PHWinfo - Afficher un message - How to prevent a trusted domains logon script running on the trusting domain?

30/11/2006, 18h39

Hi,

To stop scripts running you could create a Software Restriction policy in a
GPO attached to the OU the Citrix servers belong to. Then create a hash rule
for each script. This may not be easy to manage though if there are lots of
different scripts and you would have to rehash when any changes were made.

The fundamental problem is that as you do not have the ability to change
users or scripts in Domain_A so you are limited to what you can do. Think of
it this way, you would be very annoyed if a non administrator started
changing settings applied to your users.

The other solution of course is to create separate accounts in Domain_B for
Citrix and then you can do what every you want with the login scripts with no
interference from Domain_A.

Best Regards
Joe Dunn MCSE

"John Hooper" wrote:

> Good Afternoon Group,
>
> I have a problem at the moment which I do not know how to tackle and I am
> hoping you guys may be able to . Currently I have 2 Windows 2003
> domains. Domain_A and Domain_B. There is a one way trust relationship
> between the two domains. Outgoing trust on Domain_B and Incoming on
> Domain_A. All user accounts and regular desktops belong to Domain_A.
> Domain_B is a server farm consisting of mainly Citrix Presentation Server 4
> servers publishing specific applications. Now, in Domain_A there are
> extensive logon scripts that are used. Is there a way to prevent logon
> scripts being processed when a user of Domain_A logs onto via terminal
> services Domain_B? I would like to intercept Domain_A's logon scripts and
> have this authenticated user run logon scripts which are relevent to
> Domain_B. I kind of think of it in this way. I am a passenger at an airport.
> I approach the passenger scanning machine. I empty out my pockets and place
> the contents in the tray (Domain_A's logon scripts). I walk through the
> scanner (Domain_A users logs onto Domain B), and then I do not give back the
> contents that the user placed into the try but give the user new contents to
> put into his pockets. I know this may sound confusing but if anyone has any
> suggestions on how I can achieve this I would be most gratified. One note
> tho, I cannot change or modify any login scripts or processed in Domain_A,
> only in Domain_B can I make these changes.
>
> Thanks for any input anyone may have,
>
> Best Regards
>
> John
>
>
>

30/11/2006, 18h39	#5
jwd Messages: n/a Hébergeur:	RE: How to prevent a trusted domains logon script running on the trust Hi, To stop scripts running you could create a Software Restriction policy in a GPO attached to the OU the Citrix servers belong to. Then create a hash rule for each script. This may not be easy to manage though if there are lots of different scripts and you would have to rehash when any changes were made. The fundamental problem is that as you do not have the ability to change users or scripts in Domain_A so you are limited to what you can do. Think of it this way, you would be very annoyed if a non administrator started changing settings applied to your users. The other solution of course is to create separate accounts in Domain_B for Citrix and then you can do what every you want with the login scripts with no interference from Domain_A. Best Regards Joe Dunn MCSE "John Hooper" wrote: > Good Afternoon Group, > > I have a problem at the moment which I do not know how to tackle and I am > hoping you guys may be able to . Currently I have 2 Windows 2003 > domains. Domain_A and Domain_B. There is a one way trust relationship > between the two domains. Outgoing trust on Domain_B and Incoming on > Domain_A. All user accounts and regular desktops belong to Domain_A. > Domain_B is a server farm consisting of mainly Citrix Presentation Server 4 > servers publishing specific applications. Now, in Domain_A there are > extensive logon scripts that are used. Is there a way to prevent logon > scripts being processed when a user of Domain_A logs onto via terminal > services Domain_B? I would like to intercept Domain_A's logon scripts and > have this authenticated user run logon scripts which are relevent to > Domain_B. I kind of think of it in this way. I am a passenger at an airport. > I approach the passenger scanning machine. I empty out my pockets and place > the contents in the tray (Domain_A's logon scripts). I walk through the > scanner (Domain_A users logs onto Domain B), and then I do not give back the > contents that the user placed into the try but give the user new contents to > put into his pockets. I know this may sound confusing but if anyone has any > suggestions on how I can achieve this I would be most gratified. One note > tho, I cannot change or modify any login scripts or processed in Domain_A, > only in Domain_B can I make these changes. > > Thanks for any input anyone may have, > > Best Regards > > John > > >