Solved

Userinit 1000 error, can't run GPO based logon script.

Posted on 2009-04-30
Last Modified: 2012-05-06
I have a GPO based logon script that gathers computer inventory information for me. I have an OU for my terminal server that has a policy applied to it that locks a lot of things down. When these users log on, I receive this error:

----------
Event Type:      Error
Event Source:      UserInit
Event Category:      None
Event ID:      1000
Date:            4/30/2009
Time:            11:18:00 AM
User:            N/A
Computer:      OKC-TS-01
Description:
Could not execute the following script \\mydomain.local\SysVol\mydomain.local\Policies\{6EE65577-C6D9-4C1F-9B63-BBA90333892E}\User\Scripts\Logon\computer-inventory.vbs. .

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
----------

I have software restrictions in place, but I've added "computer-inventory.vbs" and "cscript.exe" to the GPO under "User Config\Admin Templates\System\Run only allowed Windows applications"

and also an "Unrestricted" hash for the file in "User Config\Windows Settings\Security Settings\Software Restrictions\Additional Rules"

I've got to be missing something, but I don't know what it is - I need this script to be able to run for all users, regardless of what restrictions they have in place.

Any help is appreciated!
Question by:InterWorks
11 Comments
 
LVL 13

Expert Comment

by:martin_babarik
ID: 24272552
Hello,

I'd say the problem is in the fact that you are trying to run the script directly.
What about making a batch file containing something like "cscript computer-inventory.vbs" and adding this batch file to the GPO?

Also run the Group Policy Results wizard from Group Policy Management Console to see whether these SW restriction settings aren't blocking your script.
Martin
0
 
LVL 1

Author Comment

by:InterWorks
ID: 24273462
What would I look for on GPR to determine if it's blocking the script or not? The bat file is likely to do the same thing, since it's just a different type of script calling yet another script.
0
 
LVL 13

Expert Comment

by:martin_babarik
ID: 24273665
In the Settings tab you should verify that the GPO is in use (click Show All in the upper right corner).
The bat file isn't the same. It depends which script interpreter you have set as default on the system (it's wscript by default, which is really not the best in this case).

Also try to run the script manually using the UNC path pointing to the script - just to see whether this way it works.
0
 
LVL 1

Author Comment

by:InterWorks
ID: 24295861
I can't run it with UNC with the settings enabled, it says "Access to this path has been disallowed."
0
 
LVL 13

Expert Comment

by:martin_babarik
ID: 24296069
Ok thank you for updating. In this case I think it's obvious - the path in which you have the script is disallowed (likely by your SW restriction policy).
Just to make sure - disable the GPO link (the one which contains SW restrictions), and then on the target computer run gpupdate /force (then restart it). Now it should be able to run the script.

I don't know how exactly you configured the restrictions, but if you have some path set as disallowed and you add a hash rule for some file to be unrestricted, whereas the file is in the path, it can't be executed.
I suggest removing this GPO and starting with a completely new one from scratch. Try to test and learn the rules of SW restrictions on some virtual machine before implementing them in a production environment, as the impact of using these restrictions might be very destructive.
Martin
0
 
LVL 1

Author Comment

by:InterWorks
ID: 24297249
Does anybody else know where this path might be blocked? I'd like to get it working without rebuilding the settings from scratch, since it's a production server. I unlinked the GPO and tried to run the script, successfully. When I relink the GPO, it tells me access denied when trying to execute the script.

Any ideas would be appreciated!
0
 
LVL 13

Expert Comment

by:martin_babarik
ID: 24297383
Sorry, but why do you ask where this path might be blocked? You saw for yourself that it's blocked in your GPO containing these restrictions.
If you can, please export the settings of the SW restrictions (or make a screenshot) and put it here.
0
 
LVL 1

Author Comment

by:InterWorks
ID: 24298135
I know it's blocked in the GPO, but I'm not familiar enough with GPOs and software restrictions to know how or where within the GPO it's blocked. I modeled the results of a user with this restriction in place, and have attached them here. If you can tell me what exception I might need to add, and where to add it, I'd love it. More good karma if you can explain why! :-)

Thanks
outest.html.txt
0
 
LVL 13

Accepted Solution

by:
martin_babarik earned 1500 total points
ID: 24299120
Thanks. I read it 10 times but don't see the cause of the problem.
Just one idea: you have cscript listed under allowed apps. Try also adding wscript, as this is the default script interpreter.
Also try to set the default interpreter to cscript by using this command on the target: cscript //h:cscript

0
 
LVL 1

Author Closing Comment

by:InterWorks
ID: 31576530
The answer: add wscript.exe as an allowed application - wscript was the default script interpreter just as you said. Once I added that, the script ran without problems. (Actually, I needed to edit one more path to allow it to write its results, but that was easy and out of scope of this question).

Thanks for the help!
0
 
LVL 13

Expert Comment

by:martin_babarik
ID: 24299412
Glad you did it. Thanks for the points.
Martin
0
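
A way to check the accepted fix before the next logon, as an added example that is not part of the original thread: this PowerShell script resolves which script host the `.vbs` association launches by default and compares it with the user's "Run only allowed Windows applications" list. It assumes it is run in the affected user's session and that no per-user UserChoice override exists for the extension; the function and variable names are illustrative.

```powershell
# Added example, not from the thread. Run it in the affected user's session:
# the policy (HKCU) and the file association are both read from that user's view.
param([string]$Extension = '.vbs')

$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$classes   = 'Registry::HKEY_CLASSES_ROOT'

function Get-AllowedApps {
    # Executable names stored by "Run only allowed Windows applications"
    # (string values under the RestrictRun subkey); emits nothing if the key is absent.
    $list = Get-Item "$policyKey\RestrictRun" -ErrorAction SilentlyContinue
    if ($list) {
        $list.GetValueNames() | ForEach-Object { "$($list.GetValue($_))".ToLower() }
    }
}

function Get-DefaultHost([string]$Ext) {
    # Extension -> ProgID -> default verb -> command line -> executable name.
    $progId = (Get-Item "$classes\$Ext").GetValue('')
    $verb   = (Get-Item "$classes\$progId\Shell").GetValue('')
    if (-not $verb) { $verb = 'Open' }   # no explicit default verb: the shell uses Open
    $command = (Get-Item "$classes\$progId\Shell\$verb\Command").GetValue('')
    if ($command -match '([^\\"]+\.exe)') { $Matches[1].ToLower() }
}

# The policy is active only when the RestrictRun DWORD on the Explorer key is 1.
$explorer   = Get-ItemProperty $policyKey -ErrorAction SilentlyContinue
$policyOn   = [bool]($explorer -and $explorer.RestrictRun -eq 1)
$allowed    = @(Get-AllowedApps)
$scriptHost = Get-DefaultHost $Extension

[pscustomobject]@{
    Extension     = $Extension
    DefaultHost   = $scriptHost
    PolicyEnabled = $policyOn
    AllowedApps   = $allowed -join ', '
    # Blocked when the policy is on and the host that will actually be
    # launched is missing from the allow list (the situation in this thread).
    HostBlocked   = $policyOn -and ($allowed -notcontains $scriptHost)
}
```

With the configuration described in the question (cscript.exe allowed, wscript.exe still the default host), `HostBlocked` reports `True`; it turns `False` once wscript.exe is added to the list or the default host is switched with `cscript //h:cscript`.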
