Re: scripted logon



Jeff:

I'm not sure what you mean by "Why run multiple scripts". The only script I
am running is the env-prep.vbs.

The problem is that I had to execute it from somewhere...and the only place
I knew of where I could execute it was in the Environment Properties for the
Terminal Server Configuration. Since I cannot launch both the ERP software
and the leftie script from the same field, I had to launch the ERP software
from the script. When I discovered that the script would not launch the ERP
software for Domain Users, I found that I could get around that by launching
both the leftie script and the ERP software from the same batch file.

Like I said, I may be way out in left field here, because I'm certainly no
expert. So, if I am missing something important here...please fill me in!

Thanks,

Jerry


"Jeff Pitsch" <Jeff@xxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:%23xHGD8unHHA.4132@xxxxxxxxxxxxxxxxxxxxxxx
This may be a dumb question but why didn't you simply have a login script
that runs for the left handed users to set it? Why run multiple scripts
at all if your original environment was working fine?

Jeff Pitsch
Microsoft MVP - Terminal Server
Citrix Technology Professional
Provision Networks VIP

Forums not enough?
Get support from the experts at your business
http://jeffpitschconsulting.com

CroiX wrote:
Greetings:

I may be way out in left field here, but recent events have drawn me
toward several questions that I cannot seem to find answers to. This
might turn out to be kind of a long story, but it only makes sense for me
to start at the beginning.

When I first set up our Terminal Servers, I put them in an OU and assigned
a Group Policy that uses the loopback processing mode (replace) to lock
them down pretty tight. I set them up to launch a specific application
using the Environment property *** for the RDP-Tcp Properties in the
Terminal Services Configuration. This server provides the user interface
to our new ERP system. So far, everything is fine, the server seems
secure enough and the ERP system is working just fine.

OK, so now our left-handed users want to be able to swap mouse buttons
around. However, since they have no taskbar, or anything else other than
the ERP system, there does not appear to be a quick and simple way for me
to address this problem. What I ended up doing is instead of having the
ERP system launch from the Environment Property ***, I launch a batch
file.

<= startup.bat =

start /min c:\login.bat

= startup.bat =>

## Startup.bat simply calls another minimized batch and then exits.

<= login.bat =

@echo off

cscript c:\env-prep.vbs

"C:\Program Files\MAPICS\SyteLine\WinStudio.exe" -aWinStudio

exit

= login.bat =>

The minimized batch file then executes a VBS script via cscript.exe, and
then launches the ERP software. Now, however, I have this little
minimized batch window that will not go away because there is no return
from the ERP software and the 'exit' statement never executes.

OK, now for the southpaws I created a group in AD. Then I scripted the
mouse swap:

<= env-prep.vbs =

On Error Resume Next

WScript.Echo "This window may be closed."

Set objSysInfo = CreateObject("ADSystemInfo")
Set wshShell = WScript.CreateObject("WScript.Shell")

' Bind to the logged-on user's AD object
strUserPath = "LDAP://" & objSysInfo.UserName
Set objUser = GetObject(strUserPath)

' Check each group the user is a direct member of
For Each strGroup in objUser.MemberOf
    strGroupPath = "LDAP://" & strGroup
    Set objGroup = GetObject(strGroupPath)
    strGroupName = objGroup.CN

    Select Case strGroupName
        Case "SouthPaws"
            Return = wshShell.Run("RUNDLL32 USER32.DLL,SwapMouseButton", 1, True)
    End Select
Next

= env-prep.vbs =>

OK, now our left-handed friends are happy, but we still have this little
minimized batch window that won't go away. That bugs me, so I decided to
try loading the ERP software from the VBS script instead of the batch
file. I also got the bright idea that since I was using groups, maybe I
could make the terminal server a little more versatile by using it to
also provide a new interface for our kiosk machines:

<= revised env-prep.vbs =

On Error Resume Next

WScript.Echo("This window may be closed.")

Set objSysInfo = CreateObject("ADSystemInfo")
Set wshShell = WScript.CreateObject("WScript.Shell")

' Bind to the logged-on user's AD object
strUserPath = "LDAP://" & objSysInfo.UserName
Set objUser = GetObject(strUserPath)

' Check each group the user is a direct member of
For Each strGroup in objUser.MemberOf
    strGroupPath = "LDAP://" & strGroup
    Set objGroup = GetObject(strGroupPath)
    strGroupName = objGroup.CN

    Select Case strGroupName
        Case "Kiosk-GRP"
            ' Kiosk users get a stripped-down Internet Explorer window
            Set objIE = WScript.CreateObject("InternetExplorer.Application","objIE")
            With objIE
                .Visible = True
                .TheaterMode = False
                .Addressbar = False
                .StatusBar = False
                .MenuBar = False
                .FullScreen = False
                .Navigate "about:blank"
            End With
            Do Until objIE.ReadyState = 4
                WScript.Sleep 100
            Loop
            wshShell.SendKeys "% X"
            URL = "www.domain.local"
            objIE.Navigate(URL)
        Case "SLusers"
            ' ERP users get the SyteLine client
            strAppExec = "C:\Program Files\MAPICS\SyteLine\WinStudio.exe"
            Set objExec = wshShell.Exec(strAppExec & " -aWinStudio")
        Case "SouthPaws"
            Return = wshShell.Run("RUNDLL32 USER32.DLL,SwapMouseButton", 1, True)
    End Select
Next

= revised env-prep.vbs =>

Alright, so next I test all of this stuff out and discover that my little
minimized batch window problem is gone, and the SouthPaws case works just
fine no matter what, but the SLusers case, and the Kiosk-GRP case only
work for Domain Admins.

I also tried using the wshShell.Run method for ERP software, but that
didn't even work for the Domain Admins.

Since everything seems to work just fine for Domain Admins, I conclude
that there must be something in my group policy that prevents the Domain
Users from executing the applications from the script. Funny thing is,
however, I can launch the ERP software from the batch file, but not the
script.

The only thing I could find in the policy that looked even remotely
possible is this:

User Configuration || Administrative Templates || System
--Prevent access to the command prompt (Enabled)
---Disable the command prompt script processing also? (No)

I tried setting 'Prevent access to the command prompt (Not configured)',
and then ran 'gpupdate /force', but that didn't seem to have any effect.

Here's the policy settings (I sure hope word wrap doesn't mess it up too
bad):

<= GPO =


Group Policy Management
GPO-Terminal Servers (SyteLine)
Data collected on: 5/24/2007 9:29:06 AM

General
Details
Domain domain.local
Owner DOMAIN\Domain Admins
Created 5/10/2006 12:45:22 PM
Modified 4/27/2007 3:36:48 PM
User Revisions 140 (AD), 140 (sysvol)
Computer Revisions 70 (AD), 70 (sysvol)
Unique ID {407B97CC-04C5-4A1A-9727-1A71448A7D8E}
GPO Status Enabled

Links
Location Enforced Link Status Path
Terminal Servers (SyteLine) No Enabled domain.local/Terminal Servers (SyteLine)

This list only includes links in the domain of the GPO.
Security Filtering
The settings in this GPO can only apply to the following groups, users,
and computers:
Name
NT AUTHORITY\Authenticated Users

WMI Filtering
WMI Filter Name None
Description Not applicable

Delegation
These groups and users have the specified permission for this GPO
Name Allowed Permissions Inherited
DOMAIN\Domain Admins Custom No
DOMAIN\Enterprise Admins Custom No
DOMAIN\SL7Admin Custom No
NT AUTHORITY\Authenticated Users Read (from Security Filtering) No
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Read No
NT AUTHORITY\SYSTEM Edit settings, delete, modify security No

Computer Configuration (Enabled)
Windows Settings
Security Settings
Local Policies/Security Options
Devices
Policy Setting
Devices: Restrict CD-ROM access to locally logged-on user only Enabled
Devices: Restrict floppy access to locally logged-on user only Enabled

Interactive Logon
Policy Setting
Interactive logon: Do not display last user name Enabled

Public Key Policies/Autoenrollment Settings
Policy Setting
Enroll certificates automatically Enabled
Renew expired certificates, update pending certificates, and remove revoked certificates Disabled
Update certificates that use certificate templates Disabled


Public Key Policies/Encrypting File System
Properties
Policy Setting
Allow users to encrypt files using Encrypting File System (EFS) Enabled

Public Key Policies/Trusted Root Certification Authorities
Properties
Policy Setting
Allow users to select new root certification authorities (CAs) to trust Enabled
Client computers can trust the following certificate stores Third-Party Root Certification Authorities and Enterprise Root Certification Authorities
To perform certificate-based authentication of users and computers, CAs must meet the following criteria Registered in Active Directory only

Administrative Templates
System/Group Policy
Policy Setting
User Group Policy loopback processing mode Enabled
Mode: Replace


Windows Components/Terminal Services/Client/Server data redirection
Policy Setting
Do not allow client printer redirection Enabled
Do not allow COM port redirection Enabled
Do not allow drive redirection Enabled
Do not allow LPT port redirection Enabled

Windows Components/Windows Installer
Policy Setting
Disable Windows Installer Enabled
Disable Windows Installer For non-managed apps only


User Configuration (Enabled)
Windows Settings
Folder Redirection
Application Data
Setting: Basic (Redirect everyone's folder to the same location)
Path: %USERPROFILE%\Application Data
Options
Grant user exclusive rights to Application Data Disabled
Move the contents of Application Data to the new location Disabled

Policy Removal Behavior Leave contents

Desktop
Setting: Basic (Redirect everyone's folder to the same location)
Path: %USERPROFILE%\Desktop
Options
Grant user exclusive rights to Desktop Disabled
Move the contents of Desktop to the new location Disabled

Policy Removal Behavior Leave contents

My Documents
Setting: Basic (Redirect everyone's folder to the same location)
Path: %USERPROFILE%\My Documents
Options
Grant user exclusive rights to My Documents Disabled
Move the contents of My Documents to the new location Disabled

Policy Removal Behavior Leave contents

Start Menu
Setting: Basic (Redirect everyone's folder to the same location)
Path: %USERPROFILE%\Start Menu
Options
Grant user exclusive rights to Start Menu Disabled
Move the contents of Start Menu to the new location Disabled

Policy Removal Behavior Leave contents

Administrative Templates
Control Panel
Policy Setting
Prohibit access to the Control Panel Enabled
Show only specified Control Panel applets Enabled
List of allowed Control Panel applets
main.cpl

To create a list of allowed Control Panel applets, click Show,
then Add, and enter the Control Panel file name (ends with .cpl)
or the name displayed under that item in the Control Panel.
(e.g., desk.cpl, powercfg.cpl, Printers)


Control Panel/Display
Policy Setting
Screen Saver Disabled
Screen Saver timeout Enabled
Number of seconds to wait to enable the Screen Saver

Seconds: 0


Desktop
Policy Setting
Don't save settings at exit Enabled
Hide Internet Explorer icon on desktop Enabled
Hide My Network Places icon on desktop Enabled
Prohibit user from changing My Documents path Enabled
Remove My Computer icon on the desktop Enabled
Remove My Documents icon on the desktop Enabled

Start Menu and Taskbar
Policy Setting
Add Logoff to the Start Menu Enabled
Do not display any custom toolbars in the taskbar Enabled
Do not keep history of recently opened documents Enabled
Lock the Taskbar Enabled
Prevent changes to Taskbar and Start Menu Settings Enabled
Remove access to the context menus for the taskbar Enabled
Remove All Programs list from the Start menu Enabled
Remove and prevent access to the Shut Down command Enabled
Remove common program groups from Start Menu Enabled
Remove Documents menu from Start Menu Enabled
Remove Favorites menu from Start Menu Enabled
Remove Help menu from Start Menu Enabled
Remove links and access to Windows Update Enabled
Remove My Documents icon from Start Menu Enabled
Remove My Music icon from Start Menu Enabled
Remove My Network Places icon from Start Menu Enabled
Remove My Pictures icon from Start Menu Enabled
Remove Network Connections from Start Menu Enabled
Remove programs on Settings menu Enabled
Remove Run menu from Start Menu Enabled
Remove Search menu from Start Menu Enabled
Remove Set Program Access and Defaults from Start menu Enabled
Remove user name from Start Menu Enabled
Turn off personalized menus Enabled

System
Policy Setting
Don't display the Getting Started welcome screen at logon Enabled
Prevent access to registry editing tools Enabled
Disable regedit from running silently? Yes

Policy Setting
Prevent access to the command prompt Enabled
Disable the command prompt script processing also? No


System/Ctrl+Alt+Del Options
Policy Setting
Remove Lock Computer Enabled
Remove Task Manager Enabled

Windows Components/Internet Explorer
Policy Setting
Disable "Configuring History" Enabled
Days to keep pages in History

Policy Setting
Disable changing accessibility settings Enabled
Disable changing Advanced page settings Enabled
Disable changing Automatic Configuration settings Enabled
Disable changing Calendar and Contact settings Enabled
Disable changing certificate settings Enabled
Disable changing color settings Enabled
Disable changing connection settings Enabled
Disable changing font settings Enabled
Disable changing home page settings Enabled
Home Page

Policy Setting
Disable changing language settings Enabled
Disable changing link color settings Enabled
Disable changing Messaging settings Enabled
Disable changing Profile Assistant settings Enabled
Disable changing proxy settings Enabled
Disable changing ratings settings Enabled
Disable changing Temporary Internet files settings Enabled
Disable external branding of Internet Explorer Enabled
Disable importing and exporting of favorites and feeds Enabled
Disable Internet Connection wizard Enabled
Disable the Reset Web Settings feature Enabled
Do not allow users to enable or disable add-ons Enabled
Identity Manager: Prevent users from using Identities Enabled
Search: Disable Find Files via F3 within the browser Enabled
Search: Disable Search Customization Enabled
Turn off Crash Detection Enabled

Windows Components/Internet Explorer/Browser menus
Policy Setting
Disable Context menu Enabled
Disable Save this program to disk option Enabled
File menu: Disable New menu option Enabled
File menu: Disable Open menu option Enabled
File menu: Disable Save As Web Page Complete Enabled
File menu: Disable Save As... menu option Enabled
Help menu: Remove 'For Netscape Users' menu option Enabled
Help menu: Remove 'Send Feedback' menu option Enabled
Help menu: Remove 'Tip of the Day' menu option Enabled
Help menu: Remove 'Tour' menu option Enabled
Hide Favorites menu Enabled
Tools menu: Disable Internet Options... menu option Enabled
View menu: Disable Full Screen menu option Enabled
View menu: Disable Source menu option Enabled

Windows Components/Internet Explorer/Internet Control Panel
Policy Setting
Disable the Advanced page Enabled
Disable the Connections page Enabled
Disable the Content page Enabled
Disable the General page Enabled
Disable the Privacy page Enabled
Disable the Programs page Enabled
Disable the Security page Enabled

Windows Components/Internet Explorer/Offline Pages
Policy Setting
Disable adding channels Enabled
Disable adding schedules for offline pages Enabled
Disable all scheduled offline pages Enabled
Disable channel user interface completely Enabled
Disable downloading of site subscription content Enabled
Disable editing and creating of schedule groups Enabled
Disable editing schedules for offline pages Enabled
Disable offline page hit logging Enabled
Disable removing channels Enabled
Disable removing schedules for offline pages Enabled

Windows Components/Internet Explorer/Toolbars
Policy Setting
Configure Toolbar Buttons Enabled
Show Back button Enabled
Show Forward button Enabled
Show Stop button Enabled
Show Refresh button Enabled
Show Home button Enabled
Show Search button Disabled
Show Favorites button Disabled
Show History button Enabled
Show Folders button Disabled
Show Fullscreen button Disabled
Show Tools button Disabled
Show Mail button Disabled
Show Font size button Disabled
Show Print button Enabled
Show Edit button Disabled
Show Discussions button Disabled
Show Cut button Disabled
Show Copy button Disabled
Show Paste button Disabled
Show Encoding button Disabled

Policy Setting
Disable customizing browser toolbar buttons Enabled
Disable customizing browser toolbars Enabled

Windows Components/Task Scheduler
Policy Setting
Prevent Task Run or End Enabled
Prohibit New Task Creation Enabled

Windows Components/Terminal Services/Sessions
Policy Setting
Sets a time limit for active but idle Terminal Services sessions Enabled
Idle session limit: 1 hour

Policy Setting
Terminate session when time limits are reached Enabled

Windows Components/Windows Explorer
Policy Setting
Hide these specified drives in My Computer Enabled
Pick one of the following combinations Restrict A, B, C and D drives only

Policy Setting
Hides the Manage item on the Windows Explorer context menu Enabled
Prevent access to drives from My Computer Enabled
Pick one of the following combinations Restrict A, B, C and D drives only

Policy Setting
Remove "Map Network Drive" and "Disconnect Network Drive" Enabled
Remove Hardware tab Enabled
Remove Search button from Windows Explorer Enabled
Remove Windows Explorer's default context menu Enabled

Extra Registry Settings
Display names for some settings cannot be found. You might be able to
resolve this issue by updating the .ADM files used by Group Policy
Management.

Setting State
Software\Microsoft\Outlook Express\BlockExeAttachments 0


= GPO =>

Any thoughts on what I might be missing here? I sure would appreciate any
help that anyone can offer.

Thanks,

Jerry
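
Added example, not part of the thread: a variant of the revised env-prep.vbs that records why a launch failed instead of letting `On Error Resume Next` discard the error, which is the first thing to capture when a launch works for Domain Admins but not for Domain Users. It also normalizes `MemberOf`, which is not always an array. The group names and application path are the ones from the post; the log file name is an assumption, and the kiosk case is left out.

```vbscript
' Added example, not the poster's script. The log file name is a hypothetical choice.
Option Explicit

Const FOR_APPENDING = 8
Dim wshShell, objFSO, objSysInfo, objUser, strDN, strLogPath

Set wshShell = WScript.CreateObject("WScript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")
strLogPath = wshShell.ExpandEnvironmentStrings("%TEMP%\env-prep.log")

Set objSysInfo = CreateObject("ADSystemInfo")
Set objUser = GetObject("LDAP://" & objSysInfo.UserName)

For Each strDN In GroupDNs(objUser)
    Select Case GetObject("LDAP://" & strDN).CN
        Case "SLusers"
            ' Run does not split an unquoted path that contains spaces, so quote it.
            Launch "SyteLine", """C:\Program Files\MAPICS\SyteLine\WinStudio.exe"" -aWinStudio", False
        Case "SouthPaws"
            Launch "SwapMouseButton", "RUNDLL32 USER32.DLL,SwapMouseButton", True
    End Select
Next

' MemberOf is Empty with no groups, a String with one, an array with several.
Function GroupDNs(objAdUser)
    Dim varGroups
    varGroups = objAdUser.MemberOf
    If IsArray(varGroups) Then
        GroupDNs = varGroups
    ElseIf IsEmpty(varGroups) Then
        GroupDNs = Array()
    Else
        GroupDNs = Array(varGroups)
    End If
End Function

' Start a command and log the error code if the launch itself fails.
Sub Launch(strLabel, strCommand, blnWait)
    Dim lngErr, strErr
    On Error Resume Next
    wshShell.Run strCommand, 1, blnWait
    lngErr = Err.Number
    strErr = Err.Description
    On Error GoTo 0
    If lngErr <> 0 Then LogLine strLabel & " failed: 0x" & Hex(lngErr) & " " & strErr
End Sub

Sub LogLine(strText)
    Dim objLog
    Set objLog = objFSO.OpenTextFile(strLogPath, FOR_APPENDING, True)
    objLog.WriteLine Now & " " & objSysInfo.UserName & " " & strText
    objLog.Close
End Sub
```

A user's primary group (normally Domain Users) never appears in `MemberOf`, and nested group memberships are not expanded, so only direct memberships match the `Case` labels.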


