Asked by mxgong
Startup Script doesn't work with GPO

Hi Guys

I have written a very simple startup script for installing the SCCM 2007 client via GPO.

client.cmd
================================
\\sccm01\sms_abc\client\ccmsetup.exe /MP:sccm01 /logon  SMSSITECODE=ABC
================================

After the GPO is assigned to the right OU (two client machines):

** run gpupdate /force on both the DC and the client machines
** reboot the client machines
** log in to a client machine
** nothing is installed. It looks like the script wasn't executed during system startup.

I have tried running client.cmd manually on one of the client machines; it works fine.

Why doesn't the GPO work?

Thanks

Regards
ubound:

Permissions problem?  Do "Domain Computers" have access to \\sccm01\sms_abc?
mxgong (asker):
Yes, I tried \\sccm01\sms_abc\client\ccmsetup.exe on a client machine; it can be accessed.

Thanks
What exactly are the:

1) Share permissions for \\sccm01\sms_abc
2) Directory permissions for ?:\sms_abc

I'm guessing the share permissions are "Everyone" has read access, because that's the default, but it's worth checking.  Other than Admins and Domain Users, who has permissions to the directory?
To see if the script runs or not, just add this to the script:

echo Startup script has successfully ran >> c:\startupscript.txt

And look for the file on the computer.

Other than that, I have noticed multiple times that the share/ntfs permissions for sccm change. I think it happened when I repaired the site, so I decided to host the SCCM installation files on another fileserver to avoid this issue.

Remember that a startup script runs with the computer account, and not the user account. Hence the share needs to grant access to the computer accounts, and not the user accounts.
That might be why it runs successfully when you manually test it, but not via the GPO.
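The two suggestions above (leave a trace on the client, and remember that a startup script runs as the computer account) can be folded into the script itself. The following is an added example, not the poster's client.cmd and not SCCM project code: it keeps the same ccmsetup.exe call but logs when it ran, which account ran it, and whether the share was reachable from that account before the installer was attempted. The share \\sccm01\sms_abc, the management point and the site code come from the question; the log path C:\startupscript.txt follows the earlier suggestion; both are assumptions for the example.

```batch
@echo off
rem Added example (not the original client.cmd): the same ccmsetup call,
rem wrapped with logging so a failure during startup leaves evidence on the client.
rem Assumptions: \\sccm01\sms_abc and site code ABC come from the question;
rem C:\startupscript.txt is the log path suggested earlier in the thread.
setlocal
set "SRC=\\sccm01\sms_abc\client"
set "LOG=C:\startupscript.txt"

rem Record when the script ran and under which account. For a GPO startup
rem script this prints NT AUTHORITY\SYSTEM, which reaches the share as the
rem computer account (DOMAIN\COMPUTERNAME$), not as any logged-on user.
echo [%date% %time%] startup script started on %COMPUTERNAME% >> "%LOG%"
whoami >> "%LOG%" 2>&1

rem Check that the share is reachable as this account before running the
rem installer; a failure here points at share or NTFS permissions (or the
rem network not being up yet), not at ccmsetup itself.
if not exist "%SRC%\ccmsetup.exe" (
    echo [%date% %time%] ERROR: cannot reach %SRC%\ccmsetup.exe as this account >> "%LOG%"
    exit /b 1
)

rem Same installer arguments as the original client.cmd.
"%SRC%\ccmsetup.exe" /MP:sccm01 /logon SMSSITECODE=ABC
echo [%date% %time%] ccmsetup.exe exited with code %ERRORLEVEL% >> "%LOG%"
endlocal
```

After a reboot, C:\startupscript.txt tells you three things at once: whether the GPO ran the script at all (no file means the policy never applied), which account it ran as, and whether that account could see the share. If the "cannot reach" line appears, either the computer account lacks share/NTFS access, or the script ran before the network was ready; for the latter, the computer policy "Always wait for the network at computer startup and logon" (Administrative Templates > System > Logon) makes the startup script wait for the network.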
mxgong (asker):
Hi Guys

I am going to try your suggestion now, and get back to you ASAP.

Regards
mxgong (asker):
Hi Guys

Just a quick question: if I run the script as a logon script, the GPO should be attached to the OU which has the users' accounts, because it requires the users to log on.

If I run the script as a startup script, then the GPO should be attached to the OU which has the computer accounts.

Is that right?

Regards
mxgong (asker):
I have attached the GPO to the OU which has the client machines' accounts.

I have assigned Domain Computers read & write permission on the SMS_SYD folder.

After applying gpupdate /force and rebooting the client machine, no luck; it still didn't install the client.

Any other idea?

Thanks
Hi mxgong.

Yes, you are correct.
User policies apply to the OU where the user accounts reside.
Computer policies apply to the OU where the computer accounts reside.

You can run the following command to generate a report of the current policies the computer gets:
GPRESULT /H GPReport.html

Also note that share permissions and NTFS permissions can collide. The most strict will always override.
If you don't grant permissions for both, then the computers won't be able to access the folder.

Also note that if you have multiple domain controllers, it might take a while for group policy changes to replicate to all domain controllers.

You can also verify that both user and computer settings are applied, and none are disabled
Do this in group policy management, find the policy, right click and select GPO Status -> Enabled
mxgong (asker):
Hi Thomas

"Also note that share permissions and NTFS permissions can collide. The most strict will always override.
If you don't grant permissions for both, then the computers won't be able to access the folder."

Would you please give me more details about this for computer accounts? I have assigned share and security permissions to Domain Computers; is that right?

Let me check the other things you mentioned in the comments. I will get back to you after a few minutes.

Thanks
mxgong (asker):
here is the report:

Name                    Parameters     Last Run                     Script Order in GPO                           Winning GPO
sccm_client.cmd                       12/12/2011 9:52:27 PM    Not configured                         [SCCM-SYD] Client Installation


It looks like the script was executed, but why can't I see "Configuration Manager" in the Control Panel? The OS is Windows 7 64-bit.
Also check this:
Open Group Policy Management, find the OU, check the Linked group policy objects tab, and the group policy inheritance tab and verify that your GPO is  there.

You should also check if any policies contain the same setting, which would make one of the policies not apply its settings correctly. To get around this, you can either block inheritance on the OU, change the link order, or make one policy enforced.
Note: Blocking inheritance will NOT block enforced policies.

The policy with the lowest link order takes precedence over the others, so the policy with link order 1 will always win if multiple policies contain the same setting.

That way you can have two enforced policies, and set the link order to determine which takes precedence.
The SCCM client installation might take some time to finish up.
Does the SCCM client folder exist in c:\windows\syswow64\ccm ?
If it does, there should be log files there.
mxgong (asker):
It is now nearly 11 PM; does it need 1.5 hours to install? And I didn't find the c:\windows\syswow64\ccm folder.

Do I need to reboot the machine once to see it again?

Thanks for your help.

Regards
mxgong (asker):
I have checked the OU and GPO; it is linked and enforced, and it is the only GPO for this OU at the moment.

Thanks
Do you have another CCM folder in syswow64?
mxgong (asker):
I didn't see a c:\windows\syswow64\ccm, CCM, or SCCM folder.

ASKER CERTIFIED SOLUTION (Thomas-Mjelde)
mxgong (asker):
I have attached two screenshots of the permission settings; are these the right settings for computer accounts?

Thanks
It's not possible to see which permissions you've granted for domain computers NTFS, as you've selected System in the screenshot.

It'd be better if you manually tested using psexec.
mxgong (asker):
Sorry, the NTFS permission for computer accounts is Modify + Read + Write.

OK, I'll try psexec now.

Regards
mxgong (asker):
Here is the output after running dir \\xxxx:

C:\Windows\system32>dir \\fileserver\SMS_SYD\Client\
 Volume in drive \\fileserver\SMS_SYD has no label.
 Volume Serial Number is 6085-7F66

 Directory of \\fileserver\SMS_SYD\Client

File Not Found

C:\Windows\system32>
Could you try to grant access to "everyone" on both share and ntfs, and see if you find the files with psexec then?
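The psexec test suggested here is the quickest way to separate "the user can see the share" from "the computer account can see the share". The following is an added example, not code from the thread: it runs the same dir check twice on a client, once as the logged-on user and once under Local System via PsExec -s (Local System reaches the network as the computer account, which is the context a GPO startup script gets), and reports which of the two fails. Assumptions: PsExec.exe is on the PATH, and the UNC path is the one from the poster's dir output.

```batch
@echo off
rem Added example (not from the thread): compare share access as the logged-on
rem user with access as Local System / the computer account, the context a GPO
rem startup script runs in. Assumptions: PsExec.exe is on the PATH; the UNC path
rem is the one the poster used above.
setlocal
set "SRC=\\fileserver\SMS_SYD\Client"

echo === as the logged-on user (%USERNAME%) ===
dir "%SRC%\ccmsetup.exe" >nul 2>&1
if errorlevel 1 (
    echo user: NO access to %SRC%\ccmsetup.exe
) else (
    echo user: access OK
)

echo === as Local System, i.e. the computer account %COMPUTERNAME%$ ===
rem psexec returns the exit code of the remote command; dir exits 1 when the
rem file is not found or access is denied, so the same check works here.
psexec -accepteula -s cmd /c dir "%SRC%\ccmsetup.exe" >nul 2>&1
if errorlevel 1 (
    echo system: NO access - check BOTH the share permissions and the NTFS
    echo permissions for Domain Computers; the stricter of the two wins
    exit /b 1
) else (
    echo system: access OK - permissions are fine, look at GPO scope or the script instead
)
endlocal
```

If the user test passes and the system test fails, the startup script cannot work regardless of how the GPO is linked: the computer account (Domain Computers, or the machine account itself) needs at least Read on both the share and the NTFS folder. On the file server, `net share SMS_SYD` lists the share permissions and `icacls <path to SMS_SYD\Client>` lists the NTFS ACL, so both sides of the "stricter one wins" rule can be read off directly.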
mxgong (asker):
I have decided to use client push installation, which is an easier process.

Thanks for your help.

Cheers
mxgong (asker):
Thanks
You could also choose a logon script instead of a startup script. That's how I chose to do it, and it'll probably fix the permission errors you're getting.