SE-Pneumatic asked:

GPO Logon Script on Server 2008 R2 RDS

I am having a lot of difficulty for some reason with a logon script. Currently we have all of our users with a logon batch file from the Profile tab of the user account in AD. These batch files are based off of the OU that the user is in for example:
a user in the Sales OU has a logon script named Sales.bat that is assigned in the Profile tab.
I am trying to move away from this by creating the Logon Scripts through a GPO. I have one Server 2003 PDC at the same site as the Server 2008 R2 RDS (terminal server) and a Server 2008 R2 DC that is the secondary and located at another site. I have tried working with the GPMC on the Server 2008 DC as well as the Group Policy tab on the properties of the OU in AD on the Server 2003 machine. Both show the same thing, the scripts and batch files are all replicating properly between the two. Replication between the two shows no errors and all seems well. Basically what I have done so far is create a new policy for an OU (IT OU that contains myself - using this for testing so I'll have admin privileges and I'll test a regular user once I can get it working for me) and went to User Configuration > Windows Settings > Scripts (Logon/Logoff) > Logon. Once there, I added two things, one is a batch file which I have tried saving in the Scripts folder and also saved in the Policies\{HEX}\User\Scripts\Logon folder and neither method is working. The other I used was a vbs file saved in Policies\{HEX}\User\Scripts\Logon folder. Neither of these is running when I remote into the 2008 R2 RDS. They run on my workstation when I log in but not when I connect to the RDS. In the process of searching for a resolution to this, I have run both the bat file and the vbs manually and both process fine and map the drives properly. In addition to this, I have tried running gpupdate /force but that makes no difference (I logged out and back in afterwards, still nothing). I have also run gpresult /z and it shows different results sometimes but it shows:
Logon Scripts:
GPO: IT Name: \\domain\sysvol\domain\scripts\IT.bat
Last Executed: 6:16:17 PM
Name: ScriptName.vbs
Last Executed: 6:16:17 PM

but earlier today when I ran that on my local machine it showed LastExecuted: This script has not yet been executed.
even though it actually ran on my local machine and mapped all of the drives...

I have no clue what I am doing wrong or why this isn't working at this point and can't afford to spend days working on this one little thing so any help is GREATLY appreciated. The main reason I am trying to go to this is because I need more than one logon script to run for a few people. My plans are to migrate everyone from the individual logon script on the profile tab to the GPO logon script whether I can use the batch file or the vbs script (either way) so it frees up the logon script spot on the profile tab so I can select a few users that need an additional logon script. The reason for that is because they are scattered between OUs.

Sorry for the long, drawn out post but I wanted to get as much detail out as possible but any questions, feel free to ask.

As mentioned, any help is greatly appreciated.

Thanks
ShareefHuddle:

You need to set your loopback policy:

http://support.microsoft.com/kb/260370
SE-Pneumatic (asker):

Thanks for the quick response. I followed the instructions on that link but still have no mapped drives...
I have the GPO that is for OUs that contain users but it isn't working when they log into the server. I went to the GPO, went to properties, Security and added the RDS Server computer as well as the Terminal Server Computers group which contains the server, and set them both with the permissions mentioned on the link provided (Allow for Read and Apply). Do I need to do anything else?
No that should work. Try applying the GPO to the OU of your RDS/TS servers. Oh and don't forget to run a gpupdate after :)
By the way, not sure if this is relevant or not or even why it is like this but I just ran gpresult /z again on the server and it has changed from the 6:16:17 PM time it had earlier when I made this post to 6:39:12 PM. This really makes no sense to me, especially since I am on Eastern Time Zone and so is this server so it is 2:50 PM right now anyway... Also, why would the time change if it didn't map the drives? Is it actually running but not mapping the drives? Why would it map them properly when I run them manually? Why is the time so off...? Don't mean to complicate things further but this has really confused me and I have no clue on it anymore.

Thanks
Yes gpresult shows by GMT
I did run a gpupdate /force after I made the change earlier but like I said, still no drives. What GPO am I applying to the OU of the RDS server? I am wanting a Logon script to run for each OU that contains users such as a GPO that runs a logon script for IT for the IT OU, a logon script for Sales for the Sales OU...
So why does the gpresult show that it ran but I still have no mapped drives?
Just for a test apply any mapped drive GPO to your TS OU
As a logon script?
Ok. So now I have an OU called IT that contains my user. This OU has a GPO that maps drives with a logon script. I also have an OU called TerminalServers that contains the RDS server. This OU has a GPO that contains a logon script (under User) with the SAME bat file used in the IT GPO. I did a gpupdate /force, logged out and back in, still no mapped drives on the RDS server...
For clarification, loopback policy forces policies normally ignored to be applied IF and ONLY IF the Policy is a User policy and it would normally be enforced on a Computer Object.  For example, if you have a User Policy in a GPO applied to your TS Server OU, it would be skipped if the user is not in the OU; however, loopback will force the GPO to apply User policies in that GPO if loopback is enabled regardless of the User's OU membership.  So, if your GPO "IT Policy", which contains User policies, is applied at the User's OU, it will be applied to the user's login regardless of the server's OU membership.  If the GPO "IT Policy" is applied at the TS Server OU, it will only apply to users who reside in that OU unless loopback is enabled, at which time it will apply to users who log into Computers in that OU.

Secondly, AD doesn't have a PDC (Primary Domain Controller) as NT4 did.  What it does have is a FSMO role called PDCe (PDC Emulator).  It is more correct to refer to the server which contains that FSMO Role as the PDCe (as opposed to the PDC).

What you need to do is employ two different tools.  The first is simply a GPRESULT.  This will list the GPOs which should be applied at the Computer and User level and which are ignored.  But, if they conflict or have some error, you won't see it there.  Secondly, you need to use RSOP.msc (resultant set of policies), which will aggregate all the GPOs applied in a GPMC type window.

Once you have run those two tools, report back the results, please.

DrUltima
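To gather in one place what the post above asks for (which user logon scripts the Group Policy client actually recorded, whether loopback is in effect on the computer, and whether each script path is even reachable from the session), here is an added PowerShell diagnostic; it is not from the thread or from any of its participants. It assumes the registry layout the Group Policy client uses for its script list (Scripts\Logon\<gpo>\<n> with Script and ExecTime, FileSysPath on the parent key) and the UserPolicyMode, HideLogonScripts and RunLogonScriptSync policy values, and it must be run inside the RDS session as the affected user.

```powershell
# Added diagnostic (not from the thread). Run inside the RDS session as the
# affected user. Assumed registry layout: one numbered subkey per GPO under
# Group Policy\Scripts\Logon, one numbered subkey per script below it.

function Get-LoopbackMode {
    # "Configure user Group Policy loopback processing mode" sets UserPolicyMode:
    # 1 = Merge, 2 = Replace; the value is absent when the policy is not configured.
    $key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $mode = (Get-ItemProperty -Path $key -Name UserPolicyMode -ErrorAction SilentlyContinue).UserPolicyMode
    switch ($mode) { 1 { 'Merge' } 2 { 'Replace' } default { 'Not configured' } }
}

function Get-LogonScriptPolicy {
    $hkcu = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    $hklm = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    New-Object PSObject -Property @{
        LoopbackMode     = Get-LoopbackMode
        # HideLogonScripts = 0 is "Run logon scripts visible"; handy while debugging
        ScriptsVisible   = ((Get-ItemProperty $hkcu -Name HideLogonScripts -ErrorAction SilentlyContinue).HideLogonScripts -eq 0)
        RunSynchronously = ((Get-ItemProperty $hklm -Name RunLogonScriptSync -ErrorAction SilentlyContinue).RunLogonScriptSync -eq 1)
    }
}

function Get-UserLogonScripts {
    $base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logon'
    if (-not (Test-Path $base)) { return @() }
    foreach ($gpoKey in Get-ChildItem $base) {
        $gpo = Get-ItemProperty $gpoKey.PSPath
        foreach ($scriptKey in Get-ChildItem $gpoKey.PSPath) {
            $s = Get-ItemProperty $scriptKey.PSPath
            # Script is either a full UNC path (NETLOGON style) or a file name
            # relative to the GPO's User\Scripts\Logon folder under FileSysPath.
            $path = if ($s.Script -match '^\\\\') { $s.Script }
                    else { Join-Path $gpo.FileSysPath ('Scripts\Logon\' + $s.Script) }
            # ExecTime is assumed to be a SYSTEMTIME blob; all zero bytes = never run.
            $hasRun = ($null -ne $s.ExecTime) -and (@($s.ExecTime | Where-Object { $_ -ne 0 }).Count -gt 0)
            New-Object PSObject -Property @{
                GPO      = $gpo.DisplayName
                Script   = $s.Script
                Path     = $path
                Readable = (Test-Path -LiteralPath $path)   # ACL or replication problem if False
                HasRun   = $hasRun
            }
        }
    }
}

Get-LogonScriptPolicy | Format-List
Get-UserLogonScripts  | Format-Table GPO, Script, Path, Readable, HasRun -AutoSize
```

A script that is listed but not Readable from the RDS session points at SYSVOL permissions or replication rather than at the script itself; a script listed with HasRun true but no drives mapped means the script executed and the mapping failed inside it.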
As for the PDC, PDCe, etc... I refer to it as the PDC because it was the original one, contains all the FSMO roles, etc. and in DNS is listed under Forward LZ > _msdcs.domain > pdc... That is basically irrelevant to the discussion though.

As for the discussion at hand, as mentioned, I have the IT OU with an IT GPO that has a logon script set. I also have a TerminalServers OU that has the IT GPO set on it per instructions above for "testing". I ran gpupdate /force afterwards, replicated, etc. and still no mapped drives. I just ran gpresult and under USER SETTINGS > Resultant Set Of Policies for User > Logon Scripts it shows:

GPO: IT
Name: \\domain\sysvol\domain\scripts\IT.bat
Last Executed: 7:24:40 PM
Name: ScriptName.vbs
Last Executed: 7:24:40 PM

Also, I ran rsop.msc and went through User Configuration > Windows Settings > Scripts > Logon
From there it shows BOTH the bat file and the vbs script the same as the results from gpresult (with the exception of the time being formatted for my time zone in the rsop gui).

Although I see these results, I do NOT have any mapped drives... I can still go through the network, find the bat file and the vbs file and run them manually and they BOTH map the correct network drives with no issues...

What now...? I'm still lost.
Would you mind posting the two scripts in question (it.bat and scriptname.vbs)?

DrUltima
Why do I need the IT (or any for that matter) GPO applied to an OU that contains the RDS computer (or any computer)? Will this make the GPO run for any user that logs onto that computer? That is not what I am wanting. I want a GPO assigned to each OU that contains Users so that group of users has certain drives mapped.
No, your user policies should be applied to the OU which contains the users.  You appear to have it set up correctly, which is why I asked for the code of your scripts.

DrUltima
IT.bat
-------------
net use h: /home
net use O: \\server\sales /PERSISTENT:no
net use Q: \\server\Purchasing /PERSISTENT:no
net use M: \\server\reception /PERSISTENT:no
net use y: \\server\IT /PERSISTENT:no

-----------------------------------------------------------------------
Script.vbs

Set objNet = CreateObject("WScript.Network")
strCompName = objNet.ComputerName
strQuitVar = "0"

IF strCompName = "server" THEN
      strQuitVar = "1"
END IF

IF strQuitVar = "0" THEN
      Set objNetwork = CreateObject("WScript.Network")
      objNetwork.MapNetworkDrive "P:" , "\\server\Shared_Folder"
END IF



Only things I changed while posting were server name and folder names... Otherwise same basically...
So can I remove the GPO that I setup for the OU that contains the RDS server? What was the purpose in putting that there?

I'm assuming all I really need are to have the scripts in the GPO and have it applied to the user OU, correct...?
I'm sure the VBS isn't the best but that was my first script so I was kind of winging it... Either way, it appears to work fine when I run the script manually, same with the bat file...
Actually the vbs doesn't work like I want it to about checking the computer name but I can deal with that later. That's strictly a VBS question as far as coding it to handle checking a computer name before running the bulk of the script. I just need to know how to get the scripts to actually start running when users log in on ALL machines, including and especially the RDS server...
OK... In your IT.bat, let's echo back and see if the login script is really running:

@echo off

REM - First, we will delete possibly mapped drives
     net use H:  /delete
     IF %ERRORLEVEL% EQU 0 (ECHO Deleted Drive H.) ELSE (Echo An error was found deleting drive H.)
     net use O: /delete
     IF %ERRORLEVEL% EQU 0 (ECHO Deleted Drive O.) ELSE (Echo An error was found deleting drive O.)
     net use Q: /delete
     IF %ERRORLEVEL% EQU 0 (ECHO Deleted Drive Q.) ELSE (Echo An error was found deleting drive Q.)
     net use M: /delete
     IF %ERRORLEVEL% EQU 0 (ECHO Deleted Drive M.) ELSE (Echo An error was found deleting drive M.)
     net use Y: /delete
     IF %ERRORLEVEL% EQU 0 (ECHO Deleted Drive Y.) ELSE (Echo An error was found deleting drive Y.)
     ECHO Finished Deleting Mapped Drives

REM - Second, we will map the desired drives
     net use h: /home
     IF %ERRORLEVEL% EQU 0 (ECHO Mapped Home Drive to H:) ELSE (Echo An error was found mapping drive H:)
     net use O: \\server\sales /PERSISTENT:no
     IF %ERRORLEVEL% EQU 0 (ECHO Mapped Sales Drive to O:) ELSE (Echo An error was found mapping drive O:)
     net use Q: \\server\Purchasing /PERSISTENT:no
     IF %ERRORLEVEL% EQU 0 (ECHO Mapped Purchasing Drive to Q:) ELSE (Echo An error was found mapping drive Q:)
     net use M: \\server\reception /PERSISTENT:no
     IF %ERRORLEVEL% EQU 0 (ECHO Mapped Reception Drive to M:) ELSE (Echo An error was found mapping drive M:)
     net use y: \\server\IT /PERSISTENT:no
     IF %ERRORLEVEL% EQU 0 (ECHO Mapped IT Drive to Y:) ELSE (Echo An error was found mapping drive Y:)
     ECHO Finished Mapping Drives

REM - Finally, we will exit the batch file
     EXIT

Make sure the batch is echoing back to you so you can verify activity as it happens.

Next, let's modify your vbscript:

Set objNet = CreateObject("WScript.Network")
strCompName = objNet.ComputerName

IF strCompName = "server" THEN
      'Do Nothing
ELSE
      Set objNetwork = CreateObject("WScript.Network")
      objNetwork.MapNetworkDrive "P:" , "\\server\Shared_Folder"
END IF

WScript.Quit

It looks to me, though, like you are using two scripts to map network drives.   You can combine those:

@echo off

REM - First, we will delete possibly mapped drives (/y answers the "open files" prompt so a logon script never hangs)
     net use H: /delete /y
     IF %ERRORLEVEL% EQU 0 (ECHO Deleted Drive H.) ELSE (Echo An error was found deleting drive H.)
     net use O: /delete /y
     IF %ERRORLEVEL% EQU 0 (ECHO Deleted Drive O.) ELSE (Echo An error was found deleting drive O.)
     net use Q: /delete /y
     IF %ERRORLEVEL% EQU 0 (ECHO Deleted Drive Q.) ELSE (Echo An error was found deleting drive Q.)
     net use M: /delete /y
     IF %ERRORLEVEL% EQU 0 (ECHO Deleted Drive M.) ELSE (Echo An error was found deleting drive M.)
     net use Y: /delete /y
     IF %ERRORLEVEL% EQU 0 (ECHO Deleted Drive Y.) ELSE (Echo An error was found deleting drive Y.)
     net use P: /delete /y
     IF %ERRORLEVEL% EQU 0 (ECHO Deleted Drive P.) ELSE (Echo An error was found deleting drive P.)
     ECHO Finished Deleting Mapped Drives

REM - Second, we will map the desired drives
     net use h: /home
     IF %ERRORLEVEL% EQU 0 (ECHO Mapped Home Drive to H:) ELSE (Echo An error was found mapping drive H:)
     net use O: \\server\sales /PERSISTENT:no
     IF %ERRORLEVEL% EQU 0 (ECHO Mapped Sales Drive to O:) ELSE (Echo An error was found mapping drive O:)
     net use Q: \\server\Purchasing /PERSISTENT:no
     IF %ERRORLEVEL% EQU 0 (ECHO Mapped Purchasing Drive to Q:) ELSE (Echo An error was found mapping drive Q:)
     net use M: \\server\reception /PERSISTENT:no
     IF %ERRORLEVEL% EQU 0 (ECHO Mapped Reception Drive to M:) ELSE (Echo An error was found mapping drive M:)
     net use y: \\server\IT /PERSISTENT:no
     IF %ERRORLEVEL% EQU 0 (ECHO Mapped IT Drive to Y:) ELSE (Echo An error was found mapping drive Y:)

REM - P: is skipped when the script runs on the server itself (what the vbs was checking)
     IF /I "%COMPUTERNAME%"=="server" GOTO END
     net use P: \\server\TheOtherShare /PERSISTENT:no
     IF %ERRORLEVEL% EQU 0 (ECHO Mapped TheOtherDrive Drive to P:) ELSE (Echo An error was found mapping drive P:)

:END
     ECHO Finished Mapping Drives
REM - Finally, we will exit the batch file
     EXIT

The point, though, is that you need to make sure your batch files and vbscripts have proper exit clauses when run as scheduled tasks or as login scripts.

DrUltima
Addendum, my reposting of your VB code was assuming your script was working... :)

-DrU
I will give that a try. The reason I have them as different scripts is mentioned above. I want GPO scripts that do the mapping for the OU (Sales, IT, etc.) and then the second one is actually going to be on the Profile tab in AD. I am trying to get the GPO logon scripts working to free up the profile tab area so I can have two scripts running for a select few people that are scattered in different OUs... I'll post back once I try the script you posted.
Ok. Just updated the script to what you posted... gpupdate /force... Log out... Log in...
NOTHING...

Ran the script manually...

error found deleting drive h, o, q, m, y...

mapped drive h, o, q, m, y successfully...
finished mapping drives...

The only thing I changed from what you posted was:
\\server\ to the actual server name
added a PAUSE to the end right before EXIT... that way I could make sure I saw the results...
The vbs script works as far as mapping the drive, it just doesn't work properly as far as checking the computer name and only running the script if the computer name doesn't match... Your version may though... I'll check that too but like I said, that isn't the important part right now. The main thing is that I need the scripts to actually run when a user logs in...
ASKER CERTIFIED SOLUTION (ShareefHuddle)
Yes. I have two DCs... One is Server 2003 and one is 2008 R2. You're saying use
User Configuration > Preferences > Windows Settings > Drive Maps...? Will that work on all of the computers in the domain (XP and Windows 7 mixed) as well as the 2008 RDS?
What do you mean item-level targeting?
SOLUTION
I wouldn't just create a GPO for each OU and that GPO has the mapped drives for the OU just like the logon scripts...? I'm not sure what you are referring to as for the item level...
Look at that drive map option. I'm on my phone and not on a machine but you will have a tab for it when you add one. Take a look at your options.
Ok. I see the item targeting you were referring to... Will all of the options I can select there work on the individual machines (XP and Windows 7) as well as the 2008 RDS server though?

Thanks
SOLUTION
Well.... (after deleting the two Logon scripts) I went to it, added 3 mapped drives one of which I put item targeting on just to test out, and NONE of the 3 drives got mapped on my machine or on the 2008 R2 RDS server.... After I added the 3 mapped drives, I ran gpupdate /force but still not working...
I need the XP, Windows 7, and the 2008 R2 RDS server ALL to map the appropriate drives for the user when they log in. This should be done based on the OU that the user is in. I'm still stumped on this issue.... Any more ideas would be greatly appreciated... Thanks for all of the suggestions so far.
Have you modified the batch file I submitted to you, tied it to a login script GPO, linked the GPO to your IT OU, and then tested the TS server?

DrUltima
Yes. I changed the server etc and put a pause at the end and it never popped up and mapped the drives..
Look at my comment from 3:55 pm.
Can you export the GPO you are using and put it here?  It might make this process easier.

DrUltima
I am no longer at the office. I will do it first thing in the morning.
Not sure exactly what you were wanting me to export but the current GPO that I have is the drive mappings from the 2008 server and not the logon scripts but when exported it shows the following:

Name    Order    Action    Path                Reconnect
O:      1        Create    \\server\Sales      Yes
R:      3        Create    \\server\trailer    Yes
Y:      2        Create    \\server\IT         Yes
I haven't heard anything from anyone today... Can someone help me with this?
Sorry... I have been putting out fires today.  I will try to revisit this within the next couple of hours.  I cannot devote any time to it at the moment.  If you need other Experts to see this, use the Request Attention feature and ask the Moderators to broadcast your question to the Designated Experts for your Question's Zone.
I still haven't had any comments on this post. Can anyone help me?
Is there anyone out there that has any other ideas on this?
SOLUTION

SOLUTION
Not sure....
I have awarded points for the advice and the steps given that were easy to follow because I think it was possible that all of this played a part in getting everything working for me. Like I said in my post, I'm not sure why it actually started working all of a sudden but once it did, I used the advice given here to set everything up.

Thanks for all of the help.
Glad to hear you got it working!