Solved

Windows 7 Logon Script

Posted on 2011-09-12
Last Modified: 2012-05-12
Hey everyone,

I did a search and found ideas of what's going on but none that I think address what I am seeing.  Most people say their scripts won't do what they want them to do, they won't even run etc.  I think my issue is different.

I have a script that has been on the domain for quite some time and it doesn't seem to want to "auto run" on my Windows 7 machines.  They won't run GP logon scripts at logon.  Thing is I can go directly to the server, go into policies and run the script manually.  It installs the printer, it maps the drives, it does everything you expect it to do except run on logon.

XP clients will run it at logon no problem.  It's the Windows 7 that doesn't.  Crazier yet, the script USED to work about a year ago on Windows 7.  I haven't changed it (that I can remember).  Also, "Machine Scripts" do not run unless I gpupdate /force.

It's a VBS script running as a GP on Server 2003 R2 domain controller.  The laptops are Windows 7 Pro x64.  Below is the simple little script I run for logon followed by startup.

ON ERROR RESUME NEXT
'***********************************************************
Dim net, objNetwork, WSHNetwork, strComputer, strDomain, objLocalGroup, objDomainGroup, shell, desktopPath, link, sys32Path
'***********************************************************
Set net = CreateObject("WScript.Network")
Set objNetwork = CreateObject("WScript.Network")
Set WSHNetwork = CreateObject("WScript.Network")
Set shell = WScript.CreateObject("Wscript.Shell")

'***********************************************************
'Adds the OKI and Toshiba Printer to Computer
'***********************************************************
net.AddWindowsPrinterConnection "\\OURDC\TOSHIBA 5520c"

'***********************************************************
'Adds the Common Drive and the Converted Scans folder
'***********************************************************

'WSHNetwork.RemoveNetworkDrive "Z:", True, True
'WSHNetwork.RemoveNetworkDrive "S:", True, True
objNetwork.MapNetworkDrive "Z:" , "\\OURFILESERVER\common", True
objNetwork.MapNetworkDrive "S:" , "\\OURDC\Converted Scans", True
objNetwork.MapNetworkDrive "x:" , "\\OURDC\Received Faxes", True
objNetwork.MapNetworkDrive "N:" , "\\OURFILESERVER\New Common", True

'***********************************************************
' Flush and Register DNS
'***********************************************************

Set WshObj = Wscript.CreateObject("WScript.Shell")
WshObj.Run "ipconfig /flushdns", 1, true
WScript.sleep 1
WshObj.Run "ipconfig /registerdns", 1, true

'***********************************************************
'Creates a Shortcut to the Z Drive
'***********************************************************

Set net = nothing
Set objNetwork = nothing
Set WSHNetwork = nothing
Set shell = nothing

STARTUP SCRIPT FOLLOWS

Option Explicit

Dim strDomain, objNetwork, strComputer, objLocalGroup, objDomainGroup

' Specify the NetBIOS name of the domain.
strDomain = "DOMAIN NAME"

' Retrieve NetBIOS name of local computer.
Set objNetwork = CreateObject("Wscript.Network")
strComputer = objNetwork.ComputerName

' Bind to local Administrators group.
Set objLocalGroup = GetObject("WinNT://" & strComputer _
& "/Administrators,group")

' Bind to domain group.
Set objDomainGroup = GetObject("WinNT://" & strDomain & "/Domain Users,group")

' Check if the domain group is already a member of the local group.
If Not objLocalGroup.IsMember(objDomainGroup.AdsPath) Then
' Add the domain group to the local group.
objLocalGroup.Add(objDomainGroup.AdsPath)
End If

' Clean up.
Set objNetwork = Nothing
Set objLocalGroup = Nothing
Set objDomainGroup = Nothing

I have changed names for anonymity.  Sorry I can't spell.





0
Question by:cat5net
19 Comments
 
LVL 8

Expert Comment

by:Amitabh Singh
ID: 36523837
Hi cat5net,

I remember I also had the same problem on Windows 2008 servers, where my script was not able to run normally, but when I right-click on the script and choose Run as administrator it runs fine.

I resolved this issue by disabling UAC. Try disabling UAC, then log in to the system again and check whether the script runs fine.

To disable UAC you need to run the following command in cmd (with Run as administrator privileges):

%systemroot%\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
0
 
LVL 1

Author Comment

by:cat5net
ID: 36523868
I forgot to mention UAC is disabled.  I disable UAC on all computers that come in.  UNLESS this is different than the GUI which is set to "Never Notify"

Is that the case?
0
 
LVL 8

Expert Comment

by:Amitabh Singh
ID: 36523945
No, it's the same; if UAC is set to "Never Notify" then it means it's disabled!

So in your case you don't have a problem with UAC.

cat5net, are you sure about user rights? Does the user have the rights to perform the actions you requested?

Check the following things:

-> whether the user has rights to do the actions you are requesting in the script, for example connect a network drive, flush the DNS server, etc.
-> whether the Windows 7 PCs are in the same OU as the Windows XP ones; if not, then have the same rights in the GPO for both OUs
-----------------------------------------------------------------------------------------------------------
Apply this script as a domain admin user's login script and log in to one Windows 7 laptop for testing.
0
 
LVL 8

Expert Comment

by:Amitabh Singh
ID: 36524002
And just for information, a lot of WMI classes changed in Windows 7 and Windows 2008, so because of that lots of VBS scripts are not working in Win 7/2k8.

The last solution for your problem would be to upgrade your script from VBS to PowerShell.

Here is a good example: "How Do I Migrate My VBScript WMI Queries to Windows PowerShell"

http://blogs.technet.com/b/heyscriptingguy/archive/2009/03/04/how-do-i-migrate-my-vbscript-wmi-queries-to-windows-powershell.aspx
0
 
LVL 1

Author Comment

by:cat5net
ID: 36524018
Funny thing is one of the scripts, the Startup/Machine Script, which should be running without user elevation (i.e. before the computer is supposed to log in), doesn't run either.  That script is supposed to add the user to the local admin group.

I also have a policy that is supposed to disable UAC automagically and that doesn't apply.  

If I do a gpupdate /force it will apply most GP.  Otherwise it is not applying.

- > check if windows 7 PCs are in Same OU as windows xp , if not then have same rights in GPO for both OU  <------ These GP are applied across the whole domain and are sharing the same OU with the XP laptops.

-> if user have rights to do the action which you requesting in script , example connect network drive , flush dns server , etc <----  I can run the script under that user manually ie going to \\OURDC\SYSVOL\OURDOMAIN\SYSVOL\POLICIES\INSERTLONGSIDHERE\USER\SCRIPTS\LOGON\SCRIPTNAMEHERE, and it works like a charm, does all I want it to

0
 
LVL 1

Author Comment

by:cat5net
ID: 36524066
In response to your WMI comment, this is where I am confused a bit and left saying my situation is different.  I say that because I have seen many other posts stating that the script is "broken" and will not let it complete etc.  While my script will run and do everything perfectly if I run it manually.  Drives will map, printers will install, users will be added to local admins etc.  Everything works, it just doesn't run automatically at logon.

I tested a "normal" user and myself on a brand new laptop (installing a batch of 5 today) and neither run the script.  My laptop I use daily, does run the script strangely enough, AND it's Windows 7.
0
 
LVL 1

Author Comment

by:cat5net
ID: 36524097
So I think the greater issue here is GPOs not applying at all.
0
 
LVL 1

Author Comment

by:cat5net
ID: 36524151
Ok, so I was digging some more and it seems that it's picking whatever it wants to apply.  I.e. Folder Redirection is getting applied but others are not.
0
 
LVL 42

Accepted Solution

by:kevinhsieh
kevinhsieh earned 500 total points
ID: 36524832
The last part of your script should fail unless the user is already an administrator. Looking over your script, the drive mappings, printer additions, and local administrator group membership are all available via group policy preferences and restricted groups, which are standard group policy settings since Vista and backported to XP SP3 with the group policy preferences add-in. I would look at migrating your script over to the standard group policy methods.
0
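An added example, not part of the original thread and not any poster's code: a PowerShell check that lists the local Administrators group through the same WinNT provider the startup script binds to. It shows whether the startup script (or a Restricted Groups policy) has taken effect on a machine and which domain-wide groups hold local admin rights. The function name and the `$BroadGroups` list are assumptions; the group name `Administrators` is taken from the startup script above.

```powershell
# Added example (not from the thread). PowerShell 2.0 compatible for Windows 7.
# Get-LocalAdminMember and $BroadGroups are hypothetical names chosen here.
function Get-LocalAdminMember {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        # Assumed list of principals treated as "everyone in the domain".
        [string[]]$BroadGroups = @('Domain Users', 'Authenticated Users', 'Everyone')
    )

    # Same binding string the startup script uses for the local group.
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"

    foreach ($member in @($group.psbase.Invoke('Members'))) {
        # Members are raw COM objects, so properties are read by reflection.
        $type    = $member.GetType()
        $adsPath = $type.InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        $class   = $type.InvokeMember('Class',   'GetProperty', $null, $member, $null)
        $name    = $type.InvokeMember('Name',    'GetProperty', $null, $member, $null)

        # WinNT://DOMAIN/COMPUTER/Name is a local account;
        # WinNT://DOMAIN/Name is a domain (or well-known) principal.
        $parts = (($adsPath -replace '^WinNT://', '') -split '/')
        if ($parts.Count -ge 3 -and $parts[-2] -eq $ComputerName) {
            $scope = 'Local'
        } else {
            $scope = 'Domain/Other'
        }

        # Flag groups that effectively grant local admin to every domain user.
        $broad = ($class -eq 'Group') -and ($BroadGroups -contains $name)

        New-Object PSObject -Property @{
            Computer = $ComputerName
            Name     = $name
            Class    = $class
            Scope    = $scope
            Broad    = $broad
            AdsPath  = $adsPath
        } | Select-Object Computer, Name, Class, Scope, Broad, AdsPath
    }
}

# List every member; rows with Broad = True are the ones the startup script adds.
Get-LocalAdminMember | Format-Table -AutoSize
```

Running it before and after `gpupdate /force` and a reboot shows whether the machine script actually applied, independent of what gpresult reports.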

 
LVL 8

Expert Comment

by:Amitabh Singh
ID: 36525016
Hmm, interesting. Just for info, you can use gpresult to see which GPOs are applying to the Windows 7 computers.

Regarding the script, may I ask how you are applying it: as a Windows startup script in the GPO or as a login script for the user?  <-- Because if you are running this as a system startup script it will not work, because there are no network access rights. If you want to use this script as a Windows startup script, we can use psexec to run that script.

Example
psexec -u user -p pass c:\windows\system32\cscript.exe \\DC\netlogon\file.vbs
0
 
LVL 1

Author Comment

by:cat5net
ID: 36525036
I could understand getting rid of the script using the other newer method and it is something I will play with.  Still leaves questions.

That said, if you manually force a gpupdate it ends up applying both the startup script and logon script and works perfect.  This still doesn't explain the script failing to run even if UAC is off and the user is an Administrator either locally or on the domain.  The script fails to run period.

The last part of your script should fail unless the user is already an administrator. <-----  If you are referring to the startup script, this exact script, places all users into the local admin group on that computer and works for Windows XP and up to a certain time worked for Windows 7, automatically.  

If I force a GPUPDATE on Windows 7, they sure enough get the policy at next boot and end up as a local admin, get the login script etc.  I can gpupdate /force just fine regardless of user credentials.  Also, that portion is not a logon script, it is a startup script (i.e. machine script). I tried to explain that earlier, sorry if that was confusing, but it should act independent of user credentials.


Here is a recap.

Logon script will not run AUTOMATICALLY under Windows 7 - UAC on or off - XP works fine.
It doesn't run for users that are local/domain admins either
Regular, non admin users can run the script manually by going into SYSVOL\Policies etc (All printers, drives etc map perfect)
Machine/startup scripts like the one I have posted do not run unless I gpupdate /force on Windows 7
Other Policies like Folder redirection do apply in Windows 7
There are no errors in logs
I can gpupdate /force on Windows 7 and restart and all is as it should be, users are part of local admin, login scripts run (and complete properly) etc. - It's almost like it's ignoring these scripts until I force it.
0
 
LVL 1

Author Comment

by:cat5net
ID: 36525048
Tech_Eng

I tried to explain that they are 2 separate scripts.  One is a Startup script and the other a Login script.  The Startup script adds domain users to local admins while the login does all the mapping.
0
 
LVL 1

Author Comment

by:cat5net
ID: 36525051
And gp results show it "applying" when I checked it.  
0
 
LVL 1

Author Comment

by:cat5net
ID: 36525108
Just wanted to say thanks for the ideas/help everyone.  Something strange just happened as well.  I have had this computer (Windows 7 newly added to the domain) sitting here, I logged in and all the scripts applied...
0
 
LVL 1

Author Comment

by:cat5net
ID: 36525177
Also, with GPP, how can I use this if my servers are 2003 R2?  Did I miss that?
0
 
LVL 8

Expert Comment

by:Amitabh Singh
ID: 36525226
Same way as Windows 7. It looks like you don't have a problem with the script but you have a problem with GPO: GPO is not applying to old systems.

The easy way is to rejoin those systems to the domain again and it will apply.
0
 
LVL 1

Author Comment

by:cat5net
ID: 36525318
Also, with GPP, how can I use this if my servers are 2003 R2?  Did I miss that?  - Forget that, I am managing it from a Windows 7 computer with Remote Admin - just didn't think they would apply via 2003 but they do.
0
 
LVL 42

Assisted Solution

by:kevinhsieh
kevinhsieh earned 500 total points
ID: 36525638
Yes, you can manage GPP from Windows 7 with RSAT installed.
0
 
LVL 1

Author Closing Comment

by:cat5net
ID: 36546105
I am going to give the points to kevin as he has pushed me in the right direction for using RSAT.  While this wasn't the complete answer (scripts would run normally and give me all I wanted, wouldn't run automatically) it helped me get another solution to my problem.

Silly note is that when messing with RSAT, it started to accept and auto run the scripts again, go figure!

Thank you.
0
