dyadmin (ASKER)

Unable to execute logon vb script from 2008 netlogon share from an intersite DC

My AD was recently upgraded from 2003 to 2008 due to 2003 end of life. I have an issue where I have DCs in the same forest, in two different subnets at two different physical sites, where a user cannot execute a logon script that's a VB script in the netlogon share. When I connect to the DC in the different subnet and try to copy the VBS script to my Windows 7 desktop, I get a network error, as depicted here:

[User generated image]

The rest of the files in the netlogon folder (all batch files and even PowerShell scripts) copy over just fine. Just not VB scripts. Replication works according to the schedules that AD sets by default.

Here's the kicker, if a local user executes their logon script that's pointed to the local DC in the same subnet, the vb script executes, and you can copy it.

Before in my 2003 domain, this was not an issue. We have not yet set the operation mode of the AD to 2008, it's still mixed.

There are no firewall rules that prevent vb scripts from being copied. I can copy vb scripts from one location's share to another not in netlogon just fine. It's just vb scripts.

Any help anyone can provide would be appreciated!
Lionel MM

Check the permissions on that file if it is the only one giving you problems (permissions and access to the netlogon files, if the transition to the new DC isn't successfully completed, can be an issue).
dyadmin (ASKER)

I don't think it's a permission issue. I can log onto DC2 with DC1 administrator and the problem remains. Like I say, it's only VBS scripts I cannot execute or copy from the remote DC netlogon share. Anything else it allows me to copy, be it .bat, .ps1, .cmd files and pretty much anything else.

Is there something or some setting that is preventing VBS scripts from being copied or executed from a remote netlogon in a different subnet? Does something like that exist?
Lionel MM

I am not talking about user rights (permissions); I am talking about the NTFS permissions on the files and folders. Did you check that?
dyadmin (ASKER)

Yes, everything matches the same. I even did a DCdiag on the netlogon and both DCs pass.
Lionel MM

We seem to be miscommunicating. If you go to the files and folders on the drives in question, then right-click on them, then click on Properties and then go to the permissions tab -- this is NTFS permissions, which provide what files may be executed and by whom.
dyadmin (ASKER)

I apologize if I am not communicating clearly.

I checked all NTFS permissions and they are the same for each file in my net logon folder be it VBS or bat or cmd or ps1, there are no special permissions or explicit permissions for any of the VBS files in that folder.
SOLUTION
Lionel MM

This solution is only available to members.
dyadmin (ASKER)

Okay, here are the results:

C:\windows\SYSVOL\sysvol\mydomain.com\scripts\admin.vbs
BUILTIN\Administrators:(I)(F)
NT AUTHORITY\Authenticated Users:(I)(RX)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Server Operators:(I)(RX)

Successfully processed 1 files; Failed processing 0 files
================
C:\windows\SYSVOL\domain\scripts\admin.vbs
BUILTIN\Administrators:(I)(F)
NT AUTHORITY\Authenticated Users:(I)(RX)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Server Operators:(I)(RX)

Successfully processed 1 files; Failed processing 0 files
=============

Thanks.
ASKER CERTIFIED SOLUTION

This solution is only available to members.
dyadmin (ASKER)

I had no errors, just have vb login scripts that won't execute, everything else is fine or appears to be. There is still a 2003DC that is being retired within the month, so the domain function level is still 2008.

We have moved all roles and services to the 2008 controllers.

Follow-up question: if my permissions are out of whack right now, which permissions were added during a 2008 upgrade then? Is there any way to reset them?
Lionel MM

Just because you ran icacls without any errors doesn't mean anything, not for our purposes here. The point I am trying to show you is to compare the users and permissions on your 'scripts' folder with one that does allow execution; just look how different they are. Compare the permissions on the same folder on your 2003 server and you will see the difference. This usually points to an upgrade that was incomplete or had errors. If you have been able to transfer all the FSMO roles w/o any errors then you may have to add the missing permissions manually.
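
The folder and file permission comparison described in the comment above can be scripted rather than read by eye. This is an added PowerShell example, not part of the original thread; the DC names (DC1, DC2) and the file name (admin.vbs) are placeholders borrowed from names the posts mention.

```powershell
# Added example, not from the thread. DC1/DC2 and admin.vbs are placeholders
# borrowed from the posts; replace them with your own DC names and script.
param(
    [string[]]$DomainControllers = @('DC1', 'DC2'),
    [string]$ScriptName = 'admin.vbs'
)

function Get-AceSummary {
    param([string]$Path)
    # -ErrorAction Stop turns an unreachable or unreadable path into a catchable error.
    $acl = Get-Acl -Path $Path -ErrorAction Stop
    $acl.Access | ForEach-Object {
        '{0} | {1} | {2} | inherited={3}' -f $_.IdentityReference,
            $_.AccessControlType, $_.FileSystemRights, $_.IsInherited
    } | Sort-Object
}

# Collect the ACL of the NETLOGON folder and of the script on every DC.
$results = @{}
foreach ($dc in $DomainControllers) {
    # NETLOGON is the share for SYSVOL\sysvol\<domain>\scripts on each DC.
    foreach ($item in "\\$dc\NETLOGON", "\\$dc\NETLOGON\$ScriptName") {
        try   { $results[$item] = @(Get-AceSummary -Path $item) }
        catch { Write-Warning "$item : $($_.Exception.Message)" }
    }
}

# Compare every other DC against the first one in the list.
$reference = $DomainControllers[0]
foreach ($dc in ($DomainControllers | Select-Object -Skip 1)) {
    foreach ($suffix in '', "\$ScriptName") {
        $a = $results["\\$reference\NETLOGON$suffix"]
        $b = $results["\\$dc\NETLOGON$suffix"]
        if (-not $a -or -not $b) { continue }   # one side could not be read
        $diff = Compare-Object -ReferenceObject $a -DifferenceObject $b
        if ($diff) {
            Write-Output "DIFFERENT: NETLOGON$suffix on $reference vs $dc"
            $diff | ForEach-Object { "  $($_.SideIndicator) $($_.InputObject)" }
        } else {
            Write-Output "MATCH: NETLOGON$suffix on $reference vs $dc"
        }
    }
}
```

A warning for one DC while the other reads cleanly points at reachability or access to that path rather than at a difference in the ACL entries themselves.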
dyadmin (ASKER)

You're right, the permissions on the folders in the 2003 box are not the same on any 2008 DCs.


** Update ** I did some fixing, and now all folders and files report the same permissions everywhere. Thanks for bringing light to that. Unfortunately my problem still remains.

I cannot open, read or execute my vbs login scripts that exist in another subnet. Locally things work as expected, in another subnet, the scripts refuse to run or be read.
Lionel MM

What is your router setup to get from one subnet to the other? So a user in site 1 can copy and execute any script in site 2's netlogon as long as it is not a VBS script?
dyadmin (ASKER)

I have a private site to site VPN. No firewalls exist between subnets.

Yes, that's it. A user in site 1 can copy and execute any script as long as it's not a vb script.
Lionel MM

OK, so let's try this to see if there is some mask to block VBS somewhere:
rename the file from .vbs to .bat and see if you can copy it,
then create a VBS file with the lines below and see if it can be copied and run.

'Login Message
'=============
sLoginMessage = "Welcome to the You Domain." & vbCRLF
sLoginMessage = sLoginMessage & "----------------------------------------" & vbCRLF
sLoginMessage = sLoginMessage & "Click OK to continue to login to your computer." & vbCRLF
wscript.echo sLoginMessage
dyadmin (ASKER)

Thanks for staying with this.

Okay I changed the name with one of our vbs to bat extensions. No go.

I copy your script into a VBS file and I can copy it, execute it, and do everything I can with a bat or any other file in my netlogon folder.

There must be something inside those files to prevent the system from allowing it to be copied.
Lionel MM

Yes, that's right, there is something in your code that is preventing it from running or being copied. My guess is it may be a firewall or virus software setting. Can you check your code? What exactly is it doing?
dyadmin (ASKER)

I'll post it..

ON ERROR RESUME NEXT

Dim WSHShell, WSHNetwork, objDomain, DomainString, UserString, UserObj, Path

Set WSHShell = CreateObject("WScript.Shell")
Set WSHNetwork = CreateObject("WScript.Network")

'Automatically find the domain name
Set objDomain = getObject("LDAP://rootDse")
DomainString = objDomain.Get("dnsHostName")
WinDir = WshShell.ExpandEnvironmentStrings("%WinDir%")

'Grab the user name
UserString = WSHNetwork.UserName

'Bind to the user object to get user name and check for group memberships later
Set UserObj = GetObject("WinNT://" & DomainString & "/" & UserString)

'Grab the computer name for use in add-on code later
strComputer = WSHNetwork.ComputerName

'Synchronizes the time with Server our NTP Server
WSHShell.Run "NET TIME \\DC12 /set /y"

'Add the default route for the Edmonton network
WSHShell.Run "ROUTE ADD 10.10.1.0 MASK 255.255.255.0 10.10.2.2"

'Disconnect any drive mappings as needed.
WSHNetwork.RemoveNetworkDrive "H:", True, True
WSHNetwork.RemoveNetworkDrive "P:", True, True
'WSHNetwork.RemoveNetworkDrive "U:", True, True

'Give the PC time to do the disconnect, wait 300 milliseconds
wscript.sleep 300

'Map drives needed by all
'Note the command using the user name as a variable to map to a user share.
WSHNetwork.MapNetworkDrive "H:", "\\FS01\shared",True

If strComputer="TEST" then WSHNetwork.MapNetworkDrive "P:", "\\FS20\Files",True
      WSHNetwork.MapNetworkDrive "T:", "\\FS01\Files",True
'End If
WSHShell.Run tempCMD,0

WSHNetwork.MapNetworkDrive "U:", "\\FS01\users\" & UserString,True

wscript.sleep 300
'Install Printers
WSHNetwork.AddWindowsPrinterConnection "\\PS06\Reception-Konica-Duplex-Color-PCL"
WSHNetwork.AddWindowsPrinterConnection "\\PS06\Reception-Konica-Duplex-Black-PCL"
WSHNetwork.AddWindowsPrinterConnection "\\PS06\Reception-Konica-Onesided-Color-PCL"
WSHNetwork.AddWindowsPrinterConnection "\\PS06\Reception-Konica-Onesided-Black-PCL"


'Remove Printers
WSHNetwork.RemovePrinterConnection "\\PS06\Reception_Panasonic_Black"
WSHNetwork.RemovePrinterConnection "\\PS06\Reception_Panaosonic_Color_Duplex"
WSHNetwork.RemovePrinterConnection "\\PS06\Reception Copier Color - Single Side"
WSHNetwork.RemovePrinterConnection "\\PS10\Reception_copier_black"
WSHNetwork.RemovePrinterConnection "\\PS10\Reception_copier_color"
'******** create folder **********

'dim filesys, newfolder, newfolderpath

'newfolderpath = "c:\Program Files\Software\001"

'set filesys=CreateObject("Scripting.FileSystemObject")

'If Not filesys.FolderExists(newfolderpath) Then
'Set newfolder = filesys.CreateFolder(newfolderpath)
'Response.Write("A new folder has been created at: " newfolderpath)
'End If
'************************************

'TempCMD = "Xcopy " & CHR(34) & "\\FS01\shared\it\software\001\*.*" & CHR (34) & " " & chr(34) & "C:\program files\software\001\*.*" & chr(34) & " /D /E /V /C /Y"
'WSHShell.Run tempCMD,0

If Not strComputer="TEST" then WSHShell.Run "reg import \\FS01\shared\logins\scripts\odbcreg.reg",0
'Add On Code goes below this line
'=====================================
' ===== Changed by SYSADMIN July 4 2012 =====
WSHShell.Run "reg import \\FS01\shared\logins\scripts\timeoutprocede.reg",0
WSHShell.Run "reg import \\FS01\shared\pdfcreator-disable-update.reg",0
WSHShell.Run "reg import \\FS01\shared\disable_gadgets.reg",0
'dim tempCMD

TempCMD = "Xcopy " & CHR(34) & "\\FS01\shared\it\logins\admin\Desktop\*.*" & CHR (34) & " " & chr(34) & "C:\Documents and Settings\%username%\Desktop\*.*" & chr(34) & " /D /E /V /C /Y"
WSHShell.Run tempCMD,0

' ===== Changed by SYSADMIN July 4 2012 =====
'TempCMD = chr(34) & "P:\Install Software\run me.bat" & chr(34)
'WSHShell.Run TempCMD,0

'=====================================

' Enable dcom
Set Myshell = WScript.CreateObject("WScript.Shell")
Myshell.RegWrite "HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM","Y","REG_SZ"
Myshell.RegWrite "HKLM\SOFTWARE\Microsoft\Ole\LegacyAuthenticationLevel",2,"REG_DWORD"

' Set dcom default permissions
Myshell.regdelete "HKLM\SOFTWARE\Microsoft\Ole\DefaultLaunchPermission"
Myshell.regdelete "HKLM\SOFTWARE\Microsoft\Ole\MachineAccessRestriction"
Myshell.regdelete "HKLM\SOFTWARE\Microsoft\Ole\MachineLaunchRestriction"

' Disable simple file sharing
Myshell.RegWrite "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\ForceGuest","0","REG_DWORD"

'=====================================
'Add On Code goes above this line

'Clean Up Memory We Used
set UserObj = Nothing
set GroupObj = Nothing
set WSHNetwork = Nothing
set DomainString = Nothing
set WSHSHell = Nothing
Set WSHPrinters = Nothing
 

'Quit the Script
wscript.quit

===

It's all pretty benign stuff.
Lionel MM

I agree; I am not at all a VBS expert but I don't see anything that can be a reason for concern. At this point I think you should ask for attention and ask for real VBS experts that can see why this code is being stopped. I will, if I can, put this code on a test 2008 server and see if I get the same issues as you or not (sometime later tonight or tomorrow).
dyadmin (ASKER)

Unfortunately my problem went isolated; thanks, Lionel, for the help!
dyadmin (ASKER)

I've requested that this question be closed as follows:

Accepted answer: 0 points for dyadmin's comment #a40953335

for the following reason:

Question was not solved.
Lionel MM

The problem was found: there was something in the script that would not allow it to be executed/run or copied. This question was not filed under the scripting section but the Windows section, and we did find that the problem lies with the code, the script itself. Suggest this question be re-posted to now ask for help with the script itself; otherwise we did isolate the problem: it is the script itself.
dyadmin (ASKER)

Lionelmm is correct in that we have isolated the problem in the script, although we don't know what that problem is, so I was going to close this question and open up a new one as a result of our findings. Lionelmm deserves a ton of credit for assisting me to whittle down the issue. I don't know how to reward him for his assistance. I look forward to seeing more responses from more eyes.
Lionel MM

I strongly disagree with the suggestion to delete this question. I suggest you accept your last comment as the answer and reward my most helpful comment(s) with the points you deem appropriate.
dyadmin (ASKER)

We isolated the problem inside the script but did not yet find why the VB script was not running; that will be submitted as another question.

As an organization we have decided to convert our scripts to powershell and that seems to be working for us.