When we are implementing RES Workspace Manager POC/Pilots on a customer’s site, one of the first things we try and do is create a new AD organizational unit (OU) where our test PCs or XenApp/RDS servers will be placed. One of the reasons we do this is that it allows us to block any existing AD group policies (GPOs) that might affect the POC, e.g. startup/shutdown/logon/logoff scripts; especially as these might be the cause of the slow logins that we are trying to improve using Workspace Manager.
For computer related GPOs we use “block inheritance” on the new OU. For user related GPOs we employ the “GPO loopback > replace” technique.
These methods work very well, but something I’ve come across on customers’ sites is that they have set up the login script in the AD properties for each user and not inside any GPO that you are trying to block, as you can see in the screen shot below. Generally this is the “old school” method of doing this but it’s still out there!
This causes us some headaches in our POC/Pilot, especially when these users are asked to start testing the POC/Pilot and the first thing that happens is they start complaining that it takes an age to log in. Why? Because the script is mapping 24 network drives and fifteen printers at logon!!
Therefore, we need to stop this script from running on our POC/Pilot environment. We could do this by simply removing the line from their AD properties, but what happens if they still want to use the existing environment that relies on this script to map drives and printers? We need to find some other way of doing it… in steps “Microsoft Software Restriction Policies”.
Using Software Restriction Policies will allow us to block these logon scripts without affecting the users’ ability to use the existing environment, and here is how.
Firstly we need to add the Software Restriction Policy to a GPO which will allow it to apply; the easiest way to achieve this would be to add it to the new GPO we have created in the first instance that applies the computer related settings.
Using the Group Policy Management Console (GPMC), edit the GPO and expand “Computer Configuration/Windows Settings/Security Settings/Software Restriction Policies”.
Right click on “Software Restriction Policies” and select “New Software Restriction Policies”.
At which point you will see some additional settings available.
Right click on “Additional Rules” and select “New Path Rule”.
You now need to tell the policy what path to block scripts running from. Most likely these scripts will be located in the NETLOGON share on your domain controllers (DC); the problem now being which DC the script will run from should you have more than one DC in your environment. Easy: we can use the %LOGONSERVER% environment variable that is used to store the logon DC used by the user who is logging on. The Security level should obviously be set to “Disallowed”.
That’s about it!! Now when you log on to the POC/Pilot environment you can be sure any unwanted logon/logoff scripts will be blocked from running.
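To confirm the rule actually landed on a POC/Pilot machine, the following added example (not part of the original post) reads the Disallowed path rules from the local policy registry and checks them against the current user's AD logon script. It assumes the script is served from the NETLOGON share of the logon DC and uses a simplified folder/wildcard match; the function and variable names are illustrative.

```powershell
# Added example: verify that a Disallowed SRP path rule covers the AD logon script.
# Level 0 under CodeIdentifiers is where Windows stores "Disallowed" rules.
$rulesKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths'

function Get-DisallowedPathRule {
    if (-not (Test-Path $rulesKey)) { return }
    foreach ($k in Get-ChildItem $rulesKey) {
        # Read the raw value so %LOGONSERVER% is shown as it was typed in the GPO.
        $opt = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames
        $raw = $k.GetValue('ItemData', $null, $opt)
        if ($raw) {
            [pscustomobject]@{
                RuleId   = $k.PSChildName
                Raw      = $raw
                Expanded = [Environment]::ExpandEnvironmentVariables($raw)
            }
        }
    }
}

function Get-UserLogonScript {
    # scriptPath is the AD attribute behind the "Logon script" box in the user's properties.
    $searcher = [adsisearcher]"(&(objectCategory=person)(sAMAccountName=$env:USERNAME))"
    [void]$searcher.PropertiesToLoad.Add('scriptpath')
    $hit = $searcher.FindOne()
    if ($hit -and $hit.Properties['scriptpath'].Count) { $hit.Properties['scriptpath'][0] }
}

$script = Get-UserLogonScript
if (-not $script) { Write-Output 'No logon script set in AD for this user.'; return }

# Assumption: the script runs from NETLOGON on the DC that handled this logon.
$full  = "$env:LOGONSERVER\NETLOGON\$script"
$rules = @(Get-DisallowedPathRule)

# Simplified match (folder prefix or wildcard), not the full SRP precedence logic.
$match = @($rules | Where-Object {
    $p = $_.Expanded.TrimEnd('\')
    $full -like "$p\*" -or $full -like $p
})

if ($match.Count) {
    Write-Output "BLOCKED: $full is covered by rule '$($match[0].Raw)'"
} else {
    Write-Output "NOT BLOCKED: no Disallowed path rule covers $full"
    $rules | Format-Table RuleId, Raw, Expanded -AutoSize
}
```

Run it as the test user after a `gpupdate /force` and a fresh logon, so that both the computer policy and %LOGONSERVER% reflect the session being tested.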