Re: Login Scripts
- From: "Laura E. Hunter (MVP)" <laura(nospamplease)>
- Date: Fri, 13 May 2005 14:06:14 -0400
If I'm understanding your environment correctly, I think I would create a
GPO that's configured at the domain level (create a new one, don't edit the
Default Domain Policy) that contains the "baseline" settings that users
should receive regardless of which policies are applied. Since GPOs applied
at the OU level will override settings declared at the domain level, any GPO
applied at the OU that conflicts with the domain policy will override and
enforce the correct laptop/desktop policy settings over top of the
domain-wide settings.
--
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_
(http://tinyurl.com/7f8ll)
All information provided "AS-IS", no warranties expressed or implied.
Replies to newsgroup only.
"Jason Rogers" <JasonRogers@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:F905F363-1568-4640-96FC-E3923700CB8D@xxxxxxxxxxxxxxxx
> One of our customers uses two msi packages:
>
> Desktop.msi
> Laptop.msi
>
> They are installed on either a desktop or a laptop. The purpose of these is
> to define whether a user is logging onto a desktop or a laptop by using WMI
> filtering in a group policy. The group policies affected are:
>
> Laptop user policy (laptop.msi)
> Desktop user policy (desktop.msi)
>
> They are bound to the same OU that contains all normal user accounts. Some
> users use both types of machines so it is not possible to use OUs to
> separate the user types. Their base build does contain the correct package
> when new machines are built.
>
> The WMI filter checks if the OS is Windows XP in both cases, and depending on
> the machine type it checks for the relevant msi package. Based on this, the
> correct group policy is applied.
>
> The question is - is it possible to prevent a user from logging onto the
> domain if no MSI package is found (or is there another way to do this)?
> Currently this will cause them to receive no group policy and therefore an
> uncontrolled environment. I thought it may be possible to have a top level
> startup script which checks for a valid MSI package, if it is not found it
> sets some kind of registry key to prevent domain logons, but not local
> logons. Obviously if it prevented all types of logons you would not be able
> to get into the machine.
>
> --
> Jason Rogers
> Servo
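
A simplified model of the layering suggested in the reply above, as an added example that is not part of the original thread: it resolves which settings a user ends up with on a laptop, a desktop, and a machine carrying neither package. The GPO name "Baseline user policy" and all setting names and values are constructed for illustration, and the WMI filters are stand-in predicates rather than real WQL.

```python
# Simplified model of GPO processing: domain-linked GPOs apply first, OU-linked
# GPOs apply after and win on conflicting settings. A GPO whose WMI filter
# evaluates false on the machine is skipped entirely.
# All GPO settings below are constructed sample values, not real policy names.

def xp_with(package):
    """WMI-filter stand-in: true on Windows XP machines that have `package`."""
    return lambda m: m["os"] == "Windows XP" and package in m["installed"]

GPOS = [
    # (name, link level, WMI filter or None, settings)
    ("Baseline user policy", "domain", None,
     {"ControlPanel": "blocked", "RunCommand": "blocked", "Wallpaper": "corporate"}),
    ("Laptop user policy", "ou", xp_with("Laptop.msi"),
     {"OfflineFiles": "enabled", "ControlPanel": "limited"}),
    ("Desktop user policy", "ou", xp_with("Desktop.msi"),
     {"OfflineFiles": "disabled", "ControlPanel": "limited"}),
]

LINK_ORDER = {"domain": 0, "ou": 1}  # processed in this order; last writer wins

def effective_policy(machine, gpos=GPOS):
    """Return (applied GPO names, merged settings) for a logon on `machine`."""
    applied, settings = [], {}
    ordered = sorted(gpos, key=lambda g: LINK_ORDER[g[1]])  # stable sort
    for name, _level, wmi_filter, gpo_settings in ordered:
        if wmi_filter is not None and not wmi_filter(machine):
            continue  # filter false: this GPO contributes nothing
        applied.append(name)
        settings.update(gpo_settings)  # OU values override domain values
    return applied, settings

# Constructed sample machines.
LAPTOP = {"os": "Windows XP", "installed": {"Laptop.msi"}}
DESKTOP = {"os": "Windows XP", "installed": {"Desktop.msi"}}
UNTAGGED = {"os": "Windows XP", "installed": set()}  # neither package present

if __name__ == "__main__":
    for label, m in (("laptop", LAPTOP), ("desktop", DESKTOP), ("untagged", UNTAGGED)):
        applied, settings = effective_policy(m)
        print(f"{label:9} applied={applied}")
        print(f"{'':9} settings={settings}")
```

Calling `effective_policy(UNTAGGED, GPOS[1:])` reproduces the situation in the original question, where only the two filtered policies exist and the untagged machine receives nothing.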