Startup Scripit doesn't work with GPO

Hi Guys

I have wrote a very simply startup script for installing SCCM 2007 Client in GPO.

client.cmd
================================
\\sccm01\sms_abc\client\ccmsetup.exe /MP:sccm01 /logon  SMSSITECODE=ABC
==============================

after GPO assign to the right OU (two client machines),

** run gpupdate /force in both DC and client mahines.
** reboot client mahchines
** login client machine
** no installed. It looks like the script wasn't executed during system startup.

I have try to run the client.cmd manually in the one of client machines, it works fine.

Why the GPO doesn't work?

THanks

Regards
mxgongAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

uboundCommented:
Permissions problem?  Do "Domain Computers" have access to \\sccm01\sms_abc?
0
mxgongAuthor Commented:
yes I try \\sccm01\sms_abc\client\ccmsetup.exe  in client machine, it can be accessed.

Thanks
0
uboundCommented:
What exactly are the:

1) Share permissions for \\sccm01\sms_abc
2) Directory permissions for ?:\sms_abc

I'm guessing the share permissions are "Everyone" has read access, cuz that's the default, but it's worth checking.  Other than Admins and Domain Users, who has permissions to the directory?
0
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

Thomas-MjeldeCommented:
To see if the script runs or not, just add this to the script:

echo Startup script has successfully ran >> c:\startupscript.txt

And look for the file on the computer.

Other than that, I have noticed multiple times that the share/ntfs permissions for sccm change. I think it happened when I repaired the site, so I decided to host the SCCM installation files on another fileserver to avoid this issue.

Remember that a startup script runs with the computer account, and not the user account. Hence the share needs to grant access to the computer accounts, and not the user accounts.
That might be why it runs successfully when you manually test it, but not via the GPO.
0
mxgongAuthor Commented:
Hi Guys

I am going to try your suggestion now, and get back to you ASAP.

Regards
0
mxgongAuthor Commented:
Hi Guys

Just a quick question, if I run the script as logon, the GPO should be attached to OU which has users' accounts, because it requires users logon.

if I run the script as startup, then the GPO should be attached to OU which has computer accoutns.

is it right?

Regards
0
mxgongAuthor Commented:
I have attahced the GPO to the OU which has client's machines accounts.

I have assign domain computers to the SMS_SYD folder as read & right permission.

After applying gpupdate /force and reboot the client machine, no luck, it still didnt install the client.

Any other idea?

Thanks
0
Thomas-MjeldeCommented:
Hi mxgong.

Yes, you are correct.
User policies applies to the OU where the user accounts reside
Computer policies applies to the OU where the computer accounts reside.

You can run the following command to generate a report of the current policies the computer gets:
GPRESULT /H GPReport.html

Also note that share permissions and NTFS permissions can collide. The most strict will always override.
If you don't grant permissions for both, then the computers won't be able to access the folder.

Also note that if you have multiple domain controllers, it might take a while for group policy changes to replicate to all domain controllers.

You can also verify that both user and computer settings are applied, and none are disabled
Do this in group policy management, find the policy, right click and select GPO Status -> Enabled
0
mxgongAuthor Commented:
Hi Thomas

"Also note that share permissions and NTFS permissions can collide. The most strict will always override.
If you don't grant permissions for both, then the computers won't be able to access the folder."

would you please give me more specs about this for computer account? I have assign share and security permission to domain computers, is it right?

Let me check other things you mentioned in the comments. I will get back to you after few mintues.

Thanks
0
mxgongAuthor Commented:
here is the report:

Name                    Parameters     Last Run                     Script Order in GPO                           Winning GPO
sccm_client.cmd                       12/12/2011 9:52:27 PM    Not configured                         [SCCM-SYD] Client Installation


it looks like the script was executed, but why I cannot see the "configurre manager" in the control panel? OS is win 7 64 b
0
Thomas-MjeldeCommented:
Also check this:
Open Group Policy Management, find the OU, check the Linked group policy objects tab, and the group policy inheritance tab and verify that your GPO is  there.

You should also check if any policies contain the same setting, which would make one of the policies not apply its settings correctly. To get around this, you can either block inheritance on the OU, change the link order, or make one policy enforced.
Note: Blocking inheritance will NOT block enforced policies.

The policy with the lowest link order takes precedence over the others, so the policy with link order 1 will always win if multiple policies contain the same setting.

That way you can have two enforced policies, and setting the link order to determine which take precedence.
0
Thomas-MjeldeCommented:
The SCCM client installation might take some time to finish up.
Does the SCCM client folder exist in c:\windows\syswow64\ccm ?
If it does, there should be log files there.
0
mxgongAuthor Commented:
now is nearly 11 PM, it needs 1.5 hours to install? And i didnt find c:\windows\syswow64\ccm folder.

Do I need to reboot the machine once to see it again?

Thanks for your help.

Regards
0
mxgongAuthor Commented:
i have checked the OU and GPO, it is linked and enfoced, and it is only one GPO for this OU at tht moment.

Thanks
0
Thomas-MjeldeCommented:
Do you have another CCM folder in syswow64?
0
mxgongAuthor Commented:
I didnt see c:\windows\syswow64\ccm  or CCM, or SCCM folder.

0
Thomas-MjeldeCommented:
First step of SCCM client is to copy installation files to %SYSTEMROOT%\SysWOW64\CCMSetup if my memory serves me right.
If you don't have any folders starting with CCM in syswow64, then I bet the setup has never run at all.

You could download psexec and try the ntfs/share permissions from the system account:

http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx
run this command:
To run Command prompt using the system account:
psexec -s cmd

Then list the files on the share:
dir \\sccm01\sms_abc\client\
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
mxgongAuthor Commented:
0
mxgongAuthor Commented:
0
mxgongAuthor Commented:
I have attached two screenshots for permission settings, is it right settings for computer accounts?

Thanks
0
Thomas-MjeldeCommented:
It's not possible to see which permissions you've granted for domain computers NTFS, as you've selected System in the screenshot.

It'd be better if you manually tested using psexec.
0
mxgongAuthor Commented:
Sorry, the NFT permission for computer accounts which is Modify + Read + Writer.

ok I try psexec now.

Regards
0
mxgongAuthor Commented:
Here is the message after run dir \\xxxx

C:\Windows\system32>dir \\fileserver\SMS_SYD\Client\
 Volume in drive \\fileserver\SMS_SYD has no label.
 Volume Serial Number is 6085-7F66

 Directory of \\fileserver\SMS_SYD\Client

File Not Found

C:\Windows\system32>
0
Thomas-MjeldeCommented:
Could you try to grant access to "everyone" on both share and ntfs, and see if you find the files with psexec then?
0
mxgongAuthor Commented:
I have decided to use client push installation which is more easy process.

Thanks for your help.

Cheers
0
mxgongAuthor Commented:
Thanks
0
Thomas-MjeldeCommented:
You could also chose logon script, instead of startup script. That's how I chose to do it, and it'll probably fix the permission errors you're getting.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2003

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.