
I ran GPResult.

The GPO that has the deployment AND the logoff script is getting
applied.

The GPO that was a test and only has logon/logoff scripts IS NOT
getting applied.

So you are probably correct where there are no Users defined in the
OU. But my question then is why does it work if I set it up the same way
using Local Group Policy instead of a Group Policy Object linked to an
OU?
Florian Frommherz
2007-03-02 09:36:34 UTC
Howdie!
Post by m***@gmail.com
So you are probably correct where there are no Users defined in the
OU. But my question then is why does it work if I set it up the same way
using Local Group Policy instead of a Group Policy Object linked to an
OU?
This is because the settings in the policy you apply need to take effect
on Active Directory objects. Like mtstream wrote before, you need to
have the appropriate target objects in your OU in order to have the
settings applied correctly.

When you define User Configuration settings in a GP and you apply it to
an OU, you need to make sure there are user objects/accounts inside the
OU that can be targeted by the policy. If there are no user accounts,
which objects should apply the policy then? Same thing with Computer
configuration policies. If there are no computer accounts within an OU
to which you apply a GP with Computer Configuration settings, nothing
will happen. Users apply user configuration settings, computers apply
computer configuration settings. That's default behavior.

This whole thing works on Local Group Policy, because you do not have
objects and OUs on a local machine. The policy settings you make just
apply to all users that would log in. That is by design.

If you wanted to set User Configuration settings depending on the
computer a user logs in, let's say a Terminal Server environment or any
other computer environment on which a specific User Configuration shall
take place, no matter which user logs on to that machine, you'll have to
give "Loopback" processing a try. It "forces" computer accounts to apply
the User Configuration portion of a policy.

cheers,

Florian
--
Junior admin from southern Germany.
eMail: first name [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
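
The scoping rule described in the post above, as an added example that is not part of the original thread: a simplified model of which GPOs contribute Computer and User Configuration, with and without loopback. The GPO names and the "Admins" OU are constructed, and the model ignores site and domain links, enforcement, blocked inheritance and security filtering.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class GPO:
    name: str
    computer_settings: bool = False
    user_settings: bool = False
    loopback: Optional[str] = None  # "merge" or "replace"; a Computer Configuration setting

def linked(ou_chain, links):
    """GPOs linked along an OU chain, outermost OU first (lowest precedence first)."""
    return [g for ou in ou_chain for g in links.get(ou, [])]

def resultant_policy(computer_ous, user_ous, links):
    comp_list = linked(computer_ous, links)
    user_list = linked(user_ous, links)
    # Loopback is read from the computer's own policy; the closest link wins.
    mode = next((g.loopback for g in reversed(comp_list) if g.loopback), None)
    if mode == "replace":    # the user's own GPO list is not used at all
        user_list = comp_list
    elif mode == "merge":    # computer's GPOs are processed last, so they win conflicts
        user_list = [g for g in user_list if g not in comp_list] + comp_list
    return {
        "loopback": mode,
        "computer": [g.name for g in comp_list if g.computer_settings],
        "user": [g.name for g in user_list if g.user_settings],
    }

def thread_scenario(loopback=None):
    """Constructed model of the thread: servers in OU 'Test', admin accounts elsewhere."""
    deploy = GPO("Deploy+Logoff", computer_settings=True, user_settings=True)
    scripts = GPO("ScriptsOnly", user_settings=True)
    admin_prefs = GPO("AdminDesktop", user_settings=True)  # hypothetical user-side GPO
    links = {"Test": [deploy, scripts], "Admins": [admin_prefs]}
    if loopback:
        links["Test"].append(GPO("Loopback", computer_settings=True, loopback=loopback))
    return resultant_policy(["Test"], ["Admins"], links)

if __name__ == "__main__":
    for mode in (None, "merge", "replace"):
        print(mode, thread_scenario(mode))
```

Without loopback the user-side list contains nothing linked to the servers' OU, which matches the GPResult output reported earlier in the thread; with loopback every account that logs on to those servers receives the scripts.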
mtstream
2007-03-02 16:03:07 UTC
Florian,

You always confuse me :)

Whenever I open your posts the first thing to catch my eye is the German
e-mail address - so I think "may be a difficult post to understand". But you
write exceptionally well (I've been reading your blog as well)! You don't
have anything in the "about me" page so my mind just can't build a picture.
So what's the story? I'm confused :)

You don't have to answer that - this is really meant to be a humorous
compliment on your posts/writing skills.
Florian Frommherz
2007-03-03 13:43:23 UTC
Howdie!
Post by mtstream
Florian,
You always confuse me :)
I'm sorry for confusing you. ;)
Post by mtstream
Whenever I open your posts the first thing to catch my eye is the German
e-mail address - so I think "may be a difficult post to understand". But you
write exceptionally well (I've been reading your blog as well)! You don't
have anything in the "about me" page so my mind just can't build a picture.
So what's the story? I'm confused :)
The blog is currently sleeping as I'm a little busy at work. But as soon
as I get a little air to breathe I'll fill it with news. Maybe I'll put
some info into the "About me" section as well.

The thing with my English writing is pretty easy: after I passed my
a-level with English as a primary subject, I "forced" myself to watch
DVDs and read technical documentations always in English language to
still improve ;) So hearing that my written English sounds "well" is
good to hear, thank you ;)

cheers,

Florian
--
Junior admin from southern Germany.
eMail: first name [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
m***@gmail.com
2007-03-06 21:04:59 UTC
Your suggestion of Loopback Processing for Group Policy was the
solution that worked for me.

http://support.microsoft.com/kb/231287

Only admins log in to the servers in that specific OU anyways, so it is
ok if the User Configuration applies to any User logging on to a
server in that OU.

Thank You

Andrew S
2011-01-13 01:36:04 UTC
Hello,

I would just like to thank you on this post. I have been researching for GPO answers on a very similar issue for about a week now and your post has helped me IMMENSELY.

Very pleased with your answer.

thanks again!