
Logon Script Amateur 1


ricolame

IS-IT--Management
Nov 9, 2005
82
CN
Hi guys,

I just started putting my hands on using Logon Script in my domain.

Would need assistance - I have created a script.bat file.

How I went into inserting my script:

In my AD, my default domain (top of the directory). Right click -> Properties -> I got into my default domain policy edit mode.

After which, I went under User Configuration -> Windows Settings -> Script -> Logon -> and inserted my file script.bat

I read from the Net that I would also need to place the similar file in the Netlogon shared folder. I placed the similar file in the following directory too

%SystemRoot%\sysvol\sysvol\<domain DNS name>\scripts

Since I have applied the script to the default domain policy, it should work on all terminals in my domain, right? However, my testing on a terminal didn't work at all. The script was not running.

Could someone enlighten me? I've been doing this for the day and it's really nerve-wracking... Any help is greatly appreciated. Thanks in advance!
 
hi,

I will read the FAQs. Thanks! Apparently I did create a testing OU with just a few users in it. Even a simple restriction in the administrative templates, where I disabled some features in Add/Remove component, didn't work at all for that OU.

Is there any feature / service that I should activate to enable group policy or login script to run ?
 
My script is in typical DOS commands. Hm, will it differ?
 
Yes you can use commands in a .BAT file.

As for group policy it is enabled by default but a number of issues can cause them not to apply.

Check that your DNS is set up correctly; your client PCs should point to your Windows DNS server for name resolution.

You must be using Windows 2000 Pro or above for Group Policy to work.

The policy should be applied to an OU containing users.
 
I couldn't get it to work either on the default policy.

Could you elaborate on what a proper WIN DNS setup is supposed to be?

As to client pointing to Windows DNS Server... my clients are pointing to my router (or 192.168.0.1) if I didn't remember wrongly.

Sorry, I'm not a system administrator, but trying to get Group Policy to work for my system administrator, and at the same time getting some of my projects to work through scripting. Pardon me for asking these questions as I'm really a beginner.

Tks for the replies so far.
 
Oh man, this is gonna cause a big change in the network configuration for the computers here....
 
I read that
'You cannot install Active Directory without having DNS on your network,'

Since I am on AD, I should have DNS already if I understand correctly.

 
Hi ricolame,

If you drop to a command prompt & type NSLOOKUP what are the results?

Also..if you know the IP address of the domain controller you can do a PING -A [Server's IP address]

Should resolve the name of the machine.

Peter

Remember- It's nice to be important,
but it's important to be nice :)
 
Hm, the DNS is pointing to my ISP DNS.

Both on my client and my domain server

Does that infer that I did not have DNS when AD was created previously?
 
Are you running 2000 Server? If so, then you must have a DNS server, as you can't install Active Directory without one. You can have a compatible third-party DNS server, but it's rare. Check your servers: look in the Start menu - Programs - Administrative Tools. You should find a DNS icon on one of them; this will be your DNS server.
 
Several points of interest here to comment on.

As has been mentioned, you need to have internal DNS running for your AD. Otherwise name resolution internally will not work.

Make that your top priority. The proper configuration is to have DNS running on one or more of your domain controllers. Your servers' TCP/IP settings on the NIC cards should ONLY list your internal DNS servers. Likewise, your DHCP server should ONLY push out the IP for your internal DNS. Within the DNS snap-in, you should specify your ISP DNS on the FORWARDERS tab.

Next point to make is that you should NOT be implementing a logon script within your Default Domain Policy. The only settings that you should make to that policy are related to security of passwords. Other than that, leave that policy alone and create your own policy.

I must respectfully disagree with the advice of not applying the policy at the top domain level. If you are creating a policy specifically for the login script, then I would advise that this is the proper place for it. A well-written script can differentiate between user roles and groups etc., and a single script and GPO can handle all the OUs of the domain. It is certainly true that you can link a GPO at any OU, but I've worked at locations with hundreds of OUs and this is needlessly tedious and complex.

If you decide you do wish to implement at the OU level, you need to be aware that the user objects would then need to be located in that OU for the script to be processed.

My last word of advice would be to abandon the BAT file concept. Go with VBSCRIPT, the FAQ mentioned above is mine and I offer a comprehensive script that you can use in it.

I hope you find this post helpful.

Regards,

Mark
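
The DNS and script-location points from the posts above can be checked from a client with a short batch file. This is an added example, not part of the original thread; `corp.example.local` is a placeholder for the AD domain's DNS name, and `script.bat` is the file name used in the first post.

```batch
@echo off
rem Added diagnostic example, not from the thread. Run on a domain client.
rem AD_DOMAIN is a placeholder: set it to your AD domain's DNS name.
setlocal
set AD_DOMAIN=corp.example.local
set SCRIPT=script.bat
set SRVOUT=%TEMP%\adsrv.txt

echo === 1. DNS servers this client uses ===
rem Only the first server is on the matching line; extra servers follow on
rem continuation lines in the full "ipconfig /all" output.
ipconfig /all | findstr /i /c:"DNS Servers"

echo.
echo === 2. Domain controller SRV records via that DNS server ===
rem Clients locate a DC for logon and Group Policy through these records.
rem A router or ISP resolver normally does not hold the internal AD zone.
nslookup -type=SRV _ldap._tcp.dc._msdcs.%AD_DOMAIN% > "%SRVOUT%" 2>&1
findstr /i /c:"svr hostname" "%SRVOUT%" > nul
if errorlevel 1 goto nosrv
echo OK: domain controllers registered in DNS:
findstr /i /c:"svr hostname" "%SRVOUT%"
goto shares

:nosrv
echo FAIL: no SRV records for %AD_DOMAIN% from the configured DNS server.
echo       Point the client at the internal AD DNS server and retry.

:shares
echo.
echo === 3. Logon server and script location ===
echo Logon server: %LOGONSERVER%
if exist "\\%AD_DOMAIN%\NETLOGON\%SCRIPT%" goto found
echo FAIL: \\%AD_DOMAIN%\NETLOGON\%SCRIPT% is not reachable from this client.
goto done

:found
echo OK: \\%AD_DOMAIN%\NETLOGON\%SCRIPT% is reachable.

:done
del "%SRVOUT%" 2> nul
endlocal
```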
 
Agreed, Mark does make a very good point there: if you are designing a large structure, then you will want to reduce your management overhead by having your scripts further up the hierarchy.
 
Hi guys, thanks so much for the expert advice. Really appreciated.

Porkchopexpress, yes, I am on Win2k Server definitely, and using that as a domain controller.

OK, I had a problem, as my system administrator is pretty adamant about not configuring the DNS snap-in, for a few reasons:

1. Would the change in DNS snap-in settings in Win2k Server affect how my client computers access the mail and net service?

We have over a hundred terminals under this domain controller.

My client terminals, under Network Connection -> DNS settings, are currently pointing to my router, which is 192.168.0.1.

2. Next, my router is using DHCP to assign roving laptops dynamic IPs, but other than that, most of my client desktops are configured with fixed IPs. How does this DHCP server come into the picture? And again, would it affect how my other clients are running, judging by the current configurations on the individual clients?

3. I am running an ERP database engine on this domain controller as well; would this switch in configuration affect the load on this server?

Can this configuration be done in phases? Apparently, I noticed this would mean that the domain controller has been underutilised. Group Policy has not been activated, and I believe a lot of other useful controls would come in super handy.

However, it is not up to us to say change and just change, especially when we have not used such a service before. We have to take into consideration what might happen to the over a hundred clients when we make the change, and whether it can be done in phases over a period of time...

Thanks so much for the advice.



 
> 1.Would the change in DNS snap-in settings in Win2k server affect how my client computers are accessing to the mail and net service ?

Don't know enough about your environment. Do you host your own email or access via POP? Short answer is that it should not affect anything on the client side other than give better performance. The local DNS can cache information and pass it on to the clients faster than the ISP DNS can. When your server does not know an outside DNS address, it will simply ask the ISP DNS, cache that info and pass it on to the client.

> We are having over hundred of terminals under this domain controller
>
> My client terminals , under network connection->DNS settings is pointing to my router currently,which is 192.168.0.1

As advised above, have them point to your DNS server for DNS.

> 2.Next,my router is using DHCP to assigned roving laptops with dynamic IPs but other than that, most of my client desktops are configured with fixed IP. How does this DHCP server comes in picture? And again, would it affect how my other clients are running judging by the current configurations on the individual clients?

You would want to turn off DHCP on the router and use DHCP from the server, which then integrates with Dynamic DNS (DDNS).

How many clients do you have with static IPs and why? If you require predictable IPs, then the preferred method is to use DHCP with IP Reservations. This gives you the ability to easily change the default gateway, DNS IPs and any other IP Scope Options supported by DHCP. As you are configured right now, when your ISP changes their IP subnet (and they do this fairly frequently) you will need to visit every static workstation to change the DNS servers instead of being able to change it just on your DHCP server. This is poor use of an admin or desktop support person's time. Use the technology you paid for.

> 3.Am running a ERP database engine together on this domain controller, and would this switch in configurations affect the load it has on this server?

Yikes! Major security issues exist with running SQL on a DC. Make sure your SA ID has a strong password.

> Can this configuration be taken in phases ? Apparently i noticed this would mean that the domain controller has been under utilised. Group policy has not be activated and i believe a lot of other useful controls would come in superhandy.

Yes, sort of. You first need to tackle your DNS internally. Get that up and running properly so your AD knows what the heck is going on internally. Next, configure your DHCP on the server and set up all the scope options. Turn off DHCP on the router when you do this. From there you can slowly migrate the static machines to it. Again, I would recommend you simply switch them to DHCP unless you have some application that requires them to have a predefined IP. If that is the case, set up IP reservations in DHCP.

I hope you find this post helpful.

Regards,

Mark
 
Hi,

Thanks for the post! Points all noted.

On why IPs were fixed: internet access restriction was done on the IPs. Say for a certain range of IPs, port 80 is allowed, and the rest are all blocked for 80.

Thus this rule was set in the router. Likewise, we also noticed users changing their IPs; thus, from what I know so far, the IPs are now tied to the MAC addresses for each client desktop. For those who change their IP, it will mean total failure, for example.

We wanted to disable the feature to change IP addresses but couldn't get Group Policy to work (of course due to the above-mentioned problems that you guys have assisted with).

Thanks!
 
Sorry, as to whether I have an in-house mail server: nope. We access all mail by POP3. But I am looking into a mail server soon, say next year, February. Hm, any implications here?

Yes, I am seriously aware of the underutilization of the technology we paid for... and it has been running for a few years; it was only when I decided to look at using the features of the domain controller for some projects that I noticed these.

 