
Yet Another Logon Script Question 3

Status
Not open for further replies.

HessA

MIS
Mar 17, 2005
176
US
I have Markdmac's logon script edited for my use and I love it. However there are at least 2 things right now I would like to add.

How do I add a line to map a user's home directory as H: drive in VBScript?

Is there a way to choose which printer that is connected via the logon script becomes the default? (at the moment whichever printer I have set to connect first is the one that becomes the default)

Thanks in advance,

Aaron

 
I have the GPMC installed on my workstation. So I use the full Group Policy editor tool to access my GPOs rather than using the GPO tab in AD. Right underneath my Site in the Group Policy Manager it lists the Default Domain Policy and I edited that one to apply my settings to block all IM programs. It is working for me. I think propagation of the Policy between DCs is a little slow because some users can still open an IM program and some already have it blocked. I think at the moment it depends which DC they authenticated to. I don't know if by using the GPMC rather than the way you did it makes any difference.

Aaron
 
I don't believe it should, as you do it via a console, I just tap directly into the server.

You didn't have to restart any services or anything did you? I'm going to go tinker with my test boxes that I can destroy if I need to, because I'm really in the mood to heh.

Appreciate the help man, I still think something's fubared on my network.
 
As of yet no I didn't restart anything. I did do gpupdate on my workstation because mine is one of the ones not being blocked yet. I am waiting an hour or so to see if I still have people that aren't using the policy. Propagation on my network is slow for some reason.

Aaron
 
Guys, first off I have to advise AGAINST adding your login script or anything else for that matter to the Default Domain Policy. Ideally the only settings you should change there are related to password security (complex, history etc.)

So let's go by the assumption that you are putting this login script on in a new GPO and that the GPO is at an OU Level. Are your users and the groups at that same level? Have you applied any Apply rights to the GPO or are you just wanting to have it apply to the OU?

As the script is designed to work as a central script for an entire domain, I would recommend placing it at the top level of your AD. Apply the GPO to Authenticated Users.

Sorry I've been away from the forums this week. In the tail end of another 65 hour week. Let me know if the above resolves the issues.



I hope you find this post helpful.

Regards,

Mark
 
Mark,

As of right now the only thing I added to the Default Domain Policy was the blocking of msmsgs.exe, aim.exe, icqlite.exe, mirc.exe, trillian.exe, and ypager.exe. Of course along with my password lockout, password length, password expiration, and not retaining the last username when logging in. My actual login script will be applied per OU as I create new ones specifically for the different versions of the script I tailor for different departments. Would it be better for me to block the IMs another way? I used the Default Domain Policy because it applies to all authenticated users and I wanted it blocked globally.

Thanks in advance,

Aaron
 
Aaron,

If it is working then I would just not make further edits to the default. Any GPO can be applied the same way for the same permissions.

Supporting multiple scripts can be a daunting task, that is why my script has the section for checking group memberships. I'd create some Global Groups and make your OU users members of those. Then you can do it all from within a single script.

I hope you find this post helpful.

Regards,

Mark
 
So could I use the same if then for the drive mapping for printers and such? I have 7 major OUs at the moment that are based on geographic location. All seven use different printers and shared drives (different servers same forest). Then on top of that I would have to do something different for my roaming users that need drives and printers in multiple locations. Is it still better to have one big script that encompasses all or break it up to a few different scripts? Really they'd be copies of the same script tailored for each geographic location. I would like it to be a model of best practice so if it's still better to do it in one script I'd like to head in that direction.

Thanks,

Aaron
 
Mark is right, you don't really want to edit your default domain policies ever.

My current problem here is that I'm the junior admin, and I can't get stuff corrected...so I have to sort of jerry rig it.

At the moment our AD is very very screwy, and all of our users and groups are in the root "Users" container of the AD.

I had to apply the script at the DC, which I really didn't want to do...but yeah.

It wasn't the script, it was the fact that I was trying to make it a GPO, but there were no containers to apply it to. :(
 
As stated above, my suggestion would be to make each of these users a member of a Global Group (based on location or OU). You could then use the section for group checking to map drives and printers etc.

The advantage here is that you then only have to change a single script if you need to make a universal change. I think you are making life harder on yourself for the management and troubleshooting of your scripts if you have a bunch out there.

I do want to point out that EITHER way will work and both methods could be considered SOP. Using my method you have to manage the Groups, using your method you have multiple scripts. Each way has a slight drawback, but I think managing groups is easier than multiple scripts spread across multiple GPOs.

I hope you find this post helpful.

Regards,

Mark
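
The single-script, group-checking approach described in the post above, combined with the H: home-drive mapping and explicit default printer asked about at the top of the thread, as an added example; it is not Markdmac's script or any poster's code. The group names, servers, shares and printer queues are hypothetical placeholders.

```vbscript
' Added example: one logon script, behaviour selected by global group membership.
' All group names, servers, shares and printers below are hypothetical.
Option Explicit
Dim objNetwork, objSysInfo, objUser, objGroup, strHome, strDefault

Set objNetwork = CreateObject("WScript.Network")
Set objSysInfo = CreateObject("ADSystemInfo")
' Bind to the logged-on user's AD object by distinguished name.
Set objUser = GetObject("LDAP://" & objSysInfo.UserName)

' Home directory: read the path stored on the account and map it as H:.
On Error Resume Next              ' the attribute may be unset on some accounts
strHome = objUser.homeDirectory
On Error GoTo 0
If Len(strHome) > 0 Then MapDrive "H:", strHome

' Walk the user's direct group memberships and map per location.
strDefault = ""
For Each objGroup In objUser.Groups
    Select Case LCase(objGroup.CN)
        Case "loc-chicago"
            MapDrive "S:", "\\chi-fs01\shared"
            objNetwork.AddWindowsPrinterConnection "\\chi-ps01\Floor2-Laser"
            strDefault = "\\chi-ps01\Floor2-Laser"
        Case "loc-denver"
            MapDrive "S:", "\\den-fs01\shared"
            objNetwork.AddWindowsPrinterConnection "\\den-ps01\Lobby-Laser"
            strDefault = "\\den-ps01\Lobby-Laser"
        Case "roaming-users"
            ' Extra printers for users who travel; their default is left
            ' to whichever location group they also belong to.
            objNetwork.AddWindowsPrinterConnection "\\chi-ps01\Floor2-Laser"
            objNetwork.AddWindowsPrinterConnection "\\den-ps01\Lobby-Laser"
    End Select
Next

' Set the default explicitly instead of relying on connection order.
If strDefault <> "" Then objNetwork.SetDefaultPrinter strDefault

' Remove any stale mapping, then map; report a failure without aborting logon.
Sub MapDrive(strLetter, strUNC)
    On Error Resume Next
    objNetwork.RemoveNetworkDrive strLetter, True, True
    Err.Clear
    objNetwork.MapNetworkDrive strLetter, strUNC
    If Err.Number <> 0 Then WScript.Echo "Could not map " & strLetter & " to " & strUNC
End Sub
```

The Groups collection lists direct memberships only, so nested groups are not matched, and a user who belongs to more than one location group gets the default printer of whichever group is enumerated last.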
 
Yeah I do agree. I guess being less than par with VBScript I am afraid I'll have one big spaghetti script nobody will be able to understand a month from now lol. But I do agree it's the right way to go and maybe when it's said and done I will have a higher understanding of scripting altogether anyway.

Thanks again,

Aaron
 
Heh no fears Aaron, I have a basic understanding of it.

If you've done any programming, you'll be okay.

Appreciate the help guys, now to convince the boss man to do some major changes to the AD...oh joy
 
At the moment our AD is very very screwy, and all of our users and groups are in the root "Users" container of the AD.

There is nothing wrong with this configuration. Simply create a GPO at the domain level. GPOs flow downward, so it would then hit all users in the domain.

I hope you find this post helpful.

Regards,

Mark
 