ms.public.winnt.domain: Usenet forum about Windows NT.

#1

Good Afternoon Group,

I have a problem at the moment which I do not know how to tackle and I am hoping you guys may be able to . Currently I have 2 Windows 2003 domains. Domain_A and Domain_B. There is a one way trust relationship between the two domains. Outgoing trust on Domain_B and Incoming on Domain_A. All user accounts and regular desktops belong to Domain_A. Domain_B is a server farm consisting of mainly Citrix Presentation Server 4 servers publishing specific applications. Now, in Domain_A there are extensive logon scripts that are used. Is there a way to prevent logon scripts being processed when a user of Domain_A logs onto Domain_B via terminal services? I would like to intercept Domain_A's logon scripts and have this authenticated user run logon scripts which are relevant to Domain_B. I kind of think of it in this way. I am a passenger at an airport. I approach the passenger scanning machine. I empty out my pockets and place the contents in the tray (Domain_A's logon scripts). I walk through the scanner (Domain_A user logs onto Domain_B), and then I do not give back the contents that the user placed into the tray but give the user new contents to put into his pockets. I know this may sound confusing but if anyone has any suggestions on how I can achieve this I would be most gratified. One note though, I cannot change or modify any login scripts or processes in Domain_A, only in Domain_B can I make these changes.

Thanks for any input anyone may have,

Best Regards

John

#2

"John Hooper" <not@pplicable> wrote in message news:u0WaB%23FFHHA.2268@TK2MSFTNGP03.phx.gbl...
> Good Afternoon Group,
>
> I have a problem at the moment which I do not know how to tackle and I am hoping you guys may be able to . Currently I have 2 Windows 2003 domains. Domain_A and Domain_B. There is a one way trust relationship between the two domains. Outgoing trust on Domain_B and Incoming on Domain_A. All user accounts and regular desktops belong to Domain_A. Domain_B is a server farm consisting of mainly Citrix Presentation Server 4 servers publishing specific applications. Now, in Domain_A there are extensive logon scripts that are used. Is there a way to prevent logon scripts being processed when a user of Domain_A logs onto Domain_B via terminal services? I would like to intercept Domain_A's logon scripts and have this authenticated user run logon scripts which are relevant to Domain_B. I kind of think of it in this way. I am a passenger at an airport. I approach the passenger scanning machine. I empty out my pockets and place the contents in the tray (Domain_A's logon scripts). I walk through the scanner (Domain_A user logs onto Domain_B), and then I do not give back the contents that the user placed into the tray but give the user new contents to put into his pockets. I know this may sound confusing but if anyone has any suggestions on how I can achieve this I would be most gratified. One note though, I cannot change or modify any login scripts or processes in Domain_A, only in Domain_B can I make these changes.
>
> Thanks for any input anyone may have,
>
> Best Regards
>
> John

I would check if %UserDomain% can be used to conditionally exit the logon script.

#3

"Pegasus (MVP)" <I.can@fly.com> wrote in message news:eQzi4FHFHHA.1240@TK2MSFTNGP03.phx.gbl...
> "John Hooper" <not@pplicable> wrote in message news:u0WaB%23FFHHA.2268@TK2MSFTNGP03.phx.gbl...
>> Good Afternoon Group,
>>
>> I have a problem at the moment which I do not know how to tackle and I am hoping you guys may be able to . Currently I have 2 Windows 2003 domains. Domain_A and Domain_B. There is a one way trust relationship between the two domains. Outgoing trust on Domain_B and Incoming on Domain_A. All user accounts and regular desktops belong to Domain_A. Domain_B is a server farm consisting of mainly Citrix Presentation Server 4 servers publishing specific applications. Now, in Domain_A there are extensive logon scripts that are used. Is there a way to prevent logon scripts being processed when a user of Domain_A logs onto Domain_B via terminal services? I would like to intercept Domain_A's logon scripts and have this authenticated user run logon scripts which are relevant to Domain_B. I kind of think of it in this way. I am a passenger at an airport. I approach the passenger scanning machine. I empty out my pockets and place the contents in the tray (Domain_A's logon scripts). I walk through the scanner (Domain_A user logs onto Domain_B), and then I do not give back the contents that the user placed into the tray but give the user new contents to put into his pockets. I know this may sound confusing but if anyone has any suggestions on how I can achieve this I would be most gratified. One note though, I cannot change or modify any login scripts or processes in Domain_A, only in Domain_B can I make these changes.
>>
>> Thanks for any input anyone may have,
>>
>> Best Regards
>>
>> John
>
> I would check if %UserDomain% can be used to conditionally exit the logon script.

Hmm, I think I may be a little confused here Pegasus. Could you elaborate more on this?

Thanks. My apologies for not understanding.

Cheers

John

#4

"John Hooper" <not@pplicable> wrote in message news:em8YkqHFHHA.3304@TK2MSFTNGP05.phx.gbl...
> "Pegasus (MVP)" <I.can@fly.com> wrote in message news:eQzi4FHFHHA.1240@TK2MSFTNGP03.phx.gbl...
>> "John Hooper" <not@pplicable> wrote in message news:u0WaB%23FFHHA.2268@TK2MSFTNGP03.phx.gbl...
>>> Good Afternoon Group,
>>>
>>> I have a problem at the moment which I do not know how to tackle and I am hoping you guys may be able to . Currently I have 2 Windows 2003 domains. Domain_A and Domain_B. There is a one way trust relationship between the two domains. Outgoing trust on Domain_B and Incoming on Domain_A. All user accounts and regular desktops belong to Domain_A. Domain_B is a server farm consisting of mainly Citrix Presentation Server 4 servers publishing specific applications. Now, in Domain_A there are extensive logon scripts that are used. Is there a way to prevent logon scripts being processed when a user of Domain_A logs onto Domain_B via terminal services? I would like to intercept Domain_A's logon scripts and have this authenticated user run logon scripts which are relevant to Domain_B. I kind of think of it in this way. I am a passenger at an airport. I approach the passenger scanning machine. I empty out my pockets and place the contents in the tray (Domain_A's logon scripts). I walk through the scanner (Domain_A user logs onto Domain_B), and then I do not give back the contents that the user placed into the tray but give the user new contents to put into his pockets. I know this may sound confusing but if anyone has any suggestions on how I can achieve this I would be most gratified. One note though, I cannot change or modify any login scripts or processes in Domain_A, only in Domain_B can I make these changes.
>>>
>>> Thanks for any input anyone may have,
>>>
>>> Best Regards
>>>
>>> John
>>
>> I would check if %UserDomain% can be used to conditionally exit the logon script.
>
> Hmm, I think I may be a little confused here Pegasus. Could you elaborate more on this?
>
> Thanks. My apologies for not understanding.
>
> Cheers
>
> John

1. Start a session in a mode that is supposed to run logon scripts.
2. Start a Command Prompt.
3. Make a note of the environmental variable %UserDomain%.
4. Start a session in a mode that is not supposed to run logon scripts.
5. Make a note of the environmental variable %UserDomain%.

Is %UserDomain% the same in the two modes? If it is different, use the difference to bail out of the logon script.

#5

Hi,

To stop scripts running you could create a Software Restriction policy in a GPO attached to the OU the Citrix servers belong to. Then create a hash rule for each script. This may not be easy to manage though if there are lots of different scripts, and you would have to rehash when any changes were made.

The fundamental problem is that, as you do not have the ability to change users or scripts in Domain_A, you are limited in what you can do. Think of it this way: you would be very annoyed if a non-administrator started changing settings applied to your users.

The other solution of course is to create separate accounts in Domain_B for Citrix, and then you can do whatever you want with the login scripts with no interference from Domain_A.

Best Regards

Joe Dunn
MCSE

"John Hooper" wrote:
> Good Afternoon Group,
>
> I have a problem at the moment which I do not know how to tackle and I am hoping you guys may be able to . Currently I have 2 Windows 2003 domains. Domain_A and Domain_B. There is a one way trust relationship between the two domains. Outgoing trust on Domain_B and Incoming on Domain_A. All user accounts and regular desktops belong to Domain_A. Domain_B is a server farm consisting of mainly Citrix Presentation Server 4 servers publishing specific applications. Now, in Domain_A there are extensive logon scripts that are used. Is there a way to prevent logon scripts being processed when a user of Domain_A logs onto Domain_B via terminal services? I would like to intercept Domain_A's logon scripts and have this authenticated user run logon scripts which are relevant to Domain_B. I kind of think of it in this way. I am a passenger at an airport. I approach the passenger scanning machine. I empty out my pockets and place the contents in the tray (Domain_A's logon scripts). I walk through the scanner (Domain_A user logs onto Domain_B), and then I do not give back the contents that the user placed into the tray but give the user new contents to put into his pockets. I know this may sound confusing but if anyone has any suggestions on how I can achieve this I would be most gratified. One note though, I cannot change or modify any login scripts or processes in Domain_A, only in Domain_B can I make these changes.
>
> Thanks for any input anyone may have,
>
> Best Regards
>
> John
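
The maintenance cost raised in post #5 (hash rules must be redone whenever a script changes) can be watched with a drift check that compares the scripts against the state recorded when the rules were created. This is an added example, not part of the original thread; the SHA-256 digest, the extension list and the file names are assumptions, and it does not reproduce the hash format a Software Restriction policy stores.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumed set of logon-script file types; adjust to the scripts actually in use.
SCRIPT_EXTS = {".bat", ".cmd", ".vbs", ".kix"}


def digest(path: Path) -> str:
    """Hex digest of the file contents (SHA-256 is an assumption of this example)."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def snapshot(script_dir: Path) -> dict:
    """Map each script's relative path to the digest of its current contents."""
    return {
        p.relative_to(script_dir).as_posix(): digest(p)
        for p in sorted(script_dir.rglob("*"))
        if p.is_file() and p.suffix.lower() in SCRIPT_EXTS
    }


def drift(manifest: dict, script_dir: Path) -> dict:
    """Compare current scripts with the manifest taken when the hash rules were made."""
    current = snapshot(script_dir)
    return {
        # Content changed: the existing hash rule no longer matches this file.
        "changed": sorted(n for n in current if n in manifest and current[n] != manifest[n]),
        # New script: no hash rule covers it at all.
        "uncovered": sorted(n for n in current if n not in manifest),
        # Script removed: its rule can be cleaned out of the GPO.
        "stale": sorted(n for n in manifest if n not in current),
    }


def demo() -> dict:
    """Constructed sample: three scripts recorded, then one edited, one added, one deleted."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "logon.bat").write_text("net use H: \\\\fileserver\\home\n")
        (root / "printers.vbs").write_text("' map printers\n")
        (root / "legacy.cmd").write_text("rem old\n")
        manifest = snapshot(root)  # state when the hash rules were created
        (root / "logon.bat").write_text("net use H: \\\\fileserver2\\home\n")
        (root / "drives.cmd").write_text("net use S: \\\\fileserver\\shared\n")
        (root / "legacy.cmd").unlink()
        return drift(manifest, root)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(kind, names)
```

Anything reported under `changed` or `uncovered` is a script the existing hash rules would no longer stop, which is the rehash work the post warns about.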

#6

Good Morning Pegasus,

Wouldn't I need to perform this within Domain_A's login script? I cannot change or modify that script. The only domain I can control is Domain_B.

Thanks

John

"Pegasus (MVP)" <I.can@fly.com> wrote in message news:eZKd%23uHFHHA.2464@TK2MSFTNGP06.phx.gbl...
> "John Hooper" <not@pplicable> wrote in message news:em8YkqHFHHA.3304@TK2MSFTNGP05.phx.gbl...
>> "Pegasus (MVP)" <I.can@fly.com> wrote in message news:eQzi4FHFHHA.1240@TK2MSFTNGP03.phx.gbl...
>>> "John Hooper" <not@pplicable> wrote in message news:u0WaB%23FFHHA.2268@TK2MSFTNGP03.phx.gbl...
>>>> Good Afternoon Group,
>>>>
>>>> I have a problem at the moment which I do not know how to tackle and I am hoping you guys may be able to . Currently I have 2 Windows 2003 domains. Domain_A and Domain_B. There is a one way trust relationship between the two domains. Outgoing trust on Domain_B and Incoming on Domain_A. All user accounts and regular desktops belong to Domain_A. Domain_B is a server farm consisting of mainly Citrix Presentation Server 4 servers publishing specific applications. Now, in Domain_A there are extensive logon scripts that are used. Is there a way to prevent logon scripts being processed when a user of Domain_A logs onto Domain_B via terminal services? I would like to intercept Domain_A's logon scripts and have this authenticated user run logon scripts which are relevant to Domain_B. I kind of think of it in this way. I am a passenger at an airport. I approach the passenger scanning machine. I empty out my pockets and place the contents in the tray (Domain_A's logon scripts). I walk through the scanner (Domain_A user logs onto Domain_B), and then I do not give back the contents that the user placed into the tray but give the user new contents to put into his pockets. I know this may sound confusing but if anyone has any suggestions on how I can achieve this I would be most gratified. One note though, I cannot change or modify any login scripts or processes in Domain_A, only in Domain_B can I make these changes.
>>>>
>>>> Thanks for any input anyone may have,
>>>>
>>>> Best Regards
>>>>
>>>> John
>>>
>>> I would check if %UserDomain% can be used to conditionally exit the logon script.
>>
>> Hmm, I think I may be a little confused here Pegasus. Could you elaborate more on this?
>>
>> Thanks. My apologies for not understanding.
>>
>> Cheers
>>
>> John
>
> 1. Start a session in a mode that is supposed to run logon scripts.
> 2. Start a Command Prompt.
> 3. Make a note of the environmental variable %UserDomain%.
> 4. Start a session in a mode that is not supposed to run logon scripts.
> 5. Make a note of the environmental variable %UserDomain%.
>
> Is %UserDomain% the same in the two modes? If it is different, use the difference to bail out of the logon script.

#7

Yes, you would need access to both scripts.

"John Hooper" <not@pplicable> wrote in message news:ufk2$bLFHHA.420@TK2MSFTNGP06.phx.gbl...
> Good Morning Pegasus,
>
> Wouldn't I need to perform this within Domain_A's login script? I cannot change or modify that script. The only domain I can control is Domain_B.
>
> Thanks
>
> John
>
> "Pegasus (MVP)" <I.can@fly.com> wrote in message news:eZKd%23uHFHHA.2464@TK2MSFTNGP06.phx.gbl...
>> "John Hooper" <not@pplicable> wrote in message news:em8YkqHFHHA.3304@TK2MSFTNGP05.phx.gbl...
>>> "Pegasus (MVP)" <I.can@fly.com> wrote in message news:eQzi4FHFHHA.1240@TK2MSFTNGP03.phx.gbl...
>>>> "John Hooper" <not@pplicable> wrote in message news:u0WaB%23FFHHA.2268@TK2MSFTNGP03.phx.gbl...
>>>>> Good Afternoon Group,
>>>>>
>>>>> I have a problem at the moment which I do not know how to tackle and I am hoping you guys may be able to . Currently I have 2 Windows 2003 domains. Domain_A and Domain_B. There is a one way trust relationship between the two domains. Outgoing trust on Domain_B and Incoming on Domain_A. All user accounts and regular desktops belong to Domain_A. Domain_B is a server farm consisting of mainly Citrix Presentation Server 4 servers publishing specific applications. Now, in Domain_A there are extensive logon scripts that are used. Is there a way to prevent logon scripts being processed when a user of Domain_A logs onto Domain_B via terminal services? I would like to intercept Domain_A's logon scripts and have this authenticated user run logon scripts which are relevant to Domain_B. I kind of think of it in this way. I am a passenger at an airport. I approach the passenger scanning machine. I empty out my pockets and place the contents in the tray (Domain_A's logon scripts). I walk through the scanner (Domain_A user logs onto Domain_B), and then I do not give back the contents that the user placed into the tray but give the user new contents to put into his pockets. I know this may sound confusing but if anyone has any suggestions on how I can achieve this I would be most gratified. One note though, I cannot change or modify any login scripts or processes in Domain_A, only in Domain_B can I make these changes.
>>>>>
>>>>> Thanks for any input anyone may have,
>>>>>
>>>>> Best Regards
>>>>>
>>>>> John
>>>>
>>>> I would check if %UserDomain% can be used to conditionally exit the logon script.
>>>
>>> Hmm, I think I may be a little confused here Pegasus. Could you elaborate more on this?
>>>
>>> Thanks. My apologies for not understanding.
>>>
>>> Cheers
>>>
>>> John
>>
>> 1. Start a session in a mode that is supposed to run logon scripts.
>> 2. Start a Command Prompt.
>> 3. Make a note of the environmental variable %UserDomain%.
>> 4. Start a session in a mode that is not supposed to run logon scripts.
>> 5. Make a note of the environmental variable %UserDomain%.
>>
>> Is %UserDomain% the same in the two modes? If it is different, use the difference to bail out of the logon script.