Solved

Logon script not working on VMware View desktop

Posted on 2014-07-21
Last Modified: 2014-07-23
I have a VMware View Windows 7 linked clone desktop environment.  For one of my users, I am working on a logon script that will make his domain account a local admin on his desktop.  As these desktops are linked clones, I cannot add him as local admin on the golden image, because he would then be local admin on all desktops.  I created a new GPO on my Windows Server 2008 R2 domain controller linked in the Linked Clones OU.  I added the VMware View Agent Configuration template to this GPO.  I then set the following:

Computer Configuration\Policies\Administrative Templates\Classic Administrative Templates (ADM)\VMware View Agent Configuration\Agent Configuration\CommandsToRunOnConnect --> set to Enabled and command configured "CMD /C c:\scripts\logonlocaladmin.bat"

This .bat script looks like:

NET LOCALGROUP Administrators HCNET\%USERNAME% /ADD

I logged into this desktop through View and ran a gpupdate /force using admin credentials.  I then ran gpresult /r and verified that this gpo is applied to the desktop.  I then restarted this desktop, logged back into the machine using View as the user that owns the desktop, and took a look at the Local Users and Groups.  This user does not show in the Administrators group.  What am I doing wrong here?  I have taken a look at multiple forum posts and this script command should work.  Is there something I am missing?
0
Question by:Dustin23
7 Comments
 
LVL 28

Expert Comment

by:Michael Pfister
ID: 40211233
Hard to guess, could be a permissions problem or the environment variable isn't available at that time.
I'd add some logging, like
REM Write every step to a log file so a failing NET command leaves a trace
SET LOGFILE=C:\WINDOWS\LOGS\logonlocaladmin.log
echo Script start on computer: [%COMPUTERNAME%]>>%LOGFILE%
echo Executing user: [%USERNAME%]>>%LOGFILE%
NET LOCALGROUP Administrators HCNET\%USERNAME% /ADD>>%LOGFILE% 2>&1


The 2>&1 redirects error messages to the same log file.
0
 

Author Comment

by:Dustin23
ID: 40212362
Ok cool, I will make this change and check for any error messages that may populate this log file.  Thanks.
0
 

Author Comment

by:Dustin23
ID: 40212930
Ok, I tried this and no log file was created on the client or domain controller in that location.  Can you think of a reason why?
0
 
LVL 28

Expert Comment

by:Michael Pfister
ID: 40213443
2 reasons I can think of:

1. Script can't be executed
2. No permissions to write log

To rule out reason 2, make sure the local group "Users" has NTFS "change" permission to files and folder C:\scripts
Modify the log location:
SET LOGFILE=C:\Scripts\logonlocaladmin.log


0
 
LVL 28

Accepted Solution

by:
Michael Pfister earned 500 total points
ID: 40213456
After digging around a bit I'm afraid the script won't work because it is executed as the user logging on.

The user has a single computer and it is always the same system? I'd try adding his account to the local administrator group via Group Policy Preferences and set a filter on the policy so it will apply to his computer only.

http://community.spiceworks.com/how_to/show/907-gpo-to-push-out-local-administrators-across-a-domain
Add a security filter to the GPO to apply only to his computer name.
0
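A check to run on the desktop once the GPO from the accepted answer has applied, as an added example that is not part of the original thread: it records the security context the script runs in, lists the local Administrators group, and flags a missing or unexpected member. The account `HCNET\jdoe`, the allowlist and the log file name are placeholders.

```powershell
# Added example (not from the thread). 'HCNET\jdoe' and the allowlist are
# placeholders; assumes an English OS where the group is named Administrators.
param(
    [string]$ExpectedMember = 'HCNET\jdoe',
    [string[]]$Allowed = @('Administrator', 'HCNET\Domain Admins', 'HCNET\jdoe')
)

# 1. Security context of this process. A command launched as the connecting
#    user has no admin rights unless that user is already a local admin,
#    which is why NET LOCALGROUP ... /ADD cannot bootstrap itself.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# 2. Enumerate local Administrators via the WinNT ADSI provider
#    (available in PowerShell 2.0, the version shipped with Windows 7).
$group   = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
$members = @(@($group.psbase.Invoke('Members')) | ForEach-Object {
    $path  = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    $parts = $path.Substring('WinNT://'.Length).Split('/')
    switch ($parts.Length) {
        1       { $parts[0] }                           # unresolved SID
        2       { '{0}\{1}' -f $parts[0], $parts[1] }   # DOMAIN\account
        default { $parts[-1] }                          # local account
    }
})

# 3. Compare against what the GPO is supposed to produce.
$present    = $members -contains $ExpectedMember
$unexpected = @($members | Where-Object { $Allowed -notcontains $_ })

# 4. Log somewhere the logged-on user can always write.
$report = @(
    "Computer: $env:COMPUTERNAME  User: $($identity.Name)  Elevated: $elevated",
    "Members: $($members -join '; ')",
    "Expected member present: $present",
    "Unexpected members: $($unexpected -join '; ')"
)
$report | Out-File -FilePath (Join-Path $env:TEMP 'localadmin-audit.log') -Append
$report
if (-not $present -or $unexpected.Count -gt 0) { exit 1 }
```

A non-zero exit code means the expected account is missing or the group contains an entry outside the allowlist; an unresolved SID in the member list usually points to a deleted account that should be cleaned out of the image.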
 

Author Comment

by:Dustin23
ID: 40214874
Ok I am attempting this new GPO now.  Thanks.
0
 

Author Comment

by:Dustin23
ID: 40214953
This worked like a charm.  Thanks mpfister!!
0
