Log In Script for Domain Controller

I am running Windows 2003 Server.

Need help urgently please.

Could you add some detail?  Running a patch exe will be with the access rights of the user, which often will not work if the user is a limited/restricted user account.

start "" pathtofileyouwanttorun\file.exe

Scripts are usually stored in the netlogon folder of the server and associated through ADUC.

if you copied the patch to the netlogon folder you could create a unc reference to it in the logon script at the top so the file is run when the user logs on, however this would run every time the user logs on

sgsm81 the logon script is stored in the sysvol folder under Windows.

Where is the netlogon script located?

can this be done via Group Policy....if so please guide me how to do this.

where is the netlogon folder located? on the Windows 2003 Domain server?

i can't find a netlogon folder in my sysvol folder.

Guys, this is exactly what I want to do. I want to place an mcfee-agent.exe file on the Domain Server. When the users log on to the domain, I want this exe file to be executed. How do I do this?

Can I add this task into the logon.bat script file which runs the moment the user logs on to the domain? Which means, I want to the agentch.exe file to be executed the moment the user logs on to the domain. With this exe only resident on the domain controller and not on each individual user's PC, will it run if I were to just put in a: Call C:\agent\agentch.exe?

You would typically deploy MacAfee usinge Policy Orchestrator (ePO) Server, are you not running this? if not trying extracting the exe to an msi file (EPO server does this for you iirc when you import the package)

Once you have an MSI file you can then deploy it using group policy easily but how easy this is depends on how much user interaction the agent needs to install and how you deal with that ineraction, some apps suppoer transform file and some msi can be edited using tools like Orca.

Check http://www.appdeploy.com/ for what others have done.

The location of a login script in a GPO is in the c:\windows\sysvol\domain\policy\<{policy-unique-iD}\User\scripts\logon or logoff on the DC
Access by way of a share
(\\domain or \\dc)\sysvol\<AD_domainname>\Policies\<{Unique-policy-ID>\User\scripts\logon or logoff.

You might be better off running this through the startup/shutdown process since that runs with the rights of the SYSTEM and has install rights, but what you are running has to be preconfigured, without prompts or interactive.
If an MSI and you know the correct switches that need to be used to provide the installer all the information it needs complete the install.  If as MojoTech pointed out, you have another mechanism that deploys these i.e. a server based component that can push the update to the individual workstaion by way of the client application already installed, that is the route you should go.  IF the vendor provides for a preconfigured software package deployment where all the parameters are included and the install can run quietly, that is the second preferred approach.

P.S. a login script on a DC will only be run when an Administrative user logs in anyway, unless the default domain controller policy was altered to allow other individuals access or this is an SBS system.

hi arnold, the login script that I have sits on the sysvol folder and on each user's profile, I have stated that this login.bat script needs to run. So the moment the users log in, the login.bat script runs and it maps several drives for the users.

The users do not have local admin rights. The moment they logon to the domain controller, the login.bat script tied to their profile runs - mapping drives to their PC's.

You mentioned I would be better off running this through the startup/shutdown process.
Could you guide me step by step as to how I should do this?

I have so far opened MMC and added the group policy objects. What do I do next?

This file that I plan on running is called agentch.exe (exact filename).

hi arnold, from the command prompt window, I typed agentch.exe /? and it merely popped up a window requesting if I wanted to overight files that already existed.

With regards to McAfee's ePO server and deploying of updates, we have an ePO that is able to push updates. The problem is, the users PC's are unable at this point to communicate with the ePO server. And so an agent update is needed for the users PC's to be able to begin communication with the ePO server.

For that to happen, we have to install this agentch.exe on several PC's. Instead of going from one PC to another, we are wondering if this can be done though a login script.

Arnold...I've attached the agentch.exe file to this reply. When you double click on this file, if its run on Windows 7, window pops up asking you if it ok to run this blah blah blah. On WIN 2K3, it just runs. Likewise I assume it would be the same for Windows XP.

Arnold I have downloaded the gpmc.msi and installed it on my domain. I need your guidance as to how to use it for this case.
Please let me know how to work this, please.
agentch.exe

arnold....the login script now looks like this:
net use w: /d
net use S: /d
net use P: /d
net use F: /d
net use N: /d

net use W: \\wvm-srv01\Simma
net use S: \\wvm-srv01\FileServer
net use P: \\WVM-SRV01\MarCom
net use F: \\server1\FaxCore
net use N: \\wvm-srv01\scan_doc

the domain server's ip address is 198.1.1.1

I'm wondering if I can add in the line at the bottom of the script:
call \\198.1.1.1\netlogon\agentch.exe

I have also placed the agentch.exe file in the netlogon folder. Please do note though, the users do not have local admin rights. So they can't install anything on their PC's. We are hoping that when they log on to the domain, this command runs :call \\198.1.1.1\netlogon\agentch.exe and the agent gets installed.

arnold, I am totally LOST by all that you said above. Especially with the changes in registry etc.

If I have a log in script, how will that work, considering that you mentioned that the users need to be power users or have administrative rights? Right now, they are neither of those two groups. Otherwise, the line that I inserted into the current log on script, would work, wouldn't it? the line :
call \\198.1.1.1\netlogon\agentch.exe

arnold, I'm very much a rookie with AD. So you may need to walk me through this step by step please?
To start off with....how do I create an OU and where do I do this please?

with your instructions for GPMC...you said to create a new .bat file. and in that batch file add the line call \\servername\sharename\agentch.exe

Will that be the same as adding the line below?
call \\198.1.1.1\netlogon\agentch.exe

with GPMC you can also deploy MSI packages right? would you know how this is done?

the agentch.exe file that I have is an exe file. How do I convert it to a MSI file?

Hi Arnold...I'm following your GPMC Instructions.

I can't find this part that you have mentioned:
You are done with creating the GPO and applying it to the OU (only)
Close everything until you get to the GPMC, while the newly created GPO is selected, right click select GPO status\ and select here "User configuration settings disabled".  This is a computer based GPO and there is no need for the workstations\servers to attempt to apply this GPO on every user login.

Arnold, please take a look at my screen capture. I don't see the GPO Status\ and select here "User configurations settings disabled".

Please guide me.
GPMC---Agent-install.jpg

Arnold....how do I do this:
Using the AD user and computer interface, move one of the workstations into the newly created OU.

When you say this:
You can run gpupdate /force after you login. Then reboot the system and see whether the agentch.exe run and did what you expect.

Reboot which system? Any of the user's PCs?

Arnold....I don't understand this. Need more details from you. Could you break down the instructions here please? Especially the part where you say how to apply it to all systems.

Using the AD user and computer interface, move one of the workstations into the newly created OU. You can run gpupdate /force after you login. Then reboot the system and see whether the agentch.exe run and did what you expect. If it has and you are confident, you can apply this GPO to the rest of the Computers in the AD. If you only use the default AD organization where you have Computers is the Computers entry, the only way to apply a GPO is to add it to the AD Domain (top of the domain hierarchy). This will apply to all the systems (servers\workstations\Domain controllers)
You could specify to which this GPO applies, by removing the authenticated_users from the GPO's Scope tab\Security settings\ and then adding the computers to which this GPO should apply one at a time, or if you have all the computers in a defined group, you should add this group.  using the built-in "Domain computers" group will include all systems with the exclusion of the domain controllers.

Arnold....I went to AD Users and Computers. Under the section of Computers, I found a PC WVM-DR13. I highlighted this PC and then right click and selected MOVE. I then moved it to "install_agents" OU. That computer then disappeared from the computers OU and was moved to the "install_agents". Is this incorrect?

arnold, i did as per your instructions....and performed a gpupdate on the domain server. i then got the PC WVM-DR13 to perform a reboot. but nothing happened :(

for software installation...don't you need a MSI file?

the agentch.exe has batch scripts in this exe file. one batch script and some other files. did you take a look at the agentch.exe file that I attached?

does the user of WVM-DR13 have to be a local admin in order for this to happen?

Arnold, isn't Startup scripts meant only for scripts? We are trying this with an exe file. Can it work when we use an exe file under startup scripts?

Starting at the begining post:
YOu highlighted the OU.  to change the mode of the GPO, you need to highlite/select the GPO age.
The gpupdate /force needs to run on the computer, or it will usually take to restarts for the GPO to apply.

The reboot applies to the System that you moved into the newly created OU.

Once you are satisfied that it works, you can link this GPO (Agentch) at the top of the list Domain\wvm.com as there are currently wvm.com GPO or to the MYSO if that is a computer OU.

I did not download nor try to run the file you attached since it serves no purpose and I can not replicate the environment in which you are trying to use it.

The software distribution/install functionality in GPOs requires an MSI since it uses Windows Installer for processing.  The startup/shutdown and login/logout can run .bat, .vbs,  and .exe.

The only issue is whether the agentch.exe when run does not/Must not try to interact with the user. When you run it as administrator on a workstation, does it just go through and done.  If there are additional files on which it relies, those files must be copied to the startup folder where you placed agentch.exe \\domain\sysvol\wvm.com\Policies\{unique-id-for-agentch}\scripts\startup\


If the agentch.exe

Arnold, it didn't work with the restart of the user's computer.

The agentch.exe file consists of a batch file and addtional files from which the batch files reads prameters/information from these other files.

When I execute this exe file on my computer, I'm prompted first by a window which ask if I trust the publisher. After that it just intalls the file and then finally a window pops up saying that the agent has been successfully installed. And I need to hit the OK button.

From this, we can gather that no user intervention is needed, right? Or am I wrong?

So what did I do wrong that it didn't work when the user rebooted the PC?

What about permissions? Now it is set to Authenticated users.

Also, I hope I have read you correctly...the gpupdate /force needs to be run on the users PC, correct?

Arnold....the certificate bit is for Windows 7. But most PC's are Windows XP and I can't work GPMC even with Windows XP.

I do not understand the last post.
The prior direction with GPO, I was under the impression that agentch.exe is actully doing the agent install.  In my prior reply while trying to see what certificate you are being prompted with, I ran the exe in a VM, and all it does is expand and create a folder c:\agentch with four files in it. two .bin files, a bat file and a sitelist.xml file. The bat file runs the mcaffee framework with the /install=agent reference to the sitelist.xml.

After seeing this, that is what you need. These four files copied into the startup folder
and the bat file replacing the .exe file.

The only other possible modification if the mcaffee framework  does not have 64 and 32 bit version (32 bit only), the startup will run fine on 32 bit system and will not on a 64 since it references the c:\program files\ location.  Presumably all the workstations have the application installed in the same location.

hi Arnold....i'm sorry. Maybe I'm confused by your message. Well you are right, there are four files from the agentch.exe that are extracted. The batch file runs and takes variables from the other 3 files I believe.

So the thing is, how do we implement this?

Arnold, we have two files that we can choose to deploy. One is the agentch.exe, which has 4 files within it. And second is another exe file, when extracted has a FrmPkg.exe file in it. Its a single exe file.

Can you work with me to help me deploy this the users PC via GPMC? Assuming we were to deploy just the single exe file. Would that be easier?

I also noticed that in GPMC there is a software installation option. This I believe accepts only MSI files. If a MSI file were to be available, can it be deployed to all PC's?

Having said all of this, what about user permissions on individual PC's. The users may not have the necessary access rights to install any software.

Arnold, you have stated to copy these four files into the startup folder. which startup folder and where? on the Domain Server?

Arnold, I have another question. If I have a MSI package, can I deploy it using the Software Installation option from GPMC?

How is this done and executed on users PC's?

I'm testing this on my virtual server/pc and I'm not sure it its been set up well (as in the AD). It seems all that I have tried from the above mentioned posts, doesn't seem to work at all.

You can join the VM into the AD and test away by placing the VM's computer account into the OU where you have the software policy.

i've not resolved this problem. I need help to look at my virtual servers and assist me with my problems. Sorry, the problem was not resolved.