Group Policy Logon Script Fails

[levelnet]

In a lab, I have a Windows 2000 server and multiple WinXP Professional clients. Simply put, the Logon Script doesn't run during client logon ("test.bat" file). After logon however, the client can browse to the Win2000 server and navigate to the subdirectory where the script resides and manually run the script with no problems. Also, if the script name is placed in the Profile tab of the user account, it runs during logon. I'm using that as a temporary solution but for multiple users, it'd be a real headache. So I'd rather use the group policy logon script feature (in the user configuration section of the Group Policy). I've grabbed te data using a Sniffer, but can't pinpoint any specific cause of the failure...

Other components of the group policy ARE working; such as folder redirection and password complexity enforcement. I've read the support tips from Microsoft and even followed some examples step-by-step regarding Group Policy logon scripts, still no success though. The Win2000 DC is in 'native' mode and it is the only Domain Controller (its also the DNS server). I've checked DNS records and they look intact; stopped/restarted te NETLOGON service to refresh the DNS and still no results. I've check policy blocking and inheritence, still no luck. Both the Win2000 and WinXP systems are up-to-date with service packs and that sorta thing.

Any suggestions would be appreciated.

 

[ReddLefty]

Run a DCDIAG.EXE on your server to make sure all the basic AD service are operational.

You can get the tool at (along with many other tools that may help):

http://www.microsoft.com/windows2000/techinfo/reskit/tools/default.asp

"In space, nobody can hear you click..."

 

[IanGlinka]

Hey, whitezin, did you ever resolve this problem?

I'm having the EXACT same issue...

Let me know!

Thanks!
Ian

 

[levelnet]

Yes - I manged to resolve it. As it turned out, the logon script was part of the group policy which was associated with the OU. That part was Ok... However, inside the OU's to which the Group Policy was associated, there were only 'domain groups' (no individual users). The individual users accounts were in a common OU ('users'). When the individual users were moved from the 'users' OU and placed in the OU to which the Group Policy was applied, the logon/logoff scripts executed accordingly. Apparently the logon/logoff scripts can only be applied to individual users, not the 'group' to which the user is a member of.

Reading over much of the Microsoft website implies that logon scripts can be applied to both 'groups' and 'users within the group'. However, we found that if a script is desinated as a logon/logoff script, it won't active when a member of the group logs on/off unless that users individual account is in the same OU to which the Group Policy is associated. It makes sense when you consider that the group policy settings are applied to the network environment; only the individual users is what is logged on/off the network. Group Policies were most powerful when used to 'control' the network environment rather than for log on/off processes.

Until this issue was identified and resolved, we used KIXtart batch files. KIXtart has many nifty options that are abscent in Group Policy. Depending on your goals, a mix of Group Policy and something like KIX may be a good option.

Goodluck!