Solved

Logon script fails on Terminal Server

Posted on 2009-05-14
9
733 Views
Last Modified: 2013-11-10
Regular users fail to automatically get drive mappings (configured by group policy logon script) when logging on to our terminal server (Windows Server 2003). These same users get the drive mappings when logging on to their local workstations.

CRUCIAL: The regular users always get the drive mappings in the terminal server WHEN they execute the logon script MANUALLY. The logon script is the same file for all users in the domain.

However, Domain Admins users can AUTOMATICALLY get the drive mappings when logging on to our terminal server - just like logging on to their workstations.

HOW can I get regular users to automatically get drive mappings when logging on to the therminal server?
0
Comment
Question by:waforbes100
  • 5
  • 4
9 Comments
 
LVL 27

Expert Comment

by:bluntTony
Comment Utility
Have you checked that the login script policy is actually applying to the users? Run an RSoP query on the TS server as one of the users (rsop.msc). Is it applying as a login script?

Could you possibly have a loopback policy on the the server blocking this login script which admins are exempt from?
0
 

Author Comment

by:waforbes100
Comment Utility
Hello Blunt Tony: RSoP never shows the application of login scripts (at least not for XP or Server 2003).
Also, note the following:
1. The same login script works perfectly when users logon their workstations.
2. No loopback processing is configured for the local terminal server nor the Active Directory group policy.
3. The login script works when placed into the "C:\Documents and Settings\All Users\Start Menu\Programs\Startup" folder.

I hope the above three points are useful clues.
0
 
LVL 27

Expert Comment

by:bluntTony
Comment Utility
You're correct about the login scripts - I was thinking startup scripts showing on an RSoP.

What about Terminal Services configuration? In the RDP-Tcp properties on the Client Settings tab there is an option to disable such things as Drive Mapping etc, also check the 'Permission Compatibility' option in the Server Settings container.

Why don't you try to add something to the script which will tell you whether it's being run at all, or whether just the mappings are failing? (e.g. a VB script MsgBox or similar).

0
 

Author Comment

by:waforbes100
Comment Utility
Hello bluntTony,
I've attached JPEGs of the Terminal Services Configuration Server Settings and RDP-Tcp Client Settings.
Below, I have provided RDP-Tcp Permissions:
1. Administrators = Full Control (Allow)
2. Remote Desktop Users = User Access, Guest Access (Allow)
3. LOCAL SERVICE = Query Information (Allow), Message (Allow)
4. NETWORK SERVICE = Query Information (Allow), Message (Allow)
5. SYSTEM = Full Control (Allow)

TSC-Server-Settings.JPG
Client-Settings-RDP-Tcp.JPG
0
Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

 
LVL 27

Expert Comment

by:bluntTony
Comment Utility
Have you tried to add something to the script that would prove whether it's running or not?
0
 

Author Comment

by:waforbes100
Comment Utility
I don't know how to do this. I am attaching the VBS script as a TXT file for your review.
Mapdrives.txt
0
 
LVL 27

Accepted Solution

by:
bluntTony earned 500 total points
Comment Utility
I've added a line with a MsgBox command to throw up a window saying 'Script Running'. (near the top of the code)

Test this on a login and see if the box appears. If it does, the script is running but the mappings are failing, otherwise the script is not running.
Mapdrives.txt
0
 

Author Comment

by:waforbes100
Comment Utility
bluntTony, your suspicions were right: the login script only runs for admin users. The message does not appear for regular users who log on to the terminal server.
QUESTION: What setting on this terminal server can prevent scripts from running for regular users?
0
 

Author Closing Comment

by:waforbes100
Comment Utility
The solution provided allowed to determine the root of the problem; thus I was able to find a work-around: I placed the logon script in the "C:\Documents and Settings\All Users\Start Menu\Programs\Startup" folder, which resolved the issue.
However, I still don't know WHY the domain logon script won't execute for regular users (that hasn't been corrected - only worked-around).
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
SolarWind and DNS Server 12 33
Active Directory Audit 18 68
Tembedded WB animatid gifs not animated on some pcs 2 23
lync 2013 7 29
Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
Synchronize a new Active Directory domain with an existing Office 365 tenant
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
In this fourth video of the Xpdf series, we discuss and demonstrate the PDFinfo utility, which retrieves the contents of a PDF's Info Dictionary, as well as some other information, including the page count. We show how to isolate the page count in a…

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now