Discussion:
multiple logon scripts
(too old to reply)
Cary Shultz
2009-09-01 10:08:26 UTC
Permalink
Good morning!

We just inherited a new client and I was looking at AD and GPOs last night
and noticed that they have several logon scripts linked to each of the OUs.
It most cases there are two or three different, distinct logon scripts per
OU: one does drive mapping and one does printer mapping and the third one
calls other applications. All logon script files are .vbs and all are
delivered via GPO. There are several OUs - each of which contain a sub-OU
for users and another sub-OU for computers. The single GPO is linked to the
"parent" OU. So, there is a "ACME" OU (with the corresponding 'users' and
'computers' sub-OUs) and there is a "WIDGET" OU (with the corresponding
'users' and 'computers' sub-OUs) and there is the "ACME GPO" and the "WIDGET
GPO". Each GPO holds both user-side and computer-side settings.....since
we are talking only about logon scripts we are looking at the user-side.....

Is it *normal* (whatever that word might mean) for there to be multiple
Logon Scripts? There does not appear to be any overlapping of "content"....

Now, I also noticed that several of the users in one specific OU have a
'logon.bat' associated with their user profile -IN ADDITION TO- the multiple
logon scripts that are delivered via GPO.

Now, things - as best I can tell - are working (from the end-user
perspective). But we just took over yesterday (well, in part....today is
officially 'Day 1').

I am asking because I - in all my years - have never really seen this
situation before. I guess, technically speaking, you could have multiple
logon scripts (delivered via different means). Seems more like a mess to
me....but what do I know? ;-)

Thanks,

Cary
Meinolf Weber [MVP-DS]
2009-09-01 10:27:21 UTC
Permalink
Hello Cary,

You can configure your policies as you like. I assume the login.bat will
contain some global settings and then as you said the OU specific ones.

This is not a faulty setup, just different. And as you can see it works.

The planning and deployment of GPOs/scripts is always a decision of the people
themself and you have many ways to achive the goal. As a basic rule you should
deploy them to use as less resources as possible.
http://technet.microsoft.com/en-us/magazine/2008.01.gpperf.aspx

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Post by Cary Shultz
Good morning!
We just inherited a new client and I was looking at AD and GPOs last
night and noticed that they have several logon scripts linked to each
of the OUs. It most cases there are two or three different, distinct
logon scripts per OU: one does drive mapping and one does printer
mapping and the third one calls other applications. All logon script
files are .vbs and all are delivered via GPO. There are several OUs -
each of which contain a sub-OU for users and another sub-OU for
computers. The single GPO is linked to the "parent" OU. So, there is
a "ACME" OU (with the corresponding 'users' and 'computers' sub-OUs)
and there is a "WIDGET" OU (with the corresponding 'users' and
'computers' sub-OUs) and there is the "ACME GPO" and the "WIDGET GPO".
Each GPO holds both user-side and computer-side settings.....since we
are talking only about logon scripts we are looking at the
user-side.....
Is it *normal* (whatever that word might mean) for there to be
multiple Logon Scripts? There does not appear to be any overlapping
of "content"....
Now, I also noticed that several of the users in one specific OU have
a 'logon.bat' associated with their user profile -IN ADDITION TO- the
multiple logon scripts that are delivered via GPO.
Now, things - as best I can tell - are working (from the end-user
perspective). But we just took over yesterday (well, in part....today
is officially 'Day 1').
I am asking because I - in all my years - have never really seen this
situation before. I guess, technically speaking, you could have
multiple logon scripts (delivered via different means). Seems more
like a mess to me....but what do I know? ;-)
Thanks,
Cary
Cary Shultz
2009-09-01 11:53:19 UTC
Permalink
Meinolf - Guten Morgen!

Das habe ich mir gedacht, wollte aber erst Mal fragen!

I really could not come up with any reasons why this was "wrong" other than
it "looked funny". How is that for technical observation?!!!!!
Technically, I was wondering if having multiple logon scripts was
problematic in the processing at the client level. Does not appear to be
(from the end-user perspective) but will look further into this.

And, SORRY - WIN2003 SP2 Domain Controllers with WINXP SP2/SP3 clients.

I really like the article that you included. I was betting with my
colleague yesterday that things were set up this way for purposes of
delegation at the OU level. They have a TON of Domain Admins (really going
to try to change that) and they do have another interesting set up: Domain
Users is a member of the built-in Administrators! Gotta love that. Going
to 'correct' that situation as well. I will have a look with dsacls today
(regarding the delegation question).

As always - Thanks!
Post by Meinolf Weber [MVP-DS]
Hello Cary,
You can configure your policies as you like. I assume the login.bat will
contain some global settings and then as you said the OU specific ones.
This is not a faulty setup, just different. And as you can see it works.
The planning and deployment of GPOs/scripts is always a decision of the
people themself and you have many ways to achive the goal. As a basic rule
you should deploy them to use as less resources as possible.
http://technet.microsoft.com/en-us/magazine/2008.01.gpperf.aspx
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Post by Cary Shultz
Good morning!
We just inherited a new client and I was looking at AD and GPOs last
night and noticed that they have several logon scripts linked to each
of the OUs. It most cases there are two or three different, distinct
logon scripts per OU: one does drive mapping and one does printer
mapping and the third one calls other applications. All logon script
files are .vbs and all are delivered via GPO. There are several OUs -
each of which contain a sub-OU for users and another sub-OU for
computers. The single GPO is linked to the "parent" OU. So, there is
a "ACME" OU (with the corresponding 'users' and 'computers' sub-OUs)
and there is a "WIDGET" OU (with the corresponding 'users' and
'computers' sub-OUs) and there is the "ACME GPO" and the "WIDGET GPO".
Each GPO holds both user-side and computer-side settings.....since we
are talking only about logon scripts we are looking at the
user-side.....
Is it *normal* (whatever that word might mean) for there to be
multiple Logon Scripts? There does not appear to be any overlapping
of "content"....
Now, I also noticed that several of the users in one specific OU have
a 'logon.bat' associated with their user profile -IN ADDITION TO- the
multiple logon scripts that are delivered via GPO.
Now, things - as best I can tell - are working (from the end-user
perspective). But we just took over yesterday (well, in part....today
is officially 'Day 1').
I am asking because I - in all my years - have never really seen this
situation before. I guess, technically speaking, you could have
multiple logon scripts (delivered via different means). Seems more
like a mess to me....but what do I know? ;-)
Thanks,
Cary
Meinolf Weber [MVP-DS]
2009-09-01 12:37:01 UTC
Permalink
Hello Cary,

Seems you have a lot work with that network to understand all the configuration,
especially if you try to remove them the admin permissions i wish you luck
and a good boss who will support this. The same applies for the tons of domain
admins, maybe the boss is open for delegating control on OU base for most
of them.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Post by Cary Shultz
Meinolf - Guten Morgen!
Das habe ich mir gedacht, wollte aber erst Mal fragen!
I really could not come up with any reasons why this was "wrong" other
than it "looked funny". How is that for technical observation?!!!!!
Technically, I was wondering if having multiple logon scripts was
problematic in the processing at the client level. Does not appear to
be (from the end-user perspective) but will look further into this.
And, SORRY - WIN2003 SP2 Domain Controllers with WINXP SP2/SP3 clients.
I really like the article that you included. I was betting with my
colleague yesterday that things were set up this way for purposes of
delegation at the OU level. They have a TON of Domain Admins (really
going to try to change that) and they do have another interesting set
up: Domain Users is a member of the built-in Administrators! Gotta
love that. Going to 'correct' that situation as well. I will have a
look with dsacls today (regarding the delegation question).
As always - Thanks!
Post by Meinolf Weber [MVP-DS]
Hello Cary,
You can configure your policies as you like. I assume the login.bat
will contain some global settings and then as you said the OU
specific ones.
This is not a faulty setup, just different. And as you can see it works.
The planning and deployment of GPOs/scripts is always a decision of
the people themself and you have many ways to achive the goal. As a
basic rule you should deploy them to use as less resources as
possible.
http://technet.microsoft.com/en-us/magazine/2008.01.gpperf.aspx
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Post by Cary Shultz
Good morning!
We just inherited a new client and I was looking at AD and GPOs last
night and noticed that they have several logon scripts linked to
each of the OUs. It most cases there are two or three different,
distinct logon scripts per OU: one does drive mapping and one does
printer mapping and the third one calls other applications. All
logon script files are .vbs and all are delivered via GPO. There
are several OUs - each of which contain a sub-OU for users and
another sub-OU for computers. The single GPO is linked to the
"parent" OU. So, there is a "ACME" OU (with the corresponding
'users' and 'computers' sub-OUs) and there is a "WIDGET" OU (with
the corresponding 'users' and 'computers' sub-OUs) and there is the
"ACME GPO" and the "WIDGET GPO". Each GPO holds both user-side and
computer-side settings.....since we are talking only about logon
scripts we are looking at the user-side.....
Is it *normal* (whatever that word might mean) for there to be
multiple Logon Scripts? There does not appear to be any overlapping
of "content"....
Now, I also noticed that several of the users in one specific OU
have a 'logon.bat' associated with their user profile -IN ADDITION
TO- the multiple logon scripts that are delivered via GPO.
Now, things - as best I can tell - are working (from the end-user
perspective). But we just took over yesterday (well, in
part....today is officially 'Day 1').
I am asking because I - in all my years - have never really seen
this situation before. I guess, technically speaking, you could
have multiple logon scripts (delivered via different means). Seems
more like a mess to me....but what do I know? ;-)
Thanks,
Cary
Cary Shultz
2009-09-01 14:03:22 UTC
Permalink
Meinolf....

Just a little bit. I am actually going to speak with the former consultants
(my colleague down here in BEAUTIFUL Roanoke, VA tells me that they are a
really nice set of guys...we usually deal with, er, the opposite of them!)
to see what the thought process was with all of the Domain Admins and the
use of restricted groups (I really love that tool! Just not in this
specific case) Domain Users | Built-in Administrators.....I betcha that
Delegation will be a part of the answer (but not all of it...being a Domain
Admin does not necessarily require any 'delegation', right?).....

We recently took over another client who was a complete mess and I fixed
that up right quick! Made use of Delegation for one of the remote
offices....everyone is happy now. The client was informed by the previous
consultant that the environment, well, let's just say that what the client
was told and what I saw did not jive - at all! Problem solved in about 45
minutes.

It looks like this is going to be a similar case......but the environment is
much larger (150 people compared to 15). Still, no worries!

Thanks for the help! I guess that I get stuck in my ways sometimes.

Cary
Post by Meinolf Weber [MVP-DS]
Hello Cary,
Seems you have a lot work with that network to understand all the
configuration, especially if you try to remove them the admin permissions
i wish you luck and a good boss who will support this. The same applies
for the tons of domain admins, maybe the boss is open for delegating
control on OU base for most of them.
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Post by Cary Shultz
Meinolf - Guten Morgen!
Das habe ich mir gedacht, wollte aber erst Mal fragen!
I really could not come up with any reasons why this was "wrong" other
than it "looked funny". How is that for technical observation?!!!!!
Technically, I was wondering if having multiple logon scripts was
problematic in the processing at the client level. Does not appear to
be (from the end-user perspective) but will look further into this.
And, SORRY - WIN2003 SP2 Domain Controllers with WINXP SP2/SP3 clients.
I really like the article that you included. I was betting with my
colleague yesterday that things were set up this way for purposes of
delegation at the OU level. They have a TON of Domain Admins (really
going to try to change that) and they do have another interesting set
up: Domain Users is a member of the built-in Administrators! Gotta
love that. Going to 'correct' that situation as well. I will have a
look with dsacls today (regarding the delegation question).
As always - Thanks!
Post by Meinolf Weber [MVP-DS]
Hello Cary,
You can configure your policies as you like. I assume the login.bat
will contain some global settings and then as you said the OU
specific ones.
This is not a faulty setup, just different. And as you can see it works.
The planning and deployment of GPOs/scripts is always a decision of
the people themself and you have many ways to achive the goal. As a
basic rule you should deploy them to use as less resources as
possible.
http://technet.microsoft.com/en-us/magazine/2008.01.gpperf.aspx
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Post by Cary Shultz
Good morning!
We just inherited a new client and I was looking at AD and GPOs last
night and noticed that they have several logon scripts linked to
each of the OUs. It most cases there are two or three different,
distinct logon scripts per OU: one does drive mapping and one does
printer mapping and the third one calls other applications. All
logon script files are .vbs and all are delivered via GPO. There
are several OUs - each of which contain a sub-OU for users and
another sub-OU for computers. The single GPO is linked to the
"parent" OU. So, there is a "ACME" OU (with the corresponding
'users' and 'computers' sub-OUs) and there is a "WIDGET" OU (with
the corresponding 'users' and 'computers' sub-OUs) and there is the
"ACME GPO" and the "WIDGET GPO". Each GPO holds both user-side and
computer-side settings.....since we are talking only about logon
scripts we are looking at the user-side.....
Is it *normal* (whatever that word might mean) for there to be
multiple Logon Scripts? There does not appear to be any overlapping
of "content"....
Now, I also noticed that several of the users in one specific OU
have a 'logon.bat' associated with their user profile -IN ADDITION
TO- the multiple logon scripts that are delivered via GPO.
Now, things - as best I can tell - are working (from the end-user
perspective). But we just took over yesterday (well, in
part....today is officially 'Day 1').
I am asking because I - in all my years - have never really seen
this situation before. I guess, technically speaking, you could
have multiple logon scripts (delivered via different means). Seems
more like a mess to me....but what do I know? ;-)
Thanks,
Cary
Ace Fekay [MCT]
2009-09-01 12:55:45 UTC
Permalink
"Cary Shultz" <***@outsourceit.com> wrote in message news:%***@TK2MSFTNGP03.phx.gbl...

Sounds more of a complicated mess between the GPO scripts and the logon
scripts in AD properties, that I think can be consolidated into one script
using conditional variables (if one group, then whatever, etc).

As Meinolf did, I wish you luck, too, and hope your boss is understanding.
:-)

Ace
Post by Cary Shultz
Meinolf - Guten Morgen!
Das habe ich mir gedacht, wollte aber erst Mal fragen!
I really could not come up with any reasons why this was "wrong" other
than it "looked funny". How is that for technical observation?!!!!!
Technically, I was wondering if having multiple logon scripts was
problematic in the processing at the client level. Does not appear to be
(from the end-user perspective) but will look further into this.
And, SORRY - WIN2003 SP2 Domain Controllers with WINXP SP2/SP3 clients.
I really like the article that you included. I was betting with my
colleague yesterday that things were set up this way for purposes of
delegation at the OU level. They have a TON of Domain Admins (really
Domain Users is a member of the built-in Administrators! Gotta love
that. Going to 'correct' that situation as well. I will have a look with
dsacls today (regarding the delegation question).
As always - Thanks!
Post by Meinolf Weber [MVP-DS]
Hello Cary,
You can configure your policies as you like. I assume the login.bat will
contain some global settings and then as you said the OU specific ones.
This is not a faulty setup, just different. And as you can see it works.
The planning and deployment of GPOs/scripts is always a decision of the
people themself and you have many ways to achive the goal. As a basic
rule you should deploy them to use as less resources as possible.
http://technet.microsoft.com/en-us/magazine/2008.01.gpperf.aspx
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Post by Cary Shultz
Good morning!
We just inherited a new client and I was looking at AD and GPOs last
night and noticed that they have several logon scripts linked to each
of the OUs. It most cases there are two or three different, distinct
logon scripts per OU: one does drive mapping and one does printer
mapping and the third one calls other applications. All logon script
files are .vbs and all are delivered via GPO. There are several OUs -
each of which contain a sub-OU for users and another sub-OU for
computers. The single GPO is linked to the "parent" OU. So, there is
a "ACME" OU (with the corresponding 'users' and 'computers' sub-OUs)
and there is a "WIDGET" OU (with the corresponding 'users' and
'computers' sub-OUs) and there is the "ACME GPO" and the "WIDGET GPO".
Each GPO holds both user-side and computer-side settings.....since we
are talking only about logon scripts we are looking at the
user-side.....
Is it *normal* (whatever that word might mean) for there to be
multiple Logon Scripts? There does not appear to be any overlapping
of "content"....
Now, I also noticed that several of the users in one specific OU have
a 'logon.bat' associated with their user profile -IN ADDITION TO- the
multiple logon scripts that are delivered via GPO.
Now, things - as best I can tell - are working (from the end-user
perspective). But we just took over yesterday (well, in part....today
is officially 'Day 1').
I am asking because I - in all my years - have never really seen this
situation before. I guess, technically speaking, you could have
multiple logon scripts (delivered via different means). Seems more
like a mess to me....but what do I know? ;-)
Thanks,
Cary
Cary Shultz
2009-09-01 14:04:40 UTC
Permalink
No worries! I will take my time "seeing" everything and then correct what
is wrong.

My boss pretty much let's me do my thing.....so no worries on that front,
either. My main concern is with the client!

Cary
Post by Ace Fekay [MCT]
Sounds more of a complicated mess between the GPO scripts and the logon
scripts in AD properties, that I think can be consolidated into one script
using conditional variables (if one group, then whatever, etc).
As Meinolf did, I wish you luck, too, and hope your boss is understanding.
:-)
Ace
Post by Cary Shultz
Meinolf - Guten Morgen!
Das habe ich mir gedacht, wollte aber erst Mal fragen!
I really could not come up with any reasons why this was "wrong" other
than it "looked funny". How is that for technical observation?!!!!!
Technically, I was wondering if having multiple logon scripts was
problematic in the processing at the client level. Does not appear to be
(from the end-user perspective) but will look further into this.
And, SORRY - WIN2003 SP2 Domain Controllers with WINXP SP2/SP3 clients.
I really like the article that you included. I was betting with my
colleague yesterday that things were set up this way for purposes of
delegation at the OU level. They have a TON of Domain Admins (really
Domain Users is a member of the built-in Administrators! Gotta love
that. Going to 'correct' that situation as well. I will have a look
with dsacls today (regarding the delegation question).
As always - Thanks!
Post by Meinolf Weber [MVP-DS]
Hello Cary,
You can configure your policies as you like. I assume the login.bat will
contain some global settings and then as you said the OU specific ones.
This is not a faulty setup, just different. And as you can see it works.
The planning and deployment of GPOs/scripts is always a decision of the
people themself and you have many ways to achive the goal. As a basic
rule you should deploy them to use as less resources as possible.
http://technet.microsoft.com/en-us/magazine/2008.01.gpperf.aspx
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Post by Cary Shultz
Good morning!
We just inherited a new client and I was looking at AD and GPOs last
night and noticed that they have several logon scripts linked to each
of the OUs. It most cases there are two or three different, distinct
logon scripts per OU: one does drive mapping and one does printer
mapping and the third one calls other applications. All logon script
files are .vbs and all are delivered via GPO. There are several OUs -
each of which contain a sub-OU for users and another sub-OU for
computers. The single GPO is linked to the "parent" OU. So, there is
a "ACME" OU (with the corresponding 'users' and 'computers' sub-OUs)
and there is a "WIDGET" OU (with the corresponding 'users' and
'computers' sub-OUs) and there is the "ACME GPO" and the "WIDGET GPO".
Each GPO holds both user-side and computer-side settings.....since we
are talking only about logon scripts we are looking at the
user-side.....
Is it *normal* (whatever that word might mean) for there to be
multiple Logon Scripts? There does not appear to be any overlapping
of "content"....
Now, I also noticed that several of the users in one specific OU have
a 'logon.bat' associated with their user profile -IN ADDITION TO- the
multiple logon scripts that are delivered via GPO.
Now, things - as best I can tell - are working (from the end-user
perspective). But we just took over yesterday (well, in part....today
is officially 'Day 1').
I am asking because I - in all my years - have never really seen this
situation before. I guess, technically speaking, you could have
multiple logon scripts (delivered via different means). Seems more
like a mess to me....but what do I know? ;-)
Thanks,
Cary
Ace Fekay [MCT]
2009-09-01 14:38:08 UTC
Permalink
Post by Cary Shultz
No worries! I will take my time "seeing" everything and then correct what
is wrong.
My boss pretty much let's me do my thing.....so no worries on that front,
either. My main concern is with the client!
Cool. Good luck! -)
Florian Frommherz [MVP]
2009-09-01 11:56:30 UTC
Permalink
Howdie!
Post by Cary Shultz
Is it *normal* (whatever that word might mean) for there to be multiple
Logon Scripts? There does not appear to be any overlapping of
"content"....
Yeah, you can fly that without any problem. In fact I've seen a couple
of people do that. You get to seperate the scripts depending on their
purpose which rather than have one monster-script that does all work -
assumed that all those scripts have their own purpose.

Depending on what those scripts do (hard to tell from here), you may
replace them with GP Preferences.

Florian
Cary Shultz
2009-09-01 15:16:46 UTC
Permalink
Florian!

It looks like one of them maps network drives and then a second adds
printers. There are actually several OUs - each with this set up - so it
*might* be possible to use GP Preferences. I will take a look into that.
Might not work out, though, as we do not have a WIN2008 server or any
available Vista box in that environment - yet!

Thanks,

Cary
Post by Florian Frommherz [MVP]
Howdie!
Post by Cary Shultz
Is it *normal* (whatever that word might mean) for there to be multiple
Logon Scripts? There does not appear to be any overlapping of "content"....
Yeah, you can fly that without any problem. In fact I've seen a couple of
people do that. You get to seperate the scripts depending on their purpose
which rather than have one monster-script that does all work - assumed
that all those scripts have their own purpose.
Depending on what those scripts do (hard to tell from here), you may
replace them with GP Preferences.
Florian
Loading...