none
COMPUTER GPO - Run these programs at user logon - not working as intended on Win7 clients RRS feed

  • Вопрос

  • Task:  To launch the client computer's default web browser to visit a specific site, at any user logon.

    Server: 2008 R2 sp1

    GPO:

    Scope Security Filtering:  Everyone
    Scope WMI Filtering: <none>
    Details GPO Status: User configuration settings disabled
    Settings:

    > Computer Configuration
     > Administrative Templates
      > System
       > Logon
        > Run these programs as user logon
           + ENABLED
           Items to run at logon = http://abcde.abc/

    This populates registry key:

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\1 = http://abcde.abc/

    There are no other settings in this simple, single instruction GPO.

    And now for my favorite part; Windows XP likes this GPO no problemo.  Windows 7 sp1 PRO accepts the GPO, includes the Registry key, but no browser launches.  Why am I banging my head on this?

    Quoting the GPO information:

    Specifies additional programs or documents that Windows starts automatically when a user logs on to the system.

    To specify values for this setting, click Show. In the Show Contents dialog box in the Value column, type the name of the executable program (.exe) file or document file. To specify another name, press ENTER, and type the name. Unless the file is located in the %Systemroot% directory, you must specify the fully qualified path to the file.

    Note: This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the system starts the programs specified in the Computer Configuration setting just before it starts the programs specified in the User Configuration setting.

    Also, see the "Do not process the legacy run list" and the "Do not process the run once list" settings.


    8 сентября 2011 г. 16:29

Все ответы

  • So I've had some fun with this and tried a few other things.

    1. notepad.exe - works... okay that means Win7 is at least is parsing the RUN key, but still does nothing about a url as a Startup .

    2. Programmatically create and call a vbs in a single line; works from cmd line, but unfortunately neither WXP nor Win7 will parse this as a RUN REG_SZ .

    echo CreateObject("Shell.Application").Open "http://abcde.abc" > %temp%\launch.vbs & echo CreateObject("Scripting.FileSystemObject").deletefile(wscript.ScriptFullName) >> %temp%\launch.vbs & %temp%\launch.vbs

    or

    %comspec% /c "echo CreateObject("Shell.Application").Open "http://abcde.abc" > %temp%\launch.vbs & echo CreateObject("Scripting.FileSystemObject").deletefile(wscript.ScriptFullName) >> %temp%\launch.vbs & %temp%\launch.vbs"

    So I went where I should have gone in the first place, Group Policy Preferences and :

    3. Created a Windows Settings > Shortcuts > URL in All Users Startup.

    Now since the original legacy GPO setting works with WXP, I've ILT this GPP to Windows 7 only, and there was much rejoicing.

     

    It's true that I've resolved my task issue by getting Win7 clients to behave just like the WXP clients, but it sill leaves the question of why does this particular legacy setting not work when using a URL for the "Run these programs as user logon" on Windows 7 clients like it does for Windows XP?

    Is it a deliberate feature lockdown or is it a Windows 7 bug ?

    8 сентября 2011 г. 18:22
  • Hi Robert,

    Did you turn UAC on?

    Please configure the EnableLinkedConnections registry value, follow these steps:

    1. Click Start, type regedit in the Start Search box, and then press Enter.
    2. Locate and then right-click the following registry subkey:
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    3. Point to New, and then click DWORD Value.
    4. Type EnableLinkedConnections, and then press Enter.
    5. Right-click EnableLinkedConnections, and then click Modify.
    6. In the Value data box, type 1, and then click OK.
    7. Exit Registry Editor, and then restart the computer.

    Then check if it works.

    Regards,

    Miya


    This posting is provided "AS IS" with no warranties, and confers no rights. | Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    12 сентября 2011 г. 7:15
    Модератор
  • I don't see how http://support.microsoft.com/kb/937624, "Programs may be unable to access some network locations after you turn on User Account Control in Windows Vista or in Windows 7" has anything to do with Windows 7 default behaviour when issued with the command of a url from the RUN key.

    If it was simply a matter of security, it would at least dump an error into a log, but no events are logged anywhere, ever.

    I'll test this tomorrow, but bypassing security isn't something I'm warm to, and this kb still doesn't directly answer the question of why does Windows 7 behave differently for something so simple as default behaviour when issued a URL from the RUN.


    BTW, the URL is also a trusted site.
    12 сентября 2011 г. 18:41
  • Thanks for the update.

    Hope we can get your good news. If not work, we need further research.

    Regards,

    Miya


    This posting is provided "AS IS" with no warranties, and confers no rights. | Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    13 сентября 2011 г. 9:06
    Модератор
  • Since I posted this unusual behavior 5 days ago, has anyone else tried this particular simple setting to see if it does not work as I have described? 
    13 сентября 2011 г. 13:14
  • I'll test this when I have time later today.  Any chance it needs to be prefixed with iexplore or iexplore.exe?
    • Изменено JuliusPIV 13 сентября 2011 г. 14:53
    13 сентября 2011 г. 14:40
  • I've actually come across an old thread pre-dating Windows 7, on another forum, that describes how you explicitly cannot do that, but how what I'm doing should work:

    http://www.petri.co.il/forums/showthread.php?t=21567

    Besides which, I do not want to force the use of IE, but rather the default browser, whether it be Firefox, Chrome, Opera or whatever.

    Others have suggested invoking loopback policy processing, however this is not a user configuration, but a comptuer configuration.  I tried it anyways and there was no change.

    As I stated in the second message in this thread, dropping a simple .exe into the field works; for some reason, Win7 is simply doing nothing, no fail, no launch and fail, no nothing, when a URL is supplied in the legacy GPO for RUN.

    I've had a couple of other fires dropped into my lap today, but I'm hopeful I'll be able to try a couple of other ideas.

    13 сентября 2011 г. 15:42
  • I won't be of much help here other than confirming it doesn't work.  I followed Robert's steps and had the system try to run 'http://www.oracle.com', 'iexplore www.redhat.com', and 'iexplore.exe www.hotdealsclub.com'.  After a quick 'gupdate /force /boot && gpresult /R' to confirm its working I rebooted and only the latter URLs opened, not the Oracle site.

    I wouldn't be surprised if this was an intentional, undocumented, 'feature' change.

    13 сентября 2011 г. 17:30
  • Thank you Julius!  I'm not mad after all.. well only mostly mad.

    As I've also stated above, I switched to delivering this solution to Windows 7 by using the GPP for creating a shortcut in the AllUsers Startup.

    Considering some of the fun we've been having implementing some Windows 7 solutions of late, it's good to see an issue confirmed by an outsider at last.

    13 сентября 2011 г. 17:38
  • I got into a Windows XP VM that I forgot I had and added the machine to the GPO scope and sure enough it works fine without changing a thing; All three links opened up.  Amazing!

    Robert: You may be entitled to free support on this since it appears it could be a true bug or an undocumented 'feature' change.

    15 сентября 2011 г. 16:24
  • Thanks again Julius.  It's good to see this behaviour confirmed.

    It's no longer an issue to my design since I've switched over to using GPP as a solution for delivery of the element, but it still exists as a potential issue for someone else somewhere.

    Now what?

    15 сентября 2011 г. 17:22
  • Did you get any further with a resolution to this problem Robert?  I'm seeing the same problem on 2003R2 site where we are in the process of migrating to Win7 and (soon?) 208R2.

    The current gpo works fine on XP and calls up a local Sharepoint 3.0 website, but Win7 PC's just ignore the RUN with no error logged.  A few weeks yet before we can migrate to 2008R2 and the 'fudge' meanwhile user frustration is growing.  Is it a bug or an "Enhanced feature"?  Is there a workaround in 2003R2?

    Thanks

  • I've relegated Win7's handling of this as a feature, and moved on.  My GPP dumps a URL into All Users Startup for Windows 7 clients.