Solved

Wireless Notebook not running Domain logon scripts?

Posted on 2006-11-01
13
1,035 Views
Last Modified: 2012-06-27
I imagine that this has been asked before, but for some reason I couldn't access pertinent information on this site (kept asking me to sign up for premium account).

Just bought a Dell Inspiron 6400, have added the machine to my home domain (via wired connection) and now want to be able to use wireless. I have set everything up correctly and the machine appears to log on and I can access network resources (using UNC etc), but the domain logon script is not running.  I assume this is because there is a delay before the wireless connection is established, therefore the script times out etc?

What are the possible solutions and workarounds to get the script to run?  I've also read about using RADIUS/IAS etc for wireless authentication? Is this a 'requirement', or is this only needed for larger (corporate) deployments etc?

Cheers all

ras
0
Comment
Question by:ras2a
  • 6
  • 3
  • 3
  • +1
13 Comments
 
LVL 13

Accepted Solution

by:
Joseph Hornsey earned 125 total points
ID: 17850604
Well,  a quick workaround would be to copy the script to your laptop and then place a shortcut to the script in "C:\Documents and Settings\All Users\Start Menu\Programs\Startup".  This would put the shortcut to the script in the Startup folder for every user of the laptop and would execute the script when the user logged on.

I think the best thing to do, however, is troubleshoot why the script isn't working.  I'd start with the basics:

1. Make sure it's working when you're wired.
2. While wireless, make sure you can access the logon script
3. While wireless, make sure you can execute the logon script

If this is all working, then check the properties of the Wireless network in wireless setup (go to Network Connections, right-click on the wireless connection and go to Properties.  Go to the Wireless Networks tab, find your wireless network, select it and click Properties.)  Go to the Authentication tab and make sure that there's a check in the "Authenticate as computer when computer information is available" check box.  If not, then the computer is not authenticating its account with the domain, so your logon scripts will not work.

Let me know what happens.

<-=+=->

0
 

Author Comment

by:ras2a
ID: 17850735
Hiya mate - cheers for the quick response. I can answer yes to all of those points:

1. Make sure it's working when you're wired >>
>>> It is
2. While wireless, make sure you can access the logon script
>>> Yep! As I said, I can access UNC paths, so I simply browse to \\server\c$\winnt\sysvol etc
3. While wireless, make sure you can execute the logon script
>>> Yep

Again, I think the reason the script won't run is due to the fact that the Wireless 'connection' is not esatablished with my Buffalo WAP until 'after' logging on (desktop displayed etc).  Since the domain logon script attempts to execute 'before' windows shell is run etc, the script must time out?

I'm also looking into setting up PEAP etc, but that is for our work based WLAN, as I believe it's far more secure (digi certificates et al).  But copying the script locally sounds fine as a workaround.  Unless other's reply to this with more 'comprehensive' solutions, I'll award you the points!

Cheers mate

ras
0
 
LVL 13

Expert Comment

by:Joseph Hornsey
ID: 17851366
ras,

One of your comments made me think about something...

You say that the domain logon script attempts to execute before the windows shell is run.  That's actually not true.  Assuming that you're running Windows 2000 or 2003, you've actually got four different kinds of scripts you can run:

1. Startup - executes prior to logon, but after the Windows shell executes (otherwise, how would the Windows Scripting Host execute the script?)
2. Logon - executes after logon
3. Logoff - executes during logoff
4. Shutdown - executes after logoff, but prior to shut down

If you're running Windows NT 4.0, then you've actually got only one type of script - logon scripts - and they execute at the same time as they do in a Win2K or 2K3 environment.

Anyway, it made me wonder about why the script isn't executing... I mean, if you've successfully authenticated to the domain, then you're wireless network card is working unless you're using cached credentials.  Perhaps you could disable that (go to the Local Security Policy of the laptop in its Administrative Tools folder and then navigate to Local Policies\Security Options and set the "Interactive logon: Number of previous logons to cache (in case domain controller is not available)" to 0.) and force the computer to not used cached credentials.  Then, you'll know for sure whether or not you're truly authenticating to the domain.

Anwyay, just a thought.

<-=+=->
0
 
LVL 9

Expert Comment

by:SamuraiCrow
ID: 17852353
Your issue might be that Slow Link Detection is turned on.  Check the following article:
http://www.mydigitallife.info/2006/09/13/group-policy-login-or-logon-scripts-not-running-not-working-or-not-executing/

Hope this helps
Crow
0
 
LVL 13

Expert Comment

by:Joseph Hornsey
ID: 17852480
Crow,

I was thinking that, too, but keep in mind that by default Active Directory only categorizes a link as "slow" if it is less than 10Mbps.  Even if ras is running 802.11b, he's still running at 11Mbps.

But, it's still a good idea to double-check.

<-=+=->
0
 

Author Comment

by:ras2a
ID: 17852640
Hi Splinter,

Perhaps I worded my last comment wrong. What I should have said was 'before the GUI (desktop) is displayed.  The script I want to run is obviously a logon script. It's not been assigned via GPO, but simply by specifying a batch file in the logon properties of the AD user. I will, however, be using the more robust GPO method shortly.  

Btw: Running Win2k3 at the Server level and XP Pro on the Notebook

Anyway, MANY thanks indeed for all your help, this place is awesomely fast.  I'll check everything else.

Is there any way I can split the points between you dudes? (",)

Cheers guy's

-ras-
0
What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

 
LVL 9

Expert Comment

by:SamuraiCrow
ID: 17852939
If there are several people on a shared WAP then he could in theory be getting less then 10MB.  I would test it anyway.
0
 

Author Comment

by:ras2a
ID: 17853252
Hiya, I must just point out that this is actually my own LAN/WLAN setup.  I have a rock solid 54MB connection (never drops) to a Buffalo Wireless Router/AP (Bufallo are great, I must add).  Also, I'm the only user connecting to the device and have MAC filtering in place (in addition to WPA-PSK encryption).

cheers

ras
0
 
LVL 9

Expert Comment

by:SamuraiCrow
ID: 17853963
In that case don't worry about a split.  Send the points to Splinter for the fix.
0
 
LVL 8

Expert Comment

by:saw830
ID: 17854802
Hi,

Another thing to check is what control software the wireless network card are using.  If you are using the built-in Windows Wireless  configuration then I believe it gets everything together during system startup, and if it should be ready if you give it a little time before you log in.  If you are using some other configuration software, it may not get called to start until you logon, which is too late for the domain script to run.

In addition, Windows XP, in an effort to get users to the desktop a little faster, actually defaults to allowing a logon before the system drivers are all loaded, including wireless adaptors in some cases.  This can be tested by allowing a minute or two for the system to complete the startup before trying to log in.  For more information, see:
http://support.microsoft.com/kb/305293

Radius/IAS can be used, but I doubt that it will have any effect on this problem.  Radius/IAS is to allow a single user account database to exist so that passwords for multiple services stay in sync, which they would since there is only one database.  Most often I see this used for domain users that are also VPN users and can't remember which username and password combination to use.  Radius/IAS allows a domain password change, which is often forced periodically, to keep the VPN password matching.  It's also used to get the account database off of the VPN, Wireless, or other edge service device and protect the database in a more secure locatoin.

Hope this helps,
Alan
0
 

Author Comment

by:ras2a
ID: 17856694
Alan, I think you may be onto something there. Pretty damn sure I've read this before (regarding mfctrs control s/w and not kicking in until 'after' startup, as it were).  Whereas, as you say, if you let Windoze control the NIC, then connection is established beforehand.  

I haven't tried any of the suggested remarks yet, but will be doing so tonight. I will then award points accordingly.

MANY thanks indeed for all your great (and rapid) comments. This place truly is superb

Cheers dudes

ras
0
 

Author Comment

by:ras2a
ID: 17856803
Ok, just re-enabled Wireless Zero service; whilst the connection 'does' appear to be established 'immediately' once desktop is displayed etc, the script still does not run. So that can be ruled out.  I tried logging on and off several times to fully test this, but still the script would not run.

I wll check the other possible solutions later.

Will keep you posted

ras
0
 

Author Comment

by:ras2a
ID: 17860494
Oh well, I've tried pretty much everything you guy's have suggested. Even tried adding delay to the logon script etc, no go. In the end, I've opted for the (not ideal) solution of copying the .bat across to the Notebook and dropping shortcut into the Startup folder. Again, thought not what I wanted, it works fine.

I've now awarded the points to Splinter.

Cheers all, appreciate your assistance

ras &#9827;
0

Featured Post

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

Join & Write a Comment

Greetings, Experts! First let me state that this website is top notch. I thoroughly enjoy the community that is shared here; those seeking help and those willing to sacrifice their time to help. It is fantastic. I am writing this article at th…
Enterprise networks where VoIP phones have been deployed frequently use port configurations that allow both a computer and an IP phone to be plugged into the same switch port but use different VLANs. On Cisco equipment I'm referring to the "native V…
Access reports are powerful and flexible. Learn how to create a query and then a grouped report using the wizard. Modify the report design after the wizard is done to make it look better. There will be another video to explain how to put the final p…
This tutorial demonstrates a quick way of adding group price to multiple Magento products.

759 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now