Log In Script for Domain Controller

ben1211
We have a log in script for our Domain Controller whereby when users log on to the domain, drives are mapped etc via the log on script.

I now need to get a patch (exe) file to execute the moments the users log on to the domain.

How do I do this? I have a logon.bat script that executes.

This is what it looks like. How can I include an exe file to be executed the moment the users log on? There are also startup scripts. Is this done on the domain, and how do I create a startup script?

net use w: /d
net use S: /d
net use P: /d
net use F: /d
net use N: /d

net use W: \\wvm-srv01\Simma
net use S: \\wvm-srv01\FileServer
net use P: \\WVM-SRV01\MarCom
net use F: \\server1\FaxCore
net use N: \\wvm-srv01\scan_doc

Author

Commented:
I am running Windows 2003 Server.

Need help urgently please.
Distinguished Expert 2017

Commented:
Could you add some detail?  Running a patch exe will be with the access rights of the user, which often will not work if the user is a limited/restricted user account.

start "" pathtofileyouwanttorun\file.exe
Steve, IT Manager

Commented:
Scripts are usually stored in the netlogon folder of the server and associated through ADUC.

If you copied the patch to the netlogon folder you could create a UNC reference to it at the top of the logon script so the file is run when the user logs on, however this would run every time the user logs on.

Author

Commented:
sgsm81 the logon script is stored in the sysvol folder under Windows.

Where is the netlogon script located?

can this be done via Group Policy....if so please guide me how to do this.

Author

Commented:
where is the netlogon folder located? on the Windows 2003 Domain server?

Author

Commented:
i can't find a netlogon folder in my sysvol folder.

Author

Commented:
Guys, this is exactly what I want to do. I want to place an mcfee-agent.exe file on the Domain Server. When the users log on to the domain, I want this exe file to be executed. How do I do this?

Can I add this task into the logon.bat script file which runs the moment the user logs on to the domain? Which means, I want to the agentch.exe file to be executed the moment the user logs on to the domain. With this exe only resident on the domain controller and not on each individual user's PC, will it run if I were to just put in a: Call C:\agent\agentch.exe?

Mike Thomas, Consultant
Top Expert 2010

Commented:
You would typically deploy McAfee using the ePolicy Orchestrator (ePO) Server, are you not running this? If not, try extracting the exe to an MSI file (the ePO server does this for you IIRC when you import the package).

Once you have an MSI file you can then deploy it using group policy easily, but how easy this is depends on how much user interaction the agent needs to install and how you deal with that interaction; some apps support transform files and some MSIs can be edited using tools like Orca.

Check http://www.appdeploy.com/ for what others have done.

Distinguished Expert 2017

Commented:
The location of a login script in a GPO is c:\windows\sysvol\domain\policies\{policy-unique-ID}\User\scripts\logon (or logoff) on the DC.
Access by way of a share:
\\domain (or \\dc)\sysvol\<AD_domainname>\Policies\{unique-policy-ID}\User\scripts\logon (or logoff).

You might be better off running this through the startup/shutdown process since that runs with the rights of SYSTEM and has install rights, but what you are running has to be preconfigured, without prompts or interaction.
If it is an MSI, you need to know the correct switches to provide the installer all the information it needs to complete the install. If, as MojoTech pointed out, you have another mechanism that deploys these, i.e. a server-based component that can push the update to the individual workstation by way of the client application already installed, that is the route you should go. If the vendor provides for a preconfigured software package deployment where all the parameters are included and the install can run quietly, that is the second preferred approach.
Distinguished Expert 2017

Commented:
P.S. a login script on a DC will only be run when an Administrative user logs in anyway, unless the default domain controller policy was altered to allow other individuals access or this is an SBS system.

Author

Commented:
hi arnold, the login script that I have sits on the sysvol folder and on each user's profile, I have stated that this login.bat script needs to run. So the moment the users log in, the login.bat script runs and it maps several drives for the users.

The users do not have local admin rights. The moment they logon to the domain controller, the login.bat script tied to their profile runs - mapping drives to their PC's.

You mentioned I would be better off running this through the startup/shutdown process.
Could you guide me step by step as to how I should do this?

I have so far opened MMC and added the group policy objects. What do I do next?

This file that I plan on running is called agentch.exe (exact filename).
Distinguished Expert 2017
Commented:
This is within the GPO under computer configuration\windows settings\.

You are better off using GPMC to manage domain GPOs.
If you do not have it already, you can get it from:
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887

Does it need any interaction when you run it as an administrator?
run the command with agentch.exe /? see if it generates a help window that displays what switches it can handle and which switches provide the answers to the questions it might have when run in interactive mode.
You would need to make sure that either it can run on its own without the need for user input, or that the information can be included as part of the command.

What is your answer to MojoTech's question dealing with Mcaffee possible tools that deal with deployment/updates of the client systems?

Author

Commented:
hi arnold, from the command prompt window, I typed agentch.exe /? and it merely popped up a window asking if I wanted to overwrite files that already existed.

With regards to McAfee's ePO server and deploying of updates, we have an ePO that is able to push updates. The problem is, the users' PCs are unable at this point to communicate with the ePO server. And so an agent update is needed for the users' PCs to be able to begin communication with the ePO server.

For that to happen, we have to install this agentch.exe on several PCs. Instead of going from one PC to another, we are wondering if this can be done through a login script.

Arnold...I've attached the agentch.exe file to this reply. When you double click on this file, if it's run on Windows 7, a window pops up asking you if it is OK to run this, blah blah blah. On Win 2K3, it just runs. Likewise I assume it would be the same for Windows XP.

Arnold I have downloaded the gpmc.msi and installed it on my domain. I need your guidance as to how to use it for this case.
Please let me know how to work this, please.
[Attachment: agentch.exe]

Author

Commented:
arnold....the login script now looks like this:
net use w: /d
net use S: /d
net use P: /d
net use F: /d
net use N: /d

net use W: \\wvm-srv01\Simma
net use S: \\wvm-srv01\FileServer
net use P: \\WVM-SRV01\MarCom
net use F: \\server1\FaxCore
net use N: \\wvm-srv01\scan_doc

the domain server's ip address is 198.1.1.1

I'm wondering if I can add in the line at the bottom of the script:
call \\198.1.1.1\netlogon\agentch.exe

I have also placed the agentch.exe file in the netlogon folder. Please do note though, the users do not have local admin rights. So they can't install anything on their PC's. We are hoping that when they log on to the domain, this command runs :call \\198.1.1.1\netlogon\agentch.exe and the agent gets installed.
Distinguished Expert 2017
Commented:
You can, the problem is that the script will run with the credentials of the user that just logged in, and if the user does not have power user rights or is not an administrator, the install will fail.

Using GPMC you should see your domain, then you should see the organizational layout of your system.
Create an OU where you will place the workstation to test.
Within that OU create and link a new GPO. Name it something that will tell what the GPO is supposed to do, i.e. "install_agentch".
Now navigate to computer configuration\windows settings\scripts\startup
use the show files so that you can see where the location is.  Create a new .bat file with the
call \\servername\sharename\agentch.exe

Close and save the new .bat file and close out. Then assign a workstation into this OU that is currently in need of this update. reboot the system and see whether the install occurred as expected.

The suggestion MojoTech had with the MSI file is that you could use the software deployment option under the computer configuration.

Another option is to use the loopback processing of a computer GPO that may possibly reprocess the login script. http://support.microsoft.com/kb/231287

Another option is to copy the agentch.exe or modify the registry through GPO for the hkey_local_machine\software\microsoft\windows\currentversion\runonce

agentch.exe REG_SZ "\\servername\sharename\agentch.exe"
 
It could be part of a startup script that will add this entry on the first run, and then execute it on the second reboot.

 

Author

Commented:
arnold, I am totally LOST by all that you said above. Especially with the changes in registry etc.

If I have a log in script, how will that work, considering that you mentioned that the users need to be power users or have administrative rights? Right now, they are neither of those two groups. Otherwise, the line that I inserted into the current log on script, would work, wouldn't it? the line :
call \\198.1.1.1\netlogon\agentch.exe

arnold, I'm very much a rookie with AD. So you may need to walk me through this step by step please?
To start off with....how do I create an OU and where do I do this please?

Author

Commented:
with your instructions for GPMC...you said to create a new .bat file. and in that batch file add the line call \\servername\sharename\agentch.exe

Will that be the same as adding the line below?
call \\198.1.1.1\netlogon\agentch.exe

Author

Commented:
with GPMC you can also deploy MSI packages right? would you know how this is done?

Author

Commented:
the agentch.exe file that I have is an exe file. How do I convert it to a MSI file?
Distinguished Expert 2017
Commented:
There are many ways to get the application to run. There are several considerations.
If you must run it in a login script, you must grant each user the install software right, or as a temporary measure make all domain users administrators/power users on the workstations (GPO restricted groups under computer configuration\windows settings\security settings).

Open GPMC; it should have a Forest heading that references your AD domain. Expand that.
You then have Domains, Sites, Group Policy Modeling and Group Policy Results, etc. (Modeling can be used to see how a considered change will impact the workstation/user, while Results shows how the current policies apply to a computer/user.) Back to the topic.
Expand the domain tree.
Here you should see your AD domain/s Expand the one that you want to work on.
The default layout has the Default (Domain controllers, Group Policy Objects  and WMI Filters)
To create an OU, you would right-click on the AD domain and select "New Organizational Unit"  This can also be done in the AD user and computers in a similar way.
Once there, select and then right-click on the OU you just created and select the create and link a GPO here. Once you've done that you will be prompted for a name for the new GPO. under the OU now there is the GPO that applies to it. Select the newly created GPO, right-click and select edit.
Navigate to computer configuration\windows settings\scripts (startup\shutdown)\startup

Click show files.
Copy agentch.exe into this location. return to the startup properties window (it closes when show files is clicked).
Click add, enter agentch.exe and in the parameter section any parameters you've learned are needed. However, if you want to log on which computers this GPO ran and when, you would have to use a bat file that will output data into a shared file i.e.
echo On %date% %time% a %COMPUTERNAME% run the agentch.exe >> \\server\sharename\files_writable_by_everyone.log
Depending on how good you are with batch files, you could use the bat file to test the condition under which the agentch ran i.e. did it complete the task, or did it error out and record that.

You are done with creating the GPO and applying it to the OU (only)
Close everything until you get to the GPMC, while the newly created GPO is selected, right click select GPO status\ and select here "User configuration settings disabled".  This is a computer based GPO and there is no need for the workstations\servers to attempt to apply this GPO on every user login.

Using the AD Users and Computers interface, move one of the workstations into the newly created OU. You can run gpupdate /force after you log in. Then reboot the system and see whether agentch.exe ran and did what you expect. If it has and you are confident, you can apply this GPO to the rest of the computers in the AD. If you only use the default AD organization where the computers are in the Computers container, the only way to apply a GPO is to add it to the AD domain (top of the domain hierarchy). This will apply to all the systems (servers\workstations\domain controllers).
You could specify to which systems this GPO applies by removing Authenticated Users from the GPO's Scope tab\Security Filtering and then adding the computers to which this GPO should apply one at a time, or if you have all the computers in a defined group, you should add this group. Using the built-in "Domain Computers" group will include all systems with the exclusion of the domain controllers.

To your second post on whether the startup/login scripts are equivalent:
The way the script is executed/runs it is equivalent; the major and most important difference is the rights with which the script runs.
As a startup script, it runs with the rights of SYSTEM, which has full install rights on the system/workstation/server.
When it runs as a login script, it derives the rights from the user's account. So a limited/restricted user will start the process and generate an error to the effect of "you do not have the rights to install this here".

Software deployment:
http://technet.microsoft.com/en-us/library/cc739305%28WS.10%29.aspx
http://support.microsoft.com/kb/816102 


At times, software distributors use a setup.exe which is a package of an MSI file with the proper instruction set file.  When you run the setup.exe it expands and creates a temporary directory in %TEMP% c:\windows\temp or at times in %userprofile%\local settings\temp\
Within this temporary folder you can find the MSI and the instruction file.
Not all EXE's do this.
Here is a discussion on exe-to-MSI converters:
http://www.petri.co.il/forums/showthread.php?t=23146

I think I answered the four posts you made.



Author

Commented:
Hi Arnold...I'm following your GPMC Instructions.

I can't find this part that you have mentioned:
You are done with creating the GPO and applying it to the OU (only)
Close everything until you get to the GPMC, while the newly created GPO is selected, right click select GPO status\ and select here "User configuration settings disabled".  This is a computer based GPO and there is no need for the workstations\servers to attempt to apply this GPO on every user login.

Author

Commented:
Arnold, please take a look at my screen capture. I don't see the GPO Status\ and select here "User configurations settings disabled".

Please guide me.
[Attachment: GPMC---Agent-install.jpg]

Author

Commented:
Arnold....how do I do this:
Using the AD user and computer interface, move one of the workstations into the newly created OU.

When you say this:
You can run gpupdate /force after you login. Then reboot the system and see whether the agentch.exe run and did what you expect.

Reboot which system? Any of the user's PCs?

Author

Commented:
Arnold....I don't understand this. Need more details from you. Could you break down the instructions here please? Especially the part where you say how to apply it to all systems.

Using the AD user and computer interface, move one of the workstations into the newly created OU. You can run gpupdate /force after you login. Then reboot the system and see whether the agentch.exe run and did what you expect. If it has and you are confident, you can apply this GPO to the rest of the Computers in the AD. If you only use the default AD organization where you have Computers is the Computers entry, the only way to apply a GPO is to add it to the AD Domain (top of the domain hierarchy). This will apply to all the systems (servers\workstations\Domain controllers)
You could specify to which this GPO applies, by removing the authenticated_users from the GPO's Scope tab\Security settings\ and then adding the computers to which this GPO should apply one at a time, or if you have all the computers in a defined group, you should add this group.  using the built-in "Domain computers" group will include all systems with the exclusion of the domain controllers.

Author

Commented:
Arnold....I went to AD Users and Computers. Under the section of Computers, I found a PC WVM-DR13. I highlighted this PC and then right click and selected MOVE. I then moved it to "install_agents" OU. That computer then disappeared from the computers OU and was moved to the "install_agents". Is this incorrect?

Author

Commented:
arnold, i did as per your instructions....and performed a gpupdate on the domain server. i then got the PC WVM-DR13 to perform a reboot. but nothing happened :(

Author

Commented:
for software installation...don't you need a MSI file?

the agentch.exe has batch scripts in this exe file. one batch script and some other files. did you take a look at the agentch.exe file that I attached?

Author

Commented:
does the user of WVM-DR13 have to be a local admin in order for this to happen?

Arnold, isn't Startup scripts meant only for scripts? We are trying this with an exe file. Can it work when we use an exe file under startup scripts?
Distinguished Expert 2017

Commented:
Starting at the beginning post:
You highlighted the OU. To change the mode of the GPO, you need to highlight/select the GPO itself.
The gpupdate /force needs to run on the computer, or it will usually take two restarts for the GPO to apply.

The reboot applies to the System that you moved into the newly created OU.

Once you are satisfied that it works, you can link this GPO (Agentch) at the top of the domain (wvm.com), where the current wvm.com GPOs are, or to the MYSO OU if that is a computer OU.

I did not download nor try to run the file you attached since it serves no purpose and I can not replicate the environment in which you are trying to use it.

The software distribution/install functionality in GPOs requires an MSI since it uses Windows Installer for processing.  The startup/shutdown and login/logout can run .bat, .vbs,  and .exe.

The only issue is that agentch.exe, when run, must not try to interact with the user. When you run it as administrator on a workstation, does it just go through and finish? If there are additional files on which it relies, those files must be copied to the startup folder where you placed agentch.exe: \\domain\sysvol\wvm.com\Policies\{unique-id-for-agentch}\scripts\startup\


If the agentch.exe

Author

Commented:
Arnold, it didn't work with the restart of the user's computer.

The agentch.exe file consists of a batch file and additional files from which the batch file reads parameters/information.

When I execute this exe file on my computer, I'm prompted first by a window which asks if I trust the publisher. After that it just installs the file and then finally a window pops up saying that the agent has been successfully installed. And I need to hit the OK button.

From this, we can gather that no user intervention is needed, right? Or am I wrong?

So what did I do wrong that it didn't work when the user rebooted the PC?

What about permissions? Now it is set to Authenticated users.

Also, I hope I have read you correctly...the gpupdate /force needs to be run on the users PC, correct?
Distinguished Expert 2017
Commented:
Ok,
You need to get the copy of the certificate for which you were being prompted.
What we first must do on the system where you imported the certificate as trusted is export it in a format that you'll need to use in the section below.
To access the certificate store, start\run. In here type mmc to get the Microsoft Management Console opened. Select File add/remove snap-in. Click add which will open another pane with the various options, locate the certificates and click add. You will be prompted for which store you want to access: My User Account, Service Account, Computer. Unfortunately, I am not sure to which store it was added so if I am wrong with the following guess, you would need to repeat the prior direction and then choose one of the other stores until you locate the certificate of interest in this case.  With that said, choose the my user account and click Finish.  Now hit Close, and ok.
Now you are at the console root and you have a Certificates tool. Navigate to the trusted root certification authorities and locate the certificate you added. Right click on the certificate and choose the export option. The option you should select is the p7b and check the box below to export all certificates in the path if possible. Note where you save this p7b file.

Now using the GPMC tool create a new GPO that you will add to the top of the domain.  The purpose for this GPO is to add this certificate to the trusted list.
You should be using the install_OU from the prior setting to which this GPO will be linked for the purposes of the tests.  I am also relying on you that you copied all the files into the same location as agentch.exe is within the prior GPO
The new GPO
Computer configuration\windows settings\security settings\public key policies\trusted root Certificate Authority
Here you will click import, and browse to where the p7b file you created earlier.  This process will add the certificate as a trusted through out the AD.

However, while typing this, I went back and downloaded the file and checked what it does, which is that it copies reqseckey.bin into c:\agentch.

So now we need to modify the prior agentch GPO by including the four files that are created in c:\agentch when the agentch.exe is run.
Then instead of running agentch.exe which is effectively a compressed package designed to expand into c:\agentch. You should use regsga.bat as the program to run during startup.

You could modify the bat file to see whether the frminst.exe command can take the /sil for silent or /q for quiet switch, at which point it will run without generating output since there is no one there to see it.
/forceinstall is another switch option.
https://community.mcafee.com/thread/8349

Another option is to use a script that will do the work. psexec with the sitelist.xml stored in a shared location.
the below deals with uninstalling, but can be easily converted into the install agent that you want/looking for.
http://www.tek-tips.com/viewthread.cfm?qid=1352508&page=3

I think I've exceeded the amount of data to include in a single post.  See whether this route works for you, or whether you want to open another path for a solution.

Author

Commented:
Arnold....the certificate bit is for Windows 7. But most PC's are Windows XP and I can't work GPMC even with Windows XP.
Distinguished Expert 2017

Commented:
I do not understand the last post.
The prior direction with GPO, I was under the impression that agentch.exe is actually doing the agent install. In my prior reply, while trying to see what certificate you are being prompted with, I ran the exe in a VM, and all it does is expand and create a folder c:\agentch with four files in it: two .bin files, a bat file and a sitelist.xml file. The bat file runs the McAfee framework with the /install=agent reference to the sitelist.xml.

After seeing this, that is what you need. These four files copied into the startup folder
and the bat file replacing the .exe file.

The only other possible modification: if the McAfee framework does not have 64- and 32-bit versions (32-bit only), the startup script will run fine on a 32-bit system and will not on a 64-bit one, since it references the c:\program files\ location. Presumably all the workstations have the application installed in the same location.

Author

Commented:
hi Arnold....i'm sorry. Maybe I'm confused by your message. Well you are right, there are four files from the agentch.exe that are extracted. The batch file runs and takes variables from the other 3 files I believe.

So the thing is, how do we implement this?

Arnold, we have two files that we can choose to deploy. One is the agentch.exe, which has 4 files within it. And second is another exe file, when extracted has a FrmPkg.exe file in it. Its a single exe file.

Can you work with me to help me deploy this the users PC via GPMC? Assuming we were to deploy just the single exe file. Would that be easier?

I also noticed that in GPMC there is a software installation option. This I believe accepts only MSI files. If a MSI file were to be available, can it be deployed to all PC's?

Having said all of this, what about user permissions on individual PC's. The users may not have the necessary access rights to install any software.

Author

Commented:
Arnold, you have stated to copy these four files into the startup folder. which startup folder and where? on the Domain Server?
Distinguished Expert 2017
Commented:
Take the four files that are extracted when running agentch.exe.
Copy them into \\domain\sysvol\domain\policies\{}\scripts\startup; to get there use GPMC.
See directions below.

Open GPMC, navigate to the agentch GPO select it. Right click and select edit.
navigate to computer configuration\windows settings\scripts\startup click the show files
Copy the four files in the startup folder.
Go back to GPMC and once again double click on the startup, remove the run agentch, and instead replace it with the bat file.
The bat file may need to be modified to reference the full path to the sitelist.xml on the share instead of in c:\agentch\ which I think is what it has as a default.

The show files can be used to copy the path to the file.

On another thought,  on the system/s you are/were testing, see if you have c:\agentch folder with the four files? This will confirm that agentch.exe was run when the GPO was applied.

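The startup script that arnold's two posts above describe, the earlier one proposing a .bat that records which computer ran the install and whether it completed, and the later one replacing agentch.exe with the extracted batch file pointed at sitelist.xml, written out here as an added example. This is not a script from the thread or from McAfee. The share path \\wvm-srv01\deploy, the log file name, the marker file under %SystemRoot%\Temp and the frminst.exe switches (/install=agent, /siteinfo= and /silent, the ones the thread mentions) are assumptions; check the switches against the agent's own documentation before relying on them.

```batch
@echo off
rem Added example: GPO startup script (runs as SYSTEM at boot, before any user logs on).
rem Assumed locations; adjust to your environment.
setlocal
set SHARE=\\wvm-srv01\deploy\agentch
set LOG=\\wvm-srv01\deploy\agentch-install.log
set LOCAL=%SystemRoot%\Temp\agentch
set MARKER=%LOCAL%\installed.txt

rem Startup scripts run at every boot, so guard against re-running the installer.
if exist "%MARKER%" (
    echo %date% %time% %COMPUTERNAME% skipped: marker present>>"%LOG%"
    goto :EOF
)

rem The extracted bat hard-codes C:\Program Files\; on x64 the 32-bit agent lives under
rem %ProgramFiles(x86)%. Log and stop rather than fail half-way through.
if defined ProgramFiles(x86) (
    echo %date% %time% %COMPUTERNAME% skipped: x64 not handled by this package>>"%LOG%"
    goto :EOF
)

rem Copy the four extracted files (two .bin, sitelist.xml, the bat) to a local folder so the
rem installer does not run from a UNC path and sitelist.xml can be referenced by a local path.
if not exist "%LOCAL%" mkdir "%LOCAL%"
copy /y "%SHARE%\*.*" "%LOCAL%\" >nul
if errorlevel 1 (
    echo %date% %time% %COMPUTERNAME% FAILED: could not copy from %SHARE%>>"%LOG%"
    goto :EOF
)

rem Assumed switches (from the thread); verify against the vendor documentation.
pushd "%LOCAL%"
frminst.exe /install=agent /siteinfo="%LOCAL%\sitelist.xml" /silent
set RC=%ERRORLEVEL%
popd

rem Record the outcome per computer, with the exit code, on the shared log.
if "%RC%"=="0" (
    echo installed %date% %time%>"%MARKER%"
    echo %date% %time% %COMPUTERNAME% OK: agent installed>>"%LOG%"
) else (
    echo %date% %time% %COMPUTERNAME% FAILED: frminst.exe returned %RC%>>"%LOG%"
)
endlocal
```

Add the .bat under Computer Configuration\Windows Settings\Scripts\Startup of the test GPO. Because it executes as SYSTEM on every machine the GPO is linked to, the folder holding the four files must be readable by Domain Computers and writable only by administrators: anything dropped into that share becomes code that runs as SYSTEM on all of those workstations. The log file, by contrast, needs write access only for Domain Computers, not Everyone. Referencing the server by its DNS name rather than an IP address lets the computer account authenticate with Kerberos instead of falling back to NTLM. The marker file and the log line with the exit code give you the check arnold asks for: whether c:\agentch appeared and whether the install completed, without visiting each PC.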
Author

Commented:
Arnold, I have another question. If I have a MSI package, can I deploy it using the Software Installation option from GPMC?

How is this done and executed on users PC's?

Distinguished Expert 2017
Commented:
I think the question is veering into a new subject. And should probably be asked on its own.
At this point, Did the startup script approach install the agent on the system?

It depends on the MSI whether it is interactive or whether all the parameters that are needed are included in the msi or can be included as part of the settings file.
It depends on what type of software deployment/installation you are looking at, per user or per system.  With per user with the user not having administrative rights, you most likely will have to use the loopback GPO.

Some references to GPO for software install.
http://technet.microsoft.com/en-us/library/cc738858%28WS.10%29.aspx
http://support.microsoft.com/kb/816102
http://technet.microsoft.com/en-us/library/bb742421.aspx
http://oreilly.com/pub/a/windows/2006/11/14/how-to-deploy-software-using-group-policy.html

Author

Commented:
I'm testing this on my virtual server/PC and I'm not sure if it's been set up well (as in the AD). It seems all that I have tried from the above mentioned posts doesn't seem to work at all.
Distinguished Expert 2017

Commented:
You can join the VM into the AD and test away by placing the VM's computer account into the OU where you have the software policy.

Author

Commented:
i've not resolved this problem. I need help to look at my virtual servers and assist me with my problems. Sorry, the problem was not resolved.
