Dan_H
(Fresh Scripter)
2005-11-18 08:08 PM
If ingroup error

I'm experiencing a strange problem with an if ingroup command. I'm not sure if this is AD, Kixtart, or both. Here's the script...

Code:
 
IF INGROUP ("Agent") = 1
    ? "Checking for Agent Install..."
    DIM $InstalledC, $InstalledD
    $InstalledC = EXIST("c:\program files\patch\agent.exe")
    $InstalledD = EXIST("d:\program files\patch\agent.exe")

    IF $InstalledC = 0 AND $InstalledD = 0
        ? "Agent Not Found... Installing Agent now.... please wait"
        SHELL '%comspec% /c "\\server\share\setup.exe -s"'
    ELSE
        ? "Agent Found"
    ENDIF
ENDIF



This script won't run if you are a member of this AD group. I checked everything that I can think of (syntax, extra spaces, etc...). So then I thought let me enumerate the group via Kixtart. Here's the script...

Code:
 
? "Agent"
?
ENUMGROUP("Agent")



Here are the results...

Agent
DOMAIN\cc_users

Now...the cc_users group is a valid group in our domain and there are several users in that group. I don't understand why it shows cc_users as the only member of that group. Does this look like an AD problem or is there something in Kixtart I'm missing? We have 20 if ingroup commands in our production login script.

Thanks for any advice.


Lonkero (Administrator)
(KiX Master Guru)
2005-11-18 08:15 PM
Re: If ingroup error

well, your enumgroup syntax is wrong, to start with.

EnumGroup( )

Action: Enumerates all groups of which the current user is a member.
 
Syntax: ENUMGROUP (Index)
 
Parameters: Index

A numeric value representing the group whose name you want to discover (where 0 is the first subkey).



Dan_H
(Fresh Scripter)
2005-11-18 08:35 PM
Re: If ingroup error

Ok. What are some things I can try to determine why the script won't run if you're part of the domain group?

Thanks


Les
(KiX Master)
2005-11-18 11:02 PM
Re: If ingroup error

Have you tried flushing the cache?

StarwarsKid
(Seasoned Scripter)
2005-11-19 12:02 AM
Re: If ingroup error

I don't think you'll need the "= 1" after your IF INGROUP statement. The IF INGROUP command will just step you to the next level of the IF statement if you are a member.

You can flush the cache by adding a "/f" at the end of your kix32.exe string. (minus the double quotes)

The INGROUP command can enumerate nested groups so if your users are in the CC_Users group they should be running the code. What version of KiX are you running?

Also, try double quotes around your SHELL command syntax instead of the single quote (does the SHELLed DOS command recognize UNC paths?) You may need to run the setup file from a mapped drive.

You can also DIM your variables above the first IF statement (may clean up your code...)


Les
(KiX Master)
2005-11-19 12:33 AM
Re: If ingroup error

The quotes on the SHELL line are just fine. I doubt however that the command interpreter would be required.

StarwarsKid
(Seasoned Scripter)
2005-11-19 01:29 AM
Re: If ingroup error

*BING!!!*

Dan_H
(Fresh Scripter)
2005-11-21 05:41 PM
Re: If ingroup error

First off, thanks for the quick responses!

Quote:

I don't think you'll need the "= 1" after your IF INGROUP statement. The IF INGROUP command will just step you to the next level of the IF statement if you are a member.





I've tried this both ways. With and without "= 1"

Quote:


You can flush the cache by adding a "/f" at the end of your kix32.exe string. (minus the double quotes)





I've tried this too.

Quote:


The INGROUP command can enumerate nested groups so if your users are in the CC_Users group they should be running the code. What version of KiX are you running?





I'm starting to suspect AD at this point. If I modify the script to use an existing group, it works fine. I've added 3 different groups in AD trying to get this project working and none have worked. I even simplified the script. For example...

Code:

IF INGROUP ("PMAgent")
    ? "You are in the PMAgent group..."
ENDIF



Then I ran it with the following command

c:\kix32.exe -d PMAgent.kix /f

It just exits back out to the DOS prompt. Nothing was echoed to the DOS window.

Any thoughts?

Thanks


Shawn (Administrator)
(KiX Supporter)
2005-11-21 05:47 PM
Re: If ingroup error

Sorry have to ask this - are you testing this script against your own account, that you just added to this group - and did you logoff and log back in before testing ?

-Shawn


Dan_H
(Fresh Scripter)
2005-11-21 07:09 PM
Re: If ingroup error

Quote:

Sorry have to ask this - are you testing this script against your own account, that you just added to this group - and did you logoff and log back in before testing ?

-Shawn




Yes. I've logged off, logged on, and forced replication in AD trying to figure this behavior out. I have also tried it with another user in that group on a different machine.

One more test that was done. VBScript was used to query the domain group and it listed the members correctly.

Oh...the version we have is 4.12

Thanks


Les
(KiX Master)
2005-11-21 07:15 PM
Re: If ingroup error

Is your GC healthy?
Try to include the domain name with the groupname.


Shawn (Administrator)
(KiX Supporter)
2005-11-21 07:16 PM
Re: If ingroup error

Any events in your application event log ?

Les
(KiX Master)
2005-11-21 07:20 PM
Re: If ingroup error

Try deleting the HKEY_CURRENT_USER\Software\KiXtart\TokenCache reg key.

StarwarsKid
(Seasoned Scripter)
2005-11-21 07:31 PM
Re: If ingroup error

It couldn't hurt to upgrade to the latest KiX version too. I would, however, verify with the "pros" about any compatibility caveats that might arise from the upgrade.

The physical steps to upgrading, however, couldn't be simpler (if you're on a winNT - 200x network (no 9x))

Just download the newer version and call the newer version's .EXE from your batch file or your user's logon script field (whichever you're using)


Dan_H
(Fresh Scripter)
2005-11-21 07:46 PM
Re: If ingroup error

Again everyone, thanks for all the tips. Here's the latest...

Quote:


Is your GC healthy?




I've looked at the event logs on all GC servers, nothing out of the ordinary. Is there another method you had in mind to test that?

Quote:


Try to include the domain name with the groupname.




Didn't work

Quote:


Try deleting the HKEY_CURRENT_USER\Software\KiXtart\TokenCache reg key.





Didn't help. It repopulated the key as soon as I ran the script. The information was the same as before.

Quote:


It couldn't hurt to upgrade to the latest KiX version too. I would, however, verify with the "pros" about any compatibility caveats that might arise from the upgrade.




I did this by downloading and copying the newest kix32.exe to my PC and the other test PC I'm using. Didn't work.

Now I'm really starting to question AD, yet I get positive results with VBScript querying the group.

Thanks


Howard Bullock
(KiX Supporter)
2005-11-21 07:54 PM
Re: If ingroup error

KiXtart gets global group references from the user authentication token. The group SIDs are bound to the token at logon by the global catalog server. So if you do not have a global catalog server that the user can contact you may see these types of issues.
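
The mismatch described in this thread (a directory query lists the membership, but the logon token does not carry it) can be checked directly. The following PowerShell is an added example, not part of the original thread; it assumes a domain-joined workstation, is run as the affected user, and looks at direct memberships only (nested groups are not expanded):

```powershell
# Added diagnostic (not from the thread): compare the groups the directory
# lists for the current user with the group SIDs in the logon token.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$tokenSids = @($identity.Groups | ForEach-Object { $_.Value })

# Direct memberships as stored in the directory (the view an ADSI query gets).
$searcher = [adsisearcher]"(&(objectCategory=person)(objectClass=user)(sAMAccountName=$env:USERNAME))"
[void]$searcher.PropertiesToLoad.Add('memberof')
$user = $searcher.FindOne()
if ($null -eq $user) { throw "No directory entry found for $env:USERNAME" }

$report = foreach ($dn in $user.Properties['memberof']) {
    $group = [adsi]"LDAP://$dn"
    $bytes = [byte[]]$group.objectSid.Value
    $sid   = New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)
    [pscustomobject]@{
        Group      = [string]$group.sAMAccountName.Value
        # Security-enabled groups have the high bit of groupType set, so the
        # Int32 value is negative; distribution groups never appear in a token.
        IsSecurity = ([int]$group.groupType.Value -lt 0)
        InToken    = ($tokenSids -contains $sid.Value)
    }
}

# Security groups the directory knows about but the token lacks.
$missing = @($report | Where-Object { $_.IsSecurity -and -not $_.InToken })

$report | Sort-Object Group | Format-Table -AutoSize
if ($missing.Count -gt 0) {
    Write-Warning ("Security groups missing from the logon token: " +
                   (($missing | ForEach-Object { $_.Group }) -join ', '))
}
```

A group added after the last logon also shows up as missing until the user logs on again, so run the check from a fresh logon session.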

Shawn (Administrator)
(KiX Supporter)
2005-11-21 08:01 PM
Re: If ingroup error

Kixtart will spit out errors to the local (workstation) appl. event log.

Howard Bullock
(KiX Supporter)
2005-11-21 08:03 PM
Re: If ingroup error

Oh, and you didn't tell us what was listed in the Token cache. Was the group in question listed there? Was the group in question renamed? Do other groups work or do all global groups fail? Is the group name long?

Les
(KiX Master)
2005-11-21 08:08 PM
Re: If ingroup error

Is it a security group?

Dan_H
(Fresh Scripter)
2005-11-22 03:42 PM
Re: If ingroup error

Again...my sincere thanks to everyone who responded to this post.

Quote:


Oh, and you didn't tell us what was listed in the Token cache. Was the group in question listed there? Was the group in question renamed? Do other groups work or do all global groups fail? Is the group name long?





These were wrong. They were showing some, but not all of the correct groups (no new ones).

Quote:

Is your GC healthy?
Try to include the domain name with the groupname.




Nope. I took a look at the GC settings on my domain controllers and noticed that the GC checkbox was unchecked on the domain controller with the FSMO roles.

I checked the box and ran my production logon script. The TokenCache registry entry immediately filled up with the appropriate groups. And the original script ran just fine.

Not sure how that happened. We haven't had any major changes to our domain lately aside from some new employees. It only really showed up when we started this project to roll out a piece of software based on group membership.

Thanks so much everybody!


Les
(KiX Master)
2005-11-26 09:18 PM
Re: If ingroup error

You need to be careful. If memory serves, there can be a conflict with GC and the IM FSMO role.

Les
(KiX Master)
2005-11-26 09:23 PM
Re: If ingroup error

Further reading:
http://support.microsoft.com/default.aspx?scid=kb;en-us;197132
Quote:

Infrastructure FSMO Role
When an object in one domain is referenced by another object in another domain, it represents the reference by the GUID, the SID (for references to security principals), and the DN of the object being referenced. The infrastructure FSMO role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference.

NOTE: The Infrastructure Master (IM) role should be held by a domain controller that is not a Global Catalog server(GC). If the Infrastructure Master runs on a Global Catalog server it will stop updating object information because it does not contain any references to objects that it does not hold. This is because a Global Catalog server holds a partial replica of every object in the forest. As a result, cross-domain object references in that domain will not be updated and a warning to that effect will be logged on that DC's event log.






NTDOC (Administrator)
(KiX Master)
2005-11-26 10:17 PM
Re: If ingroup error

That is for a multi domain setup. Logging in security events would show who changed any settings, but unless you're saving your logs it would still be quite a pain to locate who changed it and when unless it was recently done.

How many Admins at your site have rights to modify core AD settings?


Les
(KiX Master)
2005-11-26 11:40 PM
Re: If ingroup error

I did say "can" and not "most definitely will" since there is no mention of the AD design. We run an empty root domain model where the resource domain holds all the domain admins, protecting our root.

AllOne
(Lurker)
2007-07-13 09:33 PM
Re: If ingroup error

I found the fix was to add "= 0" to your if statement. Read the following site http://www.scriptlogic.com/kixtart/htmlhelp/functions/ingroup.htm

and note:

0 InGroup checks for membership of ONE of the groups in the list (default)


Lonkero (Administrator)
(KiX Master Guru)
2007-07-13 09:36 PM
Re: If ingroup error

you are joking, right?

Les
(KiX Master)
2007-07-13 09:50 PM
Re: If ingroup error

LOL
I think he's serious. :\