Solved

Login Script / .Bat File Help

Posted on 2007-11-19
Last Modified: 2008-06-01
OK, I am a Windows newbie so here it goes:

I am running a Windows 2003 server as my DC. Last week I was having some issues and had to get Microsoft involved. One of the things I believe they did was reset my default domain policy. In doing this I believe they wiped out my login script which maps my users to the appropriate drives. I did a search for the .bat name and it showed the filename as a shortcut showing recent but the file did not exist. The path the .bat file was located at: C:\WINDOWS\SYSVOL\domain\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Scripts\Startup

Fortunately I had a copy of the .bat file and placed it back into the location above. The problem I am having is that if I disconnect all my network drives in Explorer and reboot to test, I do not connect to my network drives. I also do not receive any errors either. Now if I place that same .bat file in C:\WINDOWS\SYSVOL\domain\Scripts and go into AD and place the .bat file in my profile, it works fine. I can't figure out why it works one way and not the other. Can someone please advise me on what to do in simple terms on how to make this work without using the AD profile tab?

Thanks ahead of time...
0
Question by:djp12345
34 Comments
 
LVL 2

Expert Comment

by:Haze0830
You've put it back into the folder but did you re-add it to the policy?
0
 

Author Comment

by:djp12345
No... I didn't know I had to do that. Can you instruct me on how I make that happen?
0
 
LVL 2

Expert Comment

by:Haze0830
Verify that it's been re-added to the Default Domain Policy
User Config>Windows Settings>Scripts (Logon/Logoff)

I would reboot the machine you're testing from. I've had instances where the GPOs are not applied with a simple logoff/logon.

Check your security filtering on the policy to ensure it's getting applied to the appropriate users/groups.

If all else fails run an RSOP on the user you're testing with to see if there is a policy conflict somewhere (I can't imagine there would be in this case, but, just check for good measure).
0
 
LVL 2

Expert Comment

by:Haze0830
Ok...that would be the first step I described in my post above.

You need to open the Group Policy Management Console, find your Default Domain Policy, right click 'Edit' and under User Configuration go to Windows Settings>Scripts (Logon/Logoff) and browse to your script and add it.
0
 

Author Comment

by:djp12345
OK, I've got the change made. How long does it take before the policy takes effect? Should I run a gpupdate /force on my server?
0
 
LVL 2

Expert Comment

by:t_taylor
Not entirely sure if this will happen or not, but just to keep it in mind. The random seeming long group of letters and digits is the GUID of the policy. If this is the default domain policy and they reset it, I am not entirely sure that the GUID is the same, as they are supposed to be unique and are generated on creation of the policy. It is possible it was changed. If what Haze told you to do doesn't work, do this.

Open GPMC.
Edit the Default Domain Policy
Drill to logon scripts, right click props
Click Show Files...
Copy the .bat file used to map your drives into the explorer window that popped up.
Click Add, click Browse, Click OK twice.

That should reset it in the correct directory if there was a GUID change.
0
 
LVL 2

Expert Comment

by:Haze0830
By default the refresh interval is 90 minutes for users/computers and 5 mins for DCs. Given the type of policy (logon/logoff) the script won't actually run until the next logon cycle. So if you want to test it, just logoff and logon a user.
0
 

Author Comment

by:djp12345
t taylor:

Still trying to find out if I need to run gpupdate /force on my server to refresh policy or does this change take effect instantly?
0
 
LVL 2

Expert Comment

by:Haze0830
No, you don't need to run it on the server.
0
 
LVL 2

Expert Comment

by:t_taylor
I would run gpupdate /force /y just to be safe, but I don't think it is a big issue.  

The thing to keep in mind, however is that XP runs fast boot by default, unless you set a GPO to disable it (I would recommend this if you haven't done it yet and are planning on a good amount of GP updating).  That means it can take more than one reboot in some cases in order to get things to be updated as XP just caches the new policies, but doesn't implement them the first time it sees them.
0
 

Author Comment

by:djp12345
OK, I forced group policy and when I check the event log I receive the following error:

The Group Policy client-side extension scripts failed  to execute....
0
 
LVL 2

Expert Comment

by:t_taylor
Try to log onto one of the clients that it isn't working on locally.  Navigate to the bat file and execute it.  That should give us more info to go on.
0
 

Author Comment

by:djp12345
OK, I hope I don't sound dumb here but do I copy the .bat file say to my desktop and run it to see what happens? Is that what you mean?
0
 
LVL 2

Expert Comment

by:t_taylor
No, navigate to it. So \\servername\folder1\folder2\blahblah\GUID\andonandon\file.bat and execute that one.
0
 

Author Comment

by:djp12345
OK, now I'm really lost. My machine is one of the ones that is not working. If I navigate to that folder on my server and execute it, won't that .bat file run against my server and not my machine?
0
 
LVL 2

Expert Comment

by:t_taylor
The point of this is to make sure that you have access and permissions to the file, nothing more.  And no, it will execute on your machine.  It is being executed by the user, not by the computer on which it resides.
0
 

Author Comment

by:djp12345
OK, I was able to go to a different machine and navigate and launch the file with no issues.
0
 
LVL 2

Expert Comment

by:t_taylor
And you double checked to make sure that the bat file that is being executed is viewable if you go to the gpo, edit, drill to logon script, and click view files?

Have you double checked the security settings and the delegation to make sure users can apply the GPO?

Also, check and make sure that neither half, nor all of the GPO is disabled.
0
 

Author Comment

by:djp12345
Yes, verified the file is viewable under Logon Scripts for Default Domain Policy.

As far as your second statement about security settings and delegation, how do I verify that along with checking half, nor, or all of the GPO is disabled?
0
 
LVL 2

Expert Comment

by:t_taylor
Right click on the GPO and go to GPO Status.  There will be a check in front of Enabled, user disabled, computer disabled or all disabled.
0
 
LVL 2

Expert Comment

by:t_taylor
Oh, as for security and delegation, just select the GPO and the first tab on the right is Scope.  You probably want Authenticated Users to be on the bottom half, Security Filtering.  On the fourth tab, Delegation, click Advanced and select Authenticated users (may want to make a note of all groups here though,) and make sure they have read and Apply Group Policy permissions.
0
 

Author Comment

by:djp12345
Do you mean the properties of the default domain policy? I'm afraid I can't keep up here. Give me a Novell Server any day...... I'm afraid I don't know where to look..... Sorry for any inconvenience
0
 
LVL 2

Expert Comment

by:t_taylor
Okay, do you have GPMC installed?
0
 

Author Comment

by:djp12345
yes
0
 
LVL 2

Expert Comment

by:t_taylor
Okay, drill down group policy management, domain, domainname, group policy objects.  If this is in the Default Domain Policy, select  that.  On the right is where you will see the tabs for scope, detail, settings, delegation.  Check the things on scope and delegation listed earlier.
0
 

Author Comment

by:djp12345
OK here is what I did. Open up AD. Right click on my domain and select properties.
Select Group Policy Tab
Under GP TAB I have only one entry - Default Domain Policy
Select properties button

I don't see any of the tabs you are referring to. Am I in the wrong place?????
0
 
LVL 2

Expert Comment

by:Haze0830
You don't want Active Directory. You want the Group Policy Management Console.
0
 
LVL 2

Expert Comment

by:t_taylor
You are looking at GPOE, Group Policy Object Editor. You want to be using GPMC, Group Policy Management Console. Download it from here http://www.microsoft.com/downloads/details.aspx?familyid=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&displaylang=en and install it.
0
 
LVL 2

Expert Comment

by:Haze0830
Go to Start>Run>type 'GPMC.MSC' and hit enter.

Find your Default Domain Policy in the tree on the left. Once you click on it you'll see what Taylor is telling you to check.
0
 
LVL 2

Expert Comment

by:Haze0830
Yeah, you need to install it first if you haven't already.
0
 

Author Comment

by:djp12345
My apologies....

GPO Status: Enabled
Delegation: Authenticated Users, Domain Admins, System, etc. Inherited is set to no.

What else should I be looking at?
0
 
LVL 2

Expert Comment

by:t_taylor
The security under Scope tab.  That should have Authenticated Users as well as Delegation.  On the Delegation tab, select Advanced at the bottom and make sure that Authenticated Users has read and Apply Group Policy.
0
 

Author Comment

by:djp12345
Yes, Both of those are selected.
0
 
LVL 2

Accepted Solution

by:
t_taylor earned 50 total points
On the settings tab, does it say disabled next to the User Settings?

I would suggest not having this in the default domain policy but creating another GPO and using it only to run this bat script on logon.  Link it to the domain if that's where you want it to be.  Then go down to the policy modeling and run a Resultant Set of Policy on a user to see if it is getting applied.
0
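
The point made early in this thread, that copying the .bat back into the GPO folder is not the same as adding it to the policy, can be checked from SYSVOL: Group Policy records user logon scripts in `User\Scripts\scripts.ini` inside the GPO folder, as `0CmdLine=` entries under `[Logon]`. The following is an added example, not code from any poster: it lists scripts present in the Logon folder without a registration, and registrations whose file is missing. The folder tree, `mapdrives.bat`, `fileserver` and the function names are constructed for illustration, and it assumes the folders are spelled `User`, `Scripts` and `Logon`.

```python
import codecs
import tempfile
from pathlib import Path, PureWindowsPath

def read_scripts_ini(path):
    """Return {section: [CmdLine values]} from a GPO scripts.ini."""
    raw = Path(path).read_bytes()
    # Group Policy normally writes this file as UTF-16 with a BOM.
    has_bom = raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE))
    text = raw.decode("utf-16" if has_bom else "cp1252")
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].lower(), [])
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower().endswith("cmdline") and value:
                current.append(value)
    return sections

def audit_logon_scripts(gpo_root):
    """Compare User/Scripts/Logon on disk with the [Logon] registrations."""
    scripts = Path(gpo_root) / "User" / "Scripts"
    ini = scripts / "scripts.ini"
    registered = read_scripts_ini(ini).get("logon", []) if ini.is_file() else []
    logon = scripts / "Logon"
    on_disk = {p.name.lower() for p in logon.iterdir() if p.is_file()} if logon.is_dir() else set()
    # Relative CmdLine values resolve against the Logon folder; absolute
    # and UNC paths point elsewhere and are not checked here.
    local = {c.lower() for c in registered if not PureWindowsPath(c).is_absolute()}
    return {
        "registered": registered,
        "on_disk_not_in_policy": sorted(on_disk - local),
        "in_policy_missing_file": sorted(local - on_disk),
    }

def demo():
    """Constructed GPO folder: script copied back first, registered second."""
    root = Path(tempfile.mkdtemp()) / "{CONSTRUCTED-GPO-GUID}"
    logon = root / "User" / "Scripts" / "Logon"
    logon.mkdir(parents=True)
    (logon / "mapdrives.bat").write_text("net use H: \\\\fileserver\\home\r\n")
    before = audit_logon_scripts(root)
    ini_text = "\r\n[Logon]\r\n0CmdLine=mapdrives.bat\r\n0Parameters=\r\n"
    (root / "User" / "Scripts" / "scripts.ini").write_bytes(ini_text.encode("utf-16"))
    return before, audit_logon_scripts(root)

if __name__ == "__main__":
    for label, result in zip(("before", "after"), demo()):
        print(label, result)
```

Against a real domain, pass the GPO's folder under `SYSVOL\domain\Policies` to `audit_logon_scripts`; a non-empty `on_disk_not_in_policy` is the state the asker was in after copying the file back by hand.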
