Page 1 of 2 12>
Topic Options
#151836 - 2005-11-18 08:08 PM If ingroup error
Dan_H Offline
Fresh Scripter

Registered: 2005-06-23
Posts: 6
I'm experiencing a strange problem with an if ingroup command. I'm not sure if this is AD, Kixtart, or both. Here's the script...

Code:
 
IF INGROUP ("Agent") = 1
? "Checking for Agent Install..."
DIM $InstalledC, $InstalledD
$InstalledC = EXIST("c:\program files\patch\agent.exe")
$InstalledD = EXIST("d:\program files\patch\agent.exe")

IF $InstalledC = 0 AND $InstalledD = 0
? "Agent Not Found... Installing Agent now.... please wait"
SHELL '%comspec% /c "\\server\share\setup.exe -s"'
Else ? "Agent Found"
ENDIF
ENDIF



This script won't run if you are a member of this AD group. I checked everything that I can think of (syntax, extra spaces, etc...). So then I thought let me enumerate the group via Kixtart. Here's the script...

Code:
 
? "Agent"
?
ENUMGROUP("Agent")



Here are the results...

Agent
DOMAIN\cc_users

Now...the cc_users group is a valid group in our domain and there are several users in that group. I don't understand why it shows cc_users as the only member of that group. Does this look like an AD problem or is there something in Kixtart I'm missing? We have 20 if ingroup commands in our production login script.

Thanks for any advice.

Top
#151837 - 2005-11-18 08:15 PM Re: If ingroup error
Lonkero Administrator Offline
KiX Master Guru
*****

Registered: 2001-06-05
Posts: 22346
Loc: OK
well, your enumgroup syntax is wrong, to start with.

EnumGroup( )

Action: Enumerates all groups of which the current user is a member.
 
Syntax: ENUMGROUP (Index)
 
Parameters: Index

A numeric value representing the group whose name you want to discover (where 0 is the first subkey).

_________________________
!

download KiXnet

Top
#151838 - 2005-11-18 08:35 PM Re: If ingroup error
Dan_H Offline
Fresh Scripter

Registered: 2005-06-23
Posts: 6
Ok. What are some things I can try to determine why the script won't run if you're part of the domain group?

Thanks

Top
#151839 - 2005-11-18 11:02 PM Re: If ingroup error
Les Offline
KiX Master
*****

Registered: 2001-06-11
Posts: 12734
Loc: fortfrances.on.ca
Have you tried flushing the cache?
_________________________
Give a man a fish and he will be back for more. Slap him with a fish and he will go away forever.

Top
#151840 - 2005-11-19 12:02 AM Re: If ingroup error
StarwarsKid Offline
Seasoned Scripter
*****

Registered: 2005-06-15
Posts: 506
Loc: Oregon, USA
I don't think you'll need the "= 1" after your IF INGROUP statement. The IF INGROUP command will just step you to the next level of the IF statement if you are a member.

You can flush the cache by adding a "/f" at the end of your kix32.exe string. (minus the double quotes)

The INGROUP command can enumerate nested groups so if your users are in the CC_Users group they should be running the code. What version of KiX are you running?

Also, try double quotes around your SHELL command syntax instead of the single quote (does the SHELLed DOS command recognize UNC paths?) You may need to run the setup file from a mapped drive.

You can also DIM your variables above the first IF statement (may clean up your code...)
_________________________
let the wise listen and add to their learning,
and let the discerning get guidance- Proverbs 1:5

Top
#151841 - 2005-11-19 12:33 AM Re: If ingroup error
Les Offline
KiX Master
*****

Registered: 2001-06-11
Posts: 12734
Loc: fortfrances.on.ca
The quotes on the SHELL line are just fine. I doubt however that the command interpeter would be required.
_________________________
Give a man a fish and he will be back for more. Slap him with a fish and he will go away forever.

Top
#151842 - 2005-11-19 01:29 AM Re: If ingroup error
StarwarsKid Offline
Seasoned Scripter
*****

Registered: 2005-06-15
Posts: 506
Loc: Oregon, USA
*BING!!!*
_________________________
let the wise listen and add to their learning,
and let the discerning get guidance- Proverbs 1:5

Top
#151843 - 2005-11-21 05:41 PM Re: If ingroup error
Dan_H Offline
Fresh Scripter

Registered: 2005-06-23
Posts: 6
First off, thanks for the quick responses!

Quote:

I don't think you'll need the "= 1" after your IF INGROUP statement. The IF INGROUP command will just step you to the next level of the IF statement if you are a member.





I've tried this both ways. With and without "= 1"

Quote:


You can flush the cache by adding a "/f" at the end of your kix32.exe string. (minus the double quotes)





I've tried this too.

Quote:


The INGROUP command can enumerate nested groups so if your users are in the CC_Users group they should be running the code. What version of KiX are you running?





I'm starting to suspect AD at this point. If I modify the script to use an existing group, it works fine. I've added 3 different groups in AD trying to get this project working and none have worked. I even simplified the script. For example...

Code:

IF INGROUP ("PMAgent")
? "You are in the PMAgent group..."
ENDIF



Then I ran it with the following command

c:\kix32.exe -d PMAgent.kix /f

It just exits back out to the DOS prompt. Nothing was echoed to the DOS window.

Any thoughts?

Thanks

Top
#151844 - 2005-11-21 05:47 PM Re: If ingroup error
Shawn Administrator Offline
Administrator
*****

Registered: 1999-08-13
Posts: 8611
Sorry have to ask this - are you testing this script against your own account, that you just added to this group - and did you logoff and log back in before testing ?

-Shawn

Top
#151845 - 2005-11-21 07:09 PM Re: If ingroup error
Dan_H Offline
Fresh Scripter

Registered: 2005-06-23
Posts: 6
Quote:

Sorry have to ask this - are you testing this script against your own account, that you just added to this group - and did you logoff and log back in before testing ?

-Shawn




Yes. I've logged off, logged on, and forced replication in AD trying to figure this behavior out. I have also tried it with another user in that group on a different machine.

One more test that was done. VBScript was used to query the domain group and it listed the members correctly.

Oh...the version we have is 4.12

Thanks

Top
#151846 - 2005-11-21 07:15 PM Re: If ingroup error
Les Offline
KiX Master
*****

Registered: 2001-06-11
Posts: 12734
Loc: fortfrances.on.ca
Is your GC healthy?
Try to include the domain name with the groupname.
_________________________
Give a man a fish and he will be back for more. Slap him with a fish and he will go away forever.

Top
#151847 - 2005-11-21 07:16 PM Re: If ingroup error
Shawn Administrator Offline
Administrator
*****

Registered: 1999-08-13
Posts: 8611
Any events in your application event log ?
Top
#151848 - 2005-11-21 07:20 PM Re: If ingroup error
Les Offline
KiX Master
*****

Registered: 2001-06-11
Posts: 12734
Loc: fortfrances.on.ca
Try deleting the HKEY_CURRENT_USER\Software\KiXtart\TokenCache reg key.
_________________________
Give a man a fish and he will be back for more. Slap him with a fish and he will go away forever.

Top
#151849 - 2005-11-21 07:31 PM Re: If ingroup error
StarwarsKid Offline
Seasoned Scripter
*****

Registered: 2005-06-15
Posts: 506
Loc: Oregon, USA
It couldn't hurt to upgrade to the latest KiX version too. I would, however, verify with the "pros" about any compatibility caveats that might arise from the upgrade.

The physical steps to upgrading, however, couldn't be simpler (if you're on a winNT - 200x network (no 9x))

Just download the newer version and call the newer version's .EXE from your batch file or your user's logon script field (which ever you're using)
_________________________
let the wise listen and add to their learning,
and let the discerning get guidance- Proverbs 1:5

Top
#151850 - 2005-11-21 07:46 PM Re: If ingroup error
Dan_H Offline
Fresh Scripter

Registered: 2005-06-23
Posts: 6
Again everyone, thanks for all the tips. Here's the latest...

Quote:


Is your GC healthy?




I've looked at the event logs on all GC servers, nothing out of the ordinary. Is there another method you had in mind to test that?
Quote:


Try to include the domain name with the groupname.




Didn't work

Quote:


Try deleting the HKEY_CURRENT_USER\Software\KiXtart\TokenCache reg key.





Didn't help. It repopulated the key as soon as I ran the script. The information was the same as before.

Quote:


It couldn't hurt to upgrade to the latest KiX version too. I would, however, verify with the "pros" about any compatibility caveats that might arise from the upgrade.




I did this by downloading and copying the newest kix32.exe to my PC and the other test PC I'm using. Didn't work.

Now I'm really starting to question AD, yet I get positive results with VBScript querying the group.

Thanks

Top
#151851 - 2005-11-21 07:54 PM Re: If ingroup error
Howard Bullock Offline
KiX Supporter
*****

Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
KiXtart get global group references from the user authentication token. The group sids are bound to the token at logon by the global catalog server. So if you do not have a global catalog server that the user can contact you may see these types of issues.

Edited by Howard Bullock (2005-11-22 03:56 PM)
_________________________
Home page: http://www.kixhelp.com/hb/

Top
#151852 - 2005-11-21 08:01 PM Re: If ingroup error
Shawn Administrator Offline
Administrator
*****

Registered: 1999-08-13
Posts: 8611
Kixtart will spit-out errors to the local (workstation) appl. event log.
Top
#151853 - 2005-11-21 08:03 PM Re: If ingroup error
Howard Bullock Offline
KiX Supporter
*****

Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
Oh, and you didn't tell us what was listed in the Token cache. Was the group in question listed there? Was the group in question renamed? Do other groups work or do all global groups fail? Is the group name long?

Edited by Howard Bullock (2005-11-21 08:05 PM)
_________________________
Home page: http://www.kixhelp.com/hb/

Top
#151854 - 2005-11-21 08:08 PM Re: If ingroup error
Les Offline
KiX Master
*****

Registered: 2001-06-11
Posts: 12734
Loc: fortfrances.on.ca
Is it a security group?
_________________________
Give a man a fish and he will be back for more. Slap him with a fish and he will go away forever.

Top
#151855 - 2005-11-22 03:42 PM Re: If ingroup error
Dan_H Offline
Fresh Scripter

Registered: 2005-06-23
Posts: 6
Again...my sincere thanks to everyone who responded to this post.

Quote:


Oh, and you didn't tell us what was listed in the Token cache. Was the group in question listed there? Was the group in question renamed? Do other groups work or do all global groups fail? Is the group name long?





These were wrong. They were showing some, but not all of the correct groups (no new ones).

Quote:

Is your GC healthy?
Try to include the domain name with the groupname.




Nope. I took a look at the GC settings on my domain controllers and noticed that the GC checkbox was unchecked on the domain controller with the FSMO roles.

I checked the box and ran my production logon script. The TokenCache registry entry immediately filled up with the appropriate groups. And the original script ran just fine.

Not sure how that happened. We haven't had any major changes to our domain lately aside from some new employees. It only really showed up when we started this project to roll out a piece of software based on group membership.

Thanks so much everybody!

Top
Page 1 of 2 12>


Moderator:  Jochen, Allen, Radimus, Glenn Barnas, ShaneEP, Ruud van Velsen, Arend_, Mart 
Hop to:
Shout Box

Who's Online
1 registered (Allen) and 466 anonymous users online.
Newest Members
gespanntleuchten, DaveatAdvanced, Paulo_Alves, UsTaaa, xxJJxx
17864 Registered Users

Generated in 0.077 seconds in which 0.026 seconds were spent on a total of 13 queries. Zlib compression enabled.

Search the board with:
superb Board Search
or try with google:
Google
Web kixtart.org