Solved

Access Denied When Using .vbs to Map Drives Through Group Policy

Posted on 2008-10-02
Last Modified: 2012-06-21
I am attempting to map a drive through a startup script using group policy and Windows 2003 AD. We are using .vbs files, creating a group policy object and then applying this to a computer group. Unfortunately, an error message is displaying and the drive is not mapping.

Error: Access Denied
Code: 80070005
Any input would help...thanks
Question by:tcat169
11 Comments
 
LVL 67

Expert Comment

by:sirbounty
ID: 22629121
Can you post the script you're using?
0
 
LVL 23

Expert Comment

by:Jeremy Weisinger
ID: 22629784
Yes, posting the script would be helpful.
But you say you're applying it to a computer group. A computer cannot map a drive. You need to apply it to users and it needs to run as a logon script if you are to push it out through Group Policy.

If that is what you're doing then have a look at this to see if any of these problems and solutions apply to your situation http://www.computerperformance.co.uk/Logon/code/code_80070005.htm
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 22631132
I ran into the same error and found the link that My Username provided was quite helpful:
________________________________________________________________________________
MY ERROR stemmed from Internet Explorer Enhanced Security preventing me from running VBS files from a remote location. As a test, I added the UNC path to the DC as a trusted site. I know it sounds odd, but it worked for me.
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_23351830.html

Though VBS wasn't mentioned in the files that are singled out, it is one of the group:

If IEES is your issue, like it was mine, here are the workarounds and fixes:
What's affected:
http://support.microsoft.com/kb/815141

You have a couple choices:
Choice 1) Go to Add/remove programs and remove Internet Explorer Enhanced Security.
Choice 2) Tells you how to add your intranet sites as trusted sites. UNC paths can use the *.* (meaning all) for a qualifier.

By IP block: (anything on this subnet is trusted)
\\10.10.10.*

By FQDN: (All on the fully qualified domain)
\\*.Fully.Qualified.domain.name

By NetBIOS name: (All shares on this computer are trusted)
\\Computername

http://windowsitpro.com/article/articleid/78049/jsi-tip-6644-how-can-i-use-group-policy-to-add-a-site-to-the-trusted-sites-zone.html

I hope this helps.

0

Author Comment

by:tcat169
ID: 22634780
Thanks for the responses. I have attached the code that is run. I believe you should be able to run a startup script on a computer vs. user through group policy. It is then applied to the computer (regardless of who logs in).

The first part of the code is what is applied through GP and the second part is the actual file that is run.  I am able to run the file once I am logged in.  The failure occurs at startup.  I will follow up on the IE suggestions and let you know.

Any additional help is appreciated.
\\sbcp.com\netlogon\verona_pb.vbs 
 
Set objNetwork = CreateObject("Wscript.Network")
objNetwork.MapNetworkDrive "Y:", "\\sbcp.com\public\veronaexpedite"


0
 
LVL 23

Expert Comment

by:Jeremy Weisinger
ID: 22635009
The issue is that you're running the script as a Startup script. The computer cannot map a drive and that is the issue. To make the script apply to every user that logs on to it you need to put the script in the logon section (under User Configuration\Windows Settings\Script) and then enable loopback processing using the Merge option (Computer Configuration\Administrative Templates\System\Group Policy\User Group Policy loopback processing mode).
0
 

Author Comment

by:tcat169
ID: 22635457
I am not certain that you are correct, because we can map a drive to a computer (Startup Script) under Computer Configuration using \\servername\share, but the drive appears as "disconnected" and users with IE 7.0 have difficulty running executables from this "shared" drive.  We implemented DFS and are trying to map via \\domain\public.
0
 
LVL 23

Expert Comment

by:Jeremy Weisinger
ID: 22635569
Mapped drives are in the HKCU\Network key. Unless the script specifically modifies the HKU\ on the machine it is impossible for a startup script to map a drive.
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 22635936
Try putting the UNC path in trusted sites. I know it sounds odd, but it is a good test of IEES.
0
 

Author Comment

by:tcat169
ID: 22636981
I totally disabled IEES on my DCs and put the UNC... still no luck.
0
 
LVL 23

Accepted Solution

by:
Jeremy Weisinger earned 1000 total points
ID: 22637054
Mapping network drives must be done under a user context. This means that you cannot map a drive with a startup script. You will continue to not have any luck until you start running it as a logon script.

In my post above I gave the general steps on how to apply a logon script to users based on computer. http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_23783348.html?cid=238#a22635009

I can tell you how to apply a logon script to a specific computer in more detail if you need. Let me know.
0
 

Author Closing Comment

by:tcat169
ID: 31502579
The Loopback/Merge option worked. Thanks for your help... I will not doubt again...
0
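
The following is an added example, not code posted by anyone in this thread: a logon-script version of the mapping that refuses to run outside a user context and records the failure code instead of stopping with an error dialog. The drive letter and share path are the ones from the question; the non-persistent mapping and the event-log messages are assumptions. It is meant to be linked under User Configuration as a logon script, with loopback processing (Merge) enabled as described in the accepted solution.

```vbscript
Option Explicit

Const DRIVE_LETTER = "Y:"
Const SHARE_PATH   = "\\sbcp.com\public\veronaexpedite"   ' path from the question

' Event types accepted by WshShell.LogEvent
Const EVT_ERROR = 1
Const EVT_WARNING = 2

Dim objNetwork, objShell, objDrives, i
Set objNetwork = CreateObject("WScript.Network")
Set objShell   = CreateObject("WScript.Shell")

' Startup scripts run as Local System, which has no user profile to hold
' the mapping. Assumption: UserName reports "SYSTEM" in that context.
If UCase(objNetwork.UserName) = "SYSTEM" Then
    objShell.LogEvent EVT_WARNING, "Drive map skipped: script is running " & _
        "as SYSTEM (startup script). Assign it as a logon script instead."
    WScript.Quit 1
End If

' EnumNetworkDrives returns pairs: Item(i) = drive letter, Item(i+1) = UNC path.
Set objDrives = objNetwork.EnumNetworkDrives
For i = 0 To objDrives.Count - 1 Step 2
    If UCase(objDrives.Item(i)) = UCase(DRIVE_LETTER) Then
        ' Already mapped to the right share: nothing to do.
        If UCase(objDrives.Item(i + 1)) = UCase(SHARE_PATH) Then WScript.Quit 0
        ' Mapped elsewhere: force-remove and forget the stale mapping.
        objNetwork.RemoveNetworkDrive DRIVE_LETTER, True, True
        Exit For
    End If
Next

' Map without saving to the profile (assumption: the GPO re-runs this at
' every logon, so persistence is not needed).
On Error Resume Next
objNetwork.MapNetworkDrive DRIVE_LETTER, SHARE_PATH, False
If Err.Number <> 0 Then
    ' Hex() turns -2147024891 into 80070005, the code shown in the question.
    objShell.LogEvent EVT_ERROR, "Mapping " & DRIVE_LETTER & " to " & _
        SHARE_PATH & " failed for " & objNetwork.UserName & ": 0x" & _
        Hex(Err.Number) & " " & Err.Description
    WScript.Quit 2
End If
On Error GoTo 0
```

Writing to the Application event log rather than calling WScript.Echo keeps logon from blocking on a dialog when the script is run by wscript.exe.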


Question has a verified solution.
