[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3750
  • Last Modified:

Windows 2008 R2 RDS Logon Scripts will not run at Logon

Hi,

We are currently testing new terminal servers in our environment using Windows 2008 R2 SP1 and use logon scripts during the logon process for our users. We have Windows 2003 Domain Controllers. All of our scripts run fine when running on our existing 2003 Terminal servers.

None of our logon scripts are running at logon, this does not appear to relate to the content of the scripts. No scripts run when assigned via group policy however they run fine when executed from the desktop. none of the users running the scripts have administrative rights.

I have performed the following: -

1. disabled UAC
2. enabled linked connections
3. configured the sysvol path in ESC domains (to prevent security dialog boxes blocking running the scripts)
4.I have created a vbscript containing a single wscript.echo statement and a batch file containing a single "pause" command, these simple scripts still do not run via GPO but run fine when executed manually.
5. run a RSOP and checked the last run time of the scripts, none of the scripts have a time (suggesting that they have never run).

Any further pointers would be much appreciated.
0
Tolomay
Asked:
Tolomay
  • 6
  • 3
1 Solution
 
TolomayAuthor Commented:
just to add to this,

I have tried the logon scripts using the local GPO on the server and they still do not run.
0
 
BrewersFanRickIT DepartmentCommented:
I was really hoping someone had a solution for this too.   I've come across the same thing.
0
 
TolomayAuthor Commented:
yeah, I'm hoping it's just a simple setting somewhere, but there doesn't seem to be any information about this.
0
Put Machine Learning to Work--Protect Your Clients

Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as the high-speed power of the cloud.

 
McKnifeCommented:
Hi.

It would help us if you would supply one of the failing scripts.
0
 
TolomayAuthor Commented:
Thanks for your reply,

I'm certain this has nothing to do with the scripts themselves as I have linked extremely simple scripts which still do not run. A sample vbscript is shown below: -

wscript.echo "test"

or a sample batch file: -

echo test
pause

The RSOP shows no run time against any of the scripts, suggesting that they have not run.

The actual scripts run fine when run from the desktop direct from the sysvol share and none of the scripts require admin permissions, which to me suggests this is not related to UAC
0
 
McKnifeCommented:
Please take a batch file (.bat) that creates a folder below %Temp% and see if it gets created.
md %temp%\%date%

"echo test" is no test at all as logon scripts run invisible.
0
 
TolomayAuthor Commented:
They do by default yes, however is possible to change that behaviour. I've enabled "run logon scripts visible" in group policy. This works well in 2003 Server, Unless Microsoft has dropped support for this in 2008 R2 (which would suck). I've also set the timeout on the welcome screen so I can see what's going on behind it.

I've also tried various other non-interactive scripts and none of these work either.

md %temp%\%date% returns a syntax error on my machine (I think it's to do with the %date% variable).

md %temp%\test works fine when run from the desktop, however after deleting the folder and logging back on this doesn't run as a logon script.

even scripts from the local group policy won't run, which suggests to me it could be  problem with the local machine setup, so I'm currently checking the security settings using SCM, I think I've ruled out Mcafee and IE security.
0
 
McKnifeCommented:
Ok... did you use a batch or vbs for md %temp%...? Take a batch. There have been problems with .vbs files in logon scripts (although I must confess that those were UAC related).
0
 
TolomayAuthor Commented:
Ok, I've finally found the solution to this problem, after checking the GPO event logs in detail  and reviewing Process Monitor logs in detail.

GPOScript.exe was being launched as expected at logon with the /logon switch, however wscript.exe or cmd.exe where not running. The GPO logs showed that the scripts where only running for several milliseconds, which to me suggested that they where not running at all.

After building a new server from scratch (which worked fine), I determined that the PATH environment variable had somehow been deleted from our server build. This prevented windows from finding wscript.exe, cmd.exe etc. After recreating it, the problem was resolved.

That concluded a frustrating few days! No one has owned up to this yet :)

But I thought I'd mention it unless anyone comes accross a similar issue.
0
 
TolomayAuthor Commented:
PATH Variable is critical in order for logon/logoff scripts to function. This may not be obvious, so it is useful information for anyone else with this problem.
0

Featured Post

A Cyber Security RX to Protect Your Organization

Join us on December 13th for a webinar to learn how medical providers can defend against malware with a cyber security "Rx" that supports a healthy technology adoption plan for every healthcare organization.

  • 6
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now