Windows 2003 Server Login Script

stryker333

Technical User
Jul 19, 2004
27
US
Hi,

I've set up a few Windows 2003 Servers before, but this is a new one.
I have a Windows 2003 Server with Exchange Server 2003 with Windows 2000/XP clients. The Login Script is in the NETLOGON share.

Here's the problem.

When any of the clients logon, the batch file does not run.
But when I give them Domain Admin rights, the login script runs with no problem.

To prove this, I take off the Domain Admin rights, and the profile does not run again.

Any help will be appreciated.




 
What does your bat logon script do exactly?

Can you change it to just display something like "HELLO" to the user logging in?

This would be a good test; it might be that your logon script is trying to run but cannot perform some of the tasks... like mapping drives (due to NTFS permissions problems).



Joseph L. Poandl
MCSE 2003

If your company is in need of experts to examine technical problems/solutions, please check out (Sales@njcomputernetworks.com)
 
Yes, I've tried that to no avail.
The little DOS dialogue doesn't even pop up.

All the users have "Local Admin rights".
For strange reasons, they need to be a member of the Domain Admin group to get the Login Script to run with no problem.
 
Test your logon script through using a mapped drive to the netlogon directory:


Log in as the client user (without admin rights), and map a drive to the netlogon directory. Go to a DOS prompt and change the drive letter to the mapped drive. Run the bat file... and see if errors are displayed.

Joseph L. Poandl
MCSE 2003

If your company is in need of experts to examine technical problems/solutions, please check out (Sales@njcomputernetworks.com)
 
Script File:

net time \\win2003 /set /y

net use g: /delete /y

net use: \\win2003\doc

exit

---------------------

FYI, though by default EVERYONE has the READ access for the Netlogon folder, I double checked it, and it is.
 
Oops, mistake with my typing above:

Script File:

net time \\win2003 /set /y

net use g: /delete /y

net use g: \\win2003\doc

exit
 
As a normal user... without domain admin rights... can you perform this: net use g: \\win2003\doc

What are the rights on the DOC share? Are you sure your normal users have access to this?

Joseph L. Poandl
MCSE 2003

If your company is in need of experts to examine technical problems/solutions, please check out (Sales@njcomputernetworks.com)
 
hmm, good question.

I believe the DOC already gives normal users the right privileges, but I will double check.

Even though the privileges for the DOC folder are not correct, wouldn't the DOS box at least give me an error?

I shall get back to you.

Thanks again for your help.
 
Jpoandl, in response to your test above to manually map the G: Drive, yes it works.

The user has regular Domain User rights (No Server Admin rights). User is able to manually map, edit and delete files within the directory.

 
No... you may not be able to see the error... that's why I asked you to perform this test (this test will show you errors):



Test your logon script manually through using a mapped drive to the netlogon directory:


1) Log in as the client user (without admin rights).
2) Map a drive to the netlogon directory.
3) Go to a DOS prompt and change the drive letter to the mapped drive.
4) Run the bat file... and see if errors are displayed. (You can run the bat file simply by typing the name of the bat file at the DOS prompt.)



Joseph L. Poandl
MCSE 2003

If your company is in need of experts to examine technical problems/solutions, please check out (Sales@njcomputernetworks.com)
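
The manual test described in the post above can be scripted so that every step leaves a record, which helps when the console window never appears at logon. This is an added example, not code posted by anyone in the thread: the server name `win2003` and the `doc` share come from the thread, while `logon.bat` and the log file name are placeholders for the real names. Copy it to a local folder on the client and run it as the non-admin user.

```batch
@echo off
rem Added diagnostic example, not part of the original thread.
rem win2003 and doc are taken from the thread; logon.bat is a placeholder
rem for the real script name in NETLOGON.
setlocal
set SERVER=win2003
set SCRIPT=\\%SERVER%\NETLOGON\logon.bat
set LOG=%TEMP%\logon-diag.log

rem Record who ran the test and where, so results from several users can be compared.
echo ==== %DATE% %TIME% %USERDOMAIN%\%USERNAME% on %COMPUTERNAME% > "%LOG%"

rem Each step is logged with its output and exit code.
rem A failure in the first three steps points at share or NTFS permissions
rem on NETLOGON or on the script file itself, not at the commands inside it.
call :step "List NETLOGON share" dir "\\%SERVER%\NETLOGON"
call :step "Read script file" type "%SCRIPT%"
call :step "Show ACL on script file" cacls "%SCRIPT%"

rem A non-zero exit code here is expected when G: is not currently mapped.
call :step "Remove old G: mapping" net use g: /delete /y
call :step "Map G: to doc share" net use g: \\%SERVER%\doc

echo Results written to %LOG%
endlocal
goto :eof

:step
rem %1 is a label for the log; the remaining arguments are the command to run.
echo.>> "%LOG%"
echo --- %~1 >> "%LOG%"
shift
%1 %2 %3 %4 %5 >> "%LOG%" 2>&1
echo exit code: %errorlevel% >> "%LOG%"
goto :eof
```

Comparing the log from a normal domain user with the log from an account in Domain Admins shows which step changes, without leaving users in the admin group.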
 
Just one point...

In Windows 2003 the permissions allocated to a folder are not the default share privileges when accessing via a network... might be worth checking; I believe by default it's Domain Admins (Full), Everyone (Read).
 
I would try this to see the exact error (if any) with the bat file.

If there is no error, then we know that the script is a-OK.

Then I would start to check elsewhere...

Joseph L. Poandl
MCSE 2003

If your company is in need of experts to examine technical problems/solutions, please check out (Sales@njcomputernetworks.com)
 
Hi Tomomark, your point is correct. I verified and those permissions are indeed there. I cross-referenced with another client of mine that has the same configuration, and their login script works with no problem. The settings at this server are also the same as you noted.

Joseph, I will try your suggestion when one of the PCs there is available for me to use, and provide the error, if applicable. (I'm doing most of this remotely.)

Shall update you all with my findings.
 
Joseph,

I did as you asked.
At stage #4 (per your numbers), while running the batch file from the DOS Netlogon directory, I got an ACCESS IS DENIED.

-Randy
 
OK...it is now obvious that we have just a simple script problem.


Are your clients Windows 2000 OS or above?

If so, this is not needed: net time \\win2003 /set /y

Windows 2000 and Windows 2003 domains use the W32Time service to automatically sync the time of the domain. The W32Time service is installed by default on Windows 2000 Professional and Windows XP. No configuration on the clients is needed as long as the domain is set up properly. So, I would get rid of this sync statement. This may be causing the problem.

Try to run this command on the client machine: net time \\win2003 /set /y (Not sure but you may need to be a local admin to run this command....)


If getting rid of the synch did not fix the problem, check the permission on the share again.
net use g: /delete /y

net use g: \\win2003\doc

Joseph L. Poandl
MCSE 2003

If your company is in need of experts to examine technical problems/solutions, please check out (Sales@njcomputernetworks.com)
 
Yes, all systems are Windows 2000/XP w/ latest service packs.

Running the NET TIME command manually from DOS works with no problem from the client side.

Got rid of the NET TIME command line, ran batch file and received same error: ACCESS IS DENIED

At DOS prompt, I entered NET USE G: \\WIN2003\DOC
Result: Command entered successfully. (or something like that.)

I checked the newly mapped drive via Windows Explorer and I have no problem with editing files.

Keep in mind again that the BATCH FILE works if the client has been given Server Admin Rights.

I cross-referenced the security settings on the NETLOGON share and they are the same as on other servers that I manage with working login scripts.

Let me know what you think.

-Randy
 
Hello...

Just one thought, I'm not sure if it is relevant or not, because I have never actually tested it... In group policy, there are a couple of options regarding disabling the command prompt!

I have never tried to execute a batch file under these GPO settings, but it sounds possible...

...board and at work :D

Mark
 
Hey Mark,

Thanks for posting.
GP or GPO is something pretty new to me as well.
If you can direct me step by step as to which one to check, I can go look it out.

Thanks,

Randy
 
Hello...

I'm at work at the moment, I will post again when I get home.

Mark
 