Leandronn
asked on
Loading your settings failed (Access is denied) Windows Script Host Active Directory
Hi experts,
I've configured one server to be a domain server.
I've made a roaming profile for each user.
Every rule is working well except for the LOGON scripts.
When running with the user profile, an error message appears:
Loading your settings failed (Access is denied)
I've shared the folder containing the scripts, giving the user group full permissions.
Also, I've given the user full permissions on HKEY_LOCAL_MACHINE\SOFTWARE\Windows\Windows Script Host\Settings
I've also tried giving permissions over the exe file wscript.exe
I ran gpupdate /force in case there were troubles with the policies.
Every time, the error message is returned.
ANY, really, any help would be appreciated!
Thanks in advance.
Regards,
Leandro Nuñez.
ASKER
@CitizenRon: Thanks for your answer.
Could you explain to me how to do that? I'm kind of new to AD; I've reached that point where everything seems blurred...
Thank you so much!
Regards,
Leandro Nuñez.
The Default Network Profile is actually fairly easy to do. All you do is get a computer, configure it the way you want for your "base settings" and then copy the profile to the "SYSVOL\NetLogon\Default User" folder on your domain controller.
This takes two different users on the machine you're going to configure. One to configure it the way you want and another to copy the profile to the DC, which needs to be a Domain Admin.
Log in as a regular user and configure your computer the way you want everyone else's to start out. Be sure that this user does NOT already have a Roaming Profile folder on the DC. Once you're done configuring, restart the computer (make sure you restart and not just log off!!) and log back in as a Domain Admin. Now you need to copy the profile you just created. In Windows XP, you right click "My Computer", pick "Properties", click the "Advanced" tab then the User Profiles' "Settings" button.
Left click to highlight the User Profile you want to use (you can't pick the one for the currently logged-on user) and click the "Copy To" button. In the "Copy Profile To" section, type in \\SERVERNAME\SysVol\NetLogon\Default User but change servername to the name of your Domain Controller. Click the "Change" button underneath "Permitted to use" and select your "Domain Users" group. Click "Ok" and it will copy to your DC and then when a user logs into a workstation and they don't have a roaming profile, the DC will copy the "SysVol\NetLogon\Default User" folder to their roaming profile as a base new profile.
Doing this for all your users will require that you delete or move the profile folders that are already in your roaming profile folder on your server so that AD can create the new roaming profiles automatically for your users when they log in the first time.
Please check if your users have ownership and "Full Control" of the entire HKCU key,
and for this path: SOFTWARE\Windows\Windows script
The right path is HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings
ASKER
@CitizenRon: I have tried what you suggested but am still getting the same error.
@yehudaha: Thanks for your answer.
I've given those privileges on that key to the group, not just to one user; if I did it per user, I would have to give permissions to 47 different users.
Of course, I didn't mean to add 47 users.
Did you check ownership as I said, and not just permissions?
And to double check again: did you check permissions on the HKCU and HKLM keys?
And try this too:
Try creating the registry key:
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows Script\Settings
(no default value)
ASKER
@yehudaha: Thanks again for your answer.
I checked and double checked.
But, thinking a little, I have a stupid question that deserves to be asked:
Do I have to do this permission change in every machine that the user is going to log on?
If so, this solution doesn't fit my needs, because the user may log on to 26 different machines...
Therefore, is there any other way to add a printer for a specific group of users at logon?
Thanks!
"@CitizenRon: have tried what you suggested but still getting the same error."
Did you try it with new user profiles made from the Default profile? I.e. you renamed/removed/deleted the user's current roaming profile folder from the profile server and the one from their local machine and then had them log in and the DC server created a brand-new Roaming Profile for them?
Are the profiles being created properly on the workstation? If you open a command window and type SET USERPROFILE do you get USERPROFILE=C:\Documents and Settings\USERNAME or is it USERPROFILE=C:\Documents and Settings\TEMP?
When I would have those odd "Access is Denied" messages pop up, something usually went wrong with the profile creation and they ended up with USERPROFILE=C:\Documents and Settings\TEMP for their Profile path and we had to remove the locally cached profile as well as the roaming profile and have the system recreate them.
Also, if you're checking the Registry permissions and ownership, are you seeing any odd-looking GUIDs in the access lists instead of user or group names?
ASKER
@CitizenRon: Thanks for your answer.
Everything goes well with the profiles...
The problem is that I cannot run any logon script.
Tried everything, also reinstalling one of the client machines in case there were some policies crashing but still the same error...
The error appears each time a script executes... I can say so because I have 3 scripts and there are 3 error messages.
Thanks a lot.
What happens if you log onto the machine as a user that has "Administrators" rights to the local machine? Perhaps you could temporarily add a User's domain credentials to the local workstation's "Administrators" group and have them log in.
If they work fine after doing that, you've definitely proved it's an issue of permissions on the local workstation. I just can't find any other information on what it's actually trying to access. Have you checked the Event Viewer for errors?
"I've given those privileges to that key to the group, not just to one user, if so, I should give permissions for 47 different users."
That's not a very good thing to do security-wise. Probably not a horrible thing but nonetheless. HKEY_CURRENT_USER is not an actual key in the registry. It's like a shortcut on your desktop. It redirects to HKEY_USERS\BIGFREAKYLONGNUMBER where "BIGFREAKYLONGNUMBER" is the GUID of the currently logged in user. So if you grant access to the entire "HKCU" registry hive to a Domain Group of users, then all of those domain users will have access to the personal Registry Hive of the User that was logged in at the time on that local workstation.
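As an added diagnostic that nobody in this thread posted, the PowerShell script below, run in the affected user's session on one workstation, checks the things the two replies above turn on: whether the user landed in a TEMP profile, what the Windows Script Host Settings key contains under HKLM, under HKEY_USERS\.DEFAULT, and under the real HKEY_USERS\<SID> key that HKCU aliases, and whether any ACL entries show up as unresolved SIDs (the "odd-looking GUIDs"). The key path follows yehudaha's correction; the script itself and its output format are my own assumptions.

```powershell
# Added diagnostic, not from the thread. Run as the affected user on the
# workstation where the "Loading your settings failed" error appears.
$wshRel = 'Software\Microsoft\Windows Script Host\Settings'
$sid    = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value

# HKCU is only an alias for HKEY_USERS\<SID of the logged-on user>, so the
# ACL that matters for this user lives on the HKEY_USERS\$sid key.
$keys = @(
    "Registry::HKEY_LOCAL_MACHINE\$wshRel",
    "Registry::HKEY_USERS\$sid\$wshRel",       # what HKCU really points at
    "Registry::HKEY_USERS\.DEFAULT\$wshRel"    # used before a user hive is loaded
)

# Symptom 1: profile creation failed and the user got a TEMP profile, in
# which case registry ACL changes are the wrong place to look first.
if ($env:USERPROFILE -match '\\TEMP$') {
    Write-Warning "USERPROFILE is $env:USERPROFILE : profile load failed; fix that before touching ACLs"
}

foreach ($key in $keys) {
    if (-not (Test-Path -Path $key)) {
        Write-Output "$key : missing (WSH falls back to its built-in defaults)"
        continue
    }
    # 'Enabled' = 0 here disables WSH outright; $null means not set.
    $enabled = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).Enabled
    Write-Output "$key : Enabled=$enabled"

    # Symptom 2: ACEs whose principal no longer resolves are displayed as raw
    # SIDs; those are the "odd-looking GUIDs" in the permissions dialog.
    foreach ($ace in (Get-Acl -Path $key).Access) {
        $who = $ace.IdentityReference.Value
        $tag = if ($who -match '^S-1-\d+-') { '  UNRESOLVED' } else { '' }
        Write-Output ('    {0,-45} {1,-6} {2}{3}' -f $who, $ace.AccessControlType, $ace.RegistryRights, $tag)
    }
}
```

Compare the output from a user who gets the error with that from a local Administrator who does not; a Deny entry or an unresolved SID on the HKEY_USERS\<SID> key is the difference to look for.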
ASKER CERTIFIED SOLUTION
When you say you "made a roaming profile for each user" do you mean that you did it manually? I've never been able to modify roaming profile folders and get them to work again. Something about the permissions and access rights. On my system, the "Domain Admins" group don't even have the right rights to be able to even look inside a users roaming Profile folder on the server. If we need to do anything with it, we have to take ownership of it which completely breaks the profile's ability to be a roaming profile.
My suggestion is to create your Default Network Profile as you want it for all users then let AD create the roaming profiles on the fly when users log in. If you upload the Default Profile to your profile server, it will use that as a template to create any new profiles.