| kaffee |
| (Fresh Scripter) |
| 2009-10-27 06:28 PM |
Kix 4.61+ INGROUP + Windows 7
|
HI,
I am migrating to Kix 4.61 and some WK7.
I am starting to have a headache with Windows 7 + Kix 4.61 and the INGROUP command.
Just it is not working *- i have serach a lot in the net and forums and nothing a part the post #196185
Anyone can tell if INGROUP (4.61) on windows 7 (32 and 64 bits) works if yes how ?
Ps. INGROUP (4.61) works fine on XP, Windows Server 2008 Enterprise Edition 64 bits
Code:
IF INGROUP("ADMINS") = 1
AT (17,9) "Connexion \\SVRXSL02\CONSOLES "
USE W: /D /PERSISTENT
USE W: \\SVRXSL02\CONSOLES
sleep 1
ENDIF
Thanks
Kaffee
Allen
|
| (KiX Supporter) |
| 2009-10-27 09:50 PM |
Re: Kix 4.61+ INGROUP + Windows 7
|
Try this and post back your results.
Code:
? "kix:" + @kix
IF INGROUP("ADMINS")
? "In the group"
USE W: /D /PERSISTENT
? @result
? @serror
USE W: "\\SVRXSL02\CONSOLES"
? @result
? @serror
else
? "Not in Group"
ENDIF
Also, check the Eventlog for any errors that might be of use. Make sure your group name is spelled correctly.
| kaffee |
| (Fresh Scripter) |
| 2009-10-28 11:39 AM |
|
Re: Kix 4.61+ INGROUP + Windows 7
|
Hi,
Result of the script
Kix : 4.61
Not in Group
There is an event error log see below (in french) but event ID is 1789
the error is on W7 32 bits and 64 bits
The speeling name is correct as it works on XP, Windows 2008 Server
and for information our Active Directory is Windows 2000 DC's
I think that someting is missing to get a trust membership between the Server and Station
Thanks for any suggestion
Rgds,
Kaffee
Nom du journal :Application
Source : KIXTART
Date : 28/10/2009 11:20:51
ID de l’événement :1789
Catégorie de la tâche :Aucun
Niveau : Erreur
Mots clés : Classique
Utilisateur : N/A
Ordinateur : AdminSel-Win7.Xsl.Schneider-Electric.com
Description :
La description de l’ID d’événement 1789 dans la source KIXTART est introuvable. Le composant qui a déclenché cet événement n’est pas installé sur l’ordinateur local ou l’installation est endommagée. Vous pouvez installer ou réparer le composant sur l’ordinateur local.
Si l’événement provient d’un autre ordinateur, les informations d’affichage doivent être enregistrées avec l’événement.
Les informations suivantes étaient incluses avec l’événement :
GetPrimaryGroup failed Error : La relation d’approbation entre cette station de travail et le domaine principal a échoué. (0x6fd/1789)
| Mart |
| (KiX Supporter) |
| 2009-10-28 11:59 AM |
|
|
Re: Kix 4.61+ INGROUP + Windows 7
|
This came up in the past but no fix was mentioned. This does not seem to be a kix issue.
http://www.kixtart.org/forums/ubbthreads.php?ubb=showflat&Number=193933#Post193933
|
Allen
|
| (KiX Supporter) |
| 2009-10-28 01:32 PM |
|
Re: Kix 4.61+ INGROUP + Windows 7
|
If you find a solution, please post back. Looks like you are the 2nd or 3rd person with this problem.
| Mart |
| (KiX Supporter) |
| 2009-10-28 02:45 PM |
|
|
|
Re: Kix 4.61+ INGROUP + Windows 7
|
The OP of the link I posted was also on a Win2K AD so it might be some kind of compatibility issue between Win7 and Win2K AD. As Win2K AD was a baby, Win2K3 went to kindergarten and Win2K8 AD is a teenager I can imagine that some backwards compatibility between Win7 and Win2K AD is lost. Should not be but everything is possible.
| kaffee |
| (Fresh Scripter) |
| 2009-10-29 09:42 AM |
|
Re: Kix 4.61+ INGROUP + Windows 7
|
Hi,
Sorry for taking some time for reply du to tests and work.
So, In my case
Kix version : 4.61
W2K DC + Windows 2000 AD -
Clients : Windows XP, Windows Vista, Windows 7, Windows 2008 Srv : all 32 and 64 bits
My simple script is to check if some users are in a goup :
Code:
? "kix:" + @kix
IF INGROUP("ADMINS")
? "In the group"
USE W: /D /PERSISTENT
? @result
? @serror
USE W: "\\SVRXSL02\CONSOLES"
? @result
? @serror
else
? "Not in Group"
ENDIF
It work for all clients except for : Windows 7 32 and 64 bits
The Microsfot KB 262958 doesnot resolve the issue
http://support.microsoft.com/default.aspx?scid=kb;en-us;262958
But i have found something intersting:
If I do use the BuiltIN Groups : (Domain Local Groups) - IT WORKS
But NOT for Global Groups
BuitIn group List (In French)
Accès compatible Pre-Windows 2000
Administrateurs
Duplicateurs
Invités
Opérateurs de compte
Opérateurs de sauvegarde
Opérateurs de serveur
Opérateurs d'impression
Utilisateurs
Well, It is not working but i did progress a bit.
I will continue in investigating if someone has a clue i take it.
Rgds
Kaffee
| kaffee |
| (Fresh Scripter) |
| 2009-10-29 10:25 AM |
|
Re: Kix 4.61+ INGROUP + Windows 7
|
Hi again,
I have created a new DOMAIN GROUP , insert users in it and test : IT WORKS
In my case, I cannot test the Universal Groups
In conclusion for my part for Windows 7 : INGROUP doesnot work for Global Groups
If anyone has a solution for Global Groups.
Rgds,
Kaffee
| Arend_ |
| (MM club member) |
| 2009-11-01 12:48 PM |
|
|
Re: Kix 4.61+ INGROUP + Windows 7
|
Just a few notes:
1. Make sure if you added the user you are testing the INGROUP with, that that user has logged of and logged on again so his token is updated.
2. run kix32 -f (Flush tokencache) to make sure there are no errors there.
I'm also on Windows 7 and with a 2000 AD and I have no problems so far. But I'll check monday and test a few things.
|
Allen
|
| (KiX Supporter) |
| 2009-11-01 04:00 PM |
|
Re: Kix 4.61+ INGROUP + Windows 7
|
I've been doing some googling on this myself. From what I can tell this 1789 Error has been around for a long while showing itself in different places (XP, Vista) and it appears that no one knows exactly what causes the error. Rejoining the domain seemed to be the most common answer given, but did not fix the problem most times. I did find an article or two that suggested that improperly configured DNS could play a role. One solution was given that they had used their firewall as the DNS Server and changing it to the AD DNS Server fixed the problem. Someone else suggested running ADPrep.exe (located on Server 2008 CD) to add the new properties to your 2000 AD.
@Arend, please do post back on this. Glad to find someone here who has this environment.
| Arend_ |
| (MM club member) |
| 2009-11-02 09:53 AM |
|
|
|
Re: Kix 4.61+ INGROUP + Windows 7
|
Rejoining the Domain doesn't provide the answer.
The trust relationship is good. I suspect KiX handling this in a different way but I'm gonna see what I can come up with.
So far this is the Case:
Domain Local groups succeed.
Universal groups fail.
Global groups fail.
Different 1789 messages though:
Failed to resolve SID(s) Error : The trust relationship between this workstation and the primary domain failed. (0x6fd/1789)
GetPG: LookupAccountSid failed Error : The trust relationship between this workstation and the primary domain failed. (0x6fd/1789)
GetPrimaryGroup failed Error : The trust relationship between this workstation and the primary domain failed. (0x6fd/1789)
I'll play around some more.
| Arend_ |
| (MM club member) |
| 2009-11-02 10:19 AM |
|
|
|
Re: Kix 4.61+ INGROUP + Windows 7
|
Alright, update.
It's definately the way KiX looks it up.
If you try it using LDAP it works fine. for instance:
Code:
Dim $objSysInfo, $objUser, $objGroup
$objSysInfo = CreateObject("ADSystemInfo")
$objUser = GetObject("LDAP://"+$objSysInfo.userName)
$objGroup = GetObject("LDAP://CN=Domain Admins,CN=users,DC=mydomain,DC=local")
If $objGroup.IsMember($objUser.AdsPath)
? "Global Test Succeeded"
Else
? "Global Test Failed"
EndIf
| Arend_ |
| (MM club member) |
| 2009-11-02 12:28 PM |
|
|
|
Re: Kix 4.61+ INGROUP + Windows 7
|
ok as my post in the Beta group reflects, PStools's PSGetSID generates the same errors as kixtart.
This concludes that it is not KiXtart that is generating this problem.
It is the way Windows 7 talks to the AD apparantly.
As my XP clients don't have this problem.
Also, Vista and 2008 (NOT R2) don't have this problem.
I do assume that a Windows 2008 R2 server will have the same problems because it has the same core as Windows 7.
| Arend_ |
| (MM club member) |
| 2009-11-03 09:09 AM |
|
|
|
Re: Kix 4.61+ INGROUP + Windows 7
|
ok WinNT test passes as well:
Code:
Dim $objGroup
$objGroup = GetObject("WinNT://"+@LDOMAIN+"/Domain Admins")
$objGroup.GetInfo
If $objGroup.IsMember("WinNT://"+@LDOMAIN+"/"+@USERID) = -1
? "Global Test Succeeded"
Else
? "Global Test Failed"
EndIf
| Arend_ |
| (MM club member) |
| 2009-11-03 09:14 AM |
|
|
|
Re: Kix 4.61+ INGROUP + Windows 7
|
Since the GetSID fails in the psTools I figured I'll test my own Name2SID udf (as can be found in the UDF section). And all those tests pass, which means WMI works fine too.
Code:
? Name2SID(@USERID)
? Name2SID("Domain Admins")
Function Name2SID(Optional $userid,Optional $domain)
If $userid = "" $userid = @USERID EndIf
If $domain = "" $domain = @LDOMAIN EndIf
Dim $objWMIService
$objWMIService = GetObject("winmgmts:\\.\root\cimv2")
$Name2SID = $objWMIService.Get("Win32_Account.Name='"+$userid+"',Domain='"+$domain+"'").SID
If @ERROR EXIT @ERROR EndIf
EndFunction
So I can conclude the following:
When talking to the AD;
LDAP works fine.
WinNT works fine.
WMI works fine.
So I can't seem to figure out how kixtart is talking to the AD.
| Arend_ |
| (MM club member) |
| 2009-11-04 10:47 PM |
|
|
|
Re: Kix 4.61+ INGROUP + Windows 7
|
Does someone besides Ruud have any insights on how KiX actually does the Ingroup checking ?
|
Allen
|
| (KiX Supporter) |
| 2009-11-04 11:20 PM |
|
Re: Kix 4.61+ INGROUP + Windows 7
|
Has anyone else tested kix on Win 7 verses 2003 and 2008 AD? (I will be doing this in a few weeks) This information might be useful/relevant to Ruud. I sent him an email regarding this thread, so lets hope maybe he can come by and take a look.
|
Glenn Barnas
|
| (KiX Supporter) |
| 2009-11-05 04:00 AM |
|
|
Re: Kix 4.61+ INGROUP + Windows 7
|
Well, I just upgraded a bunch of our workstations to Windows 7 during this week. These are fresh installs, not "upgrades". So far, I have a pretty even mix of 32b Pro, 32b Ultimate, and 64b Ultimate. We have a Windows 2008 Native mode domain. At this point, I've not experienced any InGroup issues.
Glenn
|
NTDOC
|
| (KiX Master) |
| 2009-11-05 10:03 PM |
|
|
Re: Kix 4.61+ INGROUP + Windows 7
|
I'm wondering though if it has anything to do with some of the offered (not critical) updates that Microsoft has offered for policy stuff.
I would not expect a Native 2008 AD to have any issues, but what others appear to be seeing is due to AD 2000, 2003 which is very old even for Vista let alone Windows 7
Maybe Microsoft just missed the boat on this and it slipped by in testing.
| Ruud van Velsen |
| (Hey THIS is FUN) |
| 2009-11-09 10:50 AM |
|
Re: Kix 4.61+ INGROUP + Windows 7
|
Hi everyone,
just to let you know that I am looking into this issue. It is definitely a generic Windows 7 <--> Windows 2000 issue (as is apparent from the PsGetSid tests). KiXtart uses the LookupAccountSid API's, just like PsGetSid.
I'll let you know if/when I find a workaround.
Ruud
|
Allen
|
| (KiX Supporter) |
| 2009-11-09 02:56 PM |
|
Re: Kix 4.61+ INGROUP + Windows 7
|
Here is a really old (2002) thread that might still have some value. http://www.adminscripteditor.com/forum/printable.asp?m=687
and
the MS KB DOC
http://support.microsoft.com/kb/262958
| Tunster |
| (Just in Town) |
| 2009-11-10 12:03 PM |
|
Re: Kix 4.61+ INGROUP + Windows 7
|
We're experiencing this issue as well with our network. However, we have a mixed W2003 and W2K server AD environment.
Both of other W2K servers are pretty much defunct now. Hopefully sometime tonight or tomorrow, we're going to demote them both to test this W2K theory out. Ideally, we want to introduce our Windows 2008 servers into the AD domain, but can't do so until we raise the forest level.
| Ruud van Velsen |
| (Hey THIS is FUN) |
| 2009-11-12 03:53 PM |
|
Re: Kix 4.61+ INGROUP + Windows 7
|
Just a short update: I can now confirm this is an issue in Windows 7. It is apparently caused by the new (stricter) SMB signing settings of Windows 7.
It may be possible to work around the issue by tweaking the SMB settings, but this is clearly not for the faint-of-heart and should be carefully considered and aligned with the security guidelines you have in place.
I will update this post if and when a fix for Windows 7 is made available.
Ruud
|
Allen
|
| (KiX Supporter) |
| 2009-11-12 04:11 PM |
|
Re: Kix 4.61+ INGROUP + Windows 7
|
Thanks for the update Ruud.
| Ruud van Velsen |
| (Hey THIS is FUN) |
| 2009-11-13 09:32 AM |
|
Re: Kix 4.61+ INGROUP + Windows 7
|
And one more update: a fix for the issue is available and a Knowledgebase article on it should be published in the coming weeks. The fix will be included in an upcoming service pack for Windows 7. Until then, you can get the fix by contacting Microsoft Support and referring to 976494.
Note that there is no workaround or fix I can create in KiXtart.
Kind regards,
Ruud
|
Richard H.
|
| (KiX Supporter) |
| 2009-11-13 10:28 AM |
|
Re: Kix 4.61+ INGROUP + Windows 7
|
Good result, thanks for following up.
|
Allen
|
| (KiX Supporter) |
| 2009-11-13 03:37 PM |
|
Re: Kix 4.61+ INGROUP + Windows 7
|
So I guess there will be two versions of the patch (32, and 64bit)... anyone have support with MS and willing to contribute...
Arend?
|
NTDOC
|
| (KiX Master) |
| 2009-11-13 09:20 PM |
|
|
|
Re: Kix 4.61+ INGROUP + Windows 7
|
That type of fix should be Free from Microsoft Allen.
| Arend_ |
| (MM club member) |
| 2009-11-17 12:01 PM |
|
|
|
Re: Kix 4.61+ INGROUP + Windows 7
|
Sounds like it, I'm gonna run the test on a 32-bit machine in a minute.
I've had similar problems using WDS.
Actually pretty much the same error.
When deploying Windows 7 from a 2003 WDS server (still W2K domain)
The logon account fails.
When deploying Windows 7 from a 2008 WDS server (still W2K domain)
The logon account succeeds.
Deploy Vista or 2008 (R1) from either servers and you don't get the problem.
The error code you get in WDS is simply 0x80070056.
Which relates to exactly the same problem as KiXtart, authentication fails/invalid credentials/password/username.
Unfortunately I am sort of a Maverick in my Company, loose cannon, I'm not even yet supposed to test Windows 7, let alone ask headquarters to makea ticket for it...
| Arend_ |
| (MM club member) |
| 2009-11-17 03:35 PM |
|
|
|
Re: Kix 4.61+ INGROUP + Windows 7
|
Update: x86 Machine has the same problems.
So yeah most likely 2 different patches.
|
Allen
|
| (KiX Supporter) |
| 2009-12-01 11:24 PM |
|
Re: Kix 4.61+ INGROUP + Windows 7
|
Well... looks like the patch count is up to 4 now. Add 2008 Server 32 and 64bit to the list.
http://www.kixtart.org/forums/ubbthreads.php?ubb=showflat&Number=196923#Post196923
I wonder if this information has been passed on to MS?
|
Allen
|
| (KiX Supporter) |
| 2009-12-04 08:03 PM |
|
Re: Kix 4.61+ INGROUP + Windows 7
|
Hot off the presses...
Error 1789 when you use the LookupAccountName function on a computer that is running Windows 7 or Windows Server 2008 R2
http://support.microsoft.com/kb/976494/en-us
And you can request the hotfix online (no phone call)
http://support.microsoft.com/hotfix/KBHotfix.aspx?kbnum=976494&kbln=en-us
| Arend_ |
| (MM club member) |
| 2009-12-14 03:19 PM |
|
|
|
Re: Kix 4.61+ INGROUP + Windows 7
|
I can Confirm the fix really does fix the problem. Thanks Allen :-)
| Galeocerdo |
| (Fresh Scripter) |
| 2010-02-21 06:46 PM |
|
Re: Kix 4.61+ INGROUP + Windows 7
|
Thanks, this is going to save me a lot of grief.
| synwave7 |
| (Fresh Scripter) |
| 2010-03-31 03:40 PM |
|
|
Re: Kix 4.61+ INGROUP + Windows 7
|
Sorry I cannot lend a hand but I am trying to give back in small measure as everyone on this site is so great in thier help to me. I do agree this sounds like something to do with the AD (schema) and it's interaction with Kix. When we updated our AD to 2008 here where I work, we did have to bring microsoft in to build a special hotfix for some various issues that arose out of updating our AD to 2008. Hope this helps some.
Syn
| Dynamite Dan |
| (Fresh Scripter) |
| 2010-08-06 03:12 PM |
|
Re: Kix 4.61+ INGROUP + Windows 7
|
This should fix the ingroup function not working on Win7 of Win2k8R2 machine
http://support.microsoft.com/kb/976494
current setup AD2000 domain and win7 client, kix 4.60
after applying the hotfix the kix script and ingroup function worked
| Biggus |
| (Fresh Scripter) |
| 2010-11-12 05:36 PM |
|
Re: Kix 4.61+ INGROUP + Windows 7
|
The microsoft hotfix sorted this out for my Windows 7 and AD2000 domain
|
Allen
|
| (KiX Supporter) |
| 2011-03-11 10:18 PM |
|
Re: Kix 4.61+ INGROUP + Windows 7
|
Just curious if anyone with this problem has tried SP1 yet, to see if the fix is in fact included.
| bruheard |
| (Just in Town) |
| 2011-11-07 03:18 PM |
|
Re: Kix 4.61+ INGROUP + Windows 7
|
I applied SP1 and it seemed to work. The drives are mapped and some other policies applied, but I don't see ScriptLogic running as I log on.
| Mart |
| (KiX Supporter) |
| 2011-11-07 04:06 PM |
|
|
|
Re: Kix 4.61+ INGROUP + Windows 7
|
All you see is the welcome screen right? This is by design.
If you Google on delayeddesktopswitchtimeout you will get soem hits with a "fix" for this.