Assigning a Logon Script to Student Accounts

Created: 03/14/2003 Version 0.0.0.3

I. Overview
II. Enable Loopback Processing
III. Create Group Policy
IV. Filter Group Policy
V. Troubleshooting
VI. Conclusion

I. Overview

Within CalNetAD, student accounts are maintained in the Users container in the top-level Students Organizational Unit (OU). Permissions are set to allow only domain administrators access to the Students OU. This configuration raises an issue for OU administrators. How can they assign user settings using Group Policy Objects (GPOs) to student accounts when the students log on to machines managed by the OU administrator?

A specific example would be executing logon scripts whenever students log on to a machine managed by the administrator. Creating and linking a GPO to the Student OU is not an option, since OU administrators do not have rights to the OU.

A GPO has two nodes, User Configuration and Computer Configuration, which apply to user and computer objects respectively. For a GPO linked to a computer's OU, only the Computer Configuration settings are applied, at computer startup, shutdown and each policy refresh interval. For a GPO linked to a user's OU, only the User Configuration settings are applied, at logon, logoff and each policy refresh interval. To override this default behavior, enable and configure loopback processing mode. Loopback processing causes the User Configuration settings of a GPO linked to the computer's OU, which are normally ignored during user logon, logoff and refresh cycles, to be processed as well.

Before proceeding, verify that you have everything that you need:

  • a valid OU administrator account and password
  • the Windows 2000 Server Support Tools installed on your machine
  • the computers used for student logon identified and placed in an OU
  • a valid logon script stored on a network share accessible to the target users. A sample script is shown below:

    :: This is a sample logon script. It runs under the account of the
    :: student who logs on, so it may only reference shares that account can read.

    @echo off

    ::----------------------------------------------------------------
    :: Map User Home Directory to the next free drive letter; the
    :: mapping is not persisted, so it is recreated at each logon
    ::----------------------------------------------------------------

    net use * \\filesrv.college.berkeley.edu\home\%username% /persistent:no

    ::----------------------------------------------------------------
    :: Map Printer using Con2Prt (Resource Kit); /c connects the
    :: printer without making it the default
    ::----------------------------------------------------------------

    con2prt /c \\prtsrv.college.berkeley.edu\printer1
    :end

II. Enable Loopback Processing

  1. Log in with OU administrator privileges.
  2. Go to Administrative Tools and launch Active Directory Users and Computers.
  3. Navigate to the computers' OU.
  4. Select the OU, right-click and select Properties.
  5. Select the Group Policy tab.
  6. Click on the New button.
  7. Enter an appropriate name for the loopback policy, for example, CollegeA-Loopback Policy, following the recommended naming convention.
  8. Highlight the new policy and click on the Edit button. This will open a separate window for the Group Policy Editor console.
  9. In the Computer Configuration node, drill down to Administrative Templates\System\Group Policy.
  10. Right-click on the User Group Policy Loopback processing mode and select Properties.
  11. In the properties window, select Enabled.
  12. In the Mode drop-down box, select Merge or Replace mode. If you need a detailed explanation of the two modes, select the Explain tab or refer to Microsoft KB article 231287 - Loopback Processing of Group Policy.
  • Merge - apply user settings from User GPOs first, then user settings from Computer GPOs
  • Replace - apply user settings from Computer GPOs only, ignore User GPOs

III. Create Group Policy

  1. Log in with OU administrator privileges.
  2. Go to Administrative Tools and launch Active Directory Users and Computers.
  3. Navigate to the computers' OU.
  4. Select the OU, right-click and select Properties.
  5. Select the Group Policy tab.
  6. Click on the New button.
  7. Enter an appropriate name for the policy, for example, CollegeA-Student Logon Script-Loopback, following the recommended naming convention.
  8. Highlight the new policy and click on the Edit button. This will open a separate window for the Group Policy Editor.
  9. In the User Configuration node, go to Windows Settings\Scripts.
  10. Right-click on the Logon icon and select Properties.
  11. Click on the Add button.
  12. In the Script Name text box, type the full UNC path to the script. For example, \\filesrv.collegeA.berkeley.edu\scripts\logonscript.cmd, if you have a script named logonscript.cmd stored in the scripts share of filesrv.collegeA.berkeley.edu.
  13. In the Script Parameters text box, type any parameters required for the script.
  14. Click OK twice when done.

IV. Filter Group Policy

Introduction

By default, Authenticated Users are granted the Read and Apply Group Policy rights on a new GPO, so every user and computer receives its settings. Filtering Group Policy Objects allows administrators to control who is affected by the GPO settings.

If the administrator needs to limit the effects of the GPO to a target group of users or computers, filtering should be used. There are two methods for filtering:

  1. Explicitly deny GPO permissions to groups
  2. Grant GPO permissions to groups

Method 1: Explicit Deny: Deny GPO permissions to groups

Example: The GPO applies to all users logging on to computers in the OU except for members of the OU admin group (CollegeA-OU Admins-gs).

  1. Right-click on the OU where the GPO is linked.
  2. Select Properties.
  3. Click on the Group Policy tab.
  4. Highlight the specific GPO and click on the Properties button.
  5. Click on the Security tab.
  6. Verify that Authenticated Users have Allow permissions for Read and Apply Group Policy.
  7. Click on the Add button.
  8. Type the name of the group that should not receive the GPO, for example, CollegeA-OU Admins-gs. If you are specifying multiple groups, use a semicolon (;) as the delimiter.
  9. Click Check Names button and make corrections, if necessary.
  10. In the Permission box, click on the Deny box for the Apply Group Policy permission.
  11. You are done. Members of the selected group(s) will not get the GPO settings.

Method 2: Grant rights to GPO: Apply GPO to members of specific group(s)

Example: The GPO applies to members of specific groups logging on to the computers in the OU, not all members of Authenticated Users. This assumes that you have identified the groups to be granted Read and Apply Group Policy permission.

  1. Right-click on the OU where the GPO is linked.
  2. Select Properties.
  3. Click on the Group Policy tab.
  4. Highlight the specific GPO and click on the Properties button.
  5. Click on the Security tab.
  6. Select Authenticated Users and click on the Remove button. This disables GPO application for Authenticated Users.
  7. Now, click on the Add button.
  8. Type the name of the group to which you want to grant the Apply Group Policy right. If you are specifying multiple groups, use a semicolon (;) as the delimiter.
  9. Click on the Check Names button and make corrections, if necessary.
  10. For each group, in the Permissions box, check the Allow boxes for the Read and Apply Group Policy permissions.
  11. You are done. Only the specific groups will get the GPO.
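As an added example that is not part of the original document, the following Python model works through the processing order of Section II (Merge and Replace) together with the two filtering methods above; the GPO, group and share names are constructed for illustration, and the model simplifies the real Windows policy engine to the rules this document states.

```python
# Added example, not from the original document: a small model of which
# User Configuration GPOs reach a user, combining the loopback modes of
# Section II with the security filtering of Section IV. Names are made up.
from dataclasses import dataclass, field

AUTH_USERS = "Authenticated Users"

@dataclass
class Gpo:
    name: str
    logon_scripts: list = field(default_factory=list)
    # Allow Read + Apply Group Policy; a new GPO grants it to Authenticated Users
    allow_apply: set = field(default_factory=lambda: {AUTH_USERS})
    # Explicit Deny on Apply Group Policy (Method 1 filtering)
    deny_apply: set = field(default_factory=set)

def gpo_applies(gpo, groups):
    """Security filtering: Deny beats Allow; every user is an Authenticated User."""
    trustees = set(groups) | {AUTH_USERS}
    return not (trustees & gpo.deny_apply) and bool(trustees & gpo.allow_apply)

def effective_user_gpos(user_ou_gpos, computer_ou_gpos, loopback, groups):
    """User Configuration GPOs in processing order (a later GPO wins on conflict).
    loopback is None (default), 'merge' or 'replace'."""
    if loopback is None:              # default: only GPOs linked to the user's OU
        ordered = list(user_ou_gpos)
    elif loopback == "merge":         # user's OU GPOs first, then the computer's
        ordered = list(user_ou_gpos) + list(computer_ou_gpos)
    elif loopback == "replace":       # computer's OU GPOs only
        ordered = list(computer_ou_gpos)
    else:
        raise ValueError(f"unknown loopback mode {loopback!r}")
    return [g.name for g in ordered if gpo_applies(g, groups)]

def logon_scripts(user_ou_gpos, computer_ou_gpos, loopback, groups):
    """Scripts that run at logon, in the order the applied GPOs are processed."""
    names = effective_user_gpos(user_ou_gpos, computer_ou_gpos, loopback, groups)
    by_name = {g.name: g for g in list(user_ou_gpos) + list(computer_ou_gpos)}
    return [s for n in names for s in by_name[n].logon_scripts]

# Constructed scenario: the Students OU holds a GPO the OU admin cannot edit; the
# lab-computer OU holds the Section III script GPO, denied to OU admins (Method 1).
STUDENTS_OU = [Gpo("Students-Default")]
LAB_OU = [Gpo("CollegeA-Student Logon Script-Loopback",
              logon_scripts=[r"\\filesrv.collegeA.berkeley.edu\scripts\logonscript.cmd"],
              deny_apply={"CollegeA-OU Admins-gs"})]

if __name__ == "__main__":
    for mode in (None, "merge", "replace"):
        print(mode, effective_user_gpos(STUDENTS_OU, LAB_OU, mode, {"Students"}))
```

Running it shows that a student gets the script GPO only once loopback is enabled, that Merge keeps the Students OU GPO ahead of it, and that an OU admin is excluded by the Deny entry regardless of mode.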

This completes the section on GPO and loopback processing. If you are having problems with GPO application, refer to the troubleshooting section.

V. Troubleshooting

Use GPRESULT.EXE to track Group Policy application

GPRESULT.EXE, a Windows 2000 Resource Kit utility, displays information about the user and computer domain, group memberships and enumerates the group-policy related settings applied to the user and computer. Running this utility allows tracking of GPO application.

If you need more details displayed during computer startup/shutdown or user logon/logoff, go to the next tip.

Showing more detail during startup, shutdown, logon and logoff

To get more details on the dialog boxes displayed during startup, shutdown, logon and logoff, enable the group policy setting Verbose vs normal status messages under Administrative Templates\System of the Computer Configuration node.

This enables the display of additional information, such as the names of the GPOs being applied and the scripts executed, giving a more detailed view of the events occurring during startup, shutdown, logon and logoff.

For more details, User Environment Debug Logging can be turned on as shown in the next tip.

Enable "user environment debug logging" for detailed tracking of GPO application

There is a registry key that enables creation of a log file that records detailed information about Group Policy processing on a machine. This registry key is documented in the Microsoft Knowledge Base article 221833.

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Value: UserEnvDebugLevel
Type : REG_DWORD
Data : 10002 (Hex)

The log file will be created in %SystemRoot%\Debug\UserMode\userenv.log.

Once the issues have been resolved, make sure to disable the logging and verbose message settings. Otherwise, they can negatively impact system performance and the user experience.

VI. Conclusion

This document illustrates a process for assigning logon scripts to student accounts. Using a GPO linked to the computer OU instead of the student account OU, and enabling loopback processing, activates processing of the User Configuration settings of the computer GPO, which are normally ignored during user logon. With loopback processing enabled, any setting available in the User Configuration node can be applied even though the GPO is linked to the computer OU.
