Endpoint Client Installation using Group Policy (Logon Script):


Table of Contents

Introduction
Creating a Batch File
Logon Script Permissions
Assigning the Logon Script to User(s)
Domain Controller Replication
Testing the Logon Script

Introduction

The logon script is the file that performs the actual action, so we'll start by creating the script. Unlike the "old fashioned" method of using ADUC and the Profile tab of the users' account properties, the default location for GPO-initiated logon scripts is deep within the SYSVOL special folder, which, by default, is shared on all Domain Controllers in an Active Directory forest, and is located in the following folder:

%SystemRoot%\SYSVOL\sysvol\<domain DNS name>\policies\{guid}\user\scripts\logon

Where %SystemRoot% is usually C:\Windows, <domain DNS name> is the DNS name of the domain, similar to domain.local, and {GUID} is a hexadecimal string representing the GUID (unique identifier) of the specific Group Policy Object in use.

This folder, which is a part of the SYSVOL special folder, is replicated to all the Domain Controllers in the domain. Each GPO has its own internal User and Machine subfolders, and under them it has, if used, a Logon, Logoff, Startup and Shutdown subfolder where appropriate.

Creating a Batch File

Before creating the batch file, download the Total Defense Endpoint Client by logging into your Total Defense Cloud Management Portal, extract all files, and save them to a network share, such as NETLOGON, to which all users have at least read access. Once extracted, there should be a total of two (2) files: EndpointSecurity.msi and isf.cfg. Both files are needed to complete the endpoint installation.

Create a batch file (New Text Document -> Batch File) and give it an appropriate name so that it can be easily identified. The script can use ANY name; just make sure you change the file extension from .txt to .bat. If you are unable to see the file extension, modify the folder view options so that the system displays file extensions.
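Script Content:

    @echo off
    rem Skip the install if the endpoint agent (isfagent.exe) is already running.
    tasklist /FI "IMAGENAME eq isfagent.exe" /FO CSV > C:\search.log
    FINDSTR isfagent.exe C:\search.log > C:\found.log
    rem found.log contains a line only when the agent was found; FOR /F runs once per line.
    FOR /F %%A IN (C:\found.log) DO GOTO end
    rem Stage the installer and its configuration file locally, then install silently.
    mkdir C:\TDI
    copy \\servername01\share\endpointsecurity.msi C:\TDI
    copy \\servername01\share\isf.cfg C:\TDI
    cd /d C:\TDI
    msiexec /quiet /i EndpointSecurity.msi cclient=install-only
    del C:\TDI\EndpointSecurity.msi
    del C:\TDI\isf.cfg
    :end
    rem Remove the temporary search files.
    del C:\search.log
    del C:\found.log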
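The script above runs at every logon and installs whatever EndpointSecurity.msi is on the share, so write access to the share files or to the script in SYSVOL amounts to control over what runs on each client. The following PowerShell check is an added example, not part of the original guide; the paths (including the {GPO-GUID} placeholder) and the allow-list of trusted SIDs are assumptions to adapt.

```powershell
# Added example, not from the original guide. All paths are placeholders.
param(
    [string[]]$Path = @(
        '\\servername01\share\EndpointSecurity.msi',
        '\\servername01\share\isf.cfg',
        '\\domain.local\SYSVOL\domain.local\Policies\{GPO-GUID}\User\Scripts\Logon\logon.bat'
    )
)

# Rights that let a principal replace or alter a file (read bits excluded).
$fsWrite = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
# Raw GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits that some ACEs carry unmapped.
$writeMask = $fsWrite -bor 0x40000000 -bor 0x10000000

# Assumed allow-list: SYSTEM, BUILTIN\Administrators, CREATOR OWNER, and the domain groups
# Domain Admins (-512), Enterprise Admins (-519), Group Policy Creator Owners (-520).
$trusted = '^(S-1-5-18|S-1-5-32-544|S-1-3-0|S-1-5-21-[\d-]+-(512|519|520))$'

function Get-UntrustedWriter {
    param([string]$LiteralPath)
    foreach ($ace in (Get-Acl -LiteralPath $LiteralPath).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
        try {
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            $sid = $ace.IdentityReference.Value   # unresolvable account: report as-is
        }
        if ($sid -notmatch $trusted) {
            [pscustomobject]@{
                Path     = $LiteralPath
                Identity = $ace.IdentityReference.Value
                Rights   = $ace.FileSystemRights
            }
        }
    }
}

$findings = foreach ($p in $Path) { Get-UntrustedWriter -LiteralPath $p }
if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else { 'No write-capable ACEs outside the allow-list.' }
```

Get-Acl reports NTFS permissions only; share-level permissions on the server are a separate check.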

Note: The UNC path \\servername01\share in the script above refers to your network share where you saved the Endpoint files after extracting them. Modify the UNC path as necessary.

Logon Script Permissions

Logon and Logoff scripts run with the credentials of the user. It is recommended that the Domain Users group be given permission to any resources used by the logon scripts. For example, if the Logon or Logoff script writes to a log file, the Domain Users group should be given read/write access to the file or the folder where the log file is located. Most users have limited privileges on the local computer, so Logon and Logoff scripts will have the same limited privileges.

As a side note, Startup and Shutdown scripts run with the credentials of the computer object. It is recommended that the Domain Computers group be given permission to any resources used by the Startup or Shutdown scripts. However, it's worth knowing that Startup and Shutdown scripts have System privileges on the local computer. This gives Startup and Shutdown scripts access to the local file system and registry.

Assigning the Logon Script to User(s)

We need to decide which users should have the logon script. With this procedure (and unlike the Active Directory Users and Computers method), you can link AS MANY logon scripts AS YOU WANT to your users, and you can do it as many times as you want. However, it will only work on computers that are Windows 2000 and above, although in most cases nowadays this should not be a problem.

If you choose to apply the script to all the users in the domain, you should create a Group Policy Object (or GPO) and link it to the ENTIRE domain. You can also use the Default Group Policy Object.

If you choose to apply the script ONLY to a specific set of users, you must place all the users in one OU (Organizational Unit) in Active Directory Users and Computers, and link the GPO to that OU.

In order to assign the GPO and edit it, we'll use the Group Policy Management Console, or GPMC for short. This tool is not installed by default in Windows Server 2003, and neither is it installed by default in Windows Server 2008. In Windows Server 2008, GPMC is considered to be a "Feature", and you must install it before being able to use it. However, unlike in Windows Server 2003, where you must download and install the tool, in Windows Server 2008 GPMC is already a part of the OS; you simply need to add it. If the Windows Server 2008 server is also a Domain Controller, GPMC will be automatically installed as part of the DCPROMO procedure. If it's not a DC, you'll need to manually add it.

Navigate to GPMC from within the Administrative Tools. See next page for an example screenshot.

1. Open Group Policy Management Console from the Administrative Tools folder (or gpmc.msc from RUN).
2. If, as described in the above paragraph, you decided to apply the script to ALL THE DOMAIN USERS, expand the domain tree and locate the domain name. Right-click the domain name and select Create and Link a GPO Here.
3. If, as described in the above paragraph, you decided to apply the script to ONLY a SPECIFIC SET of users, expand the domain tree and locate the OU where the users are located. Right-click the OU and select Create and Link a GPO Here.

Note: It is possible that a GPO already exists and is linked to the object level you need. In that case you don't need to create a new GPO; you can use the existing one.

4. In the New GPO window, give the new GPO a descriptive name, such as "Total Defense Endpoint GPO". Click OK.
5. If you don't see it already, refresh the GPMC view and find the new GPO you've just created under either the domain name or the OU, depending on your previous choice.
6. When you click on the new GPO you might be prompted with a message window. Click OK.

7. Right-click the new GPO and select Edit.
8. In the Group Policy Object Editor window, expand User Configuration > Windows Settings > Scripts.
9. Double-click Logon in the right-hand pane.
10. In the Logon Properties window, click Show Files.

11. A window will open. The path will be a folder similar to the following: \\domain.yc.local\sysvol\domain.yc.local\policies\{93b029be-C962-4A88-8FE4-E8002BCC74E4}\User\Scripts\Logon. Paste the logon script you've copied in the previous part of this article. Close the window.

Note: If you get a Permission Denied message upon pasting the logon.bat file, run cmd.exe as Administrator and use the copy command to paste the file.

12. Back in the Logon Properties window, click Add.
13. In the Add a Script window, click Browse and you will see the logon script from step #11. Whatever you do, DO NOT manually browse for the file; it should be in front of your eyes. If it's not there, check the previous steps for a mistake. Click OK.

14. Back in the Logon Properties window, see if the logon script is listed, and if it is, click OK.
15. Close the Group Policy Object Editor window.
16. Close the GPMC window.

Domain Controller Replication

Now we need to replicate the DCs in the domain by using Active Directory Sites and Services, Replmon, Repadmin, or gpupdate /force from a command prompt, or wait a few minutes (depending on the number of DCs).

Testing the Logon Script

1. On one of the computers that is a member of the domain, log off the specific user account.
2. Log on and test.

If the logon script doesn't work for you, go back to the basics and see if it works at all by double-clicking on it. See if it's placed in the right path, and see if it has replicated to the other DCs. Also check permissions by trying to manually run the script from the right path while logged on as the user, and not as an administrator. If it still doesn't work, use GPMC's Group Policy Results feature to determine if the GPO has indeed been applied to the user.
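To check whether the script "has replicated to the other DCs", as the testing step above suggests, the copy in each Domain Controller's SYSVOL can be hashed and compared. This PowerShell sketch is an added example, not part of the original guide; it assumes the GroupPolicy and ActiveDirectory modules (RSAT) are installed, and the GPO name and script file name defaults are taken from the examples in this guide.

```powershell
# Added example, not from the original guide. Requires the GroupPolicy and
# ActiveDirectory modules. The GPO and script names are assumed defaults.
param(
    [string]$GpoName    = 'Total Defense Endpoint GPO',
    [string]$ScriptName = 'logon.bat'
)
Import-Module GroupPolicy, ActiveDirectory

# Resolve the GPO to the {GUID} folder name used under SYSVOL.
$gpo     = Get-GPO -Name $GpoName -ErrorAction Stop
$guid    = $gpo.Id.ToString('B').ToUpper()
$relPath = "SYSVOL\$($gpo.DomainName)\Policies\$guid\User\Scripts\Logon\$ScriptName"

# Hash the script as served by each Domain Controller's own SYSVOL share.
$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $file = "\\$($dc.HostName)\$relPath"
    if (Test-Path -LiteralPath $file) {
        $hash = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
    } else {
        $hash = 'MISSING'
    }
    [pscustomobject]@{ DC = $dc.HostName; SHA256 = $hash }
}
$report | Format-Table -AutoSize

# One distinct hash, and no missing copies, means every DC serves the same script.
$distinct = @($report | Select-Object -ExpandProperty SHA256 -Unique)
if ($distinct.Count -eq 1 -and $distinct[0] -ne 'MISSING') {
    'Script is identical on every DC.'
} else {
    Write-Warning 'Script is missing or differs on at least one DC: replication is incomplete or a copy was altered.'
}
```

Recording the hash at deployment time also gives a baseline for later checks that the script in SYSVOL has not been changed.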