Solved

W2K Server: Domain logon script does not run on client

Posted on 2004-08-05
2,041 Views
Last Modified: 2010-04-13
Hello, I have a W2K domain with a W2K server as a DC, and W2Kpro as clients.  In active directory, under users & computers -> [domain].org -> [orgn unit 1] -> users I have placed all the clients and defined a group policy which includes a simple batch file as a logon script.  The logon script is:
net use p: \\[server name]\[share name]
The commands run fine when typed into a command window.
When I logon to the workstation, the script doesn't run.  Here is what I've tried:
1)  typing the body of the script into a command window (works fine)
2)  ensuring the workstation is logging onto the network (vs. the local machine)
3)  ensuring the username is under [orgn unit 1] (it is)

I have checked everything I can think of against another network I administer, it all looks like it should be working, but I am somewhat new to working in AD, so I could be missing something simple.
I don't know what else to do;  any help is appreciated.
Thanks in advance!
Question by:starmonkey
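An added example logon script, not the one from the question, showing the approach the thread settles on: map the drive, then leave a record of whether the script actually ran rather than relying on a pop-up. Everything in it is a placeholder assumption: \\SERVER\Share is the data share, \\SERVER\LogonLog$ is a hidden share where domain users may create and append files but not read other users' files, and P: is the drive letter from the question.

```batch
@echo off
rem Added example logon script, not the poster's script. Placeholders (assumptions):
rem \\SERVER\Share is the data share to map; \\SERVER\LogonLog$ is a hidden share
rem where domain users may create/append files but not read other users' files.
setlocal
set "DRIVE=P:"
set "SHARE=\\SERVER\Share"
set "LOG=\\SERVER\LogonLog$\%COMPUTERNAME%.log"

rem Remove any stale mapping first, so a leftover connection cannot hide a failed map.
net use %DRIVE% /delete /y >nul 2>&1

rem Map the drive non-persistently; the logon script recreates it every session.
net use %DRIVE% %SHARE% /persistent:no
if errorlevel 1 (
    set "RESULT=FAILED (errorlevel %errorlevel%)"
) else (
    set "RESULT=OK"
)

rem One audit line per logon. LOGONSERVER is the DC that authenticated the user;
rem if it equals \\%COMPUTERNAME% the logon was local, not a domain logon.
>> "%LOG%" echo %DATE% %TIME% user=%USERNAME% domain=%USERDOMAIN% logonserver=%LOGONSERVER% map %DRIVE%=%RESULT%

rem Optional visible confirmation, as suggested in the thread (needs the Messenger service):
rem net send %COMPUTERNAME% Logon script ran for %USERNAME% on %COMPUTERNAME%
endlocal
```

The log line answers the two questions the thread keeps circling: did the script run at all (a line appears), and was it a domain logon (the logonserver field names a DC rather than the workstation). Keeping the log share write-only for users stops one account from reading where and when everyone else logs on.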
30 Comments
 
LVL 11

Expert Comment

by:Eric
ID: 11730870
is "orgn unit 1" a group name?

is the GPO in the domain root or a OU?

in the properties | security tab , does the user have read, and apply group policy permission?
Try adding a pause to the end of the script.. or:
"net msg "yourcomputername" Script ran on %computername% by %username%"
this will display a popup on your computer confirming execution of the script.
LVL 4

Author Comment

by:starmonkey
ID: 11731050
"orgn unit 1" is a group name
The GPO is in the OU, "USERS"
the directory tree is:
domain root
->OU1 (custom OU)
->->users (custom OU)  this is the OU that houses the GPO, and it has all the user accounts under it
I added "everyone" with full control to the permissions (for troubleshooting, I'll edit it later).

I added the line, "net send [computer name] script ran" to the script.  I like that idea, I now know the script isn't running.

Are you recommending I put a script in the domain root for troubleshooting purposes?  I was led to believe that was a bad idea for day-to-day ops.
Thank you for your help.
LVL 11

Expert Comment

by:Eric
ID: 11731177
LVL 4

Author Comment

by:starmonkey
ID: 11731182
Update to my post:
I have tried to put a script in the domain root, it isn't working either.
I have joined my laptop to the domain (because it has run scripts in another domain) and logged on to the domain, it isn't running the script either.
So I know it is something on the server or the network.  It isn't the client computers.
LVL 4

Author Comment

by:starmonkey
ID: 11731197
ecszone:  the GPO name is "MNRC_ALL.bat"
That would have been nice though!
LVL 11

Expert Comment

by:Eric
ID: 11731207
All my scripts are in the domain root.  I know for things like security policies they have to be in the root.

I have seen GP problems due to this:
http://support.microsoft.com/default.aspx?scid=kb;en-us;328991

Next thing to try is this:
http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/gpresult-o.asp

output the results to a text file and use verbose mode. (not very verbose.. its brutal!)
LVL 11

Expert Comment

by:Eric
ID: 11731221
you only have 1 server?
so no chance its not replicating the script???

how bout some firewall or something blocking some communications to your client.. like a software firewall on the clients???
LVL 10

Expert Comment

by:dis1931
ID: 11731251
If you have multiple DCs in your environment are you sure the DC that they are using is accepting replication correctly.  Does it have sysvol and other DC folders populated to it.  The only time I saw something like this was with the server trying to replicate from a server that was set-up incorrectly and was not connecting properly to where it should be replicating.  For some reason the new server decided out of all the DCs that were in the network that it would replicate from the broken one and these folders had not populated over causing login scripts not to work among other things but they were still able to login to the network and had some functionality.  However, I thought that might be unique to my situation as there was something seriously wrong with that other server it was replicating from.
LVL 4

Author Comment

by:starmonkey
ID: 11731428
There is only 1 DC in this network.
The only firewall is between the network and the DSL modem.
LVL 4

Author Comment

by:starmonkey
ID: 11731526
ecszone:
where is the Scripts Policy Processing?  I can't seem to find it.
RE: 328991, The client PC is running SP4, if I'm reading this article correctly, SP4 should eliminate the problem.

RE: Gpresult.exe, I downloaded it and will try it out.

Thanks again to everyone!  I'll be back.
LVL 20

Expert Comment

by:Debsyl99
ID: 11731562
Hi

First rename the gpo to MNRC_ALL, not sure that calling it MNRC_ALL.bat will help. Also group policy won't apply to groups, you need to move the individual users into the ou. Where have you put the script, and have you set it as a logon script in the ou ie configured logon scripts in the ou itself and made sure it links to the batch file in the relevant scripts folder for that gpo? On the security settings of the gpo authenticated users need read and apply group policy permissions. Then from a command prompt run the following command to propagate the settings:
secedit /refreshpolicy user_policy
Wait a few minutes, and then logon with a test account from that gpo to see if the drive maps,

Deb :))

LVL 4

Author Comment

by:starmonkey
ID: 11731939
OK, I've changed things a bit for clarification and troubleshooting purposes:
I am running the script from the domain root, so the name of the GPO is "default domain policy".  The name of the script is test.bat.  This is so there is no question about the user being in the wrong group.

I have configured the logon script itself.  The location of the script is \\SF-mnrc.org\sysvol\SF-mnrc.org\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\USER\Scripts\Logon.  This is the folder that comes up when you click the "show files" button.

There is only 1 DC, so propagation isn't an issue.
LVL 4

Author Comment

by:starmonkey
ID: 11731973
ecszone:
the following is the results of Gpresult.exe

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\Documents and Settings\Administrator.SF-MNRC>gpresult /v
Microsoft (R) Windows (R) 2000 Operating System Group Policy Result tool
Copyright (C) Microsoft Corp. 1981-1999


Created on Thursday, August 05, 2004 at 5:17:21 PM


Operating System Information:

Operating System Type:          Professional
Operating System Version:       5.0.2195.Service Pack 4
Terminal Server Mode:           Not supported

###############################################################

  User Group Policy results for:



  Domain Name:          SF-MNRC
  Domain Type:          Windows 2000
  Site Name:            Default-First-Site-Name

  Roaming profile:      (None)
  Local profile:        C:\Documents and Settings\Administrator.SF-MNRC

  The user is a member of the following security groups:


  The user has the following security privileges:

        Bypass traverse checking
        Shut down the system
        Remove computer from docking station
        Manage auditing and security log
        Back up files and directories
        Restore files and directories
        Change the system time
        Force shutdown from a remote system
        Take ownership of files or other objects
        Debug programs
        Modify firmware environment values
        Profile system performance
        Profile single process
        Increase scheduling priority
        Load and unload device drivers
        Create a pagefile
        Increase quotas
        Impersonate a client after authentication
        Create global objects


###############################################################

Last time Group Policy was applied: Thursday, August 05, 2004 at 5:15:03 PM



###############################################################

  Computer Group Policy results for:



  Domain Name:          SF-MNRC
  Domain Type:          Windows 2000
  Site Name:            Default-First-Site-Name


  The computer is a member of the following security groups:

        BUILTIN\Administrators
        \Everyone
        NT AUTHORITY\Authenticated Users

###############################################################

Last time Group Policy was applied: Thursday, August 05, 2004 at 4:53:50 PM


===============================================================


The computer received "Registry" settings from these GPOs:

        Local Group Policy
            Revision Number:    131074
            Unique Name:        Local Group Policy
            Domain Name:




        The following settings were applied from: Local Group Policy

            KeyName:    Software\Policies\Microsoft\SystemCertificates\EFS
            ValueName:  EFSBlob
            ValueType:  REG_BINARY
            Value:      Binary data.  Use the /S switch to display.

            KeyName:    Software\Policies\Microsoft\SystemCertificates\EFS\Certificates\1AB86BF5089C8DDC6BECA576553DB80323D443F3
            ValueName:  Blob
            ValueType:  REG_BINARY
            Value:      Binary data.  Use the /S switch to display.

            KeyName:    Software\Policies\Microsoft\SystemCertificates\EFS\CRLs
            ValueName:
            ValueType:  REG_NONE
            Value:      This key contains no values

            KeyName:    Software\Policies\Microsoft\SystemCertificates\EFS\CTLs
            ValueName:
            ValueType:  REG_NONE
            Value:      This key contains no values


===============================================================
The computer received "EFS recovery" settings from these GPOs:

        Local Group Policy
            Revision Number:    131074
            Unique Name:        Local Group Policy
            Domain Name:


        Additional information is not available for this type of policy setting.
LVL 6

Expert Comment

by:youre1m
ID: 11733722
If your users are in the Users container you should create a new OU called something else and put them in there. Users is a built in container which gives you no facility to apply GPO's to the OU. Try that and test again.
LVL 20

Expert Comment

by:Debsyl99
ID: 11734138
Hi

Sorry my previous post was maybe misleading regarding security groups, but please read this post very carefully as you are going to get into serious trouble with this if this is your live domain. Now: Different people are saying different things here so it can get really confusing for you so you need to be very careful. I'd also suggest that you read as much as you can on windows 2000 group policy before testing things out.

MOST IMPORTANT*** - Bear in mind that if you apply testing to the default domain policy - this policy applies to everyone in the domain, admins, you, everyone. The default domain policy should NEVER NEVER NEVER be used for testing as you could inadvertently lock everyone out, including yourself. Your earlier concern over this was absolutely correct and if you have given everyone group full security permissions on the default domain policy PLEASE change it back asap!!!! (can't stress this enough)
When you do make any changes to group policy, ALWAYS document those changes so you can undo them if necessary, make sure you have a good back up set, and really you should be testing these out on a test system first (not always practical I know).

Let us know if you have trouble putting these permissions back - hopefully you've kept a note of what they were.

The default permissions on the default domain policy - should be something like:
Authenticated Users - read and apply group policy
Creator Owner - no permissions
Domain Admins - read, write, create all child objects, delete all child objects
Enterprise Admins - read, write, create all child objects, delete all child objects
System - read, write, create all child objects, delete all child objects
Notice that no-one has full control by default, and only authenticated users have apply group policy permissions.

Now on to your problem:
From your gpresult your logon isn't a member of any security groups, and needs to be which is maybe where I caused confusion earlier. When I mentioned that group policy doesn't apply to groups - I meant that if you create a new security group in ad users and computers, add users to it, and then put that group into an ou, it won't apply to the users contained within that security group. You need to add the users to that ou directly.

Firstly I'd get your default domain policy back to what it was, remove the login script from it completely. Do not delete the default domain policy. Delete any ou's you have created to test this on so far and only those - do not delete any default containers or anything else - making sure that you move any users in them or groups for that matter back to the default users container (NOT the users ou container that you created )first, delete the group policy from them completely, then delete the ou. In short I suggest you start from a clean slate.

From your gpresult:

 "The user is a member of the following security groups:

/**** nothing listed*****/

  The user has the following security privileges:"

It should look something like:

The user is a member of the following security groups:

      YourDomain\Domain Users
      \Everyone
      BUILTIN\Users
      NT AUTHORITY\INTERACTIVE
      NT AUTHORITY\Authenticated Users
      \LOCAL

Make sure that the user you're using to test is a member of domain users - Double click the user in ad users and computers, go to "member of " tab and make sure that they're members of the domain users group. This should automatically apply as a default setting when you create a new user.

Now create a new ou, call it something different to any of the existing built in containers that will enable you to recognise what it is exactly, and document what you do.

Right-click the ou, click properties, group policy and click new. Again call this policy something recognisable for that ou, that isn't the same name as anything else you may have.

Then edit it and go through the steps to add a logon script to that ou, which looks like you had done correctly earlier, making sure that your bat file is present in the relevant scripts folder that opens when you click browse when adding a logon script.

Apply, and click ok to close the logon script dialog, and close. On the group policy itself, click properties, security and make sure that authenticated users have read and apply group policy permissions. You don't need to add anything else or remove anything else, or give full control.

Make sure you don't check disable user configuration or disable anything else either.

Make sure that your test user is a member of domain users and move them into that ou - right-click the user in ad users and computers, click move and highlight your new ou. Make sure they appear in there.

Close all, then again from a command prompt type:

secedit /refreshpolicy user_policy

Wait a few minutes, then logon with your test account.

Again from a command prompt type: gpresult /v and post the results.

I hope that this makes things a little clearer, but I really suggest that you research all you can about group policy before starting to configure it as it can cause a mine of problems if things go wrong.

If there is anything that you are remotely unsure about, please post - I am on a different time zone I suspect - uk - gmt but I will help.

Deb :))
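An added diagnostic batch file, not part of Deb's reply, that runs the gpresult /v check she asks for and flags the symptoms this thread identifies: an empty "member of the following security groups" list, no GPO other than Local Group Policy, and (on XP) the "does not have RSOP data" message. It assumes gpresult.exe is on the PATH (the Resource Kit download on W2K, built in on XP) and that the output uses the headings quoted in this thread.

```batch
@echo off
rem Added diagnostic, not from the thread: captures gpresult /v and flags the
rem symptoms discussed above. Assumptions: gpresult.exe is on the PATH, and the
rem output uses the headings quoted in the thread ("Unique Name:", "Domain Users").
setlocal
set "OUT=%TEMP%\gpresult_%USERNAME%.txt"
gpresult /v > "%OUT%" 2>&1

echo Logon server: %LOGONSERVER%  - a DC name is expected; \\%COMPUTERNAME% means a local logon

rem XP wording when user policy was never evaluated for this account.
findstr /i /c:"does not have RSOP data" "%OUT%" >nul && (
    echo FAIL: no RSOP data for %USERNAME% - user policy was never applied
    goto :done
)

rem Every domain account should at least show its primary group here.
findstr /i /c:"Domain Users" "%OUT%" >nul
if errorlevel 1 (
    echo FAIL: "Domain Users" missing from the user's security groups - check the
    echo       account's Member Of tab and that the logon really went to the domain
) else (
    echo OK: domain group membership reported
)

rem W2K gpresult names each GPO under "Unique Name:"; if the only one listed is
rem "Local Group Policy", no domain GPO reached this session at all.
findstr /c:"Unique Name:" "%OUT%" | find /v "Local Group Policy" >nul
if errorlevel 1 (
    echo WARN: only Local Group Policy reported - no domain GPO was applied
) else (
    echo OK: at least one domain GPO reported
)

:done
echo Full output saved to "%OUT%"
endlocal
```

Run it as the test user on the workstation right after logging on; the saved file is what to post or compare against a healthy machine, and the three verdicts separate "the script is wrong" from "no domain policy is reaching this user", which is the distinction the rest of this thread turns on.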
LVL 11

Expert Comment

by:Eric
ID: 11736657
Yea that gpresult is baked.    I'm not sure it's doing anything.... do any of your policies work?????????   I see no reason it should

you sure your logging into the domain?????????  :|

my output is 7 pages long!

it starts like this:

RSOP results for mydomain\myusername on mycomputername : Logging Mode

yours shows no identification to the domain at all.

It shows no domain security groups. not good
it shows no domain policies being run.
Short example:

Resultant Set Of Policies for Computer:
    ----------------------------------------

        Software Installations
        ----------------------
            N/A

        Startup Scripts
        ---------------
            N/A

        Shutdown Scripts
        ----------------
            N/A

        Account Policies
        ----------------
            GPO: Default Domain Policy
                Policy:            MinimumPasswordAge
                Computer Setting:  N/A

            GPO: Default Domain Policy
                Policy:            PasswordHistorySize
                Computer Setting:  1

            GPO: Default Domain Policy
                Policy:            LockoutDuration
                Computer Setting:  5

            GPO: Default Domain Policy
                Policy:            ResetLockoutCount
                Computer Setting:  5

            GPO: Default Domain Policy
                Policy:            MinimumPasswordLength
                Computer Setting:  6

            GPO: Default Domain Policy
                Policy:            LockoutBadCount
                Computer Setting:  5

            GPO: Default Domain Policy
                Policy:            MaximumPasswordAge
                Computer Setting:  180

        Audit Policy
        ------------
            GPO: Default Domain Policy
                Policy:            AuditAccountLogon
                Computer Setting:  Success, Failure
------------------------------------------------------------------

I don't do scripts in the default domain policy (I don't recommend changing the default at all actually... I did this before I knew that.)
but you can see the changes I made to this policy are applied...
LVL 4

Author Comment

by:starmonkey
ID: 11737039
Thanks again to everyone for all the help!

Debsyl99:  I agree with you, so I've un-done everything and started with a clean slate.  I never trust my memory, so I have been taking screen shots before every change.  Incidentally, the permissions were set (before I changed them) exactly as you listed.
We are in dif time zones; I'm in California.
I read through your post and I think I have a better idea of what is happening, but I am taking your advice and reading up on W2K GP before I go further.

ecszone:  Yea it does look messed up, but now I have a better idea of what to look for.  Thanks!
I am sure I am logging on to the domain, though I know it looks like I'm not.

I'll post back soon...
LVL 20

Expert Comment

by:Debsyl99
ID: 11737137
Cool :))
LVL 11

Expert Comment

by:Eric
ID: 11737210
"but I am taking your advice and reading up on W2K GP before I go further"

buy some redbull or make a trip to starbucks.. you will need it :)
LVL 4

Author Comment

by:starmonkey
ID: 11739959
OK.
I have checked the account in AD and made sure it was a member of the group domain users and administrators.  I even removed domain users and re-added it.
I'm still seeing the following line when I run gpresult.exe from the workstation after I logon with the test account:

 The user is a member of the following security groups:



##############################################################

(nothing listed)

please correct me if I'm wrong, but it should list all the groups the test account is a member of, right?
Is there some windows component I need to install?


I have also tried removing the computer from the domain and re-adding it, but I got the same result.

I'm starting to think the administrator I replaced may have messed up something in AD on the server.  If re-building the server is the only solution, I'll do it; but I'd be grateful for a less drastic solution.
I would need to haul another PC over here, install W2Kserver, install AD and make it a DC, wait for AD to replicate, demote the server, rebuild it, and do the whole thing again.  This seems like it would be about as fun as dental reconstruction.
*frustrated*
LVL 4

Author Comment

by:starmonkey
ID: 11740144
More info:
I noticed gpresult.exe seems to work differently on W2k and WinXP, so I tried it on an XP workstation after logging on with the test account.  Here is what I got:

INFO:  The user "<domain>\<TestAcnt>" does not have RSOP data

I foresee a rebuilt server in my future.
LVL 11

Accepted Solution

by:
Eric earned 150 total points
ID: 11740461
question is... will the server replicate then? :|

I've never seen this. If I were you I would not use EE for this situation.   This place is a great help, but this could be a very complicated issue.    Maybe the ex-employee nuked something on purpose?  You sure he does not have any backdoors?

For 250.00 MS will do phone support
or you can do what I often use.. email support.
its only 99 bucks.
http://support.microsoft.com/default.aspx?scid=fh;en-us;prodoffer11a&sd=GN


This is deeper than I care to go here.  I've never seen this and assume it's not good.  Maybe someone else can help.  But for 99 bucks... it may save your company money to just get it fixed.
LVL 20

Assisted Solution

by:Debsyl99
Debsyl99 earned 250 total points
ID: 11740906
Hi
Unfortunately something is really wrong. Check the event logs on the server - all of them, and post what you find, and check any dates of error logs that may coincide with changes made - for no other reason than to see if we can help advise on what you're dealing with before you spend stacks on calling microsoft - I don't think any of us in this thread will pretend we know a solution if we don't. A rebuilt server is no really big deal - making sure the data is safe and restorable is the big deal at the end of the day. How many users have you got? Have they not reported any problems?

Deb :))
LVL 4

Author Comment

by:starmonkey
ID: 11753936
Debsyl99:
Luckily, this it one of our smaller networks, only about 10 users.  The server is also managing 5 network printers.  Rebuilding it isn’t that big of a deal.
There have been problems with this network, now that this has all come to light; I think it may be a related problem:  In the past when I’ve gone to make admin changes and logged on to a workstation with the domain admin account, I was denied admin access unless I logged on with the local admin account.
Now that I’ve seen the output of gpresult.exe, I think the problem is that the admin GP isn’t loading on any of the workstations.
I’m going to bring another W2K server and make it a DC to act as a life-boat for AD, while I re-build the server.
LVL 20

Expert Comment

by:Debsyl99
ID: 11754041
Hi,

Just remember that the problem here could well be with AD itself - It certainly does sound like there's some very major problems going on. A new build may well be the best course of action with such a small network so let us know how you get on.

Deb :))
LVL 4

Author Comment

by:starmonkey
ID: 11778981
It is going to be some time before I get authorization to re-build the server, so I'm going to close this and split the points between ecszone and Debsyl99.  Thanks again for everyone's help!
LVL 20

Expert Comment

by:Debsyl99
ID: 11779291
Sorry we didn't manage to fix it for you directly but definitely more going on than meets the eye here - post again if you need any help,

Best wishes

Deb :))
LVL 11

Expert Comment

by:Eric
ID: 11779840
Thanks good luck
LVL 1

Expert Comment

by:matheson
ID: 12005096
Just outta curiosity do you have the logon script in GP Computer settings or User settings...

It should be in User settings as sometimes in computer settings things run differently

A similar situation happened to me recently and that was the problem
LVL 4

Author Comment

by:starmonkey
ID: 12009448
User setting.