Question

Logon scripts not running

Asked by: Mike_Courtney

I am running a Citrix Access Gateway 4.2 with advanced access control.
I am using a network resource that currently allows all port access; this is secured by Windows group, so the Citrix VPN client only runs when a user is a member of that group.

I logon through a web interface and due to membership of the relevant group the VPN client starts and connects.
Domain authentication is OK by virtue of relevant icons being shown and the VPN client starting.

My problem is that the logon scripts don't run.
Logon scripts are set on the user's account in the AD user profile tab (not the terminal services profile, although this makes no difference).
The script is in a subdirectory of the netlogon share and the relative path from netlogon is referenced in the logon script box.

Scripts are .bat files

A network capture doesn't show much information

The connection log from the VPN client gives the following errors (no consistency)

User info lookup failed. Cannot not execute logon script. (2221)
or
User info lookup failed. Cannot not execute logon script. (53)

This is telling me user cannot be found or path can't be found - I've confirmed this is not the case for other apps - and authentication works.
The script can be run manually.

This question has been solved and asker verified.

Asked On: 2008-01-10 at 07:22:50 | ID: 23072654
Tags: Citrix, Access Gateway with advanced access controls, 4.2, Citrix SSL Vpn in use logon scripts not running
Topics: Citrix, Virtual Private Networking (VPN)
Participating Experts: 1
Points: 0
Comments: 19


Answers

 

by: Mike_Courtney | Posted on 2008-01-10 at 08:20:17 | ID: 20628338

All intrusion prevention and firewall / virusscan devices have been disabled on computers we have tested on.

 

by: croberds | Posted on 2008-01-11 at 11:28:07 | ID: 20639339

Maybe the script is not getting run because of a group policy? The web interface should use whatever is in the user's profile but it does strange things sometimes.

You can do a Result set of policy (right click the user in AD, go to All tasks/Resultant Set of Policy-logging) and see what is getting run when they log into the terminal server. If the logon script is being run it should show up in the User Configuration/Windows Settings/Logon Scripts.

Maybe try to make an OU of your Citrix users and put the logon script there. If all of the Citrix users have the same logon script and you only have one or two terminal servers you can also put the logon script on the group policy of the terminal servers themselves. Go to the run, type gpedit.msc, then like above go to User Configuration/Windows Settings/logon scripts and right click and set up a .bat file.

 

by: Mike_Courtney | Posted on 2008-01-11 at 12:14:09 | ID: 20639863

The logon script is not running as part of a GPO. It's set in the user object (logon script path). Your thought is good though - I'll try putting it in a GPO

 

by: croberds | Posted on 2008-01-11 at 13:56:33 | ID: 20641025

Weird that it wouldn't work in the user object though. I used to have some logon scripts in the user object and I know they worked before I moved them to a GPO. We use the web interface also but I don't have a CAG. Maybe if the profiles aren't stored on the Citrix server and instead are on a share somewhere that could perhaps cause the problem. Or if the script is somehow dependent on a full desktop and you are running an application that may cause a conflict also.

 

by: Mike_Courtney | Posted on 2008-01-11 at 15:10:46 | ID: 20641611

I actually think it is a networking issue if I'm honest - but I'm very confused by it.

 

by: croberds | Posted on 2008-01-11 at 15:55:39 | ID: 20641845

Since you are getting the error it shows it is trying to run the script but is unable to. The way the error is it seems it cannot find the logon script. Are you using roaming profiles? If not, do you have a fileshare for the TS/Citrix user profiles or are the files saved on the Citrix server (they will go there by default if you don't set them up elsewhere)?

 

by: Mike_Courtney | Posted on 2008-01-12 at 06:43:35 | ID: 20643923

The logon scripts are all stored in a subdirectory of the netlogon share of the DC's.

ie
\scripts\script.bat

The unc of this is

\\Domaincontroller\netlogon\scripts\scripts.bat

or

\\domain\SysVol\domain\scripts\scripts\mike.bat

(yes scripts is there twice)

As far as I'm aware I wouldn't need to have the logon script on the citrix server as well. I accept that it seems to be having problems finding it.

Folder redirection is in use

 

by: croberds | Posted on 2008-01-12 at 13:54:52 | ID: 20645438

One other thing to consider would be if it is on a windows 2003 server to make sure the restrictions are loosened up.  The Internet Explorer Enhanced Security Configuration can be a pain just to get a drive mapped until you disable it.

 

by: Mike_Courtney | Posted on 2008-01-13 at 13:39:44 | ID: 20649292

Running the script through a GPO linked logon script has the same problem.

Croberds your last comment is interesting - can you elaborate please.

As this is a vpn solution the script should run on the client side - (windows 2000 pro SP4) rather than on a server.

 

by: croberds | Posted on 2008-01-14 at 07:55:15 | ID: 20653827

If a script tries to run while logging into Citrix it is going to use the terminal/Citrix server's local policies also. If you write a script that runs a program on a network share but the terminal server is not allowed to view that share (even if the local client that is logging into the share has permissions) then the script cannot run.

If your Citrix server is Win 2000 server then the defaults would have been fine unless you tightened up some local policies in the past. Win 2003 server already has a lot of restrictions in place including the obvious IE enhanced security and software restriction policies. http://support.microsoft.com/kb/324036 talks about making some changes to those. If you are using a VPN that should give the user access to the domain, but when they log on to the Citrix server they still have to abide by the Citrix users' local policies.

I have never used Citrix Access Gateway so your knowledge of how it sets up your vpn will probably be better than mine.  I did attend a Brian Madden class where we discussed it briefly, but my knowledge is more with citrix itself as that is what I deal with every day.

I knew I had seen something on this before, I searched madden's site after I typed all of the above--http://www.brianmadden.com/Forum/Topic/87805

hope that helps

 

by: Mike_Courtney | Posted on 2008-01-14 at 14:50:47 | ID: 20657851

I think that's where a lot of the complexity comes here.
From my understanding the citrix gateway secure client is acting as a tunnel to the internal network and therefore the login script is running on the client (no involvement of Citrix presentation or WI servers).

Unfortunately as it is vpn then i can't do much with the network captures!!

 

by: croberds | Posted on 2008-01-15 at 07:39:50 | ID: 20663497

Mike, I apologize as I think I may have misinterpreted your question at the beginning. From what you are saying you are not actually running a terminal session, you are just using the CAG to tunnel into the VPN?

If that is the case then the problem is different than I thought.  I am assuming you enabled logon scripts from the CAG?  I would also assume that by tunneling in that only basic command logon scripts would work, like drive mapping.  As I mentioned previously I am not an expert on CAG and we may need to hope someone else who is steps in.

The error of "user info lookup failed" seems to imply that the DC and the CAG either cannot communicate or have the user in a different security group.

 

by: Mike_Courtney | Posted on 2008-01-15 at 08:03:32 | ID: 20663721

yes that's exactly it - I'm sorry it seems I led you on a bit of a dance.

All the scripts are doing are mapping drives - but they aren't running at all.

Many thanks for your input, I'll leave the question open hoping it attracts others.

Mike

 

by: croberds | Posted on 2008-01-15 at 08:44:08 | ID: 20664096

I found this on madden's site:  http://www.brianmadden.com/Forum/Topic/39566

maybe your answer is in there.

 

by: croberds | Posted on 2008-01-15 at 08:48:42 | ID: 20664145

Looks like the scripts will only run if the client is already a member of the domain. That's a deficiency if that doesn't work but that's what I gather from the thread over there.

 

by: Mike_Courtney | Posted on 2008-01-20 at 14:09:59 | ID: 20702670

I'm still looking at investigating these new bits

 

by: Mike_Courtney | Posted on 2008-01-23 at 02:09:49 | ID: 20722108

Here's another new bit,

One user - manually added to power users group (as per articles and confirmed domain logon) sees this when it tries to run his script

[Wed Jan 23 09:54:04] Using user logon script \\??????????????!?!???????????????????????\NETLOGON\scripts\scriptname.cmd

 

by: Mike_Courtney | Posted on 2009-06-27 at 14:46:29 | ID: 24729320

This was down to the set of firewall rules in use. Even though I tried it with the firewall disabled, it appears it wasn't disabled enough!

Eventually I got to the following rule set:

To run the logon scripts:
Outbound UDP to DC's 137 and 138 from ntoskrnl.exe (inc. path)
Outbound TCP to DC's 139 and 445 from ntoskrnl.exe (inc. path)
Outbound UDP to DC's 389 from Lsass.exe (inc. path)
Outbound TCP to DC's 135 from Lsass.exe (inc. path)
Outbound UDP/TCP to DC's 88 from Lsass.exe (inc. path)

To allow drive mapping:
Outbound TCP 139 and 445 to file servers
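
Added example, not part of the original thread: a short Python audit that checks an outbound allow-list against the flows listed in the accepted answer above and reports the ones that are still blocked. The one-line rule format and the `dc` / `fileserver` destination labels are assumptions constructed for this example, not any firewall product's export format.

```python
# Required outbound flows, transcribed from the answer above:
# (purpose, protocol, destination, ports, process); None = answer names no process.
REQUIRED = [
    ("logon script", "udp", "dc", (137, 138), "ntoskrnl.exe"),
    ("logon script", "tcp", "dc", (139, 445), "ntoskrnl.exe"),
    ("logon script", "udp", "dc", (389,), "lsass.exe"),
    ("logon script", "tcp", "dc", (135,), "lsass.exe"),
    ("logon script", "udp", "dc", (88,), "lsass.exe"),
    ("logon script", "tcp", "dc", (88,), "lsass.exe"),
    ("drive mapping", "tcp", "fileserver", (139, 445), None),
]

def parse_ports(text):
    """'88', '137,138' or '135-139' -> set of port numbers."""
    ports = set()
    for part in text.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def parse_rules(text):
    """Parse 'allow out <proto[/proto]> <dest> <ports> <process|*>' lines (constructed format)."""
    rules = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].lower().split()
        if len(fields) != 6 or fields[:2] != ["allow", "out"]:
            continue  # blank, comment-only, or not an outbound allow rule
        _, _, protos, dest, ports, proc = fields
        for proto in protos.split("/"):
            rules.append((proto, dest, parse_ports(ports), proc))
    return rules

def missing_flows(rules):
    """Return the required (purpose, proto, dest, port, process) tuples that no rule allows."""
    missing = []
    for purpose, proto, dest, ports, proc in REQUIRED:
        for port in ports:
            allowed = any(
                r_proto == proto and r_dest == dest and port in r_ports
                and (proc is None or r_proc in ("*", proc))
                for r_proto, r_dest, r_ports, r_proc in rules
            )
            if not allowed:
                missing.append((purpose, proto, dest, port, proc))
    return missing

# Constructed sample: a client firewall that was opened up, but not enough.
SAMPLE = """
allow out tcp      dc         445      ntoskrnl.exe
allow out tcp      dc         88       lsass.exe     # Kerberos over TCP only
allow out udp      dc         389      *
allow out tcp      dc         135-139  svchost.exe   # wrong process for 135/139
allow out tcp      fileserver 445      *
"""

if __name__ == "__main__":
    for purpose, proto, dest, port, proc in missing_flows(parse_rules(SAMPLE)):
        print(f"missing ({purpose}): {proto.upper()} {port} -> {dest} from {proc or 'any process'}")
```

Rules bound to a process only satisfy a flow when the process matches the one named in the answer, which is why the `svchost.exe` rule in the sample does not cover TCP 135 or 139.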
