Windows 2003 Server Login Script

[stryker333]

Hi,

I've setup a few Windows 2003 Server before, but this is a new one.
I have a Windows 2003 Server with Exchange Server 2003 with Windows 2000/XP clients. The Login Script is in the NETLOGON share.

Here's the problem.

When any of the clients logon, the batch file does not run.
But when I give them Domain Admin rights, the login script runs with no problem.

To prove this, I take off the Domain Admin rights, and the profile does not run again.

Any help will be appreciated.

 

[Jpoandl]

For the bat logon problem, you may want to try adding the DOMAIN USER ACCOUNT to the local administrators account of the XP machine. This way the users don't have domain admins, rather they just have local administrator for thier machine.

As an alternative, you can try to use a VB script instead of the old bat file script.

Here is an example:

Option Explicit
On error Resume Next

dim oNetwork, oDrives, oFSO, Drive
Dim sFinalDrive, iChar, sNewDrive

Set oNetwork = CreateObject("wScript.Network")
oNetwork.MapNetworkDrive "H:", "//London/LabShare"

Set oFSO =CreateObject("scripting.FileSystemObject")
For each drive in oFSO.Drives
sFinalDrive = Left(Drive, 1)
Next
iChar=Asc(sFinalDrive)
sNewDrive=Chr(iChar + 1)

oNetwork.MapNetworkDrive sNewDrive & ":", "\\London\labshare"

oNetwork.AddWindowsPrinterConnection "\\London\Classprn"

oNetwork.SetDefaultPrinter "\\London\Classprn"



Joseph L. Poandl
MCSE 2003

If your company is in need of experts to examine technical problems/solutions, please check out

http://www.NJCOMPUTERNETWORKS.com

(Sales@njcomputernetworks.com)

 

[stryker333]

Joseph,

Firstly, thank you for your ongoing support.
I must say I am dumbfounded when talking about VB.
So I won't be going this route.

My problem is not critical in the sense that I can manually map the folders I want from the client side (just 11 PCs).

I want a resolution to the problem at hand because it bugs me to have such a problem when I supposedly set everything like I had always with other Win2003 Server.

In any event, if you or anyone else comes across something like this, please share the knowledge.

-Randy

 

[Jpoandl]

Forget about VB...

Do this: For the bat logon problem, you may want to try adding the DOMAIN USER ACCOUNT to the local administrators account of the XP machine. This way the users don't have domain admins, rather they just have local administrator for thier machine.



Joseph L. Poandl
MCSE 2003

If your company is in need of experts to examine technical problems/solutions, please check out

http://www.NJCOMPUTERNETWORKS.com

(Sales@njcomputernetworks.com)

 

[wdoellefeld]

For strange reasons, they need to be a member of the Domain Admin group to get the Login Script to run with no problem.

This tells you it's a permissions problem of some sort. Remember there are still two areas of permission on a share, share and folder. Is anyone explicitly denied? Check the security tab.

 

[markdmac]

Sorry I have been away and not manning my post.

Stryker333, a few things. First off, the last bit of advice you were given is the best place to start. You clearly have a permissions issue and it is most likely NTFS based.

My suggestion if you insist on using a BAT file is to rem out all lines. Then add one line at a time back into the script and see where it is failing.

Verify that your users have Read and Execute rights to the Netlogon folder and share.

Next, some tough love. DON'T FORGET VBSCRIPT!It is time to upgrade your skills. You should really consider switching this over to VBScript. Here is a sample script that is documented so you can follow what it is doing. Running scripts via a GPO is a much better solution. You can set your scripts to run at Startup, shutdown, login and logout. plus many more options that using BAT files. In addition, VBScript files don't need to open up a seperate VM, so I have found the performance is better.

Note that if you don't have basic scripting skills in the next 5 years you will probably be unemployable (at least according to Bill Gates). A careful look at how MS is leveraging WMI backs up his statements.

'==========================================================================
'
' NAME: LogonScript.vbs
'
' AUTHOR:  Mark D. MacLachlan, The Spider's Parlor
' URL   : [URL unfurl="true"]http://www.thespidersparlor.com[/URL]
' DATE  : 4/10/2003
'
' COMMENT: Enumerates current users' group memberships in given domain.
'
'==========================================================================


ON ERROR RESUME NEXT

Set WSHShell = CreateObject("WScript.Shell")
Set WSHNetwork = CreateObject("WScript.Network")

'Edit the next line with your domain name
DomainString = "DomainName"
UserString = WSHNetwork.UserName
'Bind to the user object to get user name and check for group memberships later
Set UserObj = GetObject("WinNT://" & DomainString & "/" & UserString)

'Synchronizes the time with Server our NTP Server
WSHShell.Run "NET TIME \\Server /set /y"

'Disconnect any drive mappings as needed.
WSHNetwork.RemoveNetworkDrive "F:"

'Give the PC time to do the disconnect, wait 300 milliseconds
wscript.sleep 300

'Map drives needed by all
WSHNetwork.MapNetworkDrive "U:", "\\server\users",True
WSHNetwork.MapNetworkDrive "X:", "\\server\executables",True

'Now check for group memberships and map appropriate drives
For Each GroupObj In UserObj.Groups
	Select Case GroupObj.Name
	'Check for group memberships and take needed action
	'In this example below, ADMIN and WORKERB are groups.
		Case "Admin"
			WSHNetwork.MapNetworkDrive "w:", "\\Server\Admin Stuff",True
		Case "WorkerB"
			WSHNetwork.MapNetworkDrive "w:", "\\Server\Shared Documents",True
	End Select
Next


'Install Printers

WSHNetwork.AddWindowsPrinterConnection "\\Server\HP5si"

'Clean Up Memory We Used
set UserObj = Nothing
set GroupObj = Nothing
set WSHNetwork = Nothing
set DomainString = Nothing
set WSHSHell = Nothing

'Quit the Script
wscript.quit

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark

 

[stryker333]

Thank you all for the posting.
And again, I don't want anyone to waste there time if they are busy for this particular problem as it is more of an annoyance nature than critical.

Small recap:
1. Login Script runs perfectly when users are a member of Network Administrator group.
Batch file created fine as proven by this.
2. All users have Local Admin rights.
3. Login Script DOES NOT run when users are in a regular "member of DOMAIN USERS" group.

Permissions on the NETLOGON share:

SHARING > PERMISSIONS:
Administrators: full permissions
Everyone: read

SECURITY TAB:
Administrators: full permission except special permissions
Authenticated Users: read & execute, list folder contents, read
Creator Owner: special permissions
Sever Operators: read & execute, list folder contents, read
System: full permissions except special permissions


Thanks for the note on the VB. Definitely something worth investing my time into.

-Randy

 

[stryker333]

Problem solved!

Thanks to those of you insisting on the permissions.
Looks like everything was setup ok.

Only problem: The batch file itself has a SECURITY TAB.
For some reason, the AUTHENTICATED USERS are not in there. I added it with the READ & WRITE Permissions and now users are able to run the script without needing Administrative Privileges.

Thank you all again for the assistance.

Time to play with VB Scripts.

-Randy

 

[Jpoandl]

You da man...glad you got this worked out!

Joseph L. Poandl
MCSE 2003

If your company is in need of experts to examine technical problems/solutions, please check out

http://www.NJCOMPUTERNETWORKS.com

(Sales@njcomputernetworks.com)