none
GPO apply user Logon script or GPP who Wins

    Question

  • hi

    i have 2 GPO's linked to a OU1 GPO with precedence 1 has a GPP setting which applies a Value 

    the 2nd GPO has a Logon script which applies a value that is different that the 1st GPO

    How does Precedence take place if both have conflicting settings.

    How can i have change Linkorder/Precedence so that GPO 1 always wins

    Who Wins the battle between Logon Script for a setting or GPP for a setting 

    Also 

    None of these GPO's apply HKLM settings 

    But even though i see following when i run ProcMon during User logon. Why is HKLM setting being set when user logon , is it not a computer logon thing

    Operation - RegSetValue
    Result - Success
    Path - HKLM\SOFTWARE\MySoftware\Licensing\1\Server

    Command Line "C:\Windows\regedit.exe" /s \\DC01\NETLOGON\ABC\License.reg

    Sunday, December 28, 2014 2:55 PM

Answers

  • i have 2 GPO's linked to a OU1 GPO with precedence 1 has a GPP setting which applies a Value 

    the 2nd GPO has a Logon script which applies a value that is different that the 1st GPO

    How does Precedence take place if both have conflicting settings.

    How can i have change Linkorder/Precedence so that GPO 1 always wins

    Who Wins the battle between Logon Script for a setting or GPP for a setting? 

    check:

    http://deployhappiness.com/cse-processing-order-know-lsdou-learn-this-too/

    http://evilgpo.blogspot.de/2012/11/guids-guids-guids-2.html



    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

    Sunday, December 28, 2014 9:18 PM
  • Also 

    None of these GPO's apply HKLM settings 

    But even though i see following when i run ProcMon during User logon. Why is HKLM setting being set when user logon , is it not a computer logon thing

    Operation - RegSetValue
    Result - Success
    Path - HKLM\SOFTWARE\MySoftware\Licensing\1\Server

    Command Line "C:\Windows\regedit.exe" /s \\DC01\NETLOGON\ABC\License.reg

    Does the file "License.reg" contain HKLM settings ?
    Is the (user) Logon Script, launching this? : Command Line "C:\Windows\regedit.exe" /s \\DC01\NETLOGON\ABC\License.reg

    If so, it's because the Logon script is simply executing what it has been configured to do.

    Group Policy Admin Templates and settings which are specific to \User Configuration\ vs. \Computer Configuration\, will only be executed "per-user" or "per-computer" - just as executing "Startup Scripts" are a per-computer thing, and executing "Logon Scripts" are a per-user thing - but that is only the trigger to execute - not what the executed payload might really do.

    I would also expect such a process to fail (a user would not usually have permissions to a HKLM regkey) unless the regkey security has been relaxed, or, the user logging in has admin rights or similar.


    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

    Sunday, December 28, 2014 9:26 PM

All replies

  • i have 2 GPO's linked to a OU1 GPO with precedence 1 has a GPP setting which applies a Value 

    the 2nd GPO has a Logon script which applies a value that is different that the 1st GPO

    How does Precedence take place if both have conflicting settings.

    How can i have change Linkorder/Precedence so that GPO 1 always wins

    Who Wins the battle between Logon Script for a setting or GPP for a setting? 

    check:

    http://deployhappiness.com/cse-processing-order-know-lsdou-learn-this-too/

    http://evilgpo.blogspot.de/2012/11/guids-guids-guids-2.html



    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

    Sunday, December 28, 2014 9:18 PM
  • Also 

    None of these GPO's apply HKLM settings 

    But even though i see following when i run ProcMon during User logon. Why is HKLM setting being set when user logon , is it not a computer logon thing

    Operation - RegSetValue
    Result - Success
    Path - HKLM\SOFTWARE\MySoftware\Licensing\1\Server

    Command Line "C:\Windows\regedit.exe" /s \\DC01\NETLOGON\ABC\License.reg

    Does the file "License.reg" contain HKLM settings ?
    Is the (user) Logon Script, launching this? : Command Line "C:\Windows\regedit.exe" /s \\DC01\NETLOGON\ABC\License.reg

    If so, it's because the Logon script is simply executing what it has been configured to do.

    Group Policy Admin Templates and settings which are specific to \User Configuration\ vs. \Computer Configuration\, will only be executed "per-user" or "per-computer" - just as executing "Startup Scripts" are a per-computer thing, and executing "Logon Scripts" are a per-user thing - but that is only the trigger to execute - not what the executed payload might really do.

    I would also expect such a process to fail (a user would not usually have permissions to a HKLM regkey) unless the regkey security has been relaxed, or, the user logging in has admin rights or similar.


    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

    Sunday, December 28, 2014 9:26 PM