GPO Issue, "Run these programs at user logon" - Weird issue.



Ok weird issue here, have a GPO applied to group of computers and "Authenticated Users". GPO is working fine for the most part, except the contents of the GPO.

Computer Config>Policies>Administrative Templates>System>Logon is where "Run these programs at user logon" resides. I have 1 program already there, it basically launches a 3rd party app with a disclaimer with an "I accept" and "I decline" button. That works fine, I can edit that line in the GPO at the server, do a GPUPDATE /FORCE on server and client and see the changes. It is entry: 1

Entry 2: is a second app. I can add it to GPO, do a GPUPDATE /FORCE on server and client. It never shows in the registry at HKLM>Software>Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run in the list with "1" above

It was previously in there, we took it out because of some issues, fixed the issues, added it back.

Now the weird part, if I add it twice to the GPO list, it will show up in the registry area above once I do the GPUPDATE /FORCE. But it is entry "3". It totally skips over entry "2". See this pic: https://dl.dropboxusercontent.com/u/111413/gpo-issue.jpg

Any ideas anyone?

  On 19/11/2015 at 15:44, Daedroth said:

Try running RSOP against the client machine/user to see what's going on with the policies that are being applied.

Yeah RSOP looks good. see: https://dl.dropboxusercontent.com/u/111413/gpo-issue-rsop.jpg

Interesting, so I change a filename to make the entry different than the previously used one

From: \\srv-dc01\netlogon\cc\runasspc.exe /cryptfile:\\srv-dc01\netlogon\cc\crypt.spc /quiet

To: \\srv-dc01\netlogon\cc\runasspc.exe /cryptfile:\\srv-dc01\netlogon\cc\crypt1.spc /quiet

And it took :/ that's really weird....

  On 19/11/2015 at 16:12, xendrome said:

Interesting, so I change a filename to make the entry different than the previously used one

From: \\srv-dc01\netlogon\cc\runasspc.exe /cryptfile:\\srv-dc01\netlogon\cc\crypt.spc /quiet

To: \\srv-dc01\netlogon\cc\runasspc.exe /cryptfile:\\srv-dc01\netlogon\cc\crypt1.spc /quiet

And it took :/ that's really weird....

I noticed that you are using the Computer Configuration side of the GPO for this. Is there a reason you're using that instead of the User Configuration? From my (limited/brief) experience with GP, Computer Configuration is applied when the computer starts up, using system credentials. If I want something to apply to a user account, or start something when the user logs on, I use the User Configuration side of the GPO.

Out of curiosity, what happens if you stick it in the User Configuration?

  On 20/11/2015 at 08:17, Daedroth said:

I noticed that you are using the Computer Configuration side of the GPO for this. Is there a reason you're using that instead of the User Configuration? From my (limited/brief) experience with GP, Computer Configuration is applied when the computer starts up, using system credentials. If I want something to apply to a user account, or start something when the user logs on, I use the User Configuration side of the GPO.

Out of curiosity, what happens if you stick it in the User Configuration?

Well according to Microsoft the difference is, Computer Config applies to Computers and User Config applies to users, so HKLM (All users) vs (HKCU). The danger for a setting like this in using it under the User Config is, there will be an entry in every user's registry hive, so if you remove something via GPO and it fails, you'll have to automate a script to clean up that reg entry for every user at logon or run on demand. By running it under Computer Config it puts it in HKLM and is 1 setting for all/any user.
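An added example, not part of the thread and not any poster's script: a PowerShell check that lists what the "Run these programs at user logon" policy has actually written on a client, in the HKLM and HKCU locations discussed above, and reports skipped entry numbers such as the missing "2". The function names are hypothetical, and it assumes a 64-bit PowerShell session (a 32-bit session is redirected to Wow6432Node) and only reads the current user's HKCU hive.

```powershell
# Added example. Registry locations of the policy-driven logon Run list.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

# Hypothetical helper: return one object per value found under each key.
function Get-PolicyRunEntry {
    param([string[]]$Path = $runKeys)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) { continue }   # key absent: policy not set here
        $key = Get-Item -LiteralPath $p
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{
                Key     = $p
                Name    = $name
                Command = $key.GetValue($name)
            }
        }
    }
}

# Hypothetical helper: report entry numbers missing from the 1..N sequence per key.
function Get-PolicyRunGap {
    param([Parameter(Mandatory)][object[]]$Entry)
    foreach ($g in ($Entry | Group-Object Key)) {
        $nums = @($g.Group.Name |
            Where-Object { $_ -match '^\d+$' -and [int]$_ -ge 1 } |
            ForEach-Object { [int]$_ } | Sort-Object)
        if ($nums.Count -eq 0) { continue }
        $missing = @(1..$nums[-1] | Where-Object { $_ -notin $nums })
        if ($missing.Count) {
            [pscustomobject]@{ Key = $g.Name; Missing = $missing -join ',' }
        }
    }
}

$entries = @(Get-PolicyRunEntry)
$entries | Format-Table -AutoSize -Wrap
if ($entries.Count) { Get-PolicyRunGap -Entry $entries | Format-Table -AutoSize }
```

Run it on the client after GPUPDATE /FORCE and compare the output with the list in the GPO editor; anything listed here that is not in the GPO is a leftover or unexpected autorun entry worth investigating.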
