When on our W2k8-R2 DC I create a new GPO and configure "Computer Configuration/Policies/Windows Settings/Administrative Templates/System/Logon/run these programs at user logon" to "c:\windows\system32\notepad.exe" (just for testing) it won't take effect on Win 7 SP1, no matter what the Security Filtering options are.

It seems other settings (in the very same GPO) become active but "run these programs at user login" from the computer policies section doesn't. If I configure the very same setting in the section "user policies" instead and add "Authenticated Users" to Security Filtering, the program will be started. But that's not what I need.

I can reproduce the issue, here are the exact steps:

  • create a new group "group-a" for later security filtering
  • create a new GPO
  • set "Computer Configuration/Policies/Windows Settings/Administrative Templates/System/Logon/run these programs at user logon" to "c:\windows\system32\notepad.exe"
  • for setting the scope remove "authenticated users" from Security Filtering and add "group-a" instead
  • link the GPO to the domain root
  • make "test computer" a member of "group-a"
  • on "test computer" run "gpupdate /force", reboot, log in

Issue: notepad is not being started.

What I'm aiming for is obvious: Depending on the membership of group-a I want to configure certain programs that should be started whenever a user logs in.

gpresult /R returns that it would be applying the GPO. (It actually is but the setting "run these programs at user login" is not being applied.)

For debugging I started MMC / RSoP on one of the machines on which the GPO should have been applied and found that "run these programs at user login" is not set (which seems to be the reason why the GPO won't work on the machines).

Searching the web I found similar reports on TechNet, but no solution was found and the user used a workaround instead.

If I change the GPO so that I use the very same setting in "user configuration" instead of "computer configuration" it works as long as I add "authenticated users" to the Security Filtering. But then the GPO is applied to all users and not only to the ones using computers which are members of group-a. According to "www.grouppolicy.biz/2010/05/how-to-apply-a-group-policy-object-to-individual-users-or-computer/" I should not remove "authenticated users" but alter the security setting instead, but under Win2k8 I cannot find security settings "apply" for "authenticated users" so I cannot remove that setting, there's only "read" or "read and modify".

So two questions:

  1. Why doesn't it work when using "computer settings"?
  2. What about that Security Filtering with removing "authenticated users" and using group-a instead?

T.

user208383
  • loopback processing...btw, is your group-a a group of computers or users? I'm assuming users. – TheCleaner Feb 06 '14 at 17:21
  • I'm sorry, I don't understand "loopback processing". Should that tell me something? The group is a global security group. The group members are only computers. – user208383 Feb 07 '14 at 07:07
  • Thank you for that hint. I dug a little deeper and found that the default domain policy sets "run these programs at user logon". I expected that both settings would become active so that the program to be started from the default domain policy AND my new GPO would become active, but it seems the default domain policy exclusively "wins" so to say. I will have to take a deeper look into this. But now I know what to look for. Thanks again! – user208383 Feb 07 '14 at 12:22

3 Answers

I agree that loopback processing is the answer, but my understanding is it is a PER GPO setting so only the GPO in question applies that way.

I know in my environment that is how it works.

'This policy directs the system to apply the set of GPOs for the computer to any user who logs on to a computer affected by this policy. This policy is intended for special-use computers where you must modify the user policy based on the computer that is being used. For example, computers in public areas, in laboratories, and in classrooms.'

Same link as above.
https://support.microsoft.com/en-us/help/231287/loopback-processing-of-group-policy

Add this setting to your existing GPO.

REC

I just ran into the same problem. I had filtered the GPO with a security group with all of the computers I wanted this GPO to apply to. However, upon login the application wouldn't load. I ended up realizing it probably had something to do with me filtering out users, even though it doesn't set anything in users. I added authenticated users back, and everything works. I only have the computer version of this group policy setting set, but for some reason it needs filtering for both computers and users.

aknewhope

'What I'm aiming for is obvious: Depending on the membership of group-a I want to configure certain programs that should be started whenever a user logs in.'

It's a bad idea: your programs will be launched in Local System context.

As suggested above, you can use Loopback Processing. But this setting will affect all policies that apply to computers - please be careful with it.

And please note that the logon scripts can be processed with a significant delay (up to 15 minutes).

In my opinion the correct solution is to use GPP to manage shortcuts in the Startup menu folder. Simply create startup shortcuts.

Slipeer
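A read-only audit for the two things this thread turns on: the asker's comment that another GPO already sets "run these programs at user logon", and the answers that point to loopback processing and security filtering. This is an added example, not code from any of the posts above. The function name `Get-RunAtLogonReport` is hypothetical, and the registry paths are assumed to be where the two Administrative Templates settings are stored.

```powershell
# Added example: read-only report, changes nothing in the domain.
# Needs the GroupPolicy module (GPMC / RSAT) and read access to the GPOs.
Import-Module GroupPolicy

# Assumed storage locations of the two computer-side settings discussed above.
$RunKey      = 'HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
$LoopbackKey = 'HKLM\Software\Policies\Microsoft\Windows\System'
$LoopbackModes = @{ 1 = 'Merge'; 2 = 'Replace' }

function Get-RunAtLogonReport {   # hypothetical helper name
    foreach ($gpo in Get-GPO -All) {
        # Get-GPRegistryValue errors out when a GPO does not configure the key,
        # so suppress that and keep only entries that carry a value name.
        $run = @(Get-GPRegistryValue -Guid $gpo.Id -Key $RunKey -ErrorAction SilentlyContinue |
                 Where-Object { $_.ValueName })
        if ($run.Count -eq 0) { continue }

        # Loopback mode configured in this same GPO, if any.
        $loop = Get-GPRegistryValue -Guid $gpo.Id -Key $LoopbackKey `
                    -ValueName 'UserPolicyMode' -ErrorAction SilentlyContinue
        $mode = if ($loop) { $LoopbackModes[[int]$loop.Value] } else { 'Not set' }

        # Security filtering: who holds Read or Apply on the GPO.
        # (The cmdlet is named Get-GPPermissions on Server 2008 R2.)
        $acl = Get-GPPermission -Guid $gpo.Id -All |
               Where-Object { 'GpoApply', 'GpoRead' -contains $_.Permission } |
               ForEach-Object { '{0}:{1}' -f $_.Trustee.Name, $_.Permission }

        New-Object PSObject -Property @{
            Gpo      = $gpo.DisplayName
            Programs = ($run | ForEach-Object { $_.Value }) -join '; '
            Loopback = $mode
            Filter   = $acl -join ', '
        } | Select-Object Gpo, Programs, Loopback, Filter
    }
}

# One row per GPO that sets the computer-side run list; more than one row
# means several GPOs compete for the same setting.
Get-RunAtLogonReport | Format-List
```

On the affected client, `gpresult /H report.html` from an elevated prompt shows which of the listed GPOs is the winning one for that computer.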