|
|
|||||||
HI, I am migrating to Kix 4.61 and some WK7. I am starting to have a headache with Windows 7 + Kix 4.61 and the INGROUP command. Just it is not working *- i have serach a lot in the net and forums and nothing a part the post #196185 Anyone can tell if INGROUP (4.61) on windows 7 (32 and 64 bits) works if yes how ? Ps. INGROUP (4.61) works fine on XP, Windows Server 2008 Enterprise Edition 64 bits Code: IF INGROUP("ADMINS") = 1 AT (17,9) "Connexion \\SVRXSL02\CONSOLES " USE W: /D /PERSISTENT USE W: \\SVRXSL02\CONSOLES sleep 1 ENDIF Thanks Kaffee |
||||||||
|
|
|||||||
Try this and post back your results. Code: ? "kix:" + @kix IF INGROUP("ADMINS") ? "In the group" USE W: /D /PERSISTENT ? @result ? @serror USE W: "\\SVRXSL02\CONSOLES" ? @result ? @serror else ? "Not in Group" ENDIF Also, check the Eventlog for any errors that might be of use. Make sure your group name is spelled correctly. |
||||||||
|
|
|||||||
Hi, Result of the script Kix : 4.61 Not in Group There is an event error log see below (in french) but event ID is 1789 the error is on W7 32 bits and 64 bits The speeling name is correct as it works on XP, Windows 2008 Server and for information our Active Directory is Windows 2000 DC's I think that someting is missing to get a trust membership between the Server and Station Thanks for any suggestion Rgds, Kaffee Nom du journal :Application Source : KIXTART Date : 28/10/2009 11:20:51 ID de l’événement :1789 Catégorie de la tâche :Aucun Niveau : Erreur Mots clés : Classique Utilisateur : N/A Ordinateur : AdminSel-Win7.Xsl.Schneider-Electric.com Description : La description de l’ID d’événement 1789 dans la source KIXTART est introuvable. Le composant qui a déclenché cet événement n’est pas installé sur l’ordinateur local ou l’installation est endommagée. Vous pouvez installer ou réparer le composant sur l’ordinateur local. Si l’événement provient d’un autre ordinateur, les informations d’affichage doivent être enregistrées avec l’événement. Les informations suivantes étaient incluses avec l’événement : GetPrimaryGroup failed Error : La relation d’approbation entre cette station de travail et le domaine principal a échoué. (0x6fd/1789) |
||||||||
|
|
|||||||
This came up in the past but no fix was mentioned. This does not seem to be a kix issue. http://www.kixtart.org/forums/ubbthreads.php?ubb=showflat&Number=193933#Post193933 |
||||||||
|
|
|||||||
If you find a solution, please post back. Looks like you are the 2nd or 3rd person with this problem. |
||||||||
|
|
|||||||
The OP of the link I posted was also on a Win2K AD so it might be some kind of compatibility issue between Win7 and Win2K AD. As Win2K AD was a baby, Win2K3 went to kindergarten and Win2K8 AD is a teenager I can imagine that some backwards compatibility between Win7 and Win2K AD is lost. Should not be but everything is possible. |
||||||||
|
|
|||||||
Hi, Sorry for taking some time for reply du to tests and work. So, In my case Kix version : 4.61 W2K DC + Windows 2000 AD - Clients : Windows XP, Windows Vista, Windows 7, Windows 2008 Srv : all 32 and 64 bits My simple script is to check if some users are in a goup : Code: ? "kix:" + @kix IF INGROUP("ADMINS") ? "In the group" USE W: /D /PERSISTENT ? @result ? @serror USE W: "\\SVRXSL02\CONSOLES" ? @result ? @serror else ? "Not in Group" ENDIF It work for all clients except for : Windows 7 32 and 64 bits The Microsfot KB 262958 doesnot resolve the issue http://support.microsoft.com/default.aspx?scid=kb;en-us;262958 But i have found something intersting: If I do use the BuiltIN Groups : (Domain Local Groups) - IT WORKS But NOT for Global Groups BuitIn group List (In French) Accès compatible Pre-Windows 2000 Administrateurs Duplicateurs Invités Opérateurs de compte Opérateurs de sauvegarde Opérateurs de serveur Opérateurs d'impression Utilisateurs Well, It is not working but i did progress a bit. I will continue in investigating if someone has a clue i take it. Rgds Kaffee |
||||||||
|
|
|||||||
Hi again, I have created a new DOMAIN GROUP , insert users in it and test : IT WORKS In my case, I cannot test the Universal Groups In conclusion for my part for Windows 7 : INGROUP doesnot work for Global Groups If anyone has a solution for Global Groups. Rgds, Kaffee |
||||||||
|
|
|||||||
Just a few notes: 1. Make sure if you added the user you are testing the INGROUP with, that that user has logged of and logged on again so his token is updated. 2. run kix32 -f (Flush tokencache) to make sure there are no errors there. I'm also on Windows 7 and with a 2000 AD and I have no problems so far. But I'll check monday and test a few things. |
||||||||
|
|
|||||||
I've been doing some googling on this myself. From what I can tell this 1789 Error has been around for a long while showing itself in different places (XP, Vista) and it appears that no one knows exactly what causes the error. Rejoining the domain seemed to be the most common answer given, but did not fix the problem most times. I did find an article or two that suggested that improperly configured DNS could play a role. One solution was given that they had used their firewall as the DNS Server and changing it to the AD DNS Server fixed the problem. Someone else suggested running ADPrep.exe (located on Server 2008 CD) to add the new properties to your 2000 AD. @Arend, please do post back on this. Glad to find someone here who has this environment. |
||||||||
|
|
|||||||
Rejoining the Domain doesn't provide the answer. The trust relationship is good. I suspect KiX handling this in a different way but I'm gonna see what I can come up with. So far this is the Case: Domain Local groups succeed. Universal groups fail. Global groups fail. Different 1789 messages though: Failed to resolve SID(s) Error : The trust relationship between this workstation and the primary domain failed. (0x6fd/1789) GetPG: LookupAccountSid failed Error : The trust relationship between this workstation and the primary domain failed. (0x6fd/1789) GetPrimaryGroup failed Error : The trust relationship between this workstation and the primary domain failed. (0x6fd/1789) I'll play around some more. |
||||||||
|
|
|||||||
Alright, update. It's definately the way KiX looks it up. If you try it using LDAP it works fine. for instance: Code: Dim $objSysInfo, $objUser, $objGroup $objSysInfo = CreateObject("ADSystemInfo") $objUser = GetObject("LDAP://"+$objSysInfo.userName) $objGroup = GetObject("LDAP://CN=Domain Admins,CN=users,DC=mydomain,DC=local") If $objGroup.IsMember($objUser.AdsPath) ? "Global Test Succeeded" Else ? "Global Test Failed" EndIf |
||||||||
|
|
|||||||
ok as my post in the Beta group reflects, PStools's PSGetSID generates the same errors as kixtart. This concludes that it is not KiXtart that is generating this problem. It is the way Windows 7 talks to the AD apparantly. As my XP clients don't have this problem. Also, Vista and 2008 (NOT R2) don't have this problem. I do assume that a Windows 2008 R2 server will have the same problems because it has the same core as Windows 7. |
||||||||
|
|
|||||||
ok WinNT test passes as well: Code: Dim $objGroup $objGroup = GetObject("WinNT://"+@LDOMAIN+"/Domain Admins") $objGroup.GetInfo If $objGroup.IsMember("WinNT://"+@LDOMAIN+"/"+@USERID) = -1 ? "Global Test Succeeded" Else ? "Global Test Failed" EndIf |
||||||||
|
|
|||||||
Since the GetSID fails in the psTools I figured I'll test my own Name2SID udf (as can be found in the UDF section). And all those tests pass, which means WMI works fine too. Code: ? Name2SID(@USERID) ? Name2SID("Domain Admins") Function Name2SID(Optional $userid,Optional $domain) If $userid = "" $userid = @USERID EndIf If $domain = "" $domain = @LDOMAIN EndIf Dim $objWMIService $objWMIService = GetObject("winmgmts:\\.\root\cimv2") $Name2SID = $objWMIService.Get("Win32_Account.Name='"+$userid+"',Domain='"+$domain+"'").SID If @ERROR EXIT @ERROR EndIf EndFunction So I can conclude the following: When talking to the AD; LDAP works fine. WinNT works fine. WMI works fine. So I can't seem to figure out how kixtart is talking to the AD. |
||||||||
|
|
|||||||
Does someone besides Ruud have any insights on how KiX actually does the Ingroup checking ? |
||||||||
|
|
|||||||
Has anyone else tested kix on Win 7 verses 2003 and 2008 AD? (I will be doing this in a few weeks) This information might be useful/relevant to Ruud. I sent him an email regarding this thread, so lets hope maybe he can come by and take a look. |
||||||||
|
|
|||||||
Well, I just upgraded a bunch of our workstations to Windows 7 during this week. These are fresh installs, not "upgrades". So far, I have a pretty even mix of 32b Pro, 32b Ultimate, and 64b Ultimate. We have a Windows 2008 Native mode domain. At this point, I've not experienced any InGroup issues. Glenn |
||||||||
|
|
|||||||
I'm wondering though if it has anything to do with some of the offered (not critical) updates that Microsoft has offered for policy stuff. I would not expect a Native 2008 AD to have any issues, but what others appear to be seeing is due to AD 2000, 2003 which is very old even for Vista let alone Windows 7 Maybe Microsoft just missed the boat on this and it slipped by in testing. |
||||||||
|
|
|||||||
Hi everyone, just to let you know that I am looking into this issue. It is definitely a generic Windows 7 <--> Windows 2000 issue (as is apparent from the PsGetSid tests). KiXtart uses the LookupAccountSid API's, just like PsGetSid. I'll let you know if/when I find a workaround. Ruud |
||||||||
|
|
|||||||
Here is a really old (2002) thread that might still have some value. http://www.adminscripteditor.com/forum/printable.asp?m=687 and the MS KB DOC http://support.microsoft.com/kb/262958 |
||||||||
|
|
|||||||
We're experiencing this issue as well with our network. However, we have a mixed W2003 and W2K server AD environment. Both of other W2K servers are pretty much defunct now. Hopefully sometime tonight or tomorrow, we're going to demote them both to test this W2K theory out. Ideally, we want to introduce our Windows 2008 servers into the AD domain, but can't do so until we raise the forest level. |
||||||||
|
|
|||||||
Just a short update: I can now confirm this is an issue in Windows 7. It is apparently caused by the new (stricter) SMB signing settings of Windows 7. It may be possible to work around the issue by tweaking the SMB settings, but this is clearly not for the faint-of-heart and should be carefully considered and aligned with the security guidelines you have in place. I will update this post if and when a fix for Windows 7 is made available. Ruud |
||||||||
|
|
|||||||
Thanks for the update Ruud. |
||||||||
|
|
|||||||
And one more update: a fix for the issue is available and a Knowledgebase article on it should be published in the coming weeks. The fix will be included in an upcoming service pack for Windows 7. Until then, you can get the fix by contacting Microsoft Support and referring to 976494. Note that there is no workaround or fix I can create in KiXtart. Kind regards, Ruud |
||||||||
|
|
|||||||
Good result, thanks for following up. |
||||||||
|
|
|||||||
So I guess there will be two versions of the patch (32, and 64bit)... anyone have support with MS and willing to contribute... Arend? |
||||||||
|
|
|||||||
That type of fix should be Free from Microsoft Allen. |
||||||||
|
|
|||||||
Sounds like it, I'm gonna run the test on a 32-bit machine in a minute. I've had similar problems using WDS. Actually pretty much the same error. When deploying Windows 7 from a 2003 WDS server (still W2K domain) The logon account fails. When deploying Windows 7 from a 2008 WDS server (still W2K domain) The logon account succeeds. Deploy Vista or 2008 (R1) from either servers and you don't get the problem. The error code you get in WDS is simply 0x80070056. Which relates to exactly the same problem as KiXtart, authentication fails/invalid credentials/password/username. Unfortunately I am sort of a Maverick in my Company, loose cannon, I'm not even yet supposed to test Windows 7, let alone ask headquarters to makea ticket for it... |
||||||||
|
|
|||||||
Update: x86 Machine has the same problems. So yeah most likely 2 different patches. |
||||||||
|
|
|||||||
Well... looks like the patch count is up to 4 now. Add 2008 Server 32 and 64bit to the list. http://www.kixtart.org/forums/ubbthreads.php?ubb=showflat&Number=196923#Post196923 I wonder if this information has been passed on to MS? |
||||||||
|
|
|||||||
Hot off the presses... Error 1789 when you use the LookupAccountName function on a computer that is running Windows 7 or Windows Server 2008 R2 http://support.microsoft.com/kb/976494/en-us And you can request the hotfix online (no phone call) http://support.microsoft.com/hotfix/KBHotfix.aspx?kbnum=976494&kbln=en-us |
||||||||
|
|
|||||||
I can Confirm the fix really does fix the problem. Thanks Allen :-) |
||||||||
|
|
|||||||
Thanks, this is going to save me a lot of grief. |
||||||||
|
|
|||||||
Sorry I cannot lend a hand but I am trying to give back in small measure as everyone on this site is so great in thier help to me. I do agree this sounds like something to do with the AD (schema) and it's interaction with Kix. When we updated our AD to 2008 here where I work, we did have to bring microsoft in to build a special hotfix for some various issues that arose out of updating our AD to 2008. Hope this helps some. Syn |
||||||||
|
|
|||||||
This should fix the ingroup function not working on Win7 of Win2k8R2 machine http://support.microsoft.com/kb/976494 current setup AD2000 domain and win7 client, kix 4.60 after applying the hotfix the kix script and ingroup function worked |
||||||||
|
|
|||||||
The microsoft hotfix sorted this out for my Windows 7 and AD2000 domain |
||||||||
|
|
|||||||
Just curious if anyone with this problem has tried SP1 yet, to see if the fix is in fact included. |
||||||||
|
|
|||||||
I applied SP1 and it seemed to work. The drives are mapped and some other policies applied, but I don't see ScriptLogic running as I log on. |
||||||||
|
|
|||||||
All you see is the welcome screen right? This is by design. If you Google on delayeddesktopswitchtimeout you will get soem hits with a "fix" for this. |