You're saying that you have user settings that you want to apply to users only when they logon to certain computers? Sounds difficult, eh? It's not difficult at all. It sounds like a job for loopback group policy processing!
Assume the following:
[Domain] mydomain.com.org.net.local
|
|--[OU] Special Computers
|   |
|   |-- [Computer] COMPUTER 1
|   |
|   |-- [Computer] COMPUTER 2
|   ...
|
|--[OU] User Accounts
    |
    |--[User] Bob
    |
    |--[User] Alice
    ...
You would like to apply a user setting (such as running a logon script, or applying other types of GPO user settings) for all users who logon to computers in the "Special Computers" OU. When they logon to computers located in other OUs, though, you do not want these special settings to apply.
Create and link a GPO to the "Special Computers" OU. Specify in that GPO all the user-related settings you want to apply.
("But wait, Evan! The user's account objects aren't in the 'Special Computers' OU!" Yes. I know that. Stay w/ me here. Most AD admins I've met don't understand loopback policy processing and get scared. I've seen horrible hacks like creating secondary user accounts for users to logon with when using "special computers", etc... >shudder<)
In the GPO you created, go into the COMPUTER "Administrative Templates", "System", "Group Policy", and locate the setting "User Group Policy loopback processing mode". Enable this setting. In the "Mode" box, choose "Replace" if you want all the user's "normal" group policy settings to be ignored and only the user policy settings in this new GPO to apply. Choose "Merge" if you want the user settings in the GPO to apply after all their normal user settings have applied.
My opinion is that this is a lot cleaner than "hacks" involving "If computer == blah" in logon scripts.
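The loopback setup described in the answer above can also be scripted and audited with the GroupPolicy PowerShell module. This is an added example, not code from the original answer: the GPO name is hypothetical, the OU path is derived from the sample domain in the diagram, and it goes one step beyond the answer by listing every GPO in the domain that turns loopback on.

```powershell
# Added example: the GPO name is an assumption, not from the original answer.
Import-Module GroupPolicy

$GpoName = 'Special Computers - User Settings (Loopback)'   # hypothetical name
$OuDn    = 'OU=Special Computers,DC=mydomain,DC=com,DC=org,DC=net,DC=local'
$Key     = 'HKLM\Software\Policies\Microsoft\Windows\System'

# "User Group Policy loopback processing mode" is stored as the
# UserPolicyMode DWORD under the key above: 1 = Merge, 2 = Replace.
$ModeNames = @{ 1 = 'Merge'; 2 = 'Replace' }

function New-LoopbackGpo {
    param(
        [string]$Name,
        [string]$TargetOu,
        [ValidateSet(1, 2)][int]$Mode
    )
    # Create the GPO, enable loopback in its computer half, link it to the OU.
    New-GPO -Name $Name | Out-Null
    Set-GPRegistryValue -Name $Name -Key $Key -ValueName 'UserPolicyMode' `
        -Type DWord -Value $Mode | Out-Null
    New-GPLink -Name $Name -Target $TargetOu -LinkEnabled Yes | Out-Null
}

function Get-LoopbackGpo {
    # Report every GPO that enables loopback, with its mode and status.
    foreach ($gpo in Get-GPO -All) {
        try {
            $v = Get-GPRegistryValue -Guid $gpo.Id -Key $Key `
                -ValueName 'UserPolicyMode' -ErrorAction Stop
        } catch {
            continue   # value not configured in this GPO
        }
        [pscustomobject]@{
            Gpo       = $gpo.DisplayName
            Mode      = $ModeNames[[int]$v.Value]
            # Loopback is a computer setting: it has no effect if the
            # GPO's computer settings are disabled.
            GpoStatus = $gpo.GpoStatus
        }
    }
}

New-LoopbackGpo -Name $GpoName -TargetOu $OuDn -Mode 2   # 2 = Replace
Get-LoopbackGpo | Format-Table -AutoSize
```

The user-side settings still have to be added to the GPO; on a computer in the OU, `gpresult /r /scope user` shows whether they were applied at logon.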
My advice to you would be to do what you're doing with Group Policy Preference (GPP) registry settings, rather than with a logon script. It will apply one time, leaving default settings in the users' registry, but the user will be able to change the settings freely in the future without having them "smashed" each time they log on.
If these are Windows Server 2008 machines, like your tag says, then there's really no excuse not to use GPP registry settings. Have a look at the articles below for some more details. This is a really nice feature of W2K8, and something you should be taking advantage of.
http://www.microsoft.com/downloads/details.aspx?FamilyID=42e30e3f-6f01-4610-9d6e-f6e0fb7a0790&DisplayLang=en
http://blogs.technet.com/grouppolicy/archive/2008/03/04/gp-policy-vs-preference-vs-gp-preferences.aspx
A network packet capture at the client would probably help here. It would show you the total amount of data transferred during logon, and for sysvol/gpo operations, you could determine if the client is spending an unusual amount of time on a specific gpo(s).
After installing Microsoft Network Monitor 3.4, save the following to a cmd file, and run it as a scheduled task at system startup. That will create a capture file that you can analyze after the logon has completed.
cd /d "C:\Program Files\Microsoft Network Monitor 3"
nmcap.exe /network * /capture /DisableConversations /file c:\temp\test.cap:100M
Here are some registry settings that you can test on the client workstation to determine if they help:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"BufferPolicyReads"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRemoteRecursiveEvents"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRemoteChangeNotify"=dword:00000001
More information:
319440 - Logon delays occur over a slow connection if opportunistic locking is not granted for the policy file in Windows
http://support.microsoft.com/kb/319440
http://blogs.technet.com/b/mrsnrub/archive/2009/09/03/windows-server-2003-x86-tuning-for-performance-based-on-role.aspx
Microsoft Network Monitor 3.4 Open Source Windows Parsers 3.4.2654
http://nmparsers.codeplex.com/
After downloading and installing the Windows Parsers, in Network Monitor, under Tools > Options > Parser Profiles, select Windows, and click Set As Active.
When viewing the capture, in the Frame Summary window, the SMB/SMB2 protocol packets will display the UNC path to the location where the Group Policies are being read. You can further refine the display by applying a filter such as SMB2 && tcp.DstPort == 445 (or SMB if SMB2 is not being used). This should provide a fairly concise display of the GPO processing.
Best Answer
Just do it using a GPO.
You can set reg keys in: GPO > User Settings > Preferences > Windows Settings > Registry > New > Registry Item
Set it to Update
set the hive (HKCU)
set the Key Path (Software\Microsoft\Windows NT\CurrentVersion\Winlogon)
set the Value Name (remove the V in the checkbox) to "shell"
set the value type to string, and the value data to whatever you like (e.g. iexplore.exe -k serverfault.com).
Filter the GPO so it applies only to the user\group you want (don't forget to add "Domain Computers", so the policy can be applied - KB3163622).
UPDATE: Just found out there's an actual GP setting for this: User Settings > Administrative Templates > System > Custom user interface. This should work just fine on the user's first login.
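To confirm which shell value a given user actually ends up with, and to spot a shell override nobody intended, the locations involved can be read back in the user's session. This is an added example, not part of the original answer; it assumes the "Custom user interface" policy stores its value as `Shell` under the per-user `Policies\System` key, and it treats `explorer.exe` as the expected default.

```powershell
# Added example: run in the session of the user being checked (reads HKCU).
$Locations = @(
    @{ Source = 'Per-user Winlogon value (the GPP registry item above)'
       Path   = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' }
    @{ Source = '"Custom user interface" policy (assumed storage location)'
       Path   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' }
    @{ Source = 'Machine-wide Winlogon value'
       Path   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' }
)

function Get-ShellOverride {
    foreach ($loc in $Locations) {
        # A missing key or value yields $null, which means "not set here".
        $value = (Get-ItemProperty -Path $loc.Path -Name 'Shell' `
                    -ErrorAction SilentlyContinue).Shell
        if ($null -eq $value) { continue }

        [pscustomobject]@{
            Source    = $loc.Source
            Path      = $loc.Path
            Shell     = $value
            # Anything other than the stock shell deserves a look: it is
            # either the kiosk setting you deployed or an unexpected change.
            IsDefault = ($value.Trim() -ieq 'explorer.exe')
        }
    }
}

Get-ShellOverride | Format-Table -AutoSize -Wrap
```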