GPO Issue, "Run these programs at user logon" - Weird issue.


Recommended Posts

Ok weird issue here, have a GPO applied to group of computers and "Authenticated Users". GPO is working fine for the most part, except the contents of the GPO.

Computer Config>Policies>Administrative Templates>System>Logon is there "Run these programs at user logon" resides. I have 1 program already there, it basically launches a 3rd party app with a disclaimer with an "I accept" and "I decline" button. That works fine, I can edit that line in the GPO at the server, do a GPUPDATE /FORCE on server and client and see the changes. It is entry: 1

Entry 2: is a second app. I can add it to GPO, do a GPUPDATE /FORCE on server and client. It never shows in the registry at HKLM>Software>Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run in the list with "1" above

It was previously in there, we took it out because of some issues, fixed the issues, added it back.

Now the weird part, if I add it twice to the GPO list, it will show up in the registry area above once I go the GPUPDATE /FORCE. But it is entry "3". It totally skips over entry "2". See this pic: https://dl.dropboxusercontent.com/u/111413/gpo-issue.jpg

Any ideas anyone?

  On 19/11/2015 at 15:44, Daedroth said:

Try running RSOP against the client machine/user to see what's going on with the policies that are being applied.

Yeah RSOP looks good. see: https://dl.dropboxusercontent.com/u/111413/gpo-issue-rsop.jpg

Interesting, so I change a filename to make the entry different then the previously used one

From: \\srv-dc01\netlogon\cc\runasspc.exe /cryptfile:\\srv-dc01\netlogon\cc\crypt.spc /quiet

To: \\srv-dc01\netlogon\cc\runasspc.exe /cryptfile:\\srv-dc01\netlogon\cc\crypt1.spc /quiet

And it took :/ that's really weird....

  On 19/11/2015 at 16:12, xendrome said:

Interesting, so I change a filename to make the entry different then the previously used one

From: \\srv-dc01\netlogon\cc\runasspc.exe /cryptfile:\\srv-dc01\netlogon\cc\crypt.spc /quiet

To: \\srv-dc01\netlogon\cc\runasspc.exe /cryptfile:\\srv-dc01\netlogon\cc\crypt1.spc /quiet

And it took :/ that's really weird....

I noticed that you are using the Computer Configuration side of the GPO for this. Is there a reason you're using that instead of the User Configuration? From my (limited/brief) experience with GP, Computer Configuration is applied when the computer starts up, using system credentials. If I want something to apply to a user account, or start something when the user logs on, I use the User Configuration side of the GPO.

Out of curiosity, what happens if you stick it in the User Configuration?

  On 20/11/2015 at 08:17, Daedroth said:

I noticed that you are using the Computer Configuration side of the GPO for this. Is there a reason you're using that instead of the User Configuration? From my (limited/brief) experience with GP, Computer Configuration is applied when the computer starts up, using system credentials. If I want something to apply to a user account, or start something when the user logs on, I use the User Configuration side of the GPO.

Out of curiosity, what happens if you stick it in the User Configuration?

Well according to Microsoft the different is, Computer Config applies to Computers and User Config appies to users, so HKLM (All users) vs (HKCU). The danger for a setting like this in using it under the User Config is, there will be an entry in every users registry hive, so if you remove something via GPO and it fails, you'll have to automate a script to clean up that reg entry for every user at logon or run on demand. By running it under Computer Config it puts it in HKLM and is 1 settings for all/any user.

This topic is now closed to further replies.
  • Posts

    • I just made an account on 0patch I'm going to for 5 years in advance My fully loaded Acer aspire 7 (2019) will live up these 5 years in ease Laptop is not glued, there are about 20 screws to open it, I can maintain it with ease, no soldered memory or so, I clean it up every 6 months, I'l last for maybe another 8 years
    • Microsoft Teams gets a much needed health dashboard for admins by Usama Jawad Microsoft Teams is one of the most widely used tools for online collaboration and communication, especially in enterprise environments. This also means that any problem with the software has the potential to impact many customers and workflows. Up until now, the Teams troubleshooting process was fairly manual and cumbersome, but Microsoft is now looking to resolve this issue with a new "Teams client health" dashboard for admins. If a Teams instance now faces any kind of disruption, Teams administrators and helpdesk teams can use this dashboard to proactively diagnose and resolve the problem, rather than waiting for a disgruntled user to come to them with incomplete information. Microsoft says that Teams client health is focused on providing actionable insights that actually do require administrator input, surfacing actual issues that cannot self-heal, and highlighting persistent problems rather than one-offs. The Redmond tech firm has highlighted several scenarios where the Teams client health dashboard can enhance productivity with minimal disruption to workflows. One example is dealing with customers who are experiencing crashing issues in Teams. Rather than engaging in a manual process that involves asking them to reproduce the issue, you can simply leverage the health dashboard to spot problematic spikes and then remediate them yourself (as a Teams admin) through the provided mitigation guide. Similarly, another scenario involves monitoring and auditing if people within your organization are using the latest version of Teams. Right now, this is a very manual process, but with the health dashboard, you get these insights directly, including details about potential issues that might be blocking Teams updates. As expected, the Teams client health dashboard is available for admins and helpdesk teams within the Teams Admin Center. Still, Microsoft has encouraged customers to bookmark a direct link to the dashboard for easier recurrent navigation.
    • Fact that microsoft needs to explain why.. that prooves that they kinda failed with win 11.......... like Vista
    • they are putting so many **** but even like that its still better than move to 11 i guess
    • thats what many did, i remember i used 8.1 and to my surprise it was not bad once you install classic shell, but w10 its a improvement over 8 and many moved from 7 to it because it was a decent OS, the same way that people moved from XP to 7 because vista was a disaster but 7 was good. We can hope that w12 its great. until then w10 can stay longer and ltsc version its perfect
  • Recent Achievements

    • Reacting Well
      pelaird earned a badge
      Reacting Well
    • Mentor
      The Werewolf went up a rank
      Mentor
    • First Post
      Myriachan earned a badge
      First Post
    • Week One Done
      DrRonSr earned a badge
      Week One Done
    • Week One Done
      Sharon dixon earned a badge
      Week One Done
  • Popular Contributors

    1. 1
      +primortal
      609
    2. 2
      ATLien_0
      219
    3. 3
      +FloatingFatMan
      169
    4. 4
      Michael Scrip
      158
    5. 5
      Som
      148
  • Tell a friend

    Love Neowin? Tell a friend!