GPO Change-over - KiXtart.org

You are not logged in. [Log In] KiXtart.org website » Forums » KiXtart » KiXtart FAQ & How to's » GPO Change-over

Page 1 of 1

Topic Options

#138756 - 2005-04-26 11:07 PM GPO Change-over
Kdyer Kdyer KiX Supporter Registered: 2001-01-03 Posts: 6241 Loc: Tigard, OR	There have been quite a number of questions with regard to GPO and KiX and hopefully, this will help. Please provide any feedback, criticisms, etc. Here goes: You MUST be a Domain Administrator or better to do this task This assumes that you have Group Policy Management Console. (1) Find the user(s) you want to modify in the OU and remove under Profile, the Login Script, or you can remove this using an AD script: Code: Break ON CLS $groupobj = GetObject("WinNT://"+@ldomain+"/Domain Users") For Each $userobjg in $groupobj.members $userobj = GetObject("WinNT://YOUR_DC/"+$userobjg.name) If InStr($userobjg.loginscript,'ntlogon') ?$userobjg.name+','+$userobjg.fullname LOGGER('H:\scriptchange.txt',$userobjg.name+', '+$userobjg.fullname+@crlf) $UserObjg.LoginScript = "" $UserObjg.SetInfo $UserObjg="" LOGGER('H:\scriptchange.txt',$userobjg.name+@crlf) EndIf $userobjg.name="" Next ?'process is complete.. press a key' Get $ ;Function LOGGER($logfil,$logdat) ; ;Author Kent Dyer (leptonator@hotmail.com) ; ;Contributors MBrecht on CramSession.com ; http://infocenter.cramsession.com/TechLibrary/GetHtml.asp?ID=721&GetDes=&CatID=293 ; "Create Loginlog" ; Jooel (Lonkero) - Code cleanup ; Howard Bullock ; ;Action Writes to a Server Log ; ;Syntax LOGGER($logfile,$logdata) ; ;Version 1.2 - Recommendation by Howard Bullock ; 1.1 - Clean-up by Lonkero ; ;Parameters $logfile - Specify what server, share, and file is needed ; $logdata - Data to be written to the log ; ;Remarks This script addresses an issue with writing to logs if the file is open by ; another user it waits until they are done and has the log file closed. ; It does a 1 second wait until ready to write to the log till a maximum of 6 seconds and then exits the routine. ; The 5x3 wait routine is not used anymore. ; ;Returns Writes to a file. No visible user output. ; ;Dependencies All Domain Users being able to write to a server share ; ;KiXtart Ver 4.02 ; ;Example(s) ; -- Data ; $logshare='\\SERVER\LOGINFO' ; $logfile=$logshare+'\HOTBAR.TXT' ; $logdata=@date + ',' + @time + ',' + @userid + ',WinNT,' + @wksta + @CRLF ; ; -- Example ; LOGGER($logfile,$logdata) ; FUNCTION LOGGER($logfile,$logdata) DIM $n While Open(1,$logfile,5)<>0 If $n '.' Else ? 'Please wait' EndIf $n=$n+1 If $n=6 Exit(1) Endif Sleep 1 LOOP $n=WriteLine(1, $logdata) $n=Close(1) ENDFUNCTION (2) In Active Directory Users and Computers, go into the OU that you want to modify and open Group Policy Management.. (3) In Group Policy Management, right-click on the OU and Select "Create and link a GPO Here" (4) In the New GPO, provide a Name: Login Script Click OK (5) In the Right Pane, right-click on the newly created GPO and choose edito Note: Scripts can be defined in GPO in one of two locations - Computer Configuration/Windows Settings/Scripts (Startup/Shutdown) << This should be by machine Note: a per-machine script runs under SYSTEM context (meaning admin privs). But not network access unlesss SYSTEM is specifically granted network access. User Configuration/Windows Settings/Scripts (Logon/Logofft) << This is by user and is the preferred method (6) Open the Logon by double-clicking on it. (7) Click the Add.. Button and add the needed files. We will just add in one batch file - NTLOGON.BAT and it contains the following: \\domain.tld\netlogon\WKiX32.exe \\domain.tld\netlogon\script.KiX Note: You can still keep your W/KIX32.EXE in the Netlogon folder.. If you choose to do: \\domain.tld\netlogon\WKiX32.exe \\domain.tld\netlogon\OU\script.KiX Then \\domain.tld\netlogon\OU needs to exist, for example: \\domain.tld\netlogon\Accounting \\domain.tld\netlogon\Marketing \\domain.tld\netlogon\Sales \\domain.tld\netlogon\HR etc. Or, better yet: \\domain.tld\netlogon\CompanyA \\domain.tld\netlogon\CompanyB \\domain.tld\netlogon\CompanyC \\domain.tld\netlogon\CompanyD etc. and this makes it pretty easy to maintain/manage. Also, Enterprise-wide, changes are not as high-profile. The other advantage to this model is that you can have Representatives from IT in each of these areas maintain their own scripts. (8)Click OK and close out of Group Policy and then close out of Group Policy Management Note: You may not see immediate results as replication between your DCs has to occur Thanks, Kent _________________________ Utilize these resources: UDFs (Full List) KiXtart FAQ & How to's
Top

#138757 - 2005-04-26 11:32 PM Re: GPO Change-over RFC for the FAQ Section
masken masken MM club member Registered: 2000-11-27 Posts: 1222 Loc: Gothenburg, Sweden	Quote: Possible enhancements, provide example scripts and where to place WKIX32.EXE, etc. Thanks, Kent That is the single most interesting part, so it definetly should be added Note: a per-machine script (computer configuration - Startup/Shutdown) runs under SYSTEM context (meaning admin privs). Must admit that I've never even tried running KiX via GPO, don't know if it even works Edited by masken (2005-04-26 11:35 PM) _________________________ The tart is out there
Top

#138758 - 2005-04-26 11:54 PM Re: GPO Change-over RFC for the FAQ Section
Kdyer Kdyer KiX Supporter Registered: 2001-01-03 Posts: 6241 Loc: Tigard, OR	My apologies, I have made some changes Kent _________________________ Utilize these resources: UDFs (Full List) KiXtart FAQ & How to's
Top

#138759 - 2005-04-27 01:29 AM Re: GPO Change-over RFC for the FAQ Section
Sealeopard Sealeopard KiX Master Registered: 2001-04-25 Posts: 11165 Loc: Boston, MA, USA	Quote: Note: a per-machine script (computer configuration - Startup/Shutdown) runs under SYSTEM context (meaning admin privs). But not network access unlesss SYSTEM is specifically granted network access, so I remember. _________________________ There are two types of vessels, submarines and targets.
Top

#138760 - 2005-04-27 02:00 AM Re: GPO Change-over RFC for the FAQ Section
Les Les KiX Master Registered: 2001-06-11 Posts: 12734 Loc: fortfrances.on.ca	Good job, Kent. Not sure I follow what you are trying to say with the OU path example, {AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}. In my company, when we came up with an OU design, I designed the NetLogon folder structure to follow that same OU tree structure. We delegate rights to OU_Administrators to both their OU and matching folder in NetLogon and to make it simple, we setup a hidden share on their local DC to the NetLogon subfolder for admin access only. OU_Admins are free to choose whether to deploy legacy logon scripts and/or GPO scripts. I recall from past discussions, that Startup scripts do have limited network access to NetLogon without fiddling with any perms. _________________________ Give a man a fish and he will be back for more. Slap him with a fish and he will go away forever.
Top

#138761 - 2005-04-27 02:21 AM Re: GPO Change-over RFC for the FAQ Section
Kdyer Kdyer KiX Supporter Registered: 2001-01-03 Posts: 6241 Loc: Tigard, OR	Jens/Les - Changes implemented. Sorry, kind of threw this together at the end of the day. Thanks! Kent _________________________ Utilize these resources: UDFs (Full List) KiXtart FAQ & How to's
Top

#138762 - 2005-04-27 03:08 PM Re: GPO Change-over RFC for the FAQ Section
Kdyer Kdyer KiX Supporter Registered: 2001-01-03 Posts: 6241 Loc: Tigard, OR	Made one minor change with regard to company. Kent _________________________ Utilize these resources: UDFs (Full List) KiXtart FAQ & How to's
Top

Page 1 of 1

Previous Topic View All Topics

Index Next Topic

Moderator: Jochen, Radimus, Glenn Barnas, Allen, Arend_, ShaneEP, Mart

Hop to:

Shout Box

Search the board with:
superb Board Search
or try with google:

	Web kixtart.org