Unable to execute logon vb script from 2008 netlogon share from an intersite DC

My AD was recently upgraded from 2003 to 2008 due to 2003 end of life. I have a issue where I have DC's in the same forest, in two different subnets at two different physical sites where a user cannot execute a logon script that's a vb script in the netlogon share. When I connect to the DC in the different subnet and try to copy the vbs script to my windows 7 desktop, I get a network error, as depicted here:

The rest of the files in the netlogon folder (all batch files and even a powershell scripts) copy over just fine. Just not vb scripts. Replication works according to the schedules that AD sets by default.

Here's the kicker, if a local user executes their logon script that's pointed to the local DC in the same subnet, the vb script executes, and you can copy it.

Before in my 2003 domain, this was not an issue. We have not yet set the operation mode of the AD to 2008, it's still mixed.

There are no firewall rules that prevent vb scripts from being copied. I can copy vb scripts from one location's share to another not in netlogon just fine. It's just vb scripts.

Any help anyone can provide would be appreciated!
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Lionel MMSmall Business IT ConsultantCommented:
check the permissions on that file if it is the only one giving you problems (permissions and access to the netlogon files, if the transition to the new DC isn't successfully competed can be an issue.
dyadminAuthor Commented:
I don't think it's a permission issue. I can log onto DC2 with DC1 administrator and the problem remains.  Like I say, it's only VBS scripts I cannot execute or copy from the remote DC netlogon share. Anything else it allows me to copy be it .bat .ps1 .cmd files and pretty much anything else.

Is there something or setting that is preventing vbs script being copying or executed from a remote netlogon in a different subnet? Does something like that exist?
Lionel MMSmall Business IT ConsultantCommented:
I am not talking about user right (permissions) I am talking about the NTFS permissions on the files and folders--did you check that?
Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

dyadminAuthor Commented:
Yes, everything matches the same. I even did a DCdiag on the netlogon and both DC's pass.
Lionel MMSmall Business IT ConsultantCommented:
we seem to be mis-communicating. If you go to the file and folders on the drives in question, then right click on it, then click on properties and then go to the permissions tab -- this is NTFS permissions; which provide what files may be executed and by who.
dyadminAuthor Commented:
I apologize if I am not communicating clearly.

I checked all NTFS permissions and they are the same for each file in my net logon folder be it VBS or bat or cmd or ps1, there are no special permissions or explicit permissions for any of the VBS files in that folder.
Lionel MMSmall Business IT ConsultantCommented:
what are the permissions on the file that won'r run properly? use this command
icacls C:\Windows\SYSVOL\sysvol\domain\scripts\file-name.vbs and then also
icacls C:\Windows\SYSVOL\domain\scripts for the folder permissions and post those here please--thanks
dyadminAuthor Commented:
Okay here the results:

NT AUTHORITY\Authenticated Users:(I)(RX)
BUILTIN\Server Operators:(I)(RX)

Successfully processed 1 files; Failed processing 0 files
NT AUTHORITY\Authenticated Users:(I)(RX)
BUILTIN\Server Operators:(I)(RX)

Successfully processed 1 files; Failed processing 0 files

Lionel MMSmall Business IT ConsultantCommented:
look at the differences in your permissions and the ones from a functioning 2008 server; I suggest your upgrade to 2008 did not fully complete or did not do so without errors

icacls C:\Windows\SYSVOL\sysvol\domain.local\scripts
C:\Windows\SYSVOL\sysvol\secos.local\scripts NT AUTHORITY\Authenticated Users:(RX)
NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(GR,GE)
BUILTIN\Server Operators:(RX)
BUILTIN\Server Operators:(OI)(CI)(IO)(GR,GE)
Successfully processed 1 files; Failed processing 0 files

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
dyadminAuthor Commented:
I had no errors, just have vb login scripts that won't execute, everything else is fine or appears to be. There is still a 2003DC that is being retired within the month, so the domain function level is still 2008.

We have moved all roles and services to the 2008 controllers.

Follow up question, if my permissions are out of whack right now, which permissions were added during a 2008 upgrade then? Is there any way to reset them?
Lionel MMSmall Business IT ConsultantCommented:
Just because you ran icacls without any errors doesn't mean anything, not for our purposes here. The point I am trying to show you is to compare the user and permissions on your 'scripts" folder compared to one that does allow execution; just look how different they are--compare the permission on the same folder on your 2003 server and you will the difference--this usually points to a upgrade that was incomplete or had errors. If you have been able to transfer all the FSMO roles w/o any errors then you may have to add the missing permissions manually.
dyadminAuthor Commented:
You're right the permissions on the folders in the 2003 box are not the same on any 2008 DC's.

** Update ** I did some fixing, and now all folders and files report the same permissions everywhere. Thanks for bringing light to that. Unfortunately my problem still remains.

I cannot open, read or execute my vbs login scripts that exist in another subnet. Locally things work as expected, in another subnet, the scripts refuse to run or be read.
Lionel MMSmall Business IT ConsultantCommented:
What is your router setup to get from one subnet to the other? So a user in site 1 can copy and execute any script in site 2's netlogon as long as it is not a vbs script?
dyadminAuthor Commented:
I have a private site to site VPN. No firewalls exist between subnets.

Yes, that's it. A user in site 1 can copy and execute any script as long as it's not a vb script.
Lionel MMSmall Business IT ConsultantCommented:
ok so let's try this to see if there is some mask to block vbs somewhere
rename the file from .vbs to .bat and see if you can copy it
then create a vbs file with the lines below see if it can be copied and run

'Login Message
sLoginMessage = "Welcome to the You Domain." & vbCRLF
sLoginMessage = sLoginMessage & "----------------------------------------" & vbCRLF
sLoginMessage = sLoginMessage & "Click OK to continue to login to your computer." & vbCRLF
wscript.echo sLoginMessage
dyadminAuthor Commented:
Thanks for staying with this.

Okay I changed the name with one of our vbs to bat extensions. No go.

I copy your script into a VBS file and I can copy it, execute it, and do everything I can with a bat or any other file in my netlogon folder.

There must be something inside those files to prevent the system from allowing it to be copied.
Lionel MMSmall Business IT ConsultantCommented:
Yes that's right there is something in your code that is preventing it from running, being copied. My guess is it may be a firewall or virus software setting. Can you check your code--what exactly is it doing?
dyadminAuthor Commented:
I'll post it..


Dim WSHShell, WSHNetwork, objDomain, DomainString, UserString, UserObj, Path

Set WSHShell = CreateObject("WScript.Shell")
Set WSHNetwork = CreateObject("WScript.Network")

'Automatically find the domain name
Set objDomain = getObject("LDAP://rootDse")
DomainString = objDomain.Get("dnsHostName")
WinDir = WshShell.ExpandEnvironmentStrings("%WinDir%")

'Grab the user name
UserString = WSHNetwork.UserName

'Bind to the user object to get user name and check for group memberships later
Set UserObj = GetObject("WinNT://" & DomainString & "/" & UserString)

'Grab the computer name for use in add-on code later
strComputer = WSHNetwork.ComputerName

'Synchronizes the time with Server our NTP Server
WSHShell.Run "NET TIME \\DC12 /set /y"

'Add the default route for the Edmonton network

'Disconnect any drive mappings as needed.
WSHNetwork.RemoveNetworkDrive "H:", True, True
WSHNetwork.RemoveNetworkDrive "P:", True, True
'WSHNetwork.RemoveNetworkDrive "U:", True, True

'Give the PC time to do the disconnect, wait 300 milliseconds
wscript.sleep 300

'Map drives needed by all
'Note the command using the user name as a variable to map to a user share.
WSHNetwork.MapNetworkDrive "H:", "\\FS01\shared",True

If strComputer="TEST" then WSHNetwork.MapNetworkDrive "P:", "\\FS20\Files",True
      WSHNetwork.MapNetworkDrive "T:", "\\FS01\Files",True
'End If
WSHShell.Run tempCMD,0

WSHNetwork.MapNetworkDrive "U:", "\\FS01\users\" & UserString,True

wscript.sleep 300
'Install Printers
WSHNetwork.AddWindowsPrinterConnection "\\PS06\Reception-Konica-Duplex-Color-PCL"
WSHNetwork.AddWindowsPrinterConnection "\\PS06\Reception-Konica-Duplex-Black-PCL"
WSHNetwork.AddWindowsPrinterConnection "\\PS06\Reception-Konica-Onesided-Color-PCL"
WSHNetwork.AddWindowsPrinterConnection "\\PS06\Reception-Konica-Onesided-Black-PCL"

'Remove Printers
WSHNetwork.RemovePrinterConnection "\\PS06\Reception_Panasonic_Black"
WSHNetwork.RemovePrinterConnection "\\PS06\Reception_Panaosonic_Color_Duplex"
WSHNetwork.RemovePrinterConnection "\\PS06\Reception Copier Color - Single Side"
WSHNetwork.RemovePrinterConnection "\\PS10\Reception_copier_black"
WSHNetwork.RemovePrinterConnection "\\PS10\Reception_copier_color"
'******** create folder **********

'dim filesys, newfolder, newfolderpath

'newfolderpath = "c:\Program Files\Software\001"

'set filesys=CreateObject("Scripting.FileSystemObject")

'If Not filesys.FolderExists(newfolderpath) Then
'Set newfolder = filesys.CreateFolder(newfolderpath)
'Response.Write("A new folder has been created at: " newfolderpath)
'End If

'TempCMD = "Xcopy " & CHR(34) & "\\FS01\shared\it\software\001\*.*" & CHR (34) & " " & chr(34) & "C:\program files\software\001\*.*" & chr(34) & " /D /E /V /C /Y"
'WSHShell.Run tempCMD,0

If Not strComputer="TEST" then WSHShell.Run "reg import \\FS01\shared\logins\scripts\odbcreg.reg",0
'Add On Code goes below this line
' ===== Changed by SYSADMIN July 4 2012 =====
WSHShell.Run "reg import \\FS01\shared\logins\scripts\timeoutprocede.reg",0
WSHShell.Run "reg import \\FS01\shared\pdfcreator-disable-update.reg",0
WSHShell.Run "reg import \\FS01\shared\disable_gadgets.reg",0
'dim tempCMD

TempCMD = "Xcopy " & CHR(34) & "\\FS01\shared\it\logins\admin\Desktop\*.*" & CHR (34) & " " & chr(34) & "C:\Documents and Settings\%username%\Desktop\*.*" & chr(34) & " /D /E /V /C /Y"
WSHShell.Run tempCMD,0

' ===== Changed by SYSADMIN July 4 2012 =====
'TempCMD = chr(34) & "P:\Install Software\run me.bat" & chr(34)
'WSHShell.Run TempCMD,0


' Enable dcom
Set Myshell = WScript.CreateObject("WScript.Shell")
Myshell.RegWrite "HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM","Y","REG_SZ"
Myshell.RegWrite "HKLM\SOFTWARE\Microsoft\Ole\LegacyAuthenticationLevel",2,"REG_DWORD"

' Set dcom default permissions
Myshell.regdelete "HKLM\SOFTWARE\Microsoft\Ole\DefaultLaunchPermission"
Myshell.regdelete "HKLM\SOFTWARE\Microsoft\Ole\MachineAccessRestriction"
Myshell.regdelete "HKLM\SOFTWARE\Microsoft\Ole\MachineLaunchRestriction"

' Disable simple file sharing
Myshell.RegWrite "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\ForceGuest","0","REG_DWORD"

'Add On Code goes above this line

'Clean Up Memory We Used
set UserObj = Nothing
set GroupObj = Nothing
set WSHNetwork = Nothing
set DomainString = Nothing
set WSHSHell = Nothing
Set WSHPrinters = Nothing

'Quit the Script


It's all pretty benign stuff.
Lionel MMSmall Business IT ConsultantCommented:
I agree; I am not at all a vbs expert but I don't see anything that can be a reason for concern. At this point I think you should ask for attention and ask for real vbs experts that can see why this code is been stopped. I will if I can put this code on a test 2008 server and see if I get the same issues as you or not (sometime later tonight or tomorrow).
dyadminAuthor Commented:
Unfortunately my problem went isolated thanks Lionel for the help!
dyadminAuthor Commented:
I've requested that this question be closed as follows:

Accepted answer: 0 points for dyadmin's comment #a40953335

for the following reason:

Question was not solved.
Lionel MMSmall Business IT ConsultantCommented:
The problem was found--there was something in the script that would not allow it to be executed/run or copied. This question was not filed under the scripting section but the Windows section and we did find that the problem lies with the code, the script itself. Suggest this question be re-posted to now ask for help with the script itself-otherise we did isolate the problem--it is the script itself.
dyadminAuthor Commented:
Lionelmm is correct in that we have isolated the problem in the script, although we don't know what that problem is, so I was going to close this question and open up a new one as a result of our findings. Lionelmm deserves a ton of credit for assisting me whittle down the issue. I don't know how to reward him for his assistance.  I look forward to seeing more responses from more eyes.
Lionel MMSmall Business IT ConsultantCommented:
I strongly disagree with the suggestion to delete this question--I suggest you accept your last comment as the answer and reward my most helpful comment(s) with the points you deem appropriate.
dyadminAuthor Commented:
We isolated the problem inside the script but yet  did not find why the vb script was not running, that will be submitted as another question.

As an organization we have decided to convert our scripts to powershell and that seems to be working for us.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
VB Script

From novice to tech pro — start learning today.