Solved

can't execute login script

Posted on 2004-04-30
Last Modified: 2010-03-18
Hello,
 
I have a specific problem that I can't fix and would like to get some hints or advice.
 
 
We have a domain with 4 domain controllers ( Windows 2000 servers )
and about 40 stations ( Windows 2000 Pro and Windows XP Pro ).
 
 
For some obscure reason the login script that's supposed to be executed when a user logs on won't start anymore most of the time.
 
Unfortunately I couldn't find any pattern:
On some stations the script starts for a user but won't start on another station for the same user. ( and it doesn't matter if it's a Windows XP or 2000 Pro box )
Also for a station, some users will be able to start the login script but some others won't on the same station.
 
 
It took me a little while to notice the issue and I suspect that it may be related to one of those things.
- I demoted one of the DCs ( a 5th one ) a month ago
- I migrated from SBS 2000 to Windows 2000 domain 4 months ago
- We are using group policy to limit the users on some station settings
 
 
I checked the shares on each DC and they all have \\<servername>\SYSVOL\domain.com\scripts with the right batch files in it.
For whatever reason on some stations, when the login script file starts it doesn't always run from the same server ( one station could execute the script from SERVER1 and another station from SERVER2 )
I also managed one time to make a login script start for a specific user on a specific station by changing the filename in the "user's active directory properties" -> "login script section" from a batch file name to another one, however it just worked for one user and hasn't worked again for any other one.
I also enabled the login script option in the GPO to see if things would work but it didn't change anything.
 
 
Any ideas or at least hints ?
 
 
Thanks
0
Question by:ekriner
7 Comments
 
LVL 23

Expert Comment

by:rhandels
ID: 10960712
Hi,

I'd say DNS. We also had this problem on a 2003 network with Windows 2000 clients, where some clients got some mappings, some got no mappings and some got all mappings.

Our problem was that the DNS servers weren't in sync. Try doing an ipconfig /flushdns on all servers to flush all DNS entries. Force a DNS sync (if they are AD integrated, then an AD sync).

Could you please look at the DNS logging on all of your servers to see if something's wrong there? Maybe some sort of event in the Event Viewer?

My first go is DNS, but we need to see why it doesn't work.
0
 
LVL 23

Expert Comment

by:rhandels
ID: 10960718
One thing,

Did you demote the 5th server or did you just shut it down.. Maybe the domain still thinks it has 5 DC's...
0
 

Author Comment

by:ekriner
ID: 10961857
Hello,
 
Thanks for your help,
 
I flushed the DNS on servers and stations, forced an AD replication on all servers. Compared the DNS, they are identical. The DNS logs don't have any errors at all.
Unfortunately the stations are still not logging in right.
 
Do you have any other suggestions ?
 
 
Thanks
0
 

Author Comment

by:ekriner
ID: 10963039
Hello,

One more thing, I demoted it using DCPROMO.

Ed
0
 
LVL 23

Expert Comment

by:rhandels
ID: 10967132
Do you see anything strange on the PC where you try to log in? Does the login script for some people work halfway, or does it sometimes work well all the way and badly all the way?

Normally, if you set this option through GPO, then it should be working. Maybe there is something with the GPOs. I would go for 1 option if I were you. I'll try to fix the GPO option with you...

Where did you put the login script option in GPO? In the users' policies or PCs' policies? Do you have more policies, or just one (for this "test" I would try just 1 policy if I were you)? Do you have OUs where you enabled the option "block policy inheritance"?

Demoting is the right thing to do, then the domain knows that one server "leaves" the domain...
0
 
LVL 1

Accepted Solution

by:
gootmundi earned 500 total points
ID: 10970480
Hi,

This does sound like a problem with your GPOs somewhere along the line. The way I generally troubleshoot this kind of problem is by:

1- Creating a new OU
2- Add a computer and a user into this OU (in your situation this should be a combination that is NOT currently working)
3- Ensure that you create explicit 'deny' entries on the security of both the computer and user on all the GPOs that would affect that OU, and make sure that you 'Block Inheritance' for GPOs in the new OU.
4- If everything works fine after doing this, apply the group policies 1 by 1 until the logon scripts stop working.

Hope it helps.
0
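The isolation procedure from the accepted answer, sketched as an added PowerShell example (not code from the thread). It assumes the RSAT ActiveDirectory and GroupPolicy modules, which are newer than the Windows 2000 tooling discussed here; every domain, OU, user and computer name is a hypothetical placeholder, and the explicit 'deny' entries from step 3 are not set by this script.

```powershell
#Requires -Modules ActiveDirectory, GroupPolicy
# Added example: all names below are hypothetical placeholders, not values from the thread.

$DomainDn   = 'DC=example,DC=com'          # placeholder domain
$SourceOu   = "OU=Staff,$DomainDn"         # OU where logon scripts fail (assumed)
$TestOuName = 'LogonScriptTest'
$TestOu     = "OU=$TestOuName,$DomainDn"
$TestUser   = 'testuser'                   # a user/computer pair that is NOT working
$TestPc     = 'STATION01'

# Record which GPOs apply to the failing OU before anything is changed.
$inherited = (Get-GPInheritance -Target $SourceOu).InheritedGpoLinks

# Steps 1-2: create the new OU and move the failing user and computer into it.
New-ADOrganizationalUnit -Name $TestOuName -Path $DomainDn
Get-ADUser     -Identity $TestUser | Move-ADObject -TargetPath $TestOu
Get-ADComputer -Identity $TestPc   | Move-ADObject -TargetPath $TestOu

# Step 3: block GPO inheritance on the test OU.
Set-GPInheritance -Target $TestOu -IsBlocked Yes | Out-Null

# Enforced links ignore Block Inheritance, so they still reach the test OU.
$inherited | Where-Object { $_.Enforced } |
    ForEach-Object { Write-Warning "Enforced GPO still applies: $($_.DisplayName)" }

Read-Host 'Log on at the test station with no GPOs linked, then press Enter' | Out-Null

# Step 4: link the original GPOs back one at a time, testing after each.
foreach ($link in $inherited | Where-Object { -not $_.Enforced }) {
    New-GPLink -Guid $link.GpoId -Target $TestOu -LinkEnabled Yes | Out-Null
    $answer = Read-Host "Linked '$($link.DisplayName)'. Log on again. Did the script run? (y/n)"
    if ($answer -ne 'y') {
        Write-Output "Logon script stopped after linking: $($link.DisplayName)"
        break
    }
}
```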
 

Author Comment

by:ekriner
ID: 10983037
Hello gootmundi,
 
Thanks for that advice.

I did what you suggested ( move a user and station to another OU ) and things worked out. I am still in the process of enabling policy by policy and testing things out. Give me another day to figure out what policy could be the issue and I'll let you know what I came up with.
 
Thanks again !
0
