GPO verify settings, policy not working

  • Monday, November 19, 2012 6:30 PM
     
     

    Trying to execute a simple logon/logoff script within group policy.  But for some reason, the policy doesn't work.  The directories are still empty and not logging any data.  The configuration is very simple, yet I can't seem to get it working.  Any thoughts as to why this wouldn't be working?  I followed the directions shown below.

    Source: http://community.spiceworks.com/how_to/show/82-monitor-user-log-in-and-log-off-without-software

    This is a great little batch file that enables an admin to keep a log of where, when and what computer users log on to and when they log off.

    1. Set up a Share on the network.

    The batch file is actually two files. One runs at user log on and one runs at user log off. When the batch files run, they create a rolling log file with the details in a shared network folder.

    1) Create a shared folder on the network. Mine is called Logs. Everyone should have full access to this share.
    2) In that folder, create a folder called User and a folder called Computer.

    2. Create the batch files.

    Copy and Paste the following into two separate text files. When you save them, remember to change the file type to .bat

    Name: Log On.bat

    rem The following line creates a rolling log file of usage by workstation
    echo Log In %Date% %TIME% %USERNAME% >> \\servername\Logs\Computer\%COMPUTERNAME%.log

    rem The following line creates a rolling log file of usage by user
    echo Log In %Date% %TIME% %COMPUTERNAME% >> \\servername\Logs\User\%USERNAME%.log

    Name: Log Off.bat

    rem The following line creates a rolling log file of usage by workstation
    echo Log Off %Date% %TIME% %USERNAME% >> \\servername\Logs\Computer\%COMPUTERNAME%.log

    rem The following line creates a rolling log file of usage by user
    echo Log Off %Date% %TIME% %COMPUTERNAME% >> \\servername\Logs\User\%USERNAME%.log

    Put these files in the Logs folder.

    3. Add the batch files to group policy.

    You do this on your User Container GPO.

    User Configuration > Windows Settings > Scripts

    Add Log In.bat to the Logon scripts box and Log Off.bat to the Logoff scripts box

All Replies

  • Monday, November 19, 2012 7:02 PM
     
     

    Hello,

    Try to log your two scripts like this (to see what's happening):

    This will create a logfile in %temp%.


    MVP Group Policy - Myths, insider information and troubleshooting on the subject of GPOs: Let's go, use GPO!


  • Monday, November 19, 2012 7:48 PM
     
     

    I'm going to give this a shot. 

    Just out of curiosity, does the parameter field always need to be filled in?  For my particular scripts I do not have a parameter defined.  I wouldn't think you need to use it, but I want to be sure.

  • Monday, November 19, 2012 7:50 PM
     
     

    For my particular scripts I do not have a parameter defined.  I wouldn't think you need to use it, but I want to be sure.

    This parameter is only for debugging.

    This is the same as redirecting a script to a file:

    http://support.microsoft.com/kb/110930/en-us


    MVP Group Policy - Myths, insider information and troubleshooting on the subject of GPOs: Let's go, use GPO!

  • Monday, November 19, 2012 8:50 PM
     
     

    I see, makes sense.

    So I don't see that folder being created in the TEMP folder.

  • Monday, November 19, 2012 9:09 PM
     
     
    I just noticed that about an hour ago, I had one Administrator login logged in the folder.  So it does appear it's working, but my question is why just this single log.  This is such a simple process, I don't know how I got it wrong.
  • Monday, November 19, 2012 11:01 PM
     
     

    So I don't see that folder being created in the TEMP folder.

    There is no folder that is created. Only a file.

    You need to logon with a user (that the policy applies to).

    Then you go to Start > Run > %temp% > ENTER

    There should be your logfile.


    MVP Group Policy - Myths, insider information and troubleshooting on the subject of GPOs: Let's go, use GPO!

  • Tuesday, November 20, 2012 5:57 AM
    Moderator
     
     

    Hi,

    As to how to assign user logon scripts, you can refer to:
    Assign user logon scripts
    http://technet.microsoft.com/en-us/library/cc781361(v=WS.10).aspx

    >>I had one Administrator login logged in the folder

    1. Make sure users have write permission on the log file.
    2. Make sure GPO has been applied to all users successfully. You can use gpresult /h report.html to verify.

    Regards,
    Cicely

  • Wednesday, November 21, 2012 7:53 PM
     
     
    On 19.11.2012 20:48, sheld0r wrote:
    >
    > I'm going to give this a shot.
    >
    > Just out of curiosity, does the parameter field always need to be
    > filled in?  For my particular scripts I do not have a parameter
    > defined.  I wouldn't think you need to use it, but I want to be sure.
    >
     
    No, it doesn't. Matthias is using this to redirect any console output to
    a file.
     
    One question: What exactly did you enter in the command field? Log
    on.bat or "Log on.bat" or without a space? And where exactly did you put
    the "Log ON.bat" file?
     
    regards, Martin
     

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    If my answer was helpful, I'm glad about a rating!
  • Wednesday, November 21, 2012 7:56 PM
     
     
     
    > I just noticed that about an hour ago, I had one Administrator login
    > logged in the folder.  So it does appear it's working, but my question
    > is why just this single log.  This is such a simple process, I don't
    > know how I got it wrong.
     
    ACLs on the target share/folder sufficient for users to write?
     

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    If my answer was helpful, I'm glad about a rating!
  • Wednesday, November 21, 2012 9:00 PM
     
     

    I'm entering logon.bat

    The logon.bat file is sitting on another server in the Logs folder as the directions instructed.  The .bat files are also sitting on the domain controller in the Policies directory.  If you do a show file the exact path is \\company.local\SysVol\company.local\Policies\{69884JKLAKL;404KJLDSFJL}\User\Scripts\Logon

  • Wednesday, November 21, 2012 9:03 PM
     
     
    Yes, they have permissions to write to the folder.
  • Wednesday, November 21, 2012 9:17 PM
     
     
    > 3. Add the batch files to group policy.
    >
    > You do this on your User Container GPO.
    >
    > User Configuration > Windows Settings > Scripts
    >
    > Add Log In.bat to the Logon scripts box and Log Off.bat to the Logoff scripts box


    One more point - you cannot link GPOs to the "users" container - are you sure your GPO is applied to your users?
    gpresult /h report.html -> open report.html


    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    If my answer was helpful, I'm glad about a rating!
  • Wednesday, November 21, 2012 9:36 PM
     
     

    I believe they are applied to my users.  What I've done is created groups for each department and dropped my users in each group accordingly. 

    I have the report.html opened up, what info shall I provide to confirm? Too much internal info to post online.

  • Thursday, November 22, 2012 9:03 AM
    Moderator
     
     

    Hi,

    Where did you link the GPO? If you linked it to some OU, make sure to put the users into that OU.

    In report.html, you can check whether the GPO appeared under the Applied GPOs and logon scripts settings appeared under User configuration without any error.

    Regards,
    Cicely

  • Wednesday, November 28, 2012 9:32 PM
     
     

    I had to step away from this issue to take care of another, but now my full focus is back on this issue. 

    I linked my GPO to all the OUs I created for each department.  Each OU has the designated user for that department, so I verified users are indeed in the OU. 

    At the very top of the report I ran, I see Group Policy Objects > Applied GPOs.  Under this category I have Net Time, Default Domain Policy, Default Domain Controller Policy.  I'm thinking the policy isn't correctly applied, obviously since it's not working.

    At one point it was working, but somebody intentionally broke it.  Is there a way to find out what was removed or modified?

  • Thursday, November 29, 2012 12:14 PM
     
     
     
    > At one point it was working, but somebody intentionally broke it.  Is
    > their a way to find out what was removed or modified?
     
    No, but you can also check the "rejected policies" and the reason why
    they are rejected.
     
    If your GPO is listed in neither applied or rejected, then it isn't
    properly linked to the right OUs...
     

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    If my answer was helpful, I'm glad about a rating!
  • Monday, December 10, 2012 7:43 PM
     
     

    The policy was showing up under Denied GPOs, reason it was denied was 'empty'.  I've linked the GPO to the appropriate OU and it's no longer in the Denied GPO list.  But it's not showing up in the applied GPO list.  So I'm still not linking it correctly, but I don't know why.

  • Tuesday, December 11, 2012 12:29 AM
     
     
    Interestingly enough, I don't see the working GPOs listed either.  And I know those work.  I'm confused as to why one GPO is working, and another is not, yet neither one is showing up in applied GPOs.  The only ones I have listed are Net Time, Default Domain Policy, Default Domain Controller Policy.  I'm pretty sure these are default.
  • Tuesday, December 11, 2012 1:00 PM
     
     
     
    > Interestingly enough, I don't see the working GPOs listed either. 
    > And I know those work.  I'm confused as to why one GPO is working, and
    > another is not, yet neither one is showing up in applied GPOs.  The
    > only ones I have listed are Net Time, Default Domain Policy, Default
    > Domain Controller Policy.  I'm pretty sure these are default.
     
    Please check where your object is located in AD.
    dsquery user -samid <accountname>
     
     

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    If my answer was helpful, I'm glad about a rating!
  • Tuesday, December 11, 2012 7:47 PM
     
     

    Alright so here's what I got from that command you listed

    "CN=Joe Schmoe, OU=Finance, OU=Company, OU=X - Companies, DC=company, DC=local"

    Inside of the Group Policy Objects, I have one called Logging.  Inside Logging under the links I have the Finance OU listed, with Enforced NO and Link Enabled YES.  Below that under Security Filtering, I have the Finance Policy Group, which has that particular user I'm testing with in and I also tried adding just the user alone in the Security Filtering. Still no go.

  • Wednesday, December 12, 2012 12:39 PM
     
     
     
    > Inside of the Group Policy Objects, I have one called Logging.  Inside
    > Logging under the links I have the Finance OU listed, with Enforced NO
    > and Link Enabled YES.
     
    And no entry in either "applied" or "denied"? Do you have "loopback
    replace" enabled? (Computer - adm-templates - group policy)
     

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    If my answer was helpful, I'm glad about a rating!
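    An added diagnostic for the two checks raised in this exchange (where the user object sits in AD, and whether the GPO is linked and security-filtered so that it can reach that user); this is example code written for this page, not from any poster, and it assumes the RSAT ActiveDirectory and GroupPolicy modules plus the placeholder account 'jschmoe' and the thread's GPO name 'Logging'.

```powershell
# Added diagnostic script, not from the thread or any poster in it. For a user and
# a GPO such as "Logging" it answers: is the GPO linked (and enabled) somewhere in
# the user's OU chain, and does the user hold Apply rights on it? Requires the RSAT
# ActiveDirectory and GroupPolicy modules; 'jschmoe' below is a placeholder name.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Get-GpoReachability {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $GpoName
    )

    # 1. Locate the user object (same answer as: dsquery user -samid <name>).
    $user = Get-ADUser -Identity $SamAccountName -Properties MemberOf
    $dn   = $user.DistinguishedName

    # 2. Walk from the user's parent container up to the domain root and record the
    #    GPOs linked at each level. Only OUs, the domain and sites carry links, so a
    #    user left in the default CN=Users container receives domain-level GPOs only.
    $linkFound = $false
    $links     = New-Object System.Collections.Generic.List[string]
    $som       = ($dn -split ',', 2)[1]            # drop the CN=<user> leaf
    while ($som) {
        if ($som -match '^(OU|DC)=') {
            foreach ($l in (Get-GPInheritance -Target $som).GpoLinks) {
                $links.Add(('{0} -> {1} (Enabled={2}, Enforced={3})' -f
                            $som, $l.DisplayName, $l.Enabled, $l.Enforced))
                if ($l.DisplayName -eq $GpoName -and $l.Enabled) { $linkFound = $true }
            }
        }
        if ($som -match '^DC=') { break }          # the domain root was just processed
        $som = ($som -split ',', 2)[1]
    }

    # 3. Security filtering: Apply must reach the user directly or via a group.
    #    MemberOf lists direct groups only, and the primary group (Domain Users)
    #    never appears there, so it is added by hand. Trustees are compared by
    #    sAMAccountName, which is how Get-GPPermission reports them.
    $principals = @($user.SamAccountName, 'Authenticated Users', 'Domain Users') +
                  @($user.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_).SamAccountName })
    $applyVia = @(Get-GPPermission -Name $GpoName -All |
        Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied -and
                       $principals -contains $_.Trustee.Name } |
        ForEach-Object { $_.Trustee.Name })

    $verdict = if (-not $linkFound)           { "$GpoName is not linked (enabled) above the user's container" }
               elseif ($applyVia.Count -eq 0) { "$GpoName is linked, but security filtering excludes the user" }
               else                           { "$GpoName should reach the user; check gpresult /h for Denied reasons" }

    [pscustomobject]@{
        User            = $dn
        LinksInScope    = $links
        GpoLinkedAbove  = $linkFound
        ApplyGrantedVia = $applyVia
        Verdict         = $verdict
    }
}

Get-GpoReachability -SamAccountName 'jschmoe' -GpoName 'Logging' | Format-List
```

    Loopback processing, cross-domain links and nested group membership are outside what this script checks; it is meant to rule out the two causes discussed above before reading the gpresult report.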
  • Wednesday, February 27, 2013 1:30 AM
     
     

    Heya Martin,

    Are you still around the forums?  I dropped this topic because of some other more critical issues that surfaced, and I'm finally able to come back to this issue.  This issue has now really hurt us, as I need to apply some new policies.  So you left off with the question of whether 'loopback replace' was enabled? I don't believe it's enabled; should it be?  Isn't that per computer?

    I still find it odd that I don't see a list of applied GPOs, only the one called 'Default Domain Policy'.  I'm not exactly sure why some policies work, and some don't.  I tested another GPO in my test environment and noticed that if I change something and try to apply it again, it no longer works.  Is something causing these abnormal issues, as in a setting that is held or needs to be enabled/changed? I'm all over the place, and frustrated because the person who originally set up this GPO did a real shiat job, and unfortunately I can't start over.

    Sorry for the long delay on this Martin, I appreciate your time. 

  • Wednesday, February 27, 2013 11:56 AM
     
     
     
    > Are you still around the forums?
    >
     
    Sure I am :-D
     
    On an affected computer, open gpmc.msc, navigate to your domain - Group
    Policy Results and create a report for an affected user. In this report,
    in the computer summary and user summary, check what GPOs are applied
    (and where they are linked), and check what GPOs are not applied and
    why. This is the starting point.
     
    Also, on a command prompt (when logged on with the above affected user)
    execute "gpupdate /force" and examine the output - any warnings or errors?
     

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    If my answer was helpful, I'm glad about a rating!
  • Wednesday, February 27, 2013 6:10 PM
     
     

    Good to know!!  So here's what I got...

    Computer summary

    Denied GPO
    Name: Logging      link location: company.local        Reason Denied: Empty
    Name: {BD8477-4EG04-4LFG547}      link location: ppmc.local      Reason: Inaccessible

    I have about 7 of the {BD8477-4EG04-4LFG547} but I didn't want to list them all.  These basically tell me that they've been deleted, is that correct?  But to focus on the Logging issue, that's what I have for computer summary.  Here is User summary

    User Summary
    Applied GPOs
    Name: Logging      link location: company.local       

    Denied GPOs
    Name: Proxy      link location: company.local/accountingdept        Reason Denied: Inaccessible 

    I threw in one more here that I'm having problems with, simply because I'm a little confused as to why computer shows it denied, and User shows it enabled.  From my understanding, one will be set for a specific user and one will be set for the computer itself.  But I thought I only had it configured for the user.

    The reason for empty is because the policy doesn't have a condition, like a script to run or something.  But I've verified the scripts are in the right places.
    The reason for inaccessible and random numbers showing up, is the act of malicious intent.  The group policy was intentionally broken by a technician that is no longer here, so now I need to clean it up.

  • Wednesday, February 27, 2013 8:53 PM
     
     

    Now we get closer :D

    first: "Reason denied:Empty" is misleading. This GPO is not really denied, but there are simply no Computer Settings defined. Nothing to really care about, just Informational... User applies it simply because she has access and it is not empty.

    second: "Inaccessible" - this is a result of things having gone wrong... From your output, I see that you are using cross-domain GPO links. That's hard to support through a forum. Anyway - there's some kind of ACL in place. Either "no apply rights" (this may apply to the user "Proxy" GPO: the user has read access, that's why we see a name, but she does not have apply access) or "no access at all" (this may apply to all the GUID GPOs where the computer does not even have read access, thus being unable to resolve the GUID to a name).


    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    If my answer was helpful, I'm glad about a rating!

  • Monday, March 04, 2013 7:57 PM
     
     

    So let me ask you this Martin, I've tried adding another group policy, and I noticed it still isn't working.  So something is amiss in the configuration, that the previous technician setup.  You also mentioned, that we are using cross Domain GPO links.  Is that bad, or just harder to troubleshoot since it's global?

    If I wanted to start from scratch, how would you go about doing that with the existing policies?  I realize that's a broad question, but what I'm concerned about is if I deploy a new GPO set does that override the policies the users have now?  The more I type this post, the more complicated I feel it gets.  I guess what I'm truly after is configuring my GPO the right way!  What do you think, how deep am I in the hole?

  • Wednesday, March 06, 2013 6:31 PM
     
     
    I take it that's too broad of a question?
  • Wednesday, March 06, 2013 8:14 PM
     
     
    On 04.03.2013 20:57, sheld0r wrote:
    > If I wanted to start from scratch, how would you go about doing that
    > with the existing policies?
     
    That in fact IS a broad question, but in short:
     
    Create a new OU for computers, another one for users (or new OU trees,
    if required). Create policies as required and move designated users and
    computers to the new OUs. Test thoroughly and then - bump :-) At least,
    that's what I would do.
     
    Get rid of the old stuff you didn't implement and aren't responsible for
    - that's the only true way out.
     

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    If my answer was helpful, I'm glad about a rating!
  • Friday, March 08, 2013 10:16 PM
     
     
    This is unreal!  I created a new simple group policy that installs an .msi for a particular user.  It doesn't work; I saw it run once, meaning it worked one time! And after that it doesn't work anymore.  I needed to add another file to the .msi, so when I went back to run it again after I updated the GPO, it didn't work.  Is GP that finicky, that you can only run it once?  This is unbelievable, GP is so frustrating and annoying.  Something so easy can create nothing but headaches! 
  • Saturday, March 09, 2013 9:28 PM
     
     
    On 08.03.2013 23:16, sheld0r wrote:
    > This is unreal!  I created a new simple group policy that installs an
    > .msi for a particular user.  It doesn't work, I
    > see it run once meaning it worked one time! And after that it doesn't
    > work anymore.
     
    MSI GPOs have a "brain" - they remember what they already did and do not
    do it again...
    > GP is so frustrating and annoying.  Something so easy can create
    > nothing but headaches!
     
    That's just because you miss some knowledge and experience ;-)
     

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    If my answer was helpful, I'm glad about a rating!
  • Monday, March 11, 2013 3:48 PM
     
     
    I was afraid you would say something like that Martin, so with that being said how do you work around or with that?  It can't just be a one shot deal, right?  Missing knowledge and experience, yes most definitely!! But I'm working on that, slowly but surely. 
  • Tuesday, March 12, 2013 10:09 PM
     
     
    On 11.03.2013 16:48, sheld0r wrote:
    > how do you work around or with that?
     
    I'm the bad guy ;-)) Visit the AskDS blog (select the GPO tags) for a
    starter, and visit my own blog for some of the more advanced techniques
    in GPOs.
     
    And for Software installation: Do not use GPOs if you want to avoid
    trouble. Use SCCM/SCE or any other convenient product.
     

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    If my answer was helpful, I'm glad about a rating!