Logon script not working on VMware View desktop

I have a VMware View Windows 7 linked clone desktop environment.  For one of my users, I am working on a logon script that will make his domain account a local admin on his desktop.  As these desktops are linked clones, I cannot add him as local admin on the golden image, because he would then be local admin on all desktops.  I created a new GPO on my Windows Server 2008 R2 domain controller linked in the Linked Clones OU.  I added the VMware View Agent Configuration template to this GPO.  I then set the following:

Computer Configuration\Policies\Administrative Templates\Classic Administrative Templates (ADM)\VMware View Agent Configuration\Agent Configuration\CommandsToRunOnConnect --> set to Enabled and command configured "CMD /C c:\scripts\logonlocaladmin.bat"

This .bat script looks like:

NET LOCALGROUP Administrators HCNET\%USERNAME% /ADD

I logged into this desktop through View and ran a gpupdate /force using admin credentials.  I then ran gpresult /r and verified that this GPO is applied to the desktop.  I then restarted this desktop, logged back into the machine using View as the user that owns the desktop, and took a look at the Local Users and Groups.  This user does not show in the Administrators group.  What am I doing wrong here?  I have taken a look at multiple forum posts and this script command should work.  Is there something I am missing?

Asked by: Dustin23

Michael Pfister commented:
Hard to guess, could be a permissions problem or the environment variable isn't available at that time.
I'd add some logging, like:
SET LOGFILE=C:\WINDOWS\LOGS\logonlocaladmin.log
echo Script start on computer: [%COMPUTERNAME%]>>%LOGFILE%
echo Executing user: [%USERNAME%]>>%LOGFILE%
NET LOCALGROUP Administrators HCNET\%USERNAME% /ADD>>%LOGFILE% 2>&1


The 2>&1 redirects error messages to the same log file.

 
Dustin23 (author) commented:
Ok cool, I will make this change and check for any error messages that may populate this log file.  Thanks.
 
Dustin23 (author) commented:
Ok, I tried this and no log file was created on the client or domain controller in that location.  Can you think of a reason why?
Michael Pfister commented:
2 reasons I can think of:

1. Script can't be executed
2. No permissions to write log

To rule out reason 2, make sure the local group "Users" has NTFS "change" permission to files and folder C:\scripts.
Modify the log location:
SET LOGFILE=C:\Scripts\logonlocaladmin.log

 
Michael Pfister commented:
After digging around a bit I'm afraid the script won't work because it is executed as the user logging on.

The user has a single computer and it is always the same system? I'd try adding his account to the local administrator group via Group Policy Preferences and set a filter on the policy so it will apply to his computer only.

http://community.spiceworks.com/how_to/show/907-gpo-to-push-out-local-administrators-across-a-domain
Add a security filter to the GPO to apply only to his computer name.
 
Dustin23 (author) commented:
Ok I am attempting this new GPO now.  Thanks.
 
Dustin23 (author) commented:
This worked like a charm.  Thanks mpfister!!
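
Added example, not part of the thread or any participant's post: a read-only batch diagnostic for the two problems discussed above (no log file appearing, and the script running as the user logging on). The log location under %TEMP% and the log file name are assumptions; the script records the execution context and current membership and changes nothing.

```batch
@echo off
rem Added diagnostic example, not from the thread. It changes nothing on the machine.
setlocal
rem Assumed log location: %TEMP% is writable by the logged-on user,
rem whereas C:\Windows\Logs normally is not.
set "LOGFILE=%TEMP%\logonlocaladmin-diag.log"

>>"%LOGFILE%" echo ==== %DATE% %TIME% on [%COMPUTERNAME%] ====
>>"%LOGFILE%" echo Environment says: [%USERDOMAIN%\%USERNAME%]
rem whoami reports the account the script is really running as.
>>"%LOGFILE%" 2>&1 whoami

rem Changing local group membership needs an elevated or SYSTEM token.
rem S-1-16-12288 = High Mandatory Level, S-1-16-16384 = System Mandatory Level.
whoami /groups | findstr /C:"S-1-16-12288" /C:"S-1-16-16384" >nul
if errorlevel 1 (
    >>"%LOGFILE%" echo Token: not elevated, NET LOCALGROUP /ADD would be denied
) else (
    >>"%LOGFILE%" echo Token: elevated or SYSTEM, NET LOCALGROUP /ADD can succeed
)

rem Read-only membership check. This is a substring match on DOMAIN\user.
net localgroup Administrators | find /I "%USERDOMAIN%\%USERNAME%" >nul
if errorlevel 1 (
    >>"%LOGFILE%" echo Membership: %USERDOMAIN%\%USERNAME% is NOT in local Administrators
) else (
    >>"%LOGFILE%" echo Membership: %USERDOMAIN%\%USERNAME% is in local Administrators
)
endlocal
```

Run from the same CommandsToRunOnConnect hook, a "not elevated" line in the log confirms the cause given in the thread; after the Group Policy Preferences change applies, the membership line should flip without the script ever needing admin rights.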