mhamer
login script runs twice
2003 AD
mix of windows 2000 and xp pro clients
logon script is in a "site policy"
there are plenty of nested OU's but none have other policies applied or linked to.
i do have show scripts visible on.
modeling wizard
i checked all the policies that applied to a user and none of them ref the login script apart from site pol.
any ideas?
Is there a logon script defined on the actual User Account in AD too?
ASKER
regarding other posts
it's not a duplicate entry in the registry
or a double applied policy
ta
ASKER
no, nothing in the user profile
Sure...download the Group Policy Management Tool. This tool allows you to run a report and show all of the group policies affecting a computer/user. After running this tool, you will be able to see if there is more than one GPO running the script.
Here is the download: http://www.microsoft.com/downloads/details.aspx?FamilyId=0A6D4C24-8CBD-4B35-9272-DD3CBFC81887&displaylang=en
Once you install the free tool, you can run a report to see the effect of GPO's...
hope this helps..
You only have it set in a GPO in one section (User Configuration)? This GPO is only linked once?
I agree with NJ - download the GPMC and you can run a query to see where things are coming from. You can also spot a cross-linked GPO immediately.
http://www.microsoft.com/downloads/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&DisplayLang=en
You should also check to see if there is something locally configured on the workstation (for some odd reason).
ASKER
I use the GPMC already
yes the GPO is only linked once
and there isn't anywhere else to put a logon script is there?
nothing configured on local machine either, same thing happens on a newly built machine
the report from the modeling wizard looks correct and shows two policies applied none denied,
one is just the default domain policy (just account details set in here)
and the other is the site policy which has the login script enabled..
ta
ASKER
group policy results shows it ran twice but no clue to cause, it lists the same policy\ou and same time of execution
The clue you can get by enabling User Debugging on client machine:
How to enable User Debugging:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;221833
ASKER
no clues :-) i have set it in the most verbose mode and can see the policies being applied but they are the correct ones.
What makes you say that the script runs twice?
How do you know actually?
Did you check the scripts for any other script inside them? Usually a script can call other scripts.
ASKER
it runs twice as in ,
I have "show logon scripts visible" checked
you see the scripts run in a command window, almost at same time but one obviously gets "drive already mapped" messages.
>>>you see the scripts run in a command window, almost at same time but one obviously gets "drive already mapped" messages.
Could you post your script here?
ASKER
yes here you go, but i doubt it is the script itself??
@echo off
rem sync time with Domain controller
net time %logonserver% /set /yes
gpupdate /target:user
rem set environment variables
set OMNIS="j:\data\inclass"
regedit /s SetODBCToNewServer.reg
rem regedit /s undoodbc.reg
rem *******************************
rem Map network drives
rem check for resource utility
IF NOT EXIST %windir%\IFMEMBER.EXE copy \\asl-servertwo\netlogon\ifmember.exe %windir%
rem this section maps the V: and S: and x: drives
rem to the appropriate directories on asl-serveronees.
net use m: \\asl-serverone\shared /persistent:no
net use j: \\asl-serverone\db /persistent:no
net use u: \\asl-serverone\%username% /persistent:no
IF NOT EXIST "C:\Documents and Settings\All Users\Desktop\telephonelist.lnk" copy "M:\Common\Telephone List\TELEPHONELIST.lnk" "C:\Documents and Settings\All Users\Desktop"
IFMEMBER G_MAN_READ
IF NOT %errorlevel% EQU 1 GOTO Rdrive
net use v: \\asl-serverone\man /persistent:no
rem net use w: \\asl-serverone\man /persistent:no
:Rdrive
rem This section maps R: \\asl-cubefiles\shared
IFMEMBER g_iqr_users
IF NOT %errorlevel% EQU 1 GOTO done
net use r: \\asl-cubefiles\shared /PERSISTENT:NO
:sdrive
REM MAP DRIVE FOR other s: Drive
REM IFMEMBER groupname
REM IF NOT %errorlevel% EQU 1 GOTO xdrive
REM NET USE s: \\asl-serverone\sharename /PERSISTENT:NO
:xdrive
REM rem This section maps x: ????
REM IFMEMBER mids_group
REM IF NOT %errorlevel% EQU 1 GOTO vp
REM net use x: \\asl-serverone\sharename /PERSISTENT:NO
:VP
rem ifmember g_VP_install
rem if not %errorlevel% EQU 1 goto :done
rem call %logonserver%\netlogon\vplogon.bat
:DONE
rem wait for 5 seconds
PING 1.1.1.1 -n 1 -w 5000 >NUL
rem check for AV software (basic)
IF NOT EXIST "C:\Program Files\Symantec AntiVirus\Cliscan.dll" alert.cmd
rem check and update applications
call m:\common\admin\baps\Bapsupdate.bat
call m:\common\admin\daffy\daffyupdate.bat
rem call m:\common\admin\greatplains\gpupdate.bat
ASKER
gpupdate is there as it fixes a few issues with policies not getting fully applied, it doesn't affect the twice run problem if removed
ASKER
plus i just put a simple test script in which opens notepad instead
i logged on and got two notepads
site policy or how site policy applied is more likely as cause???
net use m: \\asl-serverone\shared /persistent:no
>>>call m:\common\admin\baps\Bapsupdate.bat
Where is this M drive located? On client machine?
Is this script (Bapsupdate.bat) called successfully?
Could you post your Group Policy structure with how many Group Policy, Inheritance, No Override option set etc etc.
ASKER
m: is on a different server
yes it's called and works (twice! :-)
Strange...
Did you try enabling Netlogon debugging?
Sounds like Loopback Processing is enabled on this GPO and the logon script is being called from the Computers portion of the GPO rather than the User section (yes there are two places).
If gpresult shows it runs twice then it's being processed twice - thus the loopback.
Try linking this to an OU to test - it might be a Site issue.
If you have overlapping Sites (due to subnet misconfiguration) then it's possible that it's being processed twice. I'd like to see what happens when you link to an OU - my bet is it will work correctly.
ASKER
there are only three policies in play
all are set to enabled and enforced
no blocking of inheritance going on
domain = default domain policy
just computer config for account details such as password length lockouts etc
and show scripts visible
then the "site"
has the policy that does the login script,
ASKER
Netman
Hi, yes it does run properly (just the once) when attached to an OU
and loop back is configured on this particular policy.
but that needs to be there and the policy needs to be on the site too! :-)
we have several offices around the country, all the sites are correctly subnetted (just checked) but most staff log on to citrix here at my office,
so using the sites allows, one set of settings for users logging on to local machines and another set for citrix users who are technically logging on back at my office regardless of where they are.
so what would i change
computer portion has "start up" not "logon" scripts and that is empty, or are you talking about something different
This is a shot in the dark. And might not apply to what you are doing... but just for argument's sake... create another batch file.
In the batch file call the original login script like this... %0\..\logon.bat
Put that file into the NETLOGON directory or whatever dir you have the logon.bat in. Then just call that at logon and see if that works.
ASKER
Spag Yetti
already tried a few threads up
it is down to loop back
but i know this sounds lame, I can't remember why i have loopback on, I'm pretty sure i would have done it for a reason,
I have disabled it, and see what happens tomorrow when 1000 people log on :-) it's all character building stuff.
I have done a few tests and all seems fine with it switched off. but as i said "was there for a reason"
You could also change the Loopback process to Replace rather than merge.
Is it necessary to have the Logon script being called from the loopback policy? The policy that controls the user's account object will handle this.
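Added example, not part of the thread: a simplified Python model of how the user-side GPO list is built at logon, showing why a site-linked GPO carrying both the logon script and loopback Merge runs the script twice, while Replace mode or an OU link runs it once. The site name "HQ", the OU names and logon.bat are constructed; enforcement, inheritance blocking and security filtering are left out.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Gpo:
    name: str
    logon_scripts: tuple = ()   # User Configuration > Scripts > Logon
    loopback: str = ""          # Computer Configuration setting: "", "merge", "replace"

def gpos_for(links, site, ous):
    """GPOs in processing order: site, domain, then OUs from parent to child."""
    scopes = [("site", site), ("domain", "")] + [("ou", ou) for ou in ous]
    return [gpo for scope in scopes for gpo in links.get(scope, [])]

def user_side_gpos(links, site, user_ous, computer_ous):
    """GPO list whose User Configuration is applied at logon."""
    # The site comes from the computer's subnet, so both lists see site links.
    user_list = gpos_for(links, site, user_ous)
    computer_list = gpos_for(links, site, computer_ous)
    # Loopback is a computer setting, so only the computer's GPOs can turn it on.
    mode = ""
    for gpo in computer_list:
        mode = gpo.loopback or mode
    if mode == "replace":
        return computer_list                # user's own list is not used
    if mode == "merge":
        return user_list + computer_list    # computer's list appended to user's
    return user_list

def logon_scripts(gpo_list):
    return [script for gpo in gpo_list for script in gpo.logon_scripts]

def applied_twice(gpo_list):
    counts = Counter(gpo.name for gpo in gpo_list)
    return sorted(name for name, n in counts.items() if n > 1)

def scenario(link_scope, mode):
    """Constructed layout: one domain GPO plus the script GPO linked at link_scope."""
    script_gpo = Gpo("Site Policy", ("logon.bat",), mode)
    links = {("domain", ""): [Gpo("Default Domain Policy")], link_scope: [script_gpo]}
    return user_side_gpos(links, "HQ", ["Staff"], ["Workstations"])

if __name__ == "__main__":
    for scope, mode in [(("site", "HQ"), "merge"), (("site", "HQ"), "replace"),
                        (("ou", "Staff"), "merge")]:
        gpos = scenario(scope, mode)
        print(scope, mode, logon_scripts(gpos), applied_twice(gpos))
```

In the OU case the computer never receives the GPO, so its loopback setting is not in effect there, which matches the single run seen when the policy was linked to an OU.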