Solved

Access Denied When Using .vbs to Map Drives Through Group Policy

Posted on 2008-10-02
11
1,005 Views
Last Modified: 2012-06-21
I am attempting to map a drive through a startup script using group policy and Windows 2003 AD. We are using .vbs files, creating a group policy object and then applying this to a computer group. Unfortunately, an error message is displaying and the drive is not mapping.

Error: Access Denied
Code: 80070005
Any input would help...thanks
0
Comment
Question by:tcat169
  • 4
  • 4
  • 2
  • +1
11 Comments
 
LVL 67

Expert Comment

by:sirbounty
Comment Utility
Can you post the script you're using?
0
 
LVL 18

Expert Comment

by:Jeremy Weisinger
Comment Utility
Yes, posting the script would be helpful.
But you say you're applying it to a computer group. A computer cannot map a drive. You need to apply it to users and it need to run as a logon script if you are to push it out through Group Policy.

If that is what you're doing then have a look at this to see if any of these problems and solutions apply to your situation http://www.computerperformance.co.uk/Logon/code/code_80070005.htm
0
 
LVL 38

Expert Comment

by:ChiefIT
Comment Utility
I ran into the same error and found the link that My Username provided was quite helpful:
________________________________________________________________________________
MY ERROR stemmed from Internet Explorer Enhanced Security preventing me from running VBS files from a remote location. As a test, I added the UNC path to the DC as a trusted site. I know it sounds odd, but it worked for me.
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_23351830.html

Though VBS wasn't metioned in the files that are signled out, it is one of the group:

If IEES is your issue, like it was mine here are the workarounds and fixes:
What's effected:
http://support.microsoft.com/kb/815141

You have a couple choices:
Choice 1) Go to Add/remove programs and remove Internet Explorer Enhanced Security.
Choice 2) Tells you how to add your intranet sites as a trusted sites. UNC paths can use the *.* (meaning all) for a qualifier.

By IP block: (anything on this subnet is trusted)
\\10.10.10.*

By FQDN: (All on the fully qualified domain)
\\*.Fully.Qualified.domain.name

By netbios name: (All shares are this computer are trusted)
\\Computername

http://windowsitpro.com/article/articleid/78049/jsi-tip-6644-how-can-i-use-group-policy-to-add-a-site-to-the-trusted-sites-zone.html

I hope this helps.

0
 

Author Comment

by:tcat169
Comment Utility
Thanks for the responses. I have attached the code that is run.  I believe you should be able to run a startup script on a computer vs.  user through group policy.  It is then applied to the computer (regardless of who logs in) .  

The first part of the code is what is applied through GP and the second part is the actual file that is run.  I am able to run the file once I am logged in.  The failure occurs at startup.  I will follow up on the IE suggestions and let you know.

Any additional help is appreciated.
\\sbcp.com\netlogon\verona_pb.vbs 
 

Set objNetwork = CreateObject("Wscript.Network")

	objNetwork.MapNetworkDrive "Y:", "\\sbcp.com\public\veronaexpedite"

Open in new window

0
 
LVL 18

Expert Comment

by:Jeremy Weisinger
Comment Utility
The issue is that you're running the script as a Startup script. The computer cannot map a drive and that is the issue. To make the script apply to every user that logs on to it you need to put the script in the logon section (under User Configuration\Windows Settings\Script) and then enable loopback processing using the Merge option (Computer Configuration\Administrative Templates\System\Group Policy\User Group Policy loopback processing mode).
0
Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

 

Author Comment

by:tcat169
Comment Utility
I am not certain that you are correct, because we can map a drive to a computer (Startup Script) under Computer Configuration using \\servername\share, but the drive appears as "disconnected" and users with IE 7.0 have difficulty running executables from this "shared" drive.  We implemented DFS and are trying to map via \\domain\public.
0
 
LVL 18

Expert Comment

by:Jeremy Weisinger
Comment Utility
Mapped drives are in the HKCU\Network key. Unless the script specifically modifies the HKU\ on the machine it is impossible for a startup script to map a drive.
0
 
LVL 38

Expert Comment

by:ChiefIT
Comment Utility
Try putting the UNC path in trusted sites. I know it sounds odd, but it is a good test of IEES.
0
 

Author Comment

by:tcat169
Comment Utility
I totally disabled IEES on my DCs and put the UNC ..still no luck .
0
 
LVL 18

Accepted Solution

by:
Jeremy Weisinger earned 250 total points
Comment Utility
Mapping network drives much be done under a user context. This means that you cannot map a drive with a startup script. You will continue to not have any luck until you start running it as a logon script.

In my post above I gave the general steps on how to apply a logon script to users based on computer. http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_23783348.html?cid=238#a22635009

I can tell you how to apply a logon script to a specific computer in more detail if you need. Let me know.
0
 

Author Closing Comment

by:tcat169
Comment Utility
The Loopback/Merge option worked.  Thanks for your help...I will not doubt again....
0

Featured Post

6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

Join & Write a Comment

Setting up a Microsoft WSUS update system is free relatively speaking if you have hard disk space and processor capacity.   However, WSUS can be a blessing and a curse. For example, there is nothing worse than approving updates and they just have…
This article is the result of a quest to better understand Task Scheduler 2.0 and all the newer objects available in vbscript in this version over  the limited options we had scripting in Task Scheduler 1.0.  As I started my journey of knowledge I f…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now