Group Policy

Group Policy scripts, what are they doing on my PC?

Even if I’m not anymore in the direct IT Department, some manager have asked me this question when they noticed that there were some shutdown/startup scripts running on their client machines so I thought that writing a post that explains how to find this information could be a good idea.

Let’s start from the concept: in an Active Directory based domain Administrators can write Group Policies that can satisfy many needs in IT Administration, including which scripts a computer or user has to run while starting up or logging to a computer. These scripts are of two main kinds:

• COMPUTER: we can have a script for startup and one for shutdown
• USER: we can have a script for login and one for logoff

So an Admin can provide some scripts and be sure that these are running accordingly but how can you understand what are the scripts doing? Simply perform these steps

1. Click START/RUN type MMC and press ENTER
2. Press CTRL+M (Add/Remove Snap-in) and click the ADD button
3. Select Resultant Set Of Policy, click the ADD button and then CLOSE
4. Click OK
5. Right click the Resultant Set Of Policy node and choose “Generate RSOP data”
6. Click NEXT until you reach the USER SELECTION window
7. Check the lower radio button “Do not display user policy…” and click NEXT twice
8. Click FINISH
9. Expand the tree Computer Configuration/Windows Settings/Scripts/Startup
10. Now browse your closest domain controller to something like \\DOMAINCONTROLLER\SYSVOL\DOMAINNAME\Policies\{XXXXXXXXXXXXXXXXXXXXXXXXXXXX}\Machine\Scripts\Startup; in this folder you should find the scripts that are run on your computer

At this point you can copy these files and read their content and, if they are clear enough, remove any doubt on what your SysAdmin is trying to do with these scripts.

[TLBAT] Keep patches and updates under control with WSUS

In my previous articles I’ve described the process to allow several services and servers to be installed for free or at low cost in your network; this post continues with “I want it but I have no budget” philosophy and enables you to have an update and patching system for your network where you can control who, what, when is updated/upgraded.

In order to have a server/infrastructure of servers for the updates in your network, you will need to install the Microsoft Windows Update Services Server 3.0 (a.k.a. WSUS).

Basically with WSUS you can create a local update server where you can control all the updating process for your client’s network. You may choose to download the updates and patches from the Microsoft Update site and store a copy of the files locally in order to save bandwidth; you may only choose to control the approval/denial of the updates and have the clients connect to Microsoft to download the files; you may also create a tier based WSUS structure where a child server receives updates and approvals from the above server and so on.

Once you have designed, planned and installed your WSUS structure you can then use Group Policies, or any other method (e.g. VBScript) to have your clients connect to the WSUS servers in your structure.

First start by downloading this document that describes the process for deploying the WSUS; then you may consider having a look at this site that explains how to implement GPO for the use of WSUS or consider using either VBScript or this Visual Basic 6.0 tool I released some years ago.

This time we have to thank Microsoft for providing another money-saver tool that won’t impact your low budget!!!

Keep on reading my blog and in the end you will have saved lots of buck$ that you may consider to send me via PayPal!!