ras2a
asked on
Wireless Notebook not running Domain logon scripts?
I imagine that this has been asked before, but for some reason I couldn't access pertinent information on this site (kept asking me to sign up for premium account).
Just bought a Dell Inspiron 6400, have added the machine to my home domain (via wired connection) and now want to be able to use wireless. I have set everything up correctly and the machine appears to log on and I can access network resources (using UNC etc), but the domain logon script is not running. I assume this is because there is a delay before the wireless connection is established, therefore the script times out etc?
What are the possible solutions and workarounds to get the script to run? I've also read about using RADIUS/IAS etc for wireless authentication? Is this a 'requirement', or is this only needed for larger (corporate) deployments etc?
Cheers all
ras
Just bought a Dell Inspiron 6400, have added the machine to my home domain (via wired connection) and now want to be able to use wireless. I have set everything up correctly and the machine appears to log on and I can access network resources (using UNC etc), but the domain logon script is not running. I assume this is because there is a delay before the wireless connection is established, therefore the script times out etc?
What are the possible solutions and workarounds to get the script to run? I've also read about using RADIUS/IAS etc for wireless authentication? Is this a 'requirement', or is this only needed for larger (corporate) deployments etc?
Cheers all
ras
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ras,
One of your comments made me think about something...
You say that the domain logon script attempts to execute before the windows shell is run. That's actually not true. Assuming that you're running Windows 2000 or 2003, you've actually got four different kinds of scripts you can run:
1. Startup - executes prior to logon, but after the Windows shell executes (otherwise, how would the Windows Scripting Host execute the script?)
2. Logon - executes after logon
3. Logoff - executes during logoff
4. Shutdown - executes after logoff, but prior to shut down
If you're running Windows NT 4.0, then you've actually got only one type of script - logon scripts - and they execute at the same time as they do in a Win2K or 2K3 environment.
Anyway, it made me wonder about why the script isn't executing... I mean, if you've successfully authenticated to the domain, then you're wireless network card is working unless you're using cached credentials. Perhaps you could disable that (go to the Local Security Policy of the laptop in its Administrative Tools folder and then navigate to Local Policies\Security Options and set the "Interactive logon: Number of previous logons to cache (in case domain controller is not available)" to 0.) and force the computer to not used cached credentials. Then, you'll know for sure whether or not you're truly authenticating to the domain.
Anwyay, just a thought.
<-=+=->
One of your comments made me think about something...
You say that the domain logon script attempts to execute before the windows shell is run. That's actually not true. Assuming that you're running Windows 2000 or 2003, you've actually got four different kinds of scripts you can run:
1. Startup - executes prior to logon, but after the Windows shell executes (otherwise, how would the Windows Scripting Host execute the script?)
2. Logon - executes after logon
3. Logoff - executes during logoff
4. Shutdown - executes after logoff, but prior to shut down
If you're running Windows NT 4.0, then you've actually got only one type of script - logon scripts - and they execute at the same time as they do in a Win2K or 2K3 environment.
Anyway, it made me wonder about why the script isn't executing... I mean, if you've successfully authenticated to the domain, then you're wireless network card is working unless you're using cached credentials. Perhaps you could disable that (go to the Local Security Policy of the laptop in its Administrative Tools folder and then navigate to Local Policies\Security Options and set the "Interactive logon: Number of previous logons to cache (in case domain controller is not available)" to 0.) and force the computer to not used cached credentials. Then, you'll know for sure whether or not you're truly authenticating to the domain.
Anwyay, just a thought.
<-=+=->
Your issue might be that Slow Link Detection is turned on. Check the following article:
http://www.mydigitallife.info/2006/09/13/group-policy-login-or-logon-scripts-not-running-not-working-or-not-executing/
Hope this helps
Crow
http://www.mydigitallife.info/2006/09/13/group-policy-login-or-logon-scripts-not-running-not-working-or-not-executing/
Hope this helps
Crow
Crow,
I was thinking that, too, but keep in mind that by default Active Directory only categorizes a link as "slow" if it is less than 10Mbps. Even if ras is running 802.11b, he's still running at 11Mbps.
But, it's still a good idea to double-check.
<-=+=->
I was thinking that, too, but keep in mind that by default Active Directory only categorizes a link as "slow" if it is less than 10Mbps. Even if ras is running 802.11b, he's still running at 11Mbps.
But, it's still a good idea to double-check.
<-=+=->
ASKER
Hi Splinter,
Perhaps I worded my last comment wrong. What I should have said was 'before the GUI (desktop) is displayed. The script I want to run is obviously a logon script. It's not been assigned via GPO, but simply by specifying a batch file in the logon properties of the AD user. I will, however, be using the more robust GPO method shortly.
Btw: Running Win2k3 at the Server level and XP Pro on the Notebook
Anyway, MANY thanks indeed for all your help, this place is awesomely fast. I'll check everything else.
Is there any way I can split the points between you dudes? (",)
Cheers guy's
-ras-
Perhaps I worded my last comment wrong. What I should have said was 'before the GUI (desktop) is displayed. The script I want to run is obviously a logon script. It's not been assigned via GPO, but simply by specifying a batch file in the logon properties of the AD user. I will, however, be using the more robust GPO method shortly.
Btw: Running Win2k3 at the Server level and XP Pro on the Notebook
Anyway, MANY thanks indeed for all your help, this place is awesomely fast. I'll check everything else.
Is there any way I can split the points between you dudes? (",)
Cheers guy's
-ras-
If there are several people on a shared WAP then he could in theory be getting less then 10MB. I would test it anyway.
ASKER
Hiya, I must just point out that this is actually my own LAN/WLAN setup. I have a rock solid 54MB connection (never drops) to a Buffalo Wireless Router/AP (Bufallo are great, I must add). Also, I'm the only user connecting to the device and have MAC filtering in place (in addition to WPA-PSK encryption).
cheers
ras
cheers
ras
In that case don't worry about a split. Send the points to Splinter for the fix.
Hi,
Another thing to check is what control software the wireless network card are using. If you are using the built-in Windows Wireless configuration then I believe it gets everything together during system startup, and if it should be ready if you give it a little time before you log in. If you are using some other configuration software, it may not get called to start until you logon, which is too late for the domain script to run.
In addition, Windows XP, in an effort to get users to the desktop a little faster, actually defaults to allowing a logon before the system drivers are all loaded, including wireless adaptors in some cases. This can be tested by allowing a minute or two for the system to complete the startup before trying to log in. For more information, see:
http://support.microsoft.com/kb/305293
Radius/IAS can be used, but I doubt that it will have any effect on this problem. Radius/IAS is to allow a single user account database to exist so that passwords for multiple services stay in sync, which they would since there is only one database. Most often I see this used for domain users that are also VPN users and can't remember which username and password combination to use. Radius/IAS allows a domain password change, which is often forced periodically, to keep the VPN password matching. It's also used to get the account database off of the VPN, Wireless, or other edge service device and protect the database in a more secure locatoin.
Hope this helps,
Alan
Another thing to check is what control software the wireless network card are using. If you are using the built-in Windows Wireless configuration then I believe it gets everything together during system startup, and if it should be ready if you give it a little time before you log in. If you are using some other configuration software, it may not get called to start until you logon, which is too late for the domain script to run.
In addition, Windows XP, in an effort to get users to the desktop a little faster, actually defaults to allowing a logon before the system drivers are all loaded, including wireless adaptors in some cases. This can be tested by allowing a minute or two for the system to complete the startup before trying to log in. For more information, see:
http://support.microsoft.com/kb/305293
Radius/IAS can be used, but I doubt that it will have any effect on this problem. Radius/IAS is to allow a single user account database to exist so that passwords for multiple services stay in sync, which they would since there is only one database. Most often I see this used for domain users that are also VPN users and can't remember which username and password combination to use. Radius/IAS allows a domain password change, which is often forced periodically, to keep the VPN password matching. It's also used to get the account database off of the VPN, Wireless, or other edge service device and protect the database in a more secure locatoin.
Hope this helps,
Alan
ASKER
Alan, I think you may be onto something there. Pretty damn sure I've read this before (regarding mfctrs control s/w and not kicking in until 'after' startup, as it were). Whereas, as you say, if you let Windoze control the NIC, then connection is established beforehand.
I haven't tried any of the suggested remarks yet, but will be doing so tonight. I will then award points accordingly.
MANY thanks indeed for all your great (and rapid) comments. This place truly is superb
Cheers dudes
ras
I haven't tried any of the suggested remarks yet, but will be doing so tonight. I will then award points accordingly.
MANY thanks indeed for all your great (and rapid) comments. This place truly is superb
Cheers dudes
ras
ASKER
Ok, just re-enabled Wireless Zero service; whilst the connection 'does' appear to be established 'immediately' once desktop is displayed etc, the script still does not run. So that can be ruled out. I tried logging on and off several times to fully test this, but still the script would not run.
I wll check the other possible solutions later.
Will keep you posted
ras
I wll check the other possible solutions later.
Will keep you posted
ras
ASKER
Oh well, I've tried pretty much everything you guy's have suggested. Even tried adding delay to the logon script etc, no go. In the end, I've opted for the (not ideal) solution of copying the .bat across to the Notebook and dropping shortcut into the Startup folder. Again, thought not what I wanted, it works fine.
I've now awarded the points to Splinter.
Cheers all, appreciate your assistance
ras ♣
I've now awarded the points to Splinter.
Cheers all, appreciate your assistance
ras ♣
ASKER
1. Make sure it's working when you're wired >>
>>> It is
2. While wireless, make sure you can access the logon script
>>> Yep! As I said, I can access UNC paths, so I simply browse to \\server\c$\winnt\sysvol etc
3. While wireless, make sure you can execute the logon script
>>> Yep
Again, I think the reason the script won't run is due to the fact that the Wireless 'connection' is not esatablished with my Buffalo WAP until 'after' logging on (desktop displayed etc). Since the domain logon script attempts to execute 'before' windows shell is run etc, the script must time out?
I'm also looking into setting up PEAP etc, but that is for our work based WLAN, as I believe it's far more secure (digi certificates et al). But copying the script locally sounds fine as a workaround. Unless other's reply to this with more 'comprehensive' solutions, I'll award you the points!
Cheers mate
ras