Discussion:
Login Script
(too old to reply)
Rowland Costin
2007-04-10 14:49:19 UTC
Permalink
Hi
Not sure if this is the correct Newsgroup. I have a problem with my login
script. Is this controlled by group policy at all?

Basically, I have a Win2K3 Terminal server in a small domain with 2 domain
controllers all under :active directory, no workstations. The LOGIN.BAT
file is stored in the folder

C:\WINDOWS\system32\GroupPolicy\User\Scripts\Logon

The batch file simply maps up a series of drives for the users.

The problem I have is I am trying to set up a new batch file that does
different drive mappings for a couple of users. I have created a new batch
file LOGIN2.BAT and stored it in the same folder as above, then pick this
up in the user profile, in the same way that the other users pick up the
first login file. Trouble is, it still runs the first batch file. If I
leave the profile path and file name blank, it still runs the first batch
file, so there must be something else controlling it.

Any ideas

PS, I am not that familiar with group policy, (There is one) so please guide
me gently if this is the issue.
Thanks
Rowland
Mark Heitbrink [MVP]
2007-04-10 15:45:46 UTC
Permalink
Hi,
Post by Rowland Costin
Basically, I have a Win2K3 Terminal server in a small domain with 2 domain
controllers all under :active directory, no workstations. The LOGIN.BAT
file is stored in the folder
C:\WINDOWS\system32\GroupPolicy\User\Scripts\Logon
You are working with local policies, so all things you manipulate are
effecting all users.
Work with GroupPolicy in your AD, not with the local one.

- Install the GPMC
- create a OU, move the TS into it
- create an link a GPO to that OU
- Enable Loopback http://support.microsoft.com/kb/231287
- remove auth.Users from the GPO and add: your TS and your TS
sec.group/user

To use different loginscripts, you can use different GPOs, filtered
by Security Group, or use ifmember.exe inside your batch.

Mark
--
Mark Heitbrink - MVP Windows Server - Group Policy

Homepage: www.gruppenrichtlinien.de - deutsch
Blog: gpupdate.spaces.live.com - english
Rowland Costin
2007-04-10 16:34:13 UTC
Permalink
How do I install GPMC?
Post by Mark Heitbrink [MVP]
Hi,
Post by Rowland Costin
Basically, I have a Win2K3 Terminal server in a small domain with 2 domain
controllers all under :active directory, no workstations. The LOGIN.BAT
file is stored in the folder
C:\WINDOWS\system32\GroupPolicy\User\Scripts\Logon
You are working with local policies, so all things you manipulate are
effecting all users.
Work with GroupPolicy in your AD, not with the local one.
- Install the GPMC
- create a OU, move the TS into it
- create an link a GPO to that OU
- Enable Loopback http://support.microsoft.com/kb/231287
- remove auth.Users from the GPO and add: your TS and your TS
sec.group/user
To use different loginscripts, you can use different GPOs, filtered
by Security Group, or use ifmember.exe inside your batch.
Mark
--
Mark Heitbrink - MVP Windows Server - Group Policy
Homepage: www.gruppenrichtlinien.de - deutsch
Blog: gpupdate.spaces.live.com - english
Rowland Costin
2007-04-10 16:41:16 UTC
Permalink
Scratch That. I found it and installed it, How do I run it? where will it
have put it?

Thanks
Rowland
Post by Rowland Costin
How do I install GPMC?
Post by Mark Heitbrink [MVP]
Hi,
Post by Rowland Costin
Basically, I have a Win2K3 Terminal server in a small domain with 2 domain
controllers all under :active directory, no workstations. The LOGIN.BAT
file is stored in the folder
C:\WINDOWS\system32\GroupPolicy\User\Scripts\Logon
You are working with local policies, so all things you manipulate are
effecting all users.
Work with GroupPolicy in your AD, not with the local one.
- Install the GPMC
- create a OU, move the TS into it
- create an link a GPO to that OU
- Enable Loopback http://support.microsoft.com/kb/231287
- remove auth.Users from the GPO and add: your TS and your TS
sec.group/user
To use different loginscripts, you can use different GPOs, filtered
by Security Group, or use ifmember.exe inside your batch.
Mark
--
Mark Heitbrink - MVP Windows Server - Group Policy
Homepage: www.gruppenrichtlinien.de - deutsch
Blog: gpupdate.spaces.live.com - english
Rowland Costin
2007-04-10 16:50:58 UTC
Permalink
Nah, This is getting far too complex for me.

I need to resolve this simply as this network is live with a 100 clients
logging in all the time. And the network will be scrapped as we are building
a new one, so that will be set up correctly.

I found the setting in a scripts.INI that was running LOGIN.BAT.
Took that out and now it doesn't run this file on newly created logins,
though the old logins still run the LOGIN.BAT file. So far so good.

All I want to do is somehow run a specific batch file at login for a
specific user. Can anyone tell me how to do that simply.

Many thanks
Rowland
Post by Rowland Costin
Scratch That. I found it and installed it, How do I run it? where will it
have put it?
Thanks
Rowland
Post by Rowland Costin
How do I install GPMC?
Post by Mark Heitbrink [MVP]
Hi,
Post by Rowland Costin
Basically, I have a Win2K3 Terminal server in a small domain with 2 domain
controllers all under :active directory, no workstations. The LOGIN.BAT
file is stored in the folder
C:\WINDOWS\system32\GroupPolicy\User\Scripts\Logon
You are working with local policies, so all things you manipulate are
effecting all users.
Work with GroupPolicy in your AD, not with the local one.
- Install the GPMC
- create a OU, move the TS into it
- create an link a GPO to that OU
- Enable Loopback http://support.microsoft.com/kb/231287
- remove auth.Users from the GPO and add: your TS and your TS
sec.group/user
To use different loginscripts, you can use different GPOs, filtered
by Security Group, or use ifmember.exe inside your batch.
Mark
--
Mark Heitbrink - MVP Windows Server - Group Policy
Homepage: www.gruppenrichtlinien.de - deutsch
Blog: gpupdate.spaces.live.com - english
Norbert Fehlauer [MVP]
2007-04-10 22:29:58 UTC
Permalink
Rowland Costin wrote:
Hi,
Post by Rowland Costin
Nah, This is getting far too complex for me.
It won't get easier with local policies applying. Get used to GPOs instead
of local policies.

Bye
Norbert
--
Dilbert's words of wisdom #18: Never argue with an idiot. They drag you
down to their level then beat you with experience.
Mark Heitbrink [MVP]
2007-04-11 09:01:20 UTC
Permalink
Hi,
Post by Rowland Costin
Nah, This is getting far too complex for me.
With LGPO is much more complex ...
Post by Rowland Costin
I need to resolve this simply as this network is live with a 100 clients
logging in all the time. And the network will be scrapped as we are building
a new one, so that will be set up correctly.
Forget about all possibilities of centralized Management wit AD and GPO.
Use one single script with ifmember.exe

Or just run gpmc.msc and see where it took you, after creating a OU,
after linking a few GPOs to it, filtered by SecGroup, enabled Loopback
and after you move the TS into it ...


Mark
--
Mark Heitbrink - MVP Windows Server - Group Policy

Homepage: www.gruppenrichtlinien.de - deutsch
Blog: gpupdate.spaces.live.com - english
Rowland Costin
2007-04-11 11:06:29 UTC
Permalink
Hi Mark

Thanks for the Advice. Don't have time to fully investigate your suggestion
here for GPO, I'll look at it with the New Domain. Bottom line, this domain
is with one hosting company and the new domain is with a different company,
so I can take my time and set that one up right. Any good suggested reading
material on GPO is welcome.

Meantime, the existing network is creaking at the seams. But I am intrigued
by your ifmember.exe approach as I think this could be a good interim
approach.

Basically, I have one login script for all at the moment and different
drives are mapped for different users. But now I need to switch the share
mapped to T drive based on security group membership, so I am hoping this
might do the job.

eg at the moment the batch file says

net use T: /DELETE
net use T: \\Server_Name\TS_Share_Name$ /persistent:yes

Can you give an example of how this would be written.

eg
net use T: /DELETE
ifmember == TS_Share_Name
net use T: \\Server_Name\TS_Share_Name$ /persistent:yes
End if

I am sure the above is not right as I have never used it before, but I
assume the principles are correct. If so, this would suit me down to the
ground at the moment as I can have a section for each share that I need to
map to T drive.



Many thanks
Rowland
Post by Mark Heitbrink [MVP]
Hi,
Post by Rowland Costin
Nah, This is getting far too complex for me.
With LGPO is much more complex ...
Post by Rowland Costin
I need to resolve this simply as this network is live with a 100 clients
logging in all the time. And the network will be scrapped as we are building
a new one, so that will be set up correctly.
Forget about all possibilities of centralized Management wit AD and GPO.
Use one single script with ifmember.exe
Or just run gpmc.msc and see where it took you, after creating a OU,
after linking a few GPOs to it, filtered by SecGroup, enabled Loopback
and after you move the TS into it ...
Mark
--
Mark Heitbrink - MVP Windows Server - Group Policy
Homepage: www.gruppenrichtlinien.de - deutsch
Blog: gpupdate.spaces.live.com - english
Mark Heitbrink [MVP]
2007-04-11 14:17:51 UTC
Permalink
Hi,
[...] Basically, I have one login script for all at the moment and different
drives are mapped for different users. But now I need to switch the share
mapped to T drive based on security group membership, so I am hoping this
might do the job.
eg at the moment the batch file says
net use T: /DELETE
net use T: \\Server_Name\TS_Share_Name$ /persistent:yes
Why "/delete"? it´s only connected during the session, if you would
change "persistent:yes" into "persistent:no"
Can you give an example of how this would be written.
ifmember == TS_Share_Name
net use T: \\Server_Name\TS_Share_Name$ /persistent:yes
End if
e.g You have 3 different SecGroups, called: Sec1, Sec2 and Sec3
and 3 different shares, that depend on the SecGroups
\\server\share_sec1, \\server\share_sec2, and \\server\share_sec3

a script with ifmember xould look like this:

---- cut ----
ifmember Sec1
if errorlevel 1 net use T: \\server\share_sec1 /persistent:no

ifmember Sec2
if errorlevel 1 net use T: \\server\share_sec2 /persistent:no

ifmember Sec3
if errorlevel 1 net use T: \\server\share_sec3 /persistent:no

---- cut ----

The only problem is, if a user is in more than one SecGroup ...
you should avoid it ;-)

Mark
--
Mark Heitbrink - MVP Windows Server - Group Policy

Homepage: www.gruppenrichtlinien.de - deutsch
Blog: gpupdate.spaces.live.com - english
mfarr
2007-04-11 20:21:04 UTC
Permalink
On Apr 11, 10:17 am, "Mark Heitbrink [MVP]" <spam-
Post by Mark Heitbrink [MVP]
Hi,
[...] Basically, I have one login script for all at the moment and different
drives are mapped for different users. But now I need to switch the share
mapped to T drive based on security group membership, so I am hoping this
might do the job.
eg at the moment the batch file says
net use T: /DELETE
net use T: \\Server_Name\TS_Share_Name$ /persistent:yes
Why "/delete"? it´s only connected during the session, if you would
change "persistent:yes" into "persistent:no"
Can you give an example of how this would be written.
ifmember == TS_Share_Name
net use T: \\Server_Name\TS_Share_Name$ /persistent:yes
End if
e.g You have 3 different SecGroups, called: Sec1, Sec2 and Sec3
and 3 different shares, that depend on the SecGroups
\\server\share_sec1, \\server\share_sec2, and \\server\share_sec3
---- cut ----
ifmember Sec1
if errorlevel 1 net use T: \\server\share_sec1 /persistent:no
ifmember Sec2
if errorlevel 1 net use T: \\server\share_sec2 /persistent:no
ifmember Sec3
if errorlevel 1 net use T: \\server\share_sec3 /persistent:no
---- cut ----
The only problem is, if a user is in more than one SecGroup ...
you should avoid it ;-)
Mark
--
Mark Heitbrink - MVP Windows Server - Group Policy
Homepage:www.gruppenrichtlinien.de- deutsch
Blog: gpupdate.spaces.live.com - english
Check out Desktop Authority from Scriptlogic, it will solve all your
drive mapping and GPO needs without you having to spend time creating
login scripts and working around AD to apply specific policies.

Cheers.

www.scriptlogic.com
Mark Heitbrink [MVP]
2007-04-12 09:36:57 UTC
Permalink
Hi,
Post by mfarr
Check out Desktop Authority from Scriptlogic, it will solve all your
drive mapping and GPO needs without you having to spend time creating
login scripts and working around AD to apply specific policies.
... the problem is: he is not using GPO in the way we both would
like to have him to use it :-)

Mark
--
Mark Heitbrink - MVP Windows Server - Group Policy

Homepage: www.gruppenrichtlinien.de - deutsch
Blog: gpupdate.spaces.live.com - english
Loading...