
Thread: Why user logon script won't work as Computer logon script?

  1. #1
    MrMMills

    Why will a script that works as a “user logon” script not work when used as a “computer logon” script with Group Policy?

    I have 3 groups of specific PC's that have to print to 3 different groups of specific printers. My users may sign-on at PC-PrinterGroupA one day and PC-PrinterGroupB or PC-PrinterGroupC the next day. That being said I can't use EXAMPLE A. (Below) because the Group Policy needs to be computer specific not user specific. So I tried EXAMPLE B (below) thinking that since the printers that had to be assigned were Computer specific I would use the following Computer Configuration Group Policy setting location:

    EXAMPLE A. (Group Policy Location below)
    User Configuration
    Windows Settings
    Scripts
    Logon (This VBscript to add printers here works fine but is not computer specific enough)

    EXAMPLE B. (Group Policy Location below)
    Computer Configuration
    Windows Settings
    Scripts
    Startup
    (The same VBscript to add printers here doesn’t work at all, but you can see the Group Policy
    has been passed down to the computer by using gpresult)

    I used the Group Policy Management Console (GPMC.msc), went to the Group Policy Object, then in the bottom right pane under "Security Filtering" added the computer objects I wanted to be able to run this script (bottom right pane, caption reads: "The settings in this GPO can only apply to the following groups, users, and computers."). I even went to the specific directory where the startup script resides (way down under sysvol) and made sure that the PC's (Computer Object) had “security” and “share” access defined to reach and execute the script (by default the "authenticated users" did, the computer objects did not). I also made sure that the sysvol share – all the way down to the printer script – gave the AD Computer Object rights to run the script. What am I missing?

    Any clues? If you can tell me Jeremy's book answers this – I will go buy it right now! This is driving me nuts!!!

    Here is an example of one of the VBScripts I’m running to add the printers. I have replaced the actual name of the server with “servername”. Let me add, it works fine as a user logon script, but doesn’t work as a computer logon script?

    ' Add and Set the default printer
    ' -----------------------------------------------'
    Option Explicit
    Dim objNetwork, strUNCPrinter8000
    strUNCPrinter8000 = "\\servername\HP LaserJet 8000 Series PS"
    Set objNetwork = CreateObject("WScript.Network")
    objNetwork.AddWindowsPrinterConnection strUNCPrinter8000
    ' Here is where we set the default printer to strUNCPrinter
    objNetwork.SetDefaultPrinter strUNCPrinter8000
    '
    ' Adding second printer
    ' -----------------------------------------------'
    Dim objNetwork8500, strUNCPrinter8500
    strUNCPrinter8500 = "\\servername\HP Color LaserJet 8550 PS"
    Set objNetwork8500 = CreateObject("WScript.Network")
    objNetwork8500.AddWindowsPrinterConnection strUNCPrinter8500
    Wscript.Quit

  2. #2
    AdamV

    Not sure why your particular script does not work. Personally I would use a 'regular' batch script (.cmd or .bat) using rundll32 to add the printers to the local machine, see my post in this thread:
    http://www.gpanswers.com/community/viewtopic.php?t=622

    So you could have a bunch of printers to add in each script and call the relevant one for the machines depending on the GPO allocation of the right script.

    If there are lots of printers I would run a flag check in the script so it only runs once, but if only a few it is so quick with this method that I would not worry.

    Are these "groups" of machines in different sites? If so, you could get smarter and have one script but detect the site.

    You should look at putting the computers into security groups and assigning these to the filtering, rather than one by one (which is harder to manage long term). Ideally, put the computers into separate OUs if you can (and other GPO design constraints allow).

    Actually, now I think about it, is this just not working because you have not linked the policy with the computer settings to an OU containing the computers?

  3. #3
    MrMMills

    For the record I'm more of a batch script guy myself - don't really know too much VB. Regardless, the same thing happens with DOS based batch scripts. They work as a "user" logon script, but the same script won't work as a "computer" logon script. - Yes I applied the new GPO, then went to the PC and ran GPUpdate, even rebooted, noticed the printers weren't there and ran GPRESULT. The policy showed as it was applied.

    I used the Group Policy Management Console (GPMC.msc), went to the Group Policy Object, then in the bottom right pane under "Security Filtering" added the computer objects I wanted to be able to run this script (bottom right pane, caption reads: "The settings in this GPO can only apply to the following groups, users, and computers.").

    Any other options?

  4. #4
    AdamV

    Quote Originally Posted by AdamV
    Actually, now I think about it, is this just not working because you have not linked the policy with the computer settings to an OU containing the computers?

    So where is it linked? What is in there (that OU for example) - users or computers? Since this is a computer startup script it needs to be linked to an OU with computers in (which can't be the default computers container since it is not an OU, so you may have to move your computers).

  5. #5
    MrMMills

    Oops my bad, I forgot I hadn't shown you our AD OU structure.
    As you can see below I have tried to make mgmt easy. For example: The accounting computers are at OU=Accounting Computers,OU=Computer Policies,OU=Active Group Policies,DC=desktop-assistance,DC=com

    Group Policy Management
    -------Forest: mydomain.com
    ------------Domains
    ------------------MyDomain.com
    --------------------Default Domain Group Policy Object Link
    ----------------------Active Group Policies OU
    -----------------------------Computer Policies OU
    ------------------------------------AccountingDept Computer OU
    --------------------------------------- Computer -VBAddPrinter Script (Group Policy Object Link 1 )
    --------------------------------------- Group Policy Object Link 2 (you get the idea..)
    ------------------------------------MarketingDept Computer OU
    ------------------------------------Programmer Computer OU (…OK you get the idea)
    -----------------------------User Policies OU---------------------------------Enforced Group Policy Object Link
    ------------------------------------Accounting Dept OU
    --------------------------------------- User Config Group Policy Object Link 1
    --------------------------------------- User Config Group Policy Object Link 2 (you get the idea..)
    ------------------------------------MarketingDept Computer OU
    ------------------------------------Programmer Computer OU (…OK you get the idea)


    Does this help?

  6. #6
    JerryC

    Quote Originally Posted by MrMMills
    Why will a script that works as a “user logon” script not work when used as a “computer logon” script with Group Policy?

    I have 3 groups of specific PC's that have to print to 3 different groups of specific printers. My users may sign-on at PC-PrinterGroupA one day and PC-PrinterGroupB or PC-PrinterGroupC the next day. That being said I can't use EXAMPLE A. (Below) because the Group Policy needs to be computer specific not user specific. So I tried EXAMPLE B (below) thinking that since the printers that had to be assigned were Computer specific I would use the following Computer Configuration Group Policy setting location:

    EXAMPLE A. (Group Policy Location below)
    User Configuration
    Windows Settings
    Scripts
    Logon (This VBscript to add printers here works fine but is not computer specific enough)

    EXAMPLE B. (Group Policy Location below)
    Computer Configuration
    Windows Settings
    Scripts
    Startup
    (The same VBscript to add printers here doesn’t work at all, but you can see the Group Policy
    has been passed down to the computer by using gpresult)

    Hope I'm not missing the context here, but I believe that Network Printer information is stored/cached within the user's registry. I do not think you've been able to add them using a Computer Startup script because those run in the System's context. The user hasn't even had a chance to logon. I believe that's why you have success when running it as a user logon script and not otherwise.

    I've not tried this specific type of thing before, but I would try to create a GPO which Enables Group Policy Loopback processing for these specific devices (using Merge mode in this case) and that targets the User Logon script you want to run to see if you can get that User Logon script to run in a GPO targeted at these specific devices.

  7. #7
    AdamV

    Quote Originally Posted by AdamV
    Personally I would use a 'regular' batch script (.cmd or .bat) using rundll32 to add the printers to the local machine, see my post in this thread:
    http://www.gpanswers.com/community/viewtopic.php?t=622

    Jerry, you are right that user printers can be stored in their settings in the registry (and therefore their profile) but it is also possible to add printer connections to machines instead. These are then available to all users of a machine (they are merged with their own, a bit like AllUser desktop shortcuts). If they delete a machine-based connection, it will re-spawn itself at next logon.

    I have used this technique to apply startup scripts to install printers per site so every machine had printers which were nearby, including laptops which might belong to visitors from one site to another.
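
The per-machine approach described in posts #2 and #7, written out as a computer startup script (an added example, not code posted by anyone in the thread): `rundll32 printui.dll,PrintUIEntry /ga` registers a connection for every user of the machine, so it works from the Local System context in which startup scripts run. The printer paths are the ones from post #1; the registry key and value used as the run-once flag are hypothetical names chosen for this example.

```batch
@echo off
rem Added example: computer STARTUP script for one printer group.
rem Startup scripts run as Local System before any user logs on, so this
rem script adds per-machine connections instead of per-user ones.
setlocal

rem Run-once flag (hypothetical key/value names). It lives under HKLM so a
rem standard user cannot create or remove it to change what the script does.
set "FLAGKEY=HKLM\SOFTWARE\ExampleOrg\StartupScripts"
set "FLAGVAL=PrintersGroupA"

rem reg query returns 0 when the value exists: nothing left to do.
reg query "%FLAGKEY%" /v %FLAGVAL% >nul 2>&1
if not errorlevel 1 goto :eof

rem Printer paths as given in post #1 ("servername" is the poster's stand-in).
call :AddPrinter "\\servername\HP LaserJet 8000 Series PS"
call :AddPrinter "\\servername\HP Color LaserJet 8550 PS"

rem Record that this machine has been processed.
reg add "%FLAGKEY%" /v %FLAGVAL% /t REG_SZ /d done /f >nul

endlocal
goto :eof

:AddPrinter
rem /ga = add per-machine printer connection
rem /n  = printer name (UNC path; %1 arrives already quoted)
rem /q  = quiet mode, no error dialogs (nobody is logged on to dismiss them)
rundll32 printui.dll,PrintUIEntry /ga /n %1 /q
goto :eof
```

The default printer is a per-user setting, so the `SetDefaultPrinter` step of the original VBScript has no equivalent here and would still have to run at user logon.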
