mxgong
asked on
Startup Script doesn't work with GPO
Hi Guys
I have written a very simple startup script for installing the SCCM 2007 client via GPO.
client.cmd
==========================
\\sccm01\sms_abc\client\ccmsetup.exe /MP:sccm01 /logon SMSSITECODE=ABC
==========================
After assigning the GPO to the right OU (two client machines):
** run gpupdate /force on both the DC and the client machines.
** reboot the client machines
** log in to the client machine
** not installed. It looks like the script wasn't executed during system startup.
I have tried running client.cmd manually on one of the client machines; it works fine.
Why doesn't the GPO work?
Thanks
Regards
Permissions problem? Do "Domain Computers" have access to \\sccm01\sms_abc?
ASKER
Yes, I tried \\sccm01\sms_abc\client\ccmsetup.exe on the client machine; it can be accessed.
Thanks
What exactly are the:
1) Share permissions for \\sccm01\sms_abc
2) Directory permissions for ?:\sms_abc
I'm guessing the share permissions are "Everyone" has read access, because that's the default, but it's worth checking. Other than Admins and Domain Users, who has permissions to the directory?
To see if the script runs or not, just add this to the script:
echo Startup script has successfully ran >> c:\startupscript.txt
And look for the file on the computer.
Other than that, I have noticed multiple times that the share/ntfs permissions for sccm change. I think it happened when I repaired the site, so I decided to host the SCCM installation files on another fileserver to avoid this issue.
Remember that a startup script runs with the computer account, and not the user account. Hence the share needs to grant access to the computer accounts, and not the user accounts.
That might be why it runs successfully when you manually test it, but not via the GPO.
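Putting the two suggestions above together (log that the script ran, and remember it runs as the computer account), here is an added example of a startup script written in PowerShell. It is not the original poster's client.cmd; it assumes the values from the question (share \\sccm01\sms_abc\client, management point sccm01, site code ABC), and the log file location is my choice.

```powershell
# Added example, not the original poster's client.cmd. It assumes the values from the
# question (share \\sccm01\sms_abc\client, management point sccm01, site code ABC);
# the log file location is my choice.
$Source    = '\\sccm01\sms_abc\client'
$Installer = Join-Path $Source 'ccmsetup.exe'
$Log       = 'C:\Windows\Temp\ccm-startup.log'

function Write-Log([string]$Message) {
    $who = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    "$(Get-Date -Format s) [$who] $Message" | Out-File -FilePath $Log -Append -Encoding ascii
}

# A GPO startup script runs as the computer account, which appears locally as
# NT AUTHORITY\SYSTEM. The identity in the log line proves the script ran, and as whom.
Write-Log 'Startup script started'

# Skip the install when the client service already exists.
if (Get-Service -Name CcmExec -ErrorAction SilentlyContinue) {
    Write-Log 'CcmExec service already present; nothing to do'
    return
}

# The usual GPO-only failure: the share or NTFS ACL grants Domain Users but not the
# computer account, so the path resolves when you test interactively but not at boot.
if (-not (Test-Path -LiteralPath $Installer)) {
    Write-Log "Cannot reach $Installer - check share and NTFS permissions for the computer account"
    return
}

# Launch the bootstrapper. ccmsetup.exe copies itself locally, starts the ccmsetup
# service and exits, so the exit code reflects only that bootstrap; the installation
# continues in the background and writes ccmsetup.log into the ccmsetup folder
# (%windir%\system32\ccmsetup for the 2007 client, SysWOW64 on x64).
$proc = Start-Process -FilePath $Installer `
    -ArgumentList '/mp:sccm01', '/logon', 'SMSSITECODE=ABC' `
    -Wait -PassThru
Write-Log "ccmsetup.exe bootstrap exited with code $($proc.ExitCode)"
```

You can add it under Computer Configuration > Policies > Windows Settings > Scripts (Startup/Shutdown) on the PowerShell Scripts tab (Windows 7 / 2008 R2 clients), or keep the existing client.cmd and have it call powershell.exe -ExecutionPolicy Bypass -File with the script path. To test it as the computer account without waiting for a reboot, run it as SYSTEM with psexec -s powershell.exe -ExecutionPolicy Bypass -File C:\scripts\ccm-startup.ps1 and read the log: SYSTEM authenticates to the share as DOMAIN\COMPUTER$, exactly as the GPO startup script does, so a "Cannot reach" line here reproduces the GPO failure on demand.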
ASKER
Hi Guys
I am going to try your suggestion now, and get back to you ASAP.
Regards
ASKER
Hi Guys
Just a quick question: if I run the script as a logon script, the GPO should be attached to the OU which has the users' accounts, because it requires users to log on.
If I run the script as a startup script, then the GPO should be attached to the OU which has the computer accounts.
Is that right?
Regards
ASKER
I have attached the GPO to the OU which has the client machines' accounts.
I have assigned Domain Computers read & write permission on the SMS_SYD folder.
After applying gpupdate /force and rebooting the client machine, no luck, it still didn't install the client.
Any other idea?
Thanks
Hi mxgong.
Yes, you are correct.
User policies apply to the OU where the user accounts reside.
Computer policies apply to the OU where the computer accounts reside.
You can run the following command to generate a report of the current policies the computer gets:
GPRESULT /H GPReport.html
Also note that share permissions and NTFS permissions can collide. The most strict will always override.
If you don't grant permissions for both, then the computers won't be able to access the folder.
Also note that if you have multiple domain controllers, it might take a while for group policy changes to replicate to all domain controllers.
You can also verify that both user and computer settings are applied, and that neither is disabled.
Do this in Group Policy Management: find the policy, right-click it and select GPO Status -> Enabled.
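The point about share and NTFS permissions colliding is easiest to check mechanically. The following is an added example, not code from the thread: it reads the share ACL (via WMI, which works on 2003/2008 where Get-SmbShareAccess does not exist) and the NTFS ACL of the client folder, looks for the principals a computer account's token carries, and reports which side blocks. Server, share and subfolder names are the ones from the question and are assumptions for your environment.

```powershell
# Added example, not from the thread. Reads the share ACL and the NTFS ACL that the
# computer account will hit and reports whether both sides grant read. Server, share and
# subfolder names are the ones from the question; change them for your environment.
param(
    [string]$Server  = 'sccm01',
    [string]$Share   = 'sms_abc',
    [string]$SubPath = 'client'
)

# Groups a computer account's network token contains: the machine is a member of
# Domain Computers and, like every domain principal, of Authenticated Users and Everyone.
$ComputerPrincipals = @('Everyone', 'Authenticated Users', 'Domain Computers')

function Get-ShareAces {
    # Share permissions live in the server's LanmanServer configuration, not on the file system.
    $setting = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -ComputerName $Server -Filter "Name='$Share'"
    if (-not $setting) { throw "Share $Share not found on $Server" }
    $dacl = $setting.GetSecurityDescriptor().Descriptor.DACL
    foreach ($ace in $dacl) {
        New-Object PSObject -Property @{
            Trustee = ("{0}\{1}" -f $ace.Trustee.Domain, $ace.Trustee.Name).TrimStart('\')
            Allow   = ($ace.AceType -eq 0)                   # 0 = access allowed, 1 = access denied
            Read    = (($ace.AccessMask -band 0x1) -ne 0)    # FILE_LIST_DIRECTORY / FILE_READ_DATA
        }
    }
}

function Get-NtfsAces {
    $acl = Get-Acl -LiteralPath "\\$Server\$Share\$SubPath"
    foreach ($ace in $acl.Access) {
        New-Object PSObject -Property @{
            Trustee = $ace.IdentityReference.Value
            Allow   = ($ace.AccessControlType -eq 'Allow')
            Read    = (([int]$ace.FileSystemRights -band 0x1) -ne 0)
        }
    }
}

function Test-ComputerAccess {
    $share = @(Get-ShareAces)
    $ntfs  = @(Get-NtfsAces)
    $rows = foreach ($p in $ComputerPrincipals) {
        $s = @($share | Where-Object { $_.Trustee -like "*$p" })
        $n = @($ntfs  | Where-Object { $_.Trustee -like "*$p" })
        New-Object PSObject -Property @{
            Principal = $p
            ShareRead = [bool]($s | Where-Object { $_.Allow -and $_.Read })
            ShareDeny = [bool]($s | Where-Object { -not $_.Allow })
            NtfsRead  = [bool]($n | Where-Object { $_.Allow -and $_.Read })
            NtfsDeny  = [bool]($n | Where-Object { -not $_.Allow })
        }
    }
    $rows | Format-Table Principal, ShareRead, ShareDeny, NtfsRead, NtfsDeny -AutoSize

    # Effective access is the intersection: the more restrictive side wins, and a deny
    # on either side beats any allow on the other.
    $shareOk = [bool]($rows | Where-Object { $_.ShareRead }) -and -not [bool]($rows | Where-Object { $_.ShareDeny })
    $ntfsOk  = [bool]($rows | Where-Object { $_.NtfsRead })  -and -not [bool]($rows | Where-Object { $_.NtfsDeny })
    if ($shareOk -and $ntfsOk) { "Computer accounts can read \\$Server\$Share\$SubPath" }
    elseif (-not $shareOk)     { "Blocked at the SHARE level: grant Read to Domain Computers (or Authenticated Users) on $Share" }
    else                       { "Blocked at the NTFS level: grant Read & Execute to Domain Computers on $SubPath" }
}

Test-ComputerAccess
```

Run it from an elevated PowerShell on a domain member with WMI access to the file server. The split output matters because the two ACLs are edited in different places (the Sharing tab versus the Security tab), and the asker's Modify + Read + Write on the NTFS side does nothing if the share itself still lists only Domain Users.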
ASKER
Hi Thomas
"Also note that share permissions and NTFS permissions can collide. The most strict will always override.
If you don't grant permissions for both, then the computers won't be able to access the folder."
Would you please give me more specifics about this for the computer account? I have assigned share and security permissions to Domain Computers, is that right?
Let me check the other things you mentioned in the comments. I will get back to you in a few minutes.
Thanks
ASKER
here is the report:
Name: sccm_client.cmd
Parameters: (blank)
Last Run: 12/12/2011 9:52:27 PM
Script Order in GPO: Not configured
Winning GPO: [SCCM-SYD] Client Installation
It looks like the script was executed, but why can't I see "Configuration Manager" in Control Panel? OS is Win 7 64-bit.
Also check this:
Open Group Policy Management, find the OU, check the Linked group policy objects tab, and the group policy inheritance tab and verify that your GPO is there.
You should also check if any policies contain the same setting, which would make one of the policies not apply its settings correctly. To get around this, you can either block inheritance on the OU, change the link order, or make one policy enforced.
Note: Blocking inheritance will NOT block enforced policies.
The policy with the lowest link order takes precedence over the others, so the policy with link order 1 will always win if multiple policies contain the same setting.
That way you can have two enforced policies, and set the link order to determine which takes precedence.
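The three checks above (GPO status, link at the OU with order and enforcement, and the computer actually being in that OU) can be scripted with the GroupPolicy and ActiveDirectory modules from RSAT / Server 2008 R2. This is an added example, not from the thread. The GPO name is the one shown in the asker's gpresult output; the OU distinguished name and computer name are placeholders to replace.

```powershell
# Added example, not from the thread. Checks the three things that decide whether a
# computer startup script applies: the GPO's own status, its link at the OU (order and
# enforcement), and whether the computer object sits under that OU. The GPO name is the
# one from the asker's gpresult output; the OU and computer names are placeholders.
Import-Module GroupPolicy          # RSAT / Server 2008 R2
Import-Module ActiveDirectory

$GpoName      = '[SCCM-SYD] Client Installation'
$TargetOU     = 'OU=Clients,DC=example,DC=local'   # placeholder: replace with the real OU DN
$ComputerName = 'CLIENT01'                          # placeholder

function Test-GpoScope {
    # 1. A startup script is a computer setting, so the computer half must not be disabled.
    $gpo = Get-GPO -Name $GpoName
    "GPO status: $($gpo.GpoStatus)"
    if ($gpo.GpoStatus -eq 'ComputerSettingsDisabled' -or $gpo.GpoStatus -eq 'AllSettingsDisabled') {
        "  -> computer settings are disabled; the startup script cannot run"
    }

    # 2. Links at the OU in precedence order: link order 1 wins when settings conflict,
    #    and an enforced link survives a Block Inheritance set further down the tree.
    $inh = Get-GPInheritance -Target $TargetOU
    "Inheritance blocked at $TargetOU : $($inh.GpoInheritanceBlocked)"
    $inh.GpoLinks | Sort-Object Order |
        Format-Table Order, DisplayName, Enabled, Enforced -AutoSize
    $link = $inh.GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
    if (-not $link)             { "  -> $GpoName is NOT linked at this OU" }
    elseif (-not $link.Enabled) { "  -> link exists but is disabled" }

    # 3. The computer object must live under that OU; a computer elsewhere never sees the link.
    $dn = (Get-ADComputer -Identity $ComputerName).DistinguishedName
    "Computer DN: $dn"
    if ($dn -notlike "*,$TargetOU") { "  -> $ComputerName is outside $TargetOU" }
}

Test-GpoScope
```

On the client itself, the matching view is an elevated gpresult /scope computer /h C:\gpreport.html; the Startup Scripts section there is where the "Last Run" timestamp the asker quoted comes from. A timestamp proves the script was launched as the computer account, so once it appears the remaining question is what the script did, which is what the script's own log answers.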
The SCCM client installation might take some time to finish up.
Does the SCCM client folder exist in c:\windows\syswow64\ccm ?
If it does, there should be log files there.
ASKER
It is now nearly 11 PM; does it need 1.5 hours to install? And I didn't find the c:\windows\syswow64\ccm folder.
Do I need to reboot the machine once more to see it?
Thanks for your help.
Regards
ASKER
I have checked the OU and GPO; it is linked and enforced, and it is the only GPO for this OU at the moment.
Thanks
Do you have another CCM folder in syswow64?
ASKER
I didn't see a c:\windows\syswow64\ccm or CCM, or SCCM folder.
ASKER CERTIFIED SOLUTION
ASKER
I have attached two screenshots of the permission settings; are these the right settings for computer accounts?
Thanks
It's not possible to see which permissions you've granted for domain computers NTFS, as you've selected System in the screenshot.
It'd be better if you manually tested using psexec.
ASKER
Sorry, the NTFS permission for computer accounts is Modify + Read + Write.
OK, I'll try psexec now.
Regards
ASKER
Here is the message after running dir \\xxxx
C:\Windows\system32>dir \\fileserver\SMS_SYD\Client\
Volume in drive \\fileserver\SMS_SYD has no label.
Volume Serial Number is 6085-7F66
Directory of \\fileserver\SMS_SYD\Client
File Not Found
C:\Windows\system32>
Could you try to grant access to "everyone" on both share and ntfs, and see if you find the files with psexec then?
ASKER
I have decided to use client push installation, which is an easier process.
Thanks for your help.
Cheers
ASKER
Thanks
You could also choose a logon script instead of a startup script. That's how I chose to do it, and it'll probably fix the permission errors you're getting.