Solved

Login Script / .Bat File Help

Posted on 2007-11-19
34
602 Views
Last Modified: 2008-06-01
Ok I am a windows newbie so here it goes:

I am running a windows 2003 server as my dc. Last week I was having some issues and had to get Microsoft involved. One of the things I believe they did was reset my default domain policy. In doing this I believe they wiped out my login script which maps my users to the appropriate drives. I did a search for the .bat name and it showed the filename as a shortcut showing recent but the file did not exist. The path the .bat file was located at: C:\WINDOWS\SYSVOL\domain\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Scripts\Startup

Fortunately I  had a copy of the .bat file and placed it back into the location above. The problem I am having is that if I disconnect all my network drives in explorer and reboot to test, I do not connect to my network drives. I also do not receive any errors either. Now if I place that same .bat file in

C:\WINDOWS\SYSVOL\domain\Scripts and go into AD and place the .bat file in my profile, it works fine. I can't figure out why it works one way and not the other. Can someone please advise me on what to do in simple terms on how to make this work without using the AD profile tab.

Thanks ahead of time...
0
Comment
Question by:djp12345
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 13
  • 13
  • 8
34 Comments
 
LVL 2

Expert Comment

by:Haze0830
ID: 20313438
You've put it back into the folder but did you readd it to the policy?
0
 

Author Comment

by:djp12345
ID: 20313468
No... I didn't know I had to do that. Can you instuct me on how I make that happen
0
 
LVL 2

Expert Comment

by:Haze0830
ID: 20313482
Verify that it's been readded to the Default Domain Policy
User Config>Windows Settings>Scripts (Logon/Logoff)

I would reboot the machine you're testing from. I've had instances where the GPO's are not applied with a simple logoff/logon.

Check your security filtering on the policy to ensure it's getting applied to the appropriate users/groups.

If all else fails run an RSOP on the user you're testing with to see if there is a policy conflict somewhere (I can't imagine there would be in this case, but, just check for good measure)
0
Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

 
LVL 2

Expert Comment

by:Haze0830
ID: 20313491
Ok...that would be the first step I described in my post above.

You need to open the Group Policy Management Console, find your Default Domain Policy, right click 'Edit' and under User Configuration go to Windows Settings>Scripts (Logon/Logoff) and browse to your script and add it.
0
 

Author Comment

by:djp12345
ID: 20313553
ok I've got the change made. How long does it take before the policy takes effect? Should I run a gpupdate /force on my server?
0
 
LVL 2

Expert Comment

by:t_taylor
ID: 20313562
Not entirely sure if this will happen or not, but just to keep it in mind.  The random seeming long group of letters and digits is the GUID of the policy.  If this is the default domain policy and they reset it, I am not entirely sure that the GUID is the same, as they are supposed to be unique and are generated on creation of the policy.  It is possible it was changed.  If what Haze told you to do doesn't work, do this.

Open GPMC.  
Edit the Default Domain Policy
Drill to logon scipts, right click props
Click Show Files...
Copy the .bat file used to map your drives into the explorer window that popped up.
Click Add, click Browse, Click OK twice.

That should reset it in the correct directory in there was a GUID change.
0
 
LVL 2

Expert Comment

by:Haze0830
ID: 20313582
By default the refresh interval is 90 minutes for users/computers and 5 mins for DC's. Given the type of policy (logon/logoff) the script won't actually run until the next logon cycle. So if you want to test it, just logoff and logon a user.
0
 

Author Comment

by:djp12345
ID: 20313598
t taylor:

Still trying to find out if I need to run gpupdate /force on my server to refresh policy or does this change take effect instantly?
0
 
LVL 2

Expert Comment

by:Haze0830
ID: 20313624
No you don't need to run it on the server.
0
 
LVL 2

Expert Comment

by:t_taylor
ID: 20313633
I would run gpupdate /force /y just to be safe, but I don't think it is a big issue.  

The thing to keep in mind, however is that XP runs fast boot by default, unless you set a GPO to disable it (I would recommend this if you haven't done it yet and are planning on a good amount of GP updating).  That means it can take more than one reboot in some cases in order to get things to be updated as XP just caches the new policies, but doesn't implement them the first time it sees them.
0
 

Author Comment

by:djp12345
ID: 20314019
ok I forced group policy and when I check the event log I receive the following error:

The Group Policy client-side extension scripts failed  to execute....
0
 
LVL 2

Expert Comment

by:t_taylor
ID: 20314035
Try to log onto one of the clients that it isn't working on locally.  Navigate to the bat file and execute it.  That should give us more info to go on.
0
 

Author Comment

by:djp12345
ID: 20314259
OK I hope I don't sound dumb here but do I copy the .bat file say to my desktop and run it to see what happens. Is that what you mean.
0
 
LVL 2

Expert Comment

by:t_taylor
ID: 20314291
No, navigate to it.  so \\servername\folder1\folder2\blahblah\GUID\andonandon\file.bat  and execute that one.
0
 

Author Comment

by:djp12345
ID: 20314333
ok now I'm really lost. My machine is one of the one's that is not working. If I navigate to that folder on my server and executie it, won't that .bat file run against my server and not my machine?
0
 
LVL 2

Expert Comment

by:t_taylor
ID: 20314440
The point of this is to make sure that you have access and permissions to the file, nothing more.  And no, it will execute on your machine.  It is being executed by the user, not by the computer on which it resides.
0
 

Author Comment

by:djp12345
ID: 20314488
ok I was able to go to a different machine and navigate and launch the file with no issues.
0
 
LVL 2

Expert Comment

by:t_taylor
ID: 20315037
And you double checked to make sure that the bat file that is being executed is viewable if you go to the gpo, edit, drill to logon script, and click view files?

Have you double checked the security settings and the delegation to make sure users can apply the GPO?

Also, check and make sure that neither half, nor all of the GPO is disabled.
0
 

Author Comment

by:djp12345
ID: 20315211
Yes, Verified the file is viewable under Logon Scripts for Default Domain Policy

As far as your second statement about security settings and deligation, how do I verify that along with checking half, nor, or all of the GPO is disabled
0
 
LVL 2

Expert Comment

by:t_taylor
ID: 20315294
Right click on the GPO and go to GPO Status.  There will be a check in front of Enabled, user disabled, computer disabled or all disabled.
0
 
LVL 2

Expert Comment

by:t_taylor
ID: 20315309
Oh, as for security and delegation, just select the GPO and the first tab on the right is Scope.  You probably want Authenticated Users to be on the bottom half, Security Filtering.  On the fourth tab, Delegation, click Advanced and select Authenticated users (may want to make a note of all groups here though,) and make sure they have read and Apply Group Policy permissions.
0
 

Author Comment

by:djp12345
ID: 20315452
Do you mean the properties of the default domain policy? I afraid I can't keep up here. Give me a Novell Server anyday...... I'm afraid I don't know where to look..... Sorry for any inconvience
0
 
LVL 2

Expert Comment

by:t_taylor
ID: 20315471
Okay, do you have GPMC installed?
0
 

Author Comment

by:djp12345
ID: 20315488
yes
0
 
LVL 2

Expert Comment

by:t_taylor
ID: 20315507
Okay, drill down group policy management, domain, domainname, group policy objects.  If this is in the Default Domain Policy, select  that.  On the right is where you will see the tabs for scope, detail, settings, delegation.  Check the things on scope and delegation listed earlier.
0
 

Author Comment

by:djp12345
ID: 20315660
OK here is what I did. Open up AD. Right click on my domain and select properties.
Select Group Policy Tab
Under GP TAB I have on one entry - Default Domain Policy
Select properties button

I don't see any of the tabs you are referring to. Am I in the wron place?????
0
 
LVL 2

Expert Comment

by:Haze0830
ID: 20315699
You don't want Active Directory. You want the Group Policy Management Console.
0
 
LVL 2

Expert Comment

by:t_taylor
ID: 20315708
You are looking at GPOE, Group Policy Object Editor.  You want to be using GPMC, Group Policy Managment Console.  Download it from here http://www.microsoft.com/downloads/details.aspx?familyid=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&displaylang=en and install it.
0
 
LVL 2

Expert Comment

by:Haze0830
ID: 20315715
Go to Start>Run>type 'GPMC.MSC' and hit enter.

Find your Default Domain Policy in the tree on the left. Once you click on it you'll see what Taylor is telling you to check.
0
 
LVL 2

Expert Comment

by:Haze0830
ID: 20315721
Yeah, you need to install it first if you haven't already.
0
 

Author Comment

by:djp12345
ID: 20315825
My apologies....

GPO Status: Enables
Delegation:   Authenticated Users,Domain Admins, System, Etc. Inheritied is set to no.

What else should I be looking at?
0
 
LVL 2

Expert Comment

by:t_taylor
ID: 20316021
The security under Scope tab.  That should have Authenticated Users as well as Delegation.  On the Delegation tab, select Advanced at the bottom and make sure that Authenticated Users has read and Apply Group Policy.
0
 

Author Comment

by:djp12345
ID: 20319297
Yes, Both of those are selected.
0
 
LVL 2

Accepted Solution

by:
t_taylor earned 50 total points
ID: 20322548
On the settings tab, does it say disabled next to the User Settings?

I would suggest not having this in the default domain policy but creating another GPO and using it only to run this bat script on logon.  Link it to the domain if that's where you want it to be.  Then go down to the policy modeling and run a Resultant Set of Policy on a user to see if it is getting applied.
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

This script can help you clean up your user profile database by comparing profiles to Active Directory users in a particular OU, and removing the profiles that don't match.
This article outlines the process to identify and resolve account lockout in an Active Directory environment.
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question