Understanding GPO order and Start up Script orders

  • Question

  • I have multiple GPOs under a Workstation OU which holds all the computer accounts in them. In this OU the GPOs are for assigning different software; each software has its own GPO (so we can deploy each software separately).

    Some of these GPOs install software via MSI files, others via computer startup scripts (which run as the local system account).

    I figured startup scripts would run synchronously (which is not the default in Server 2000 and newer).

    So in one of the GPOs I set scripts to run synchronously, set the wait timeout to 0 (wait forever), and set it to wait for network connection at logon.

    I figured startup scripts would run synchronously based on the GPO link order (the lower the link order, the earlier it would install, e.g. link order GPO 1 would install its startup scripts before link order GPO 2).

    But when I check my result (gpresult /user user /h temp.html) it shows that they are almost reversed.

    So I set the ones I wanted first to run as a higher link number, and it seemed to work (sort of): most of them seem to be running in the order by highest link number to lowest, except one which has the highest link level, which ran last.

    The other thing I noticed is that even though I set startup scripts to run synchronously, I still get logged in before the scripts finish running...

    So what's the exact order in which scripts run when assigned by different GPOs?

    Tuesday, June 25, 2013 8:32 PM

Answers

  • That's ok so far. Scripts in GPOs are executed in the order the GPOs are applied. First all unenforced GPOs from the domain down to the OU, then all enforced backwards (so check enforcement status of your GPOs to verify):

    http://evilgpo.blogspot.de/2012/02/loopback-demystified.html

    http://blogs.technet.com/b/askds/archive/2013/02/08/circle-back-to-loopback.aspx

    So, scripts somehow behave "similar", but not fully equal to e.g. ADM templates, but with scripts the fact is true that the script in the winning GPO will be the last to run.

    BTW: Not a good idea to set the script timeout to zero - what happens if (for whatever reason) a script asks "are you sure (Y/N)"?


    Martin

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))

    Restore the forum design - my user defined Cascading Style Sheet!

    • Marked as answer by Zewwy Tuesday, June 25, 2013 9:36 PM
    Tuesday, June 25, 2013 8:50 PM

All replies

  • Thanks for the reply Martin,

    You usually are the first to respond to my questions, haha.

    Yes, I am fully aware of the possibility that a system would hang when scripts are set to run synchronously and have a timeout of 0. I made sure that all my scripts run without user intervention, as they are required to be run as the local system account.

    I'll double check the order of applied GPOs against that which you have stated and get back to see if all things are matching up.

    Thanks again for the help!


    • Edited by Zewwy Tuesday, June 25, 2013 9:01 PM typo
    Tuesday, June 25, 2013 8:59 PM
  • You usually are the first to respond to my questions, haha.

    Might be a result of global forum members and time zones ;-) here it's 23:00 right now and not 04:00am ;-))

    Martin

    Tuesday, June 25, 2013 9:10 PM
  • You nailed it. The applied GPOs are exactly as you stated, with enforced GPOs being applied at the bottom (last). I'll mark your reply as the answer.

    The one thing I'm not understanding is, if I set the GPO option to run scripts synchronous, why am I still able to log in before the script finishes? I can verify it by looking to see if my installation is installed via the start menu, then I run task manager and see the process and network usage spike as the software is getting installed, and once the process drops I see the software installed..... I thought setting synchronous made it so that the desktop wouldn't be available until the script has finished installing....

    If you can answer that, that would be great; if not.... oh well, it wasn't part of the initial title of this thread.

    Thanks again, you rock!

    I thank you in German, although my German is terrible.


    EDIT: I realized by checking the registry key that I was accidentally setting logon scripts to synchronous and not startup scripts, and the default behavior for anything before Windows Vista was synchronous, and all newer versions of Windows are asynchronous. So after setting Run Startup scripts asynchronous to disabled and verifying the registry key entry, I was able to see my scripts and watch them run in order, then finally prompt me for login. This is great for verifying scripts run as intended.

    Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
    ValueName: RunStartupScriptSync

    Source:

    http://blogs.technet.com/b/askds/archive/2010/03/23/group-policy-script-processing-behavior.aspx

    • Edited by Zewwy Wednesday, June 26, 2013 2:26 PM Answer 2
    Tuesday, June 25, 2013 9:36 PM
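
Added example (not part of the thread, and not code from any poster): a PowerShell model of the apply order the accepted answer describes, run over constructed sample links for a domain and one OU with four links, one of them enforced. Get-GpoApplyOrder, New-SampleLink and all GPO names are hypothetical; the model assumes the same within-container ordering for enforced links and ignores block inheritance, security and WMI filtering, site and local GPOs, and loopback.

```powershell
# Added example: models the apply order described in the accepted answer.
# Every GPO name, depth and link order below is constructed sample data.
function Get-GpoApplyOrder {
    param([Parameter(Mandatory)][object[]]$Links)
    # Depth 0 = domain, larger = closer to the computer's OU.
    # LinkOrder is the per-container number from GPMC (1 = highest precedence).
    $active = @($Links | Where-Object { $_.Enabled })

    # Pass 1: unenforced links from the domain down to the OU. Inside one
    # container the highest link number applies first and link order 1 last.
    $normal = @($active | Where-Object { -not $_.Enforced } |
        Sort-Object @{ Expression = 'Depth'; Descending = $false },
                    @{ Expression = 'LinkOrder'; Descending = $true })

    # Pass 2: enforced links "backwards", from the OU up to the domain, so an
    # enforced link is applied after every unenforced one.
    $enforced = @($active | Where-Object { $_.Enforced } |
        Sort-Object @{ Expression = 'Depth'; Descending = $true },
                    @{ Expression = 'LinkOrder'; Descending = $true })

    $step = 0
    foreach ($link in ($normal + $enforced)) {
        $step++
        [pscustomobject]@{
            Step = $step; Gpo = $link.Gpo; Container = $link.Container
            LinkOrder = $link.LinkOrder; Enforced = $link.Enforced
        }
    }
}

function New-SampleLink($Gpo, $Container, $Depth, $LinkOrder, $Enforced = $false) {
    [pscustomobject]@{ Gpo = $Gpo; Container = $Container; Depth = $Depth
                       LinkOrder = $LinkOrder; Enforced = $Enforced; Enabled = $true }
}

$links = @(
    New-SampleLink 'Default Domain Policy' 'Domain' 0 1
    New-SampleLink 'SW-A' 'Workstation OU' 1 1
    New-SampleLink 'SW-B' 'Workstation OU' 1 2
    New-SampleLink 'SW-C' 'Workstation OU' 1 3
    New-SampleLink 'SW-D' 'Workstation OU' 1 4 $true
)
Get-GpoApplyOrder -Links $links | Format-Table -AutoSize

# On a client: read the machine value named in the thread (no output = not set).
$key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
Get-ItemProperty -Path $key -Name RunStartupScriptSync -ErrorAction SilentlyContinue
```

Startup scripts follow the Step column, so the script in the GPO listed last runs last.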