Login Script / .Bat File Help

Ok I am a windows newbie so here it goes:

I am running a windows 2003 server as my dc. Last week I was having some issues and had to get Microsoft involved. One of the things I believe they did was reset my default domain policy. In doing this I believe they wiped out my login script which maps my users to the appropriate drives. I did a search for the .bat name and it showed the filename as a shortcut showing recent but the file did not exist. The path the .bat file was located at: C:\WINDOWS\SYSVOL\domain\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Scripts\Startup

Fortunately I  had a copy of the .bat file and placed it back into the location above. The problem I am having is that if I disconnect all my network drives in explorer and reboot to test, I do not connect to my network drives. I also do not receive any errors either. Now if I place that same .bat file in

C:\WINDOWS\SYSVOL\domain\Scripts and go into AD and place the .bat file in my profile, it works fine. I can't figure out why it works one way and not the other. Can someone please advise me on what to do in simple terms on how to make this work without using the AD profile tab.

Thanks ahead of time...
djp12345Asked:
Who is Participating?
 
t_taylorConnect With a Mentor Commented:
On the settings tab, does it say disabled next to the User Settings?

I would suggest not having this in the default domain policy but creating another GPO and using it only to run this bat script on logon.  Link it to the domain if that's where you want it to be.  Then go down to the policy modeling and run a Resultant Set of Policy on a user to see if it is getting applied.
0
 
Haze0830Commented:
You've put it back into the folder but did you readd it to the policy?
0
 
djp12345Author Commented:
No... I didn't know I had to do that. Can you instuct me on how I make that happen
0
Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

 
Haze0830Commented:
Verify that it's been readded to the Default Domain Policy
User Config>Windows Settings>Scripts (Logon/Logoff)

I would reboot the machine you're testing from. I've had instances where the GPO's are not applied with a simple logoff/logon.

Check your security filtering on the policy to ensure it's getting applied to the appropriate users/groups.

If all else fails run an RSOP on the user you're testing with to see if there is a policy conflict somewhere (I can't imagine there would be in this case, but, just check for good measure)
0
 
Haze0830Commented:
Ok...that would be the first step I described in my post above.

You need to open the Group Policy Management Console, find your Default Domain Policy, right click 'Edit' and under User Configuration go to Windows Settings>Scripts (Logon/Logoff) and browse to your script and add it.
0
 
djp12345Author Commented:
ok I've got the change made. How long does it take before the policy takes effect? Should I run a gpupdate /force on my server?
0
 
t_taylorCommented:
Not entirely sure if this will happen or not, but just to keep it in mind.  The random seeming long group of letters and digits is the GUID of the policy.  If this is the default domain policy and they reset it, I am not entirely sure that the GUID is the same, as they are supposed to be unique and are generated on creation of the policy.  It is possible it was changed.  If what Haze told you to do doesn't work, do this.

Open GPMC.  
Edit the Default Domain Policy
Drill to logon scipts, right click props
Click Show Files...
Copy the .bat file used to map your drives into the explorer window that popped up.
Click Add, click Browse, Click OK twice.

That should reset it in the correct directory in there was a GUID change.
0
 
Haze0830Commented:
By default the refresh interval is 90 minutes for users/computers and 5 mins for DC's. Given the type of policy (logon/logoff) the script won't actually run until the next logon cycle. So if you want to test it, just logoff and logon a user.
0
 
djp12345Author Commented:
t taylor:

Still trying to find out if I need to run gpupdate /force on my server to refresh policy or does this change take effect instantly?
0
 
Haze0830Commented:
No you don't need to run it on the server.
0
 
t_taylorCommented:
I would run gpupdate /force /y just to be safe, but I don't think it is a big issue.  

The thing to keep in mind, however is that XP runs fast boot by default, unless you set a GPO to disable it (I would recommend this if you haven't done it yet and are planning on a good amount of GP updating).  That means it can take more than one reboot in some cases in order to get things to be updated as XP just caches the new policies, but doesn't implement them the first time it sees them.
0
 
djp12345Author Commented:
ok I forced group policy and when I check the event log I receive the following error:

The Group Policy client-side extension scripts failed  to execute....
0
 
t_taylorCommented:
Try to log onto one of the clients that it isn't working on locally.  Navigate to the bat file and execute it.  That should give us more info to go on.
0
 
djp12345Author Commented:
OK I hope I don't sound dumb here but do I copy the .bat file say to my desktop and run it to see what happens. Is that what you mean.
0
 
t_taylorCommented:
No, navigate to it.  so \\servername\folder1\folder2\blahblah\GUID\andonandon\file.bat  and execute that one.
0
 
djp12345Author Commented:
ok now I'm really lost. My machine is one of the one's that is not working. If I navigate to that folder on my server and executie it, won't that .bat file run against my server and not my machine?
0
 
t_taylorCommented:
The point of this is to make sure that you have access and permissions to the file, nothing more.  And no, it will execute on your machine.  It is being executed by the user, not by the computer on which it resides.
0
 
djp12345Author Commented:
ok I was able to go to a different machine and navigate and launch the file with no issues.
0
 
t_taylorCommented:
And you double checked to make sure that the bat file that is being executed is viewable if you go to the gpo, edit, drill to logon script, and click view files?

Have you double checked the security settings and the delegation to make sure users can apply the GPO?

Also, check and make sure that neither half, nor all of the GPO is disabled.
0
 
djp12345Author Commented:
Yes, Verified the file is viewable under Logon Scripts for Default Domain Policy

As far as your second statement about security settings and deligation, how do I verify that along with checking half, nor, or all of the GPO is disabled
0
 
t_taylorCommented:
Right click on the GPO and go to GPO Status.  There will be a check in front of Enabled, user disabled, computer disabled or all disabled.
0
 
t_taylorCommented:
Oh, as for security and delegation, just select the GPO and the first tab on the right is Scope.  You probably want Authenticated Users to be on the bottom half, Security Filtering.  On the fourth tab, Delegation, click Advanced and select Authenticated users (may want to make a note of all groups here though,) and make sure they have read and Apply Group Policy permissions.
0
 
djp12345Author Commented:
Do you mean the properties of the default domain policy? I afraid I can't keep up here. Give me a Novell Server anyday...... I'm afraid I don't know where to look..... Sorry for any inconvience
0
 
t_taylorCommented:
Okay, do you have GPMC installed?
0
 
djp12345Author Commented:
yes
0
 
t_taylorCommented:
Okay, drill down group policy management, domain, domainname, group policy objects.  If this is in the Default Domain Policy, select  that.  On the right is where you will see the tabs for scope, detail, settings, delegation.  Check the things on scope and delegation listed earlier.
0
 
djp12345Author Commented:
OK here is what I did. Open up AD. Right click on my domain and select properties.
Select Group Policy Tab
Under GP TAB I have on one entry - Default Domain Policy
Select properties button

I don't see any of the tabs you are referring to. Am I in the wron place?????
0
 
Haze0830Commented:
You don't want Active Directory. You want the Group Policy Management Console.
0
 
t_taylorCommented:
You are looking at GPOE, Group Policy Object Editor.  You want to be using GPMC, Group Policy Managment Console.  Download it from here http://www.microsoft.com/downloads/details.aspx?familyid=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&displaylang=en and install it.
0
 
Haze0830Commented:
Go to Start>Run>type 'GPMC.MSC' and hit enter.

Find your Default Domain Policy in the tree on the left. Once you click on it you'll see what Taylor is telling you to check.
0
 
Haze0830Commented:
Yeah, you need to install it first if you haven't already.
0
 
djp12345Author Commented:
My apologies....

GPO Status: Enables
Delegation:   Authenticated Users,Domain Admins, System, Etc. Inheritied is set to no.

What else should I be looking at?
0
 
t_taylorCommented:
The security under Scope tab.  That should have Authenticated Users as well as Delegation.  On the Delegation tab, select Advanced at the bottom and make sure that Authenticated Users has read and Apply Group Policy.
0
 
djp12345Author Commented:
Yes, Both of those are selected.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.