Solved

Login Script not running as expected

Posted on 2004-08-05
11
7,127 Views
Last Modified: 2008-01-24
Know how people say ignorance is bliss, well I was blissfully unaware that my login scripts were not being run when I thought they were.

My current login script for my users just maps 3 drives, so it's not too complicated.

Turns out the drives were being mapped by the Home Folder section under the User Object.

I was trying to add some additional logic to the login script and my changes never did anything.  Then I started digging into it, and found out that the login script I have isn't even launched when users login.

Two W2K DC's.
DC1 has the following shares:
c:\winnt\SYSVOL\sysvol as SYSVOL
C:\WINNT\SYSVOL\sysvol\stc-rich.org\SCRIPTS as NETLOGON

DC2 has the following shares:
D:\WINNT\SYSVOL\sysvol as SYSVOL
C:\WINNT\system32\repl\import\scripts as NETLOGON

I had assigned the login script using Group Policy and assigned it to the proper container.  I verified that the proper people have permission to Read and Apply the GPO.  I specified the login script under User Configuration | Windows Settings | Scripts (Logon/Logoff) | Logon.
The path is \\DC1\NetLogon\logon.bat.  

When I click the Show Files button it expands to \\blah.com\SysVol\blah.com\Policies\{19B889FB-5FCB-4F9B-BDE0-AFA0B96D0880}\User\Scripts\Logon, but this directory is empty.

I found that by copying the logon.bat to this folder, it launches the login script.  I didn't think this should be necessary.

Couple of questions.  Where should I put the login script and will it replicate to DC2?  Why doesn't putting the script in the NETLOGON share work?
0
Question by:averyb
11 Comments
 
LVL 11

Assisted Solution

by:kabaam
kabaam earned 200 total points
that folder is where AD looks for the logon scripts.
That is where they should be stored.  Everything in the sysvol folder is replicated to other domain controllers.
If it appears within the sysvol of one dc....it will be in the others as well.
http://www.jsiinc.com/SUBQ/tip8200/rh8215.htm


http://www.winnetmag.com/Windows/Article/ArticleID/8144/8144.html
Win2K stores Group Policy information in two locations: the Group Policy Container (GPC) and the Group Policy Template (GPT). The GPC is the AD object associated with the GPO. The GPC and GPT contain the GPO's version and status information. The GPT is a set of files residing in the \sysvol folder, which you'll find on your domain controllers. (Don't confuse the GPT with the System Volume Information folder. The policies in \sysvol reside under \systemroot\sysvol\sysvol\domainname\policies.) In the GPT, you'll find information about administrative templates, security, scripts, and software installation.

hope this helps
good luck
0
 
LVL 20

Expert Comment

by:Debsyl99
Hi,

Just in case it's not clear from the above - I flicked through the links and wasn't sure - so if I'm duplicating your info kabaam - sorry, and if that's the case averyb don't accept this as an answer.

Scripts put into the netlogon folder will work if - in ad users and computers - you type in the name of that logon script into the login script area on the profile tab of the user you want it to apply to.

If applying via group policy, then the scripts need to be in the relevant script folder accessed by that policy - as you can set and configure when assigning a logon script through a gpo.

Deb :))
0
 
LVL 4

Author Comment

by:averyb
Well, I thought I had it all figured out, but it's still not working.

Each user account has nothing specified in the login script under user properties.

The GPO assigned to the OU does have a logon script specified under the proper section.  All Authenticated Users have Read and Apply GPO policy. The logon script itself is in the appropriate folder under sysvol.

It has been over 12 hours since I made the change, so I would think everything would have been replicated to the other DC by now.

The rest of the stuff in the GPO is working, it's just not launching the login script.

Bound to be something simple I am missing.
0
 
LVL 20

Expert Comment

by:Debsyl99
Hi

Could you run a gpresult /v from a command line when you try the test logon and post it (minus any domain specific stuff for confidentiality)?

When you double click the logon icon within the policy itself - under user configuration / windows settings / logon scripts, does the logon properties dialog box show that the login script is attached?

Also the users are assigned to the ou as individual users, rather than as users contained in a custom security group?

Deb :))
0
 
LVL 4

Author Comment

by:averyb
Each individual account is a member of the OU.  The GPO is assigned to this OU. Apply GPO and Read rights are assigned to "Authenticated Users" for the GPO.

The login script name (stc.bat) does show in the list--it's the only one.  When I click "Show Files" it is in the displayed directory.

Here are the results from gpresult /v

Microsoft (R) Windows (R) 2000 Operating System Group Policy Result tool
Copyright (C) Microsoft Corp. 1981-1999


Created on Friday, August 06, 2004 at 11:40:42 AM


Operating System Information:

Operating System Type:            Professional
Operating System Version:      5.0.2195.Service Pack 4
Terminal Server Mode:            Not supported

###############################################################

  User Group Policy results for:

  CN=MBA,OU=Users,DC=blah,DC=org

  Domain Name:            blah.com
  Domain Type:            Windows 2000
  Site Name:            Default-First-Site-Name

  Roaming profile:      \\Nmsserver\users\profiles\mba
  Local profile:      C:\Documents and Settings\mba

  The user is a member of the following security groups:

      blah\Domain Users
      \Everyone
      BUILTIN\Users
      NT AUTHORITY\INTERACTIVE
      NT AUTHORITY\Authenticated Users
      \LOCAL
      blah\Operators

  The user has the following security privileges:

      Bypass traverse checking
      Add workstations to domain
      Shut down the system


###############################################################

Last time Group Policy was applied: Friday, August 06, 2004 at 11:38:59 AM
Group Policy was applied from: Server1.blah.org


===============================================================


The user received "Registry" settings from these GPOs:

      User Standardization Policy
          Revision Number:      38
          Unique Name:      {19B889FB-5FCB-4F9B-BDE0-AFA0B96D0880}
          Domain Name:      blah.org
          Linked to:            Organizational Unit (OU=Users,DC=blah,DC=org)




      The following settings were applied from: User Standardization Policy

          KeyName:      Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
          ValueName:      NoWindowsUpdate
          ValueType:      REG_DWORD
          Value:      0x00000001

          KeyName:      Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
          ValueName:      DisablePersonalDirChange
          ValueType:      REG_DWORD
          Value:      0x00000001

          KeyName:      Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate
          ValueName:      DisableWindowsUpdateAccess
          ValueType:      REG_DWORD
          Value:      0x00000001

          KeyName:      Software\Policies\Microsoft\SystemCertificates\Trust\Certificates
          ValueName:      
          ValueType:      REG_NONE
          Value:      This key contains no values

          KeyName:      Software\Policies\Microsoft\SystemCertificates\Trust\CRLs
          ValueName:      
          ValueType:      REG_NONE
          Value:      This key contains no values

          KeyName:      Software\Policies\Microsoft\SystemCertificates\Trust\CTLs
          ValueName:      
          ValueType:      REG_NONE
          Value:      This key contains no values


===============================================================
The user received "Folder Redirection" settings from these GPOs:

      User Standardization Policy
          Revision Number:      5
          Unique Name:      {19B889FB-5FCB-4F9B-BDE0-AFA0B96D0880}
          Domain Name:      blah.org
          Linked to:            Organizational Unit (OU=Operators,DC=blah,DC=org)

      My Pictures is redirected to \\Server1\users\%username%\My Pictures.
      My Documents is redirected to \\Server1\users\%username%.


===============================================================
The user received "Scripts" settings from these GPOs:

      User Standardization Policy
          Revision Number:      38
          Unique Name:      {19B889FB-5FCB-4F9B-BDE0-AFA0B96D0880}
          Domain Name:      blah.org
          Linked to:            Organizational Unit (OU=Users,DC=blah,DC=org)


      Logon scripts specified in:  User Standardization Policy
          stc.bat


===============================================================
The user received "Internet Explorer Branding" settings from these GPOs:

      User Standardization Policy
          Revision Number:      38
          Unique Name:      {19B889FB-5FCB-4F9B-BDE0-AFA0B96D0880}
          Domain Name:      blah.org
          Linked to:            Organizational Unit (OU=Users,DC=blah,DC=org)


      Additional information is not available for this type of policy setting.



###############################################################

  Computer Group Policy results for:

  CN=STC-SA,CN=Computers,DC=blah,DC=org

  Domain Name:            blah
  Domain Type:            Windows 2000
  Site Name:            Default-First-Site-Name


  The computer is a member of the following security groups:

      BUILTIN\Administrators
      \Everyone
      BUILTIN\Users
      NT AUTHORITY\NETWORK
      NT AUTHORITY\Authenticated Users
      blah\SA$
      blah\Domain Computers

###############################################################

Last time Group Policy was applied: Friday, August 06, 2004 at 10:44:04 AM
Group Policy was applied from: Server1.blah.org


===============================================================


The computer received "Registry" settings from these GPOs:

      Local Group Policy
          Revision Number:      15
          Unique Name:      Local Group Policy
          Domain Name:      
          Linked to:            Local computer

      Default Domain Controllers Policy
          Revision Number:      57
          Unique Name:      {6AC1786C-016F-11D2-945F-00C04fB984F9}
          Domain Name:      blah.org
          Linked to:            Domain (DC=blah,DC=org)




      The following settings were applied from: Local Group Policy

          KeyName:      Software\Policies\Microsoft\SystemCertificates\EFS
          ValueName:      EFSBlob
          ValueType:      REG_BINARY
          Value:      Binary data.  Use the /S switch to display.

          KeyName:      Software\Policies\Microsoft\SystemCertificates\EFS\Certificates\E8BE6B2C985B427D8C068B20805FE140F5851172
          ValueName:      Blob
          ValueType:      REG_BINARY
          Value:      Binary data.  Use the /S switch to display.

          KeyName:      Software\Policies\Microsoft\SystemCertificates\EFS\CRLs
          ValueName:      
          ValueType:      REG_NONE
          Value:      This key contains no values

          KeyName:      Software\Policies\Microsoft\SystemCertificates\EFS\CTLs
          ValueName:      
          ValueType:      REG_NONE
          Value:      This key contains no values


      The following settings were applied from: Default Domain Controllers Policy

          KeyName:      Software\Policies\Microsoft\Windows\System
          ValueName:      AddAdminGroupToRUP
          ValueType:      REG_DWORD
          Value:      0x00000001


===============================================================
The computer received "Security" settings from these GPOs:

      Local Group Policy
          Revision Number:      15
          Unique Name:      Local Group Policy
          Domain Name:      
          Linked to:            Local computer

      Default Domain Controllers Policy
          Revision Number:      57
          Unique Name:      {6AC1786C-016F-11D2-945F-00C04fB984F9}
          Domain Name:      blah.ORG
          Linked to:            Domain (DC=blah,DC=org)


      Run the Security Configuration Editor for more information.


===============================================================
The computer received "EFS recovery" settings from these GPOs:

      Local Group Policy
          Revision Number:      15
          Unique Name:      Local Group Policy
          Domain Name:      
          Linked to:            Local computer


      Additional information is not available for this type of policy setting.
0
 
LVL 20

Accepted Solution

by:
Debsyl99 earned 300 total points
Hi

According to this the script is being applied, and it sounds like you have everything setup exactly as you should.

===============================================================
The user received "Scripts" settings from these GPOs:

     User Standardization Policy
         Revision Number:     38
         Unique Name:     {19B889FB-5FCB-4F9B-BDE0-AFA0B96D0880}
         Domain Name:     blah.org
         Linked to:          Organizational Unit (OU=Users,DC=blah,DC=org)


     Logon scripts specified in:  User Standardization Policy
         stc.bat


===============================================================

Could you post the content of your script? It does work ok? And if drive mappings are already working through your home folder then what else does it need to do?

From your initial question:

""When I click the Show Files button it expands to \\blah.com\SysVol\blah.com\Policies\{19B889FB-5FCB-4F9B-BDE0-AFA0B96D0880}\User\Scripts\Logon, but this directory is empty.""

When using the logon scripts assigned to an ou via a gpo, that folder is where the script needs to be in order to be processed, which is why it works when you put the login script in there. When the user logs in, the group policy for that ou is processed according to that ou's settings - ie it doesn't look at netlogon to find a script.

Your questions.  
1) "Where should I put the login script and will it replicate to DC2? " In that folder where you said it worked when you put it there. Yes it should replicate to dc2 - from a command prompt type \\dc2\sysvol and expand the relevant policy and it should be there. Same for the netlogon. If this doesn't happen then we have a different problem.

2) "Why doesn't putting the script in the NETLOGON share work?" Because this only works when you enter the name of the script in the user profile logon script box in ad users and computers for that particular user. You only type the name of the script itself ie logon.bat, you don't need to specify a path because it already knows to look in the netlogon folder for it.

Let us know,

Deb :))




0
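
The replication check suggested in this answer (look under \\dc2\sysvol for the script), as an added example that is not part of the original thread: a PowerShell function that looks for a GPO logon script in the User\Scripts\Logon folder of each domain controller's SYSVOL copy and compares SHA-256 hashes, so a missing or differing copy shows up. The function name, the example.test domain, the all-zero GUID and the temp folders standing in for \\DC1\SYSVOL and \\DC2\SYSVOL are assumptions constructed for the demo.

```powershell
# Added example, not from the thread. Checks that a GPO-assigned logon script
# is present and identical in every domain controller's SYSVOL copy.
function Test-GpoLogonScript {
    param(
        [Parameter(Mandatory)] [string[]] $SysvolRoot,  # e.g. \\DC1\SYSVOL, \\DC2\SYSVOL
        [Parameter(Mandatory)] [string]   $Domain,      # domain folder under SYSVOL
        [Parameter(Mandatory)] [string]   $GpoGuid,     # "Unique Name" from gpresult /v
        [Parameter(Mandatory)] [string]   $ScriptName   # e.g. stc.bat
    )
    $rows = foreach ($root in $SysvolRoot) {
        # The folder the "Show Files" button opens for user logon scripts
        $file = Join-Path $root "$Domain\Policies\$GpoGuid\User\Scripts\Logon\$ScriptName"
        $present = Test-Path -LiteralPath $file -PathType Leaf
        $hash = $null
        if ($present) { $hash = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash }
        [pscustomobject]@{ Root = $root; Present = $present; SHA256 = $hash }
    }
    $missing = @($rows | Where-Object { -not $_.Present })
    $hashes  = @($rows | Where-Object { $_.Present } | ForEach-Object { $_.SHA256 } | Sort-Object -Unique)
    if ($missing.Count -gt 0) {
        $verdict = 'MISSING'       # at least one DC has no copy of the script
    } elseif ($hashes.Count -gt 1) {
        $verdict = 'MISMATCH'      # copies exist everywhere but their content differs
    } else {
        $verdict = 'CONSISTENT'    # every DC holds the same bytes
    }
    [pscustomobject]@{ Verdict = $verdict; Copies = $rows }
}

# --- Constructed demo: two temp folders stand in for \\DC1\SYSVOL and \\DC2\SYSVOL ---
$domain = 'example.test'                              # placeholder domain
$guid   = '{00000000-0000-0000-0000-000000000000}'    # placeholder GPO GUID
$base   = Join-Path ([System.IO.Path]::GetTempPath()) ("sysvol-demo-" + [guid]::NewGuid())
$dc1    = Join-Path $base 'DC1'
$dc2    = Join-Path $base 'DC2'
$rel    = "$domain\Policies\$guid\User\Scripts\Logon"
foreach ($root in $dc1, $dc2) {
    $null = New-Item -ItemType Directory -Force -Path (Join-Path $root $rel)
}
$check = @{ SysvolRoot = $dc1, $dc2; Domain = $domain; GpoGuid = $guid; ScriptName = 'stc.bat' }

# Case 1: the script was copied to DC1 only and has not reached DC2
Set-Content -LiteralPath (Join-Path $dc1 "$rel\stc.bat") -Value '@echo off'
(Test-GpoLogonScript @check).Verdict

# Case 2: DC2 holds a copy with different content
Set-Content -LiteralPath (Join-Path $dc2 "$rel\stc.bat") -Value '@echo off & rem edited copy'
(Test-GpoLogonScript @check).Verdict

# Case 3: both DCs hold the same file
Copy-Item -LiteralPath (Join-Path $dc1 "$rel\stc.bat") -Destination (Join-Path $dc2 "$rel\stc.bat") -Force
(Test-GpoLogonScript @check).Copies | Format-Table Root, Present, SHA256

Remove-Item -LiteralPath $base -Recurse -Force
```

Against a real domain, pass each controller's SYSVOL share for -SysvolRoot together with the GPO's "Unique Name" value from gpresult /v.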
 
LVL 4

Author Comment

by:averyb
Thanks for the clarification.  Good to have another pair of eyes looking at it.

This is the script
-------
@echo off
route delete 0.0.0.0

ifmember web_access
if not errorlevel 1 goto Everyone
echo Enabling Internet Access . . .
route add 0.0.0.0 MASK 0.0.0.0 10.55.5.190
echo Internet access enabled
sleep 2

:Everyone
echo Connecting network drives . . .
net use h: \\nmsserver\users\%username%
net use p: \\nmsserver\public
net use v: \\opentms\openroads
echo Network drives connected
sleep 2

-------
I know the script isn't running since the default gateway is still configured when looking at ipconfig.

0
 
LVL 20

Expert Comment

by:Debsyl99
Hi,

I am no script guru so we first need to rule out the fact that group policy is actually running the script. Just test it by replacing the entire content of your script in the batch file currently applied to the logon script in the gpo with

net send clientname test

Where clientname is simply the name of the pc that you are logging into with your test account - doesn't even need to be pcname.blah.com just pc name will do as you probably know. Then login with test account member of ou - if you get the message popup then you know that gpo running the script isn't the problem - it's the script.

If that does run ok - and from your gp result i think it will, does this script run locally ok - ie by just running the batch file ? If it does then the syntax is ok - just maybe missing some important environmental factors,

Deb :))

0
 
LVL 4

Author Comment

by:averyb
Thanks for the help.  I'll have to test this next week.  Will post results then.
0
 
LVL 4

Author Comment

by:averyb
I had to make one more change to the login script to get everything working.  Thanks for the information.  I attached the script in case anyone else wants to see it.

route delete 0.0.0.0 MASK 0.0.0.0

:Everyone
echo Connecting network drives . . .
net use h: \\server1\users\%username%
net use p: \\server1\public
net use v: \\server2\openroads
echo Network drives connected
sleep 2

ifmember web_access
if not errorlevel 1 exit
echo Enabling Internet Access . . .
route add 0.0.0.0 MASK 0.0.0.0 10.55.5.190
echo Internet access enabled
sleep 2

0
 

Expert Comment

by:Phipps-IT
Hi,

I do have a similar problem which I desperately need help with. There is a network shared printer in my organization which must be installed or mapped to users in different OUs. I created an OU and named it color copier, then created a security group named FeiryColorCopier within the OU and added some users from different OUs, then created a logon GPO on the Color Copier OU with the script below:

@echo off

ifmember "FieryColorCopier"

if not errorlevel 1 goto quit

start /high \\printserver\FieryColorPrinter

:quit


RICHPROFILE.EXE PHMAIL1 %USERNAME% Phipps-%USERNAME% N D
Pause

When I attempt to log in with one of the accounts which is a member of the FieryColorPrinter security group, it does not install the printer driver. I verified that the script works simply by executing it manually.

Please advise me on this. This is a critical case for me.

Thanks
Bobby
0
