Installing/Uninstalling Client-Side Password Reset Components Through a Group Policy (GPO)

 

1. Right-click on the domain or OU on which you wish to create the group policy and select Properties

 

 

2. On the Group Policy tab, click the New button and enter a name for the GPO you wish to create.

 

 

3. With the GPO highlighted, click on the Edit button.  This will display the Group Policy Editor.

 

  1. 4. Expand “Windows Settings” under “Computer Configuration” and select “Scripts (Startup/ Shutdown)

  2. 5. With “Scripts” highlighted, double-click on “Startup” from the right pane. This will display the “Startup Properties” window.

  3.  

     

6.        On this window, we will add the script file that will be run by the GPO.  Click on the Show Files button and copy the “PasswordResetInstallation.vbs” or  “PasswordResetUnInstallation.vbs” script into the window that appears and  close the window

NOTE: The scripts are deployed by the password reset installer under the [INSTALL PATH]\ HSPwdReset\HSPasswdRst folder. If the location of the Installation files is changed, script files will need to be modified.

To do this, open the “PasswordResetInstallation.vbs” or “PasswordResetUnInstallation.vbs” file in any text editor and replace the highlighted area in the following screenshot with the new UNC path. Be sure not to append the end of the path with a slash “\

 

7. With the script now stored in this GPO, click on Add button.

8. Click on the Browse button and select the “PasswordResetInstallation.vbs” or “PasswordResetUnInstallation.vbs” file

 

Once completed, click OK on the “Add a Script” box and again for the Startup Properties box.

9.        With the script added, next we will set the administrative template to be used.  From the Group Policy Object Editor, Select “Scripts” found under Computer Configuration > Administrative Templates > System

 

10. Within the right pane, double-click “Run logon scripts synchronously”, select “Enabled”, and click OK

 

11. With scripts still selected, from the right pane, double-click “Maximum wait time for group policy scripts” , select “Enabled”, and click OK

 

12. With “logon” selected in the left pane, double-click “Always wait for the network at computer startup and logon” within the right pane, select “Enabled”, and click OK

 

13. With “Group Policy” selected in the left pane, double-click on “Group Policy slow link detection” within the right pane, select “Enabled”, and click OK

 

Next, we will apply the policy to computer accounts. To simplify this, it is recommended that all computer accounts be placed in a single group.

14. Right-click the main GPO node and click on Properties

 

 

 

15. From the Security tab, add the computer accounts or the group(s) containing the computer accounts and grant them “Read” and “Apply Group Policy” permissions

 

 

16. Select Authenticated Users group and click Remove

 

 

17. Click Apply and close the windows including the GPO Editor

 

18. Now reboot all the client machines to execute the new GPO. Note: Refer to http://support.microsoft.com/kb/840669  for Windows XP Sp1 and Sp2.