#151836 - 2005-11-18 08:08 PM
If ingroup error
|
Dan_H
Fresh Scripter
Registered: 2005-06-23
Posts: 6
|
I'm experiencing a strange problem with an if ingroup command. I'm not sure if this is AD, Kixtart, or both. Here's the script...
Code:
IF INGROUP ("Agent") = 1 ? "Checking for Agent Install..." DIM $InstalledC, $InstalledD $InstalledC = EXIST("c:\program files\patch\agent.exe") $InstalledD = EXIST("d:\program files\patch\agent.exe")
IF $InstalledC = 0 AND $InstalledD = 0 ? "Agent Not Found... Installing Agent now.... please wait" SHELL '%comspec% /c "\\server\share\setup.exe -s"' Else ? "Agent Found" ENDIF ENDIF
This script won't run if you are a member of this AD group. I checked everything that I can think of (syntax, extra spaces, etc...). So then I thought let me enumerate the group via Kixtart. Here's the script...
Code:
? "Agent" ? ENUMGROUP("Agent")
Here are the results...
Agent DOMAIN\cc_users
Now...the cc_users group is a valid group in our domain and there are several users in that group. I don't understand why it shows cc_users as the only member of that group. Does this look like an AD problem or is there something in Kixtart I'm missing? We have 20 if ingroup commands in our production login script.
Thanks for any advice.
|
Top
|
|
|
|
#151838 - 2005-11-18 08:35 PM
Re: If ingroup error
|
Dan_H
Fresh Scripter
Registered: 2005-06-23
Posts: 6
|
Ok. What are some things I can try to determine why the script won't run if you're part of the domain group?
Thanks
|
Top
|
|
|
|
#151843 - 2005-11-21 05:41 PM
Re: If ingroup error
|
Dan_H
Fresh Scripter
Registered: 2005-06-23
Posts: 6
|
First off, thanks for the quick responses!
Quote:
I don't think you'll need the "= 1" after your IF INGROUP statement. The IF INGROUP command will just step you to the next level of the IF statement if you are a member.
I've tried this both ways. With and without "= 1"
Quote:
You can flush the cache by adding a "/f" at the end of your kix32.exe string. (minus the double quotes)
I've tried this too.
Quote:
The INGROUP command can enumerate nested groups so if your users are in the CC_Users group they should be running the code. What version of KiX are you running?
I'm starting to suspect AD at this point. If I modify the script to use an existing group, it works fine. I've added 3 different groups in AD trying to get this project working and none have worked. I even simplified the script. For example...
Code:
IF INGROUP ("PMAgent") ? "You are in the PMAgent group..." ENDIF
Then I ran it with the following command
c:\kix32.exe -d PMAgent.kix /f
It just exits back out to the DOS prompt. Nothing was echoed to the DOS window.
Any thoughts?
Thanks
|
Top
|
|
|
|
#151845 - 2005-11-21 07:09 PM
Re: If ingroup error
|
Dan_H
Fresh Scripter
Registered: 2005-06-23
Posts: 6
|
Quote:
Sorry have to ask this - are you testing this script against your own account, that you just added to this group - and did you logoff and log back in before testing ?
-Shawn
Yes. I've logged off, logged on, and forced replication in AD trying to figure this behavior out. I have also tried it with another user in that group on a different machine.
One more test that was done. VBScript was used to query the domain group and it listed the members correctly.
Oh...the version we have is 4.12
Thanks
|
Top
|
|
|
|
#151850 - 2005-11-21 07:46 PM
Re: If ingroup error
|
Dan_H
Fresh Scripter
Registered: 2005-06-23
Posts: 6
|
Again everyone, thanks for all the tips. Here's the latest...
Quote:
Is your GC healthy?
I've looked at the event logs on all GC servers, nothing out of the ordinary. Is there another method you had in mind to test that? Quote:
Try to include the domain name with the groupname.
Didn't work
Quote:
Try deleting the HKEY_CURRENT_USER\Software\KiXtart\TokenCache reg key.
Didn't help. It repopulated the key as soon as I ran the script. The information was the same as before.
Quote:
It couldn't hurt to upgrade to the latest KiX version too. I would, however, verify with the "pros" about any compatibility caveats that might arise from the upgrade.
I did this by downloading and copying the newest kix32.exe to my PC and the other test PC I'm using. Didn't work.
Now I'm really starting to question AD, yet I get positive results with VBScript querying the group.
Thanks
|
Top
|
|
|
|
#151851 - 2005-11-21 07:54 PM
Re: If ingroup error
|
Howard Bullock
KiX Supporter
Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
|
KiXtart get global group references from the user authentication token. The group sids are bound to the token at logon by the global catalog server. So if you do not have a global catalog server that the user can contact you may see these types of issues.
Edited by Howard Bullock (2005-11-22 03:56 PM)
|
Top
|
|
|
|
#151853 - 2005-11-21 08:03 PM
Re: If ingroup error
|
Howard Bullock
KiX Supporter
Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
|
Oh, and you didn't tell us what was listed in the Token cache. Was the group in question listed there? Was the group in question renamed? Do other groups work or do all global groups fail? Is the group name long?
Edited by Howard Bullock (2005-11-21 08:05 PM)
|
Top
|
|
|
|
#151855 - 2005-11-22 03:42 PM
Re: If ingroup error
|
Dan_H
Fresh Scripter
Registered: 2005-06-23
Posts: 6
|
Again...my sincere thanks to everyone who responded to this post.
Quote:
Oh, and you didn't tell us what was listed in the Token cache. Was the group in question listed there? Was the group in question renamed? Do other groups work or do all global groups fail? Is the group name long?
These were wrong. They were showing some, but not all of the correct groups (no new ones).
Quote:
Is your GC healthy? Try to include the domain name with the groupname.
Nope. I took a look at the GC settings on my domain controllers and noticed that the GC checkbox was unchecked on the domain controller with the FSMO roles.
I checked the box and ran my production logon script. The TokenCache registry entry immediately filled up with the appropriate groups. And the original script ran just fine.
Not sure how that happened. We haven't had any major changes to our domain lately aside from some new employees. It only really showed up when we started this project to roll out a piece of software based on group membership.
Thanks so much everybody!
|
Top
|
|
|
|
Moderator: Jochen, Allen, Radimus, Glenn Barnas, ShaneEP, Ruud van Velsen, Arend_, Mart
|
0 registered
and 507 anonymous users online.
|
|
|