Solved

Logon script not working on VMware View desktop

Posted on 2014-07-21
7
1,234 Views
Last Modified: 2014-07-23
I have a VMware View Windows 7 linked clone desktop environment.  For one of my users, I am working on a logon script that will make his domain account a local admin on his desktop.  As these desktops are linked clones, I cannot add him as local admin on the golden image, because he would then be local admin on all desktops.  I created a new GPO on my Windows Server 2008 R2 domain controller linked in the Linked Clones OU.  I added the VMware View Agent Configuration template to this GPO.  I then set the following:

Computer Configuration\Policies\Administrative Templates\Classic Administrative Templates (ADM)\VMware View Agent Configuration\Agent Configuration\CommandsToRunOnConnect --> set to Enabled and command configured "CMD /C c:\scripts\logonlocaladmin.bat"

This .bat script looks like:

NET LOCALGROUP Administrators HCNET\%USERNAME% /ADD

I logged into this desktop through View and ran a gpupdate /force using admin credentials.  I then ran gpresult /r and verified that this gpo is applied to the desktop.  I then restarted this desktop, logged back into the machine using View as the user that owns the desktop, and took a look at the Local Users and Groups.  This user does not show in the Administrators group.  What am I doing wrong here?  I have taken a look at multiple forum posts and this script command should work.  Is there something I am missing?
0
Comment
Question by:Dustin23
  • 4
  • 3
7 Comments
 
LVL 28

Expert Comment

by:Michael Pfister
ID: 40211233
Hard to guess, could be a permissions problem or the environment variable isn't available at that time.
I'd add some logging, like
SET LOGFILE=C:\WINDOWS\LOGS\logonlocaladmin.log
echo Script start on computer: [%COMPUTERNAME%]>>%LOGFILE%
echo Executing user: [%USERNAME%]
NET LOCALGROUP Administrators HCNET\%USERNAME% /ADD>>%LOGFILE% 2>&1

Open in new window


The  2>&1 redirects error messages to the same log file
0
 

Author Comment

by:Dustin23
ID: 40212362
Ok cool, I will make this change and check for any error messages that may populate this log file.  Thanks.
0
 

Author Comment

by:Dustin23
ID: 40212930
Ok, I tried this and no log file was created on the client or domain controller in that location.  Can you think of a reason why?
0
Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
LVL 28

Expert Comment

by:Michael Pfister
ID: 40213443
2 reasons I can think of:

1. Script can't be executed
2. No permissions to write log

To rule out reason 2, make sure, the local group "Users" has NTFS "change" permisson to files and folder C:\scripts
Modify the log location:
SET LOGFILE=C:\Scripts\logonlocaladmin.log

Open in new window

0
 
LVL 28

Accepted Solution

by:
Michael Pfister earned 500 total points
ID: 40213456
After digging around a bit I'm afraid the script won't work because is executed as the user logging on.

The user has a single comuter and ist always the same system? I'd try adding his account to the local administrator group via Group Policy Preferences and set a filter the policy so it will apply to his computer only.

http://community.spiceworks.com/how_to/show/907-gpo-to-push-out-local-administrators-across-a-domain
Add a security filter to the GPO to apply only to his computer name.
0
 

Author Comment

by:Dustin23
ID: 40214874
Ok I am attempting this new GPO now.  Thanks.
0
 

Author Comment

by:Dustin23
ID: 40214953
This worked like a charm.  Thanks mpfister!!
0

Featured Post

Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

HOW TO: Connect to the VMware vSphere Hypervisor 6.5 (ESXi 6.5) using the vSphere (HTML5 Web) Host Client 6.5, and perform a simple configuration task of adding a new VMFS 6 datastore.
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. Theā€¦
The viewer will learn how to count occurrences of each item in an array.

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question