Solved

GPO Logon Script on Server 2008 R2 RDS

Posted on 2011-05-12
Last Modified: 2012-05-11
I am having a lot of difficulty for some reason with a logon script. Currently we have all of our users with a logon batch file from the Profile tab of the user account in AD. These batch files are based off of the OU that the user is in, for example: a user in the Sales OU has a logon script named Sales.bat that is assigned in the Profile tab.

I am trying to move away from this by creating the logon scripts through a GPO. I have one Server 2003 PDC at the same site as the Server 2008 R2 RDS (terminal server) and a Server 2008 R2 DC that is the secondary and located at another site. I have tried working with the GPMC on the Server 2008 DC as well as the Group Policy tab on the properties of the OU in AD on the Server 2003 machine. Both show the same thing; the scripts and batch files are all replicating properly between the two. Replication between the two shows no errors and all seems well.

Basically what I have done so far is create a new policy for an OU (the IT OU that contains myself; I am using this for testing so I'll have admin privileges, and I'll test a regular user once I can get it working for me) and went to User Configuration > Windows Settings > Scripts (Logon/Logoff) > Logon. Once there, I added two things. One is a batch file which I have tried saving in the Scripts folder and also saved in the Policies\{HEX}\User\Scripts\Logon folder, and neither method is working. The other I used was a vbs file saved in the Policies\{HEX}\User\Scripts\Logon folder.

Neither of these is running when I remote into the 2008 R2 RDS. They run on my workstation when I log in but not when I connect to the RDS. In the process of searching for a resolution to this, I have run both the bat file and the vbs manually and both process fine and map the drives properly. In addition to this, I have tried running gpupdate /force but that makes no difference (I logged out and back in afterwards, still nothing). I have also run gpresult /z and it shows different results sometimes but it shows:
Logon Scripts:
GPO: IT Name: \\domain\sysvol\domain\scripts\IT.bat
Last Executed: 6:16:17 PM
Name: ScriptName.vbs
Last Executed: 6:16:17 PM

but earlier today when I ran that on my local machine it showed LastExecuted: This script has not yet been executed.
even though it actually ran on my local machine and mapped all of the drives...

I have no clue what I am doing wrong or why this isn't working at this point and can't afford to spend days working on this one little thing so any help is GREATLY appreciated. The main reason I am trying to go to this is because I need more than one logon script to run for a few people. My plans are to migrate everyone from the individual logon script on the profile tab to the GPO logon script whether I can use the batch file or the vbs script (either way) so it frees up the logon script spot on the profile tab so I can select a few users that need an additional logon script. The reason for that is because they are scattered between OUs.

Sorry for the long, drawn out post but I wanted to get as much detail out as possible but any questions, feel free to ask.

As mentioned, any help is greatly appreciated.

Thanks
Question by:SE-Pneumatic

49 Comments
LVL 8

Expert Comment

by:ShareefHuddle
ID: 35749058
You need to set your loopback policy:

http://support.microsoft.com/kb/260370
LVL 2

Author Comment

by:SE-Pneumatic
ID: 35749179
Thanks for the quick response. I followed the instructions on that link but still have no mapped drives...
I have the GPO that is for OUs that contain users but it isn't working when they log into the server. I went to the GPO, went to properties, Security and added the RDS Server computer as well as the Terminal Server Computers group which contains the server, and set them both with the permissions mentioned on the link provided (Allow for Read and Apply). Do I need to do anything else?
LVL 8

Expert Comment

by:ShareefHuddle
ID: 35749236
No that should work. Try applying the GPO to the OU of your RDS/TS servers. Oh and don't forget to run a gpupdate after :)
LVL 2

Author Comment

by:SE-Pneumatic
ID: 35749239
By the way, not sure if this is relevant or not or even why it is like this but I just ran gpresult /z again on the server and it has changed from the 6:16:17 PM time it had earlier when I made this post to 6:39:12 PM. This really makes no sense to me, especially since I am on Eastern Time Zone and so is this server so it is 2:50 PM right now anyway... Also, why would the time change if it didn't map the drives? Is it actually running but not mapping the drives? Why would it map them properly when I run them manually? Why is the time so off...? Don't mean to complicate things further but this has really confused me and I have no clue on it anymore.

Thanks
LVL 8

Expert Comment

by:ShareefHuddle
ID: 35749255
Yes, gpresult shows times in GMT.
LVL 2

Author Comment

by:SE-Pneumatic
ID: 35749260
I did run a gpupdate /force after I made the change earlier but like I said, still no drives. What GPO am I applying to the OU of the RDS server? I am wanting a Logon script to run for each OU that contains users such as a GPO that runs a logon script for IT for the IT OU, a logon script for Sales for the Sales OU...
LVL 2

Author Comment

by:SE-Pneumatic
ID: 35749267
So why does the gpresult show that it ran but I still have no mapped drives?
LVL 8

Expert Comment

by:ShareefHuddle
ID: 35749280
Just for a test apply any mapped drive GPO to your TS OU
LVL 2

Author Comment

by:SE-Pneumatic
ID: 35749369
As a logon script?
LVL 2

Author Comment

by:SE-Pneumatic
ID: 35749441
Ok. So now I have an OU called IT that contains my user. This OU has a GPO that maps drives with a logon script. I also have an OU called TerminalServers that contains the RDS server. This OU has a GPO that contains a logon script (under User) with the SAME bat file used in the IT GPO. I did a gpupdate /force, logged out and back in, still no mapped drives on the RDS server...
LVL 31

Expert Comment

by:Justin Owens
ID: 35749487
For clarification, loopback policy forces policies normally ignored to be applied IF and ONLY IF the Policy is a User policy and it would normally be enforced on a Computer Object.  For example, if you have a User Policy in a GPO applied to your TS Server OU, it would be skipped if the user is not in the OU; however, loopback will force the GPO to apply User policies in that GPO if loopback is enabled, regardless of the User's OU membership.  So, if your GPO "IT Policy", which contains User policies, is applied at the User's OU, it will be applied to the user's login regardless of the server's OU membership.  If the GPO "IT Policy" is applied at the TS Server OU, it will only apply to users who reside in that OU unless loopback is enabled, at which time it will apply to users who log into Computers in that OU.

Secondly, AD doesn't have a PDC (Primary Domain Controller) as NT4 did.  What it does have is a FSMO role called PDCe (PDC Emulator).  It is more correct to refer to the server which contains that FSMO Role as the PDCe (as opposed to the PDC).

What you need to do is employ two different tools.  The first is simply a GPRESULT.  This will list the GPOs which should be applied at the Computer and User level and which are ignored.  But, if they conflict or have some error, you won't see it there.  Secondly, you need to use RSOP.msc (resultant set of policies), which will aggregate all the GPOs applied in a GPMC type window.

Once you have run those two tools, report back the results, please.

DrUltima
LVL 2

Author Comment

by:SE-Pneumatic
ID: 35749607
As for the PDC, PDCe, etc... I refer to it as the PDC because it was the original one, contains all the FSMO roles, etc. and in DNS is listed under Forward LZ > _msdcs.domain > pdc... That is basically irrelevant to the discussion though.

As for the discussion at hand, as mentioned, I have the IT OU with an IT GPO that has a logon script set. I also have a TerminalServers OU that has the IT GPO set on it per instructions above for "testing". I ran gpupdate /force afterwards, replicated, etc. and still no mapped drives. I just ran gpresult and under USER SETTINGS > Resultant Set Of Policies for User > Logon Scripts it shows:

GPO: IT
Name: \\domain\sysvol\domain\scripts\IT.bat
Last Executed: 7:24:40 PM
Name: ScriptName.vbs
Last Executed: 7:24:40 PM

Also, I ran rsop.msc and went through User Configuration > Windows Settings > Scripts > Logon
From there it shows BOTH the bat file and the vbs script, the same as the results from gpresult (with the exception of the time being formatted for my time zone in the rsop GUI).

Although I see these results, I do NOT have any mapped drives... I can still go through the network, find the bat file and the vbs file and run them manually and they BOTH map the correct network drives with no issues...

What now...? I'm still lost.
LVL 31

Expert Comment

by:Justin Owens
ID: 35749645
Would you mind posting the two scripts in question (it.bat and scriptname.vbs)?

DrUltima
LVL 2

Author Comment

by:SE-Pneumatic
ID: 35749662
Why do I need the IT (or any for that matter) GPO applied to an OU that contains the RDS computer (or any computer)? Will this make the GPO run for any user that logs onto that computer? That is not what I am wanting. I want a GPO assigned to each OU that contains Users so that group of users has certain drives mapped.
LVL 31

Expert Comment

by:Justin Owens
ID: 35749671
No, your user policies should be applied to the OU which contains the users.  You appear to have it set up correctly, which is why I asked for the code of your scripts.

DrUltima
LVL 2

Author Comment

by:SE-Pneumatic
ID: 35749703
IT.bat
-------------
REM Map the home directory and the departmental shares.
REM /PERSISTENT:no keeps the mappings out of the profile so they are
REM re-created by this script at every logon instead of being remembered.
net use h: /home
net use O: \\server\sales /PERSISTENT:no
net use Q: \\server\Purchasing /PERSISTENT:no
net use M: \\server\reception /PERSISTENT:no
net use y: \\server\IT /PERSISTENT:no

-----------------------------------------------------------------------
Script.vbs

' Map P: everywhere except on the server itself.
Set objNet = CreateObject("WScript.Network")
strCompName = objNet.ComputerName
strQuitVar = "0"

' ComputerName comes back in upper case and "=" is case-sensitive in
' VBScript, so compare case-insensitively with StrComp.
If StrComp(strCompName, "server", vbTextCompare) = 0 Then
      strQuitVar = "1"
End If

If strQuitVar = "0" Then
      objNet.MapNetworkDrive "P:", "\\server\Shared_Folder"
End If


Only things I changed while posting were server name and folder names... Otherwise same basically...
LVL 2

Author Comment

by:SE-Pneumatic
ID: 35749710
So can I remove the GPO that I setup for the OU that contains the RDS server? What was the purpose in putting that there?

I'm assuming all I really need are to have the scripts in the GPO and have it applied to the user OU, correct...?
LVL 2

Author Comment

by:SE-Pneumatic
ID: 35749774
I'm sure the VBS isn't the best but that was my first script so I was kind of winging it... Either way, it appears to work fine when I run the script manually, same with the bat file...
LVL 2

Author Comment

by:SE-Pneumatic
ID: 35749837
Actually the vbs doesn't work like I want it to about checking the computer name but I can deal with that later. That's strictly a VBS question as far as coding it to handle checking a computer name before running the bulk of the script. I just need to know how to get the scripts to actually start running when users log in on ALL machines, including and especially the RDS server...
LVL 31

Expert Comment

by:Justin Owens
ID: 35750078
OK... In your IT.bat, let's echo back and see if the login script is really running:

@echo off

REM - First, we will delete possibly mapped drives
     net use H:  /delete
     IF %ERRORLEVEL% EQU 0 (ECHO Deleted Drive H.) ELSE (Echo An error was found deleting drive H.)
     net use O: /delete
     IF %ERRORLEVEL% EQU 0 (ECHO Deleted Drive O.) ELSE (Echo An error was found deleting drive O.)
     net use Q: /delete
     IF %ERRORLEVEL% EQU 0 (ECHO Deleted Drive Q.) ELSE (Echo An error was found deleting drive Q.)
     net use M: /delete
     IF %ERRORLEVEL% EQU 0 (ECHO Deleted Drive M.) ELSE (Echo An error was found deleting drive M.)
     net use Y: /delete
     IF %ERRORLEVEL% EQU 0 (ECHO Deleted Drive Y.) ELSE (Echo An error was found deleting drive Y.)
     ECHO Finished Deleting Mapped Drives

REM - Second, we will map the desired drives
     net use h: /home
     IF %ERRORLEVEL% EQU 0 (ECHO Mapped Home Drive to H:) ELSE (Echo An error was found mapping drive H:)
     net use O: \\server\sales /PERSISTENT:no
     IF %ERRORLEVEL% EQU 0 (ECHO Mapped Sales Drive to O:) ELSE (Echo An error was found mapping drive O:)
     net use Q: \\server\Purchasing /PERSISTENT:no
     IF %ERRORLEVEL% EQU 0 (ECHO Mapped Purchasing Drive to Q:) ELSE (Echo An error was found mapping drive Q:)
     net use M: \\server\reception /PERSISTENT:no
     IF %ERRORLEVEL% EQU 0 (ECHO Mapped Reception Drive to M:) ELSE (Echo An error was found mapping drive M:)
     net use y: \\server\IT /PERSISTENT:no
     IF %ERRORLEVEL% EQU 0 (ECHO Mapped IT Drive to Y:) ELSE (Echo An error was found mapping drive Y:)
     ECHO Finished Mapping Drives

REM - Finally, we will exit the batch file
     EXIT

Make sure the batch is echoing back to you so you can verify activity as it happens.

Next, let's modify your vbscript:

Set objNet = CreateObject("WScript.Network")
strCompName = objNet.ComputerName

' Case-insensitive compare: ComputerName is returned in upper case and a
' plain "=" would never match a lower-case literal.
IF StrComp(strCompName, "server", vbTextCompare) = 0 THEN
      'Do Nothing
ELSE
      objNet.MapNetworkDrive "P:", "\\server\Shared_Folder"
END IF

WScript.Quit

It looks to me, though, like you are using two scripts to map network drives.   You can combine those:

@echo off

REM - First, we will delete possibly mapped drives
     net use H: /delete
     IF %ERRORLEVEL% EQU 0 (ECHO Deleted Drive H.) ELSE (Echo An error was found deleting drive H.)
     net use O: /delete
     IF %ERRORLEVEL% EQU 0 (ECHO Deleted Drive O.) ELSE (Echo An error was found deleting drive O.)
     net use Q: /delete
     IF %ERRORLEVEL% EQU 0 (ECHO Deleted Drive Q.) ELSE (Echo An error was found deleting drive Q.)
     net use M: /delete
     IF %ERRORLEVEL% EQU 0 (ECHO Deleted Drive M.) ELSE (Echo An error was found deleting drive M.)
     net use Y: /delete
     IF %ERRORLEVEL% EQU 0 (ECHO Deleted Drive Y.) ELSE (Echo An error was found deleting drive Y.)
     net use P: /delete
     IF %ERRORLEVEL% EQU 0 (ECHO Deleted Drive P.) ELSE (Echo An error was found deleting drive P.)
     ECHO Finished Deleting Mapped Drives

REM - Second, we will map the desired drives
     net use h: /home
     IF %ERRORLEVEL% EQU 0 (ECHO Mapped Home Drive to H:) ELSE (Echo An error was found mapping drive H:)
     net use O: \\server\sales /PERSISTENT:no
     IF %ERRORLEVEL% EQU 0 (ECHO Mapped Sales Drive to O:) ELSE (Echo An error was found mapping drive O:)
     net use Q: \\server\Purchasing /PERSISTENT:no
     IF %ERRORLEVEL% EQU 0 (ECHO Mapped Purchasing Drive to Q:) ELSE (Echo An error was found mapping drive Q:)
     net use M: \\server\reception /PERSISTENT:no
     IF %ERRORLEVEL% EQU 0 (ECHO Mapped Reception Drive to M:) ELSE (Echo An error was found mapping drive M:)
     net use y: \\server\IT /PERSISTENT:no
     IF %ERRORLEVEL% EQU 0 (ECHO Mapped IT Drive to Y:) ELSE (Echo An error was found mapping drive Y:)

REM - Third, P: is skipped on the server itself (this replaces the vbscript's
REM   computer-name check). IF /I compares case-insensitively. A GOTO is used
REM   rather than a parenthesised ELSE block because %ERRORLEVEL% inside a
REM   block is expanded when the block is parsed, before net use has run.
     IF /I "%COMPUTERNAME%"=="server" GOTO SKIP_P
     net use P: \\server\TheOtherShare /PERSISTENT:no
     IF %ERRORLEVEL% EQU 0 (ECHO Mapped TheOtherDrive Drive to P:) ELSE (Echo An error was found mapping drive P:)
:SKIP_P
     ECHO Finished Mapping Drives

REM - Finally, we will exit the batch file
     EXIT

The point, though, is that you need to make sure your batch files and vbscripts have proper exit clauses when run as scheduled tasks or as login scripts.

DrUltima
LVL 31

Expert Comment

by:Justin Owens
ID: 35750091
Addendum, my reposting of your VB code was assuming your script was working... :)

-DrU
LVL 2

Author Comment

by:SE-Pneumatic
ID: 35750110
I will give that a try. The reason I have them as different scripts is mentioned above. I want GPO scripts that do the mapping for the OU (Sales, IT, etc.) and then the second one is actually going to be on the Profile tab in AD. I am trying to get the GPO logon scripts working to free up the profile tab area so I can have two scripts running for a select few people that are scattered in different OUs... I'll post back once I try the script you posted.
LVL 2

Author Comment

by:SE-Pneumatic
ID: 35750233
Ok. Just updated the script to what you posted... gpupdate /force... Log out... Log in...
NOTHING...

Ran the script manually...

error found deleting drive h, o, q, m, y...

mapped drive h, o, q, m, y successfully...
finished mapping drives...

The only thing I changed from what you posted was:
\\server\ to the actual server name
added a PAUSE to the end right before EXIT... that way I could make sure I saw the results...
LVL 2

Author Comment

by:SE-Pneumatic
ID: 35750248
The vbs script works as far as mapping the drive, it just doesn't work properly as far as checking the computer name and only running the script if the computer name doesn't match... Your version may though... I'll check that too but like I said, that isn't the important part right now. The main thing is that I need the scripts to actually run when a user logs in...
LVL 8

Accepted Solution

by:
ShareefHuddle earned 1200 total points
ID: 35750261
Do you have a 2008 AD controller? If so, then don't use a drive mapping script. Use a drive mapping GPO and use item-level targeting to push it to certain OUs, groups, users, or computers.
LVL 2

Author Comment

by:SE-Pneumatic
ID: 35750287
Yes. I have two DCs... One is Server 2003 and one is 2008 R2. You're saying use
User Configuration > Preferences > Windows Settings > Drive Maps...? Will that work on all of the computers in the domain (XP and Windows 7 mixed) as well as the 2008 RDS?
LVL 2

Author Comment

by:SE-Pneumatic
ID: 35750290
What do you mean item-level targeting?
LVL 8

Assisted Solution

by:ShareefHuddle
ShareefHuddle earned 1200 total points
ID: 35750299
Yes, and then you can use item level to give you control over who or what you want to apply it to.
LVL 2

Author Comment

by:SE-Pneumatic
ID: 35750312
I wouldn't just create a GPO for each OU and that GPO has the mapped drives for the OU just like the logon scripts...? I'm not sure what you are referring to as for the item level...
LVL 8

Expert Comment

by:ShareefHuddle
ID: 35750313
Look at that drive map option. I'm on my phone and not on a machine, but you will have a tab for it when you add one. Take a look at your options.
LVL 2

Author Comment

by:SE-Pneumatic
ID: 35750361
Ok. I see the item targeting you were referring to... Will all of the options I can select there work on the individual machines (XP and Windows 7) as well as the 2008 RDS server though?

Thanks
LVL 31

Assisted Solution

by:Justin Owens
Justin Owens earned 600 total points
ID: 35750451
No, Windows XP will not work because that is not a Group Policy Object (GPO) but rather a Group Policy Preference (GPP).  You CAN make some GPPs work on XP, but it requires the Client Side Extensions be installed on the XP machines.

That is why I was sticking with a login script rather than GPP.

DrUltima
LVL 2

Author Comment

by:SE-Pneumatic
ID: 35750460
Well.... (after deleting the two Logon scripts) I went to it, added 3 mapped drives one of which I put item targeting on just to test out, and NONE of the 3 drives got mapped on my machine or on the 2008 R2 RDS server.... After I added the 3 mapped drives, I ran gpupdate /force but still not working...
LVL 2

Author Comment

by:SE-Pneumatic
ID: 35750493
I need the XP, Windows 7, and the 2008 R2 RDS server ALL to map the appropriate drives for the user when they log in. This should be done based on the OU that the user is in. I'm still stumped on this issue.... Any more ideas would be greatly appreciated... Thanks for all of the suggestions so far.
LVL 31

Expert Comment

by:Justin Owens
ID: 35750690
Have you modified the batch file I submitted to you, tied it to a login script GPO, linked the GPO to your IT OU, and then tested the TS server?

DrUltima
LVL 2

Author Comment

by:SE-Pneumatic
ID: 35750716
Yes. I changed the server etc and put a pause at the end and it never popped up and mapped the drives..
LVL 2

Author Comment

by:SE-Pneumatic
ID: 35750725
Look at my comment from 3:55 pm.
LVL 31

Expert Comment

by:Justin Owens
ID: 35750752
can you export the GPO you are using and put it here?  It might make this process easier.

DrUltima
LVL 2

Author Comment

by:SE-Pneumatic
ID: 35750762
I am no longer at the office. I will do it first thing in the morning.
LVL 2

Author Comment

by:SE-Pneumatic
ID: 35753631
Not sure exactly what you were wanting me to export but the current GPO that I have is the drive mappings from the 2008 server and not the logon scripts but when exported it shows the following:

Name   Order   Action   Path               Reconnect
O:     1       Create   \\server\Sales     Yes
R:     3       Create   \\server\trailer   Yes
Y:     2       Create   \\server\IT        Yes
LVL 2

Author Comment

by:SE-Pneumatic
ID: 35756966
I haven't heard anything from anyone today... Can someone help me with this?
LVL 31

Expert Comment

by:Justin Owens
ID: 35756989
Sorry... I have been putting out fires today.  I will try to revisit this within the next couple of hours.  I cannot devote any time to it at the moment.  If you need other Experts to see this, use the Request Attention feature and ask the Moderators to broadcast your question to the Designated Experts for your Question's Zone.
LVL 2

Author Comment

by:SE-Pneumatic
ID: 35772828
I still haven't had any comments on this post. Can anyone help me?
LVL 2

Author Comment

by:SE-Pneumatic
ID: 35776574
Is there anyone out there that has any other ideas on this?
LVL 2

Assisted Solution

by:SE-Pneumatic
SE-Pneumatic earned 0 total points
ID: 35793760
Not exactly sure what it was but something changed in the last couple of days and the GPO started working when going through the server 2008 DC and setting up Mapped drives under preferences and using item level targeting to single out the computer name that I don't want the script to run on. Thanks for all of the help everyone offered. Like I said, not sure what I changed or what happened but it is working now.
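The GPP Drive Maps approach accepted above, together with the computer-name item-level target the asker ended up using, can be checked straight from the Drives.xml that GPMC writes under the GPO's User\Preferences\Drives folder in SYSVOL. The following is an added example written for this thread, not code from the thread or from Microsoft: the sample file is constructed around the asker's exported O:/R:/Y: mappings, the "Connect as" entry on R: and the DOMAIN\svc-trailer account are hypothetical, and the credential check is there because anything stored in SYSVOL is readable by every authenticated domain user.

```python
# Audits a GPP Drive Maps file (Drives.xml): which mappings a given computer
# receives after item-level targeting, and whether any mapping stores
# "Connect as" credentials (userName/cpassword attributes) in SYSVOL.
import xml.etree.ElementTree as ET

# Constructed sample modelled on the poster's export (O:, Y:, R:). O: carries the
# "not this computer" target the poster used; R: has a hypothetical "Connect as".
# The clsid/uid attributes found in real files are omitted; the parser ignores them.
SAMPLE_DRIVES_XML = r"""<Drives>
  <Drive name="O:" status="O:">
    <Properties action="C" path="\\server\Sales" label="Sales" persistent="1" useLetter="1" letter="O"/>
    <Filters>
      <FilterComputer bool="AND" not="1" type="NETBIOS" name="SERVER"/>
    </Filters>
  </Drive>
  <Drive name="Y:" status="Y:">
    <Properties action="C" path="\\server\IT" label="IT" persistent="1" useLetter="1" letter="Y"/>
  </Drive>
  <Drive name="R:" status="R:">
    <Properties action="C" path="\\server\trailer" label="Trailer" persistent="1" useLetter="1"
                letter="R" userName="DOMAIN\svc-trailer" cpassword="PLACEHOLDER-NOT-A-REAL-VALUE"/>
  </Drive>
</Drives>
"""

ACTIONS = {"C": "Create", "R": "Replace", "U": "Update", "D": "Delete"}


def parse_drives(xml_text):
    """One dict per <Drive>: letter, action, path, credential flags, filters."""
    drives = []
    for drive in ET.fromstring(xml_text).findall("Drive"):
        props = drive.find("Properties")
        filters = [{"bool": f.get("bool", "AND"), "negate": f.get("not") == "1",
                    "name": f.get("name", "")}
                   for f in drive.findall("Filters/FilterComputer")]
        drives.append({
            "letter": props.get("letter"),
            "action": ACTIONS.get(props.get("action"), props.get("action")),
            "path": props.get("path"),
            "persistent": props.get("persistent") == "1",
            "connect_as": props.get("userName") or None,
            "has_cpassword": props.get("cpassword") is not None,
            "filters": filters,
        })
    return drives


def computer_filters_match(filters, computer_name):
    """Chain FilterComputer items the way ILT does: each item is ANDed or ORed
    onto the running result and not="1" inverts it; no filters means the item
    applies everywhere. Other filter kinds (FilterGroup, FilterOrgUnit, ...)
    are not modelled here (assumption: only computer-name targeting is in use)."""
    result = None
    for flt in filters:
        match = flt["name"].upper() == computer_name.upper()
        if flt["negate"]:
            match = not match
        if result is None:
            result = match
        elif flt["bool"] == "OR":
            result = result or match
        else:
            result = result and match
    return True if result is None else result


def drives_for_computer(drives, computer_name):
    """Letters of the mappings a user receives when logging on to computer_name."""
    return [d["letter"] for d in drives
            if computer_filters_match(d["filters"], computer_name)]


def stored_credential_findings(drives):
    """Letters of mappings using 'Connect as'. SYSVOL is readable by every domain
    user, so replace such credentials with share ACLs and targeting."""
    return [d["letter"] for d in drives if d["connect_as"] or d["has_cpassword"]]
```

Run it against a real file with `parse_drives(open(path, encoding="utf-8-sig").read())`; the same evaluation applies to every Drive element in the file, not only the three in the sample.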
LVL 31

Assisted Solution

by:Justin Owens
Justin Owens earned 600 total points
ID: 35793999
Perhaps there was a replication error which resolved itself.  Regardless, I am glad that you are now able to work as desired.

DrUltima
LVL 2

Author Comment

by:SE-Pneumatic
ID: 35811630
Not sure....
LVL 2

Author Closing Comment

by:SE-Pneumatic
ID: 35865578
I have awarded points for the advice and the steps given that were easy to follow because I think it was possible that all of this played a part in getting everything working for me. Like I said in my post, I'm not sure why it actually started working all of a sudden but once it did, I used the advice given here to set everything up.

Thanks for all of the help.
LVL 8

Expert Comment

by:ShareefHuddle
ID: 35867121
Glad to hear you got it working!