Page 1 of 1 1
Topic Options
#200750 - 2010-11-24 04:42 PM Basic script not running via GPO for 1 user only
JTT Offline
Fresh Scripter

Registered: 2002-10-14
Posts: 32
Loc: Utah
I've been digging through the posts to see if I could find the answer to my question but so far I've been coming up short.

I'm working with a new client in which I inherited an existing Windows 2008 domain. Even though they had AD set up they were not actually logging onto the domain, the company before was just using AD for their Exchange. So I've connected them to the domain and set up a very simple logon script using the Kix 4.61 just mapping drives based on user groups.

The problem that I'm having is that one of the users, one of the original users, does not get the drive mappings from the GPO. I can however run the same command from the prompt that is set in the GPO (\\server\netlogon\wkix32.exe \\server\netlogon\logon.kix) and the mappings will occur. I've checked GPRESULT and it shows the group memeberships for the user and it shows the policy has been replied.

As a bandaid I've just added a batch script to her logon script to run the command above. I've seen mention in the forums about the group membership cache and using a /f option on the command, but if I can run the script from the command line would that be the problem? I can also log on as another user to the same computer and get the drive mappings, so it appears to be something related to this particular user.

Anyone have any suggestions?

Thanks in advance,

JTT

Top
#200753 - 2010-11-24 07:24 PM Re: Basic script not running via GPO for 1 user only [Re: JTT]
Glenn Barnas Administrator Offline
KiX Supporter
*****

Registered: 2003-01-28
Posts: 4396
Loc: New Jersey
Is this user in the same OU as other users that work?
Does the problem happen on specific computers, or all computers?
Have you checked the security on the GPO? I've found clients who have specific users excluded.

The group membership cache is usually only an issue right after group memberships change. Flushing it won't hurt, but may not help, either.

Specifying "\\server\netlogon..." isn't a good idea as it puts all the load and dependencies on one server. "\\DOMAIN_NAME\netlogon\..." will always use the first-responding DC.

Glenn
_________________________
Actually I am a Rocket Scientist! \:D

Top
#200755 - 2010-11-24 07:49 PM Re: Basic script not running via GPO for 1 user only [Re: Glenn Barnas]
JTT Offline
Fresh Scripter

Registered: 2002-10-14
Posts: 32
Loc: Utah
Glenn-

The user is in the same OU as the other users and from what I've been told the problem exists on other computers. However I have not verified that with this users account am basing that off me requesting she try from one of the other computers.

The GPO is new so there aren't any excluded users, I even tried to add her specifically with no success. As mentioned the RSOP data shows that the Logon GPO has been applied to her user account.

Thanks for the heads up on using the domain in the GPO. This client is fairly small at this time and only has the one server, but this will be good for some other installations that I'll be setting up in the near future.

Top
#200756 - 2010-11-24 08:03 PM Re: Basic script not running via GPO for 1 user only [Re: JTT]
Glenn Barnas Administrator Offline
KiX Supporter
*****

Registered: 2003-01-28
Posts: 4396
Loc: New Jersey
\:\) Small or not, treating all configurations the same way builds a foundation that will support them when they grow. More importantly, it preserves your sanity (and hair!) by creating consistency among your clients.

I generally avoid using GPO for login processing because it runs in a different context than the user. We pretty much use GPOs for security policy and admin tasks (installs, settings, etc) and use the User Profile to define the login script to map resources, display messages, and perform user-specific tasks (ie - perform tasks that the user is supposed to complete, like email profile setup, email sig creation, and such).

I assume your GPO references "kix32.exe logon.kix" from the netlogon folder. What happens to the user if you run a batch file instead - does the BAT file execute? Can the BAT file execute the kix script?

Do you have policies in place to run the logon synchronously? That may help to insure that the network is ready before running any scripts.

Glenn
_________________________
Actually I am a Rocket Scientist! \:D

Top
#200811 - 2010-11-26 10:42 PM Re: Basic script not running via GPO for 1 user only [Re: Glenn Barnas]
JTT Offline
Fresh Scripter

Registered: 2002-10-14
Posts: 32
Loc: Utah
Glenn-

Agreed, I try to do everything standard across all sites and try not to do anything that anyone following behind me can't figure out quickly.

I'll have to try having a batch script call the logon script, unfortunately the client is closed until Monday so that testing will have to wait until then.

How do you run the kix script from the User Profile? Back in the XP days I use to run a logon script bat file that would call the kix from the Profile properties in AD, but we couldn't get it to work with an different client and Windows 7. When I set this client up I read on the forums that using GPO was the way to go with Windows 7.

You are correct in that the GPO points to the executable and the script located in the netlogon folder.


-JTT

Top
#200813 - 2010-11-27 12:42 AM Re: Basic script not running via GPO for 1 user only [Re: JTT]
Glenn Barnas Administrator Offline
KiX Supporter
*****

Registered: 2003-01-28
Posts: 4396
Loc: New Jersey
Unless you have Win-9x systems, there's no need for a batch file. I'm not sure what forum you were reading, but that's not advice I'd give, and I have worked on some global enterprise environments. GPO logon script for computer and admin tasks and login script via profile for user/environment setup. This way, everything runs in the appropriate context.

I generally install our login script into the netlogon folder, customize the login.ini, and define one user to have "kix32.exe kixtart.kix" in the login script field of their profile. If that works as defined, I'll select groups of user with similar configurations in ADUC, edit the properties and change the login script setting for all of them. Our login script works on all platforms, from W2k to 2K8 and W7. In small environments (under 20 resource mappings and no lookups), it runs in sub-second times. We've actually had to allow admins to specify a "minimum display time" so the screen is visible for at least 5-6 seconds. In a large environment - 50+ resoureces and multiple 500-item lookup tables, it still runs in under 10 seconds. By eliminating custom coding (the login script is tokenized and the same script used at every client) and using a config file, I can usually have a login script installed and configured at a new client in a few minutes. At one client, I replaced 435 individual script files with a single script and config file in just a few days of review of existing scripts and change-control meetings.

Glenn
_________________________
Actually I am a Rocket Scientist! \:D

Top
#200941 - 2010-11-30 06:25 PM Re: Basic script not running via GPO for 1 user only [Re: Glenn Barnas]
JTT Offline
Fresh Scripter

Registered: 2002-10-14
Posts: 32
Loc: Utah
Glenn-

Thanks for the information, I didn't realize I could call the script from the profile like that. One thing I noticed with my test is that the drives are almost immediately available compared to when using the GPO.

Now I have something interesting to add on the original problem. The one user that will not map using Kix and the GPO can map using a bat file, I even changed the bat file to call the kix script, the same as the GPO is doing from netlogon and it works. However if I put just "kix32.exe logon.kix" in this users profile she will not get the drive mappings.

This just adds to my confusion now. What would be stopping this one user from running the kix script? The user is a domain admin so I don't think it's a rights issue.

-Jason

Top
#200946 - 2010-11-30 10:44 PM Re: Basic script not running via GPO for 1 user only [Re: JTT]
Glenn Barnas Administrator Offline
KiX Supporter
*****

Registered: 2003-01-28
Posts: 4396
Loc: New Jersey
How are you managing your script? Are the Kix32.exe and Login.kix only on the netlogon share?

Do you tokenize your script to protect it? If so, see if an instance of kix32 exists on her PC - either remove it or make sure its the same version as that in the netlogon folder. The netlogon folder is SUPPOSED to be first in the path during logon, protecting against local copies of scripts taking precedence.

You say she won't get the drive mappings.. do you have evidence that the script runs but does not map, or is the script not mapping? Scan her PC for a copy of login.kix and rename/delete any that are found.

What's the OS and SP level of her PC?

Why is the user a domain admin?

Change her profile to run "test.bat", then create test.bat with the following:
 Code:
@Set > %TEMP%\env.txt
Have her log in, then check that file.. post the contents here as it may provide some insight as to what's going on.

Glenn
_________________________
Actually I am a Rocket Scientist! \:D

Top
#200970 - 2010-12-01 05:23 PM Re: Basic script not running via GPO for 1 user only [Re: Glenn Barnas]
JTT Offline
Fresh Scripter

Registered: 2002-10-14
Posts: 32
Loc: Utah
Yes both the executable and the script are in the netlogon folder. At this point I'm not tokenizing the script, however I'm not sure if there is a copy of kix running on the machine that she uses since it's been in use before my involvment with this company. The problem does seem to follow the user because when we log her into a new machine that I know does not have kix installed the same thing happens, no drive mappings.

I have no proof that the script is running when the mappings don't occur, I could create a script with a pause or a window pop-up to test this. All the PC's are running Windows 7 Professional.

I did discover that there are two other users, users created before me, that have the same problem. I will be back on that site tomorrow and I will get you the information.

Thanks again for all your help on this.

Top
#200972 - 2010-12-01 05:55 PM Re: Basic script not running via GPO for 1 user only [Re: JTT]
JTT Offline
Fresh Scripter

Registered: 2002-10-14
Posts: 32
Loc: Utah
Glenn-

I was actually able to set up a remote session to a computer that is not in use yet and pulled this with the test.bat. Below is the contents of the env.txt file.

 Code:
ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\bprice\AppData\Roaming
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=VRX-STN12
ComSpec=C:\Windows\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Users\bprice
LOCALAPPDATA=C:\Users\bprice\AppData\Local
LOGONSERVER=\\FILESERVER
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=\\FILESERVER\NETLOGON;C:\Windows\system32;C:\Windows;C:\Windows
System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program
Files\Intel\DMIX;C:\Program Files\NTRU Cryptosystems\NTRU TCG Software
Stack\bin\;C:\Program Files\Wave Systems Corp\Gemalto\Access Client\v
\;C:\Program Files\Common Files\Roxio Shared\DLLShared\;C:\Program
Files\Common Files\Roxio Shared\10.0\DLLShared\;c:\Program Files\Microsoft
SQL Server\90\Tools\binn\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 23 Stepping 10, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=170a
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
PROMPT=$P$G
PSModulePath=C:\Windows\system32\WindowsPowerShell\v1.0\Modules\
PUBLIC=C:\Users\Public
RoxioCentral=C:\Program Files\Common Files\Roxio Shared\10.0\Roxio Central36\
SEE_MASK_NOZONECHECKS=1
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\bprice\AppData\Local\Temp
TMP=C:\Users\bprice\AppData\Local\Temp
USERDNSDOMAIN=VRX.LOCAL
USERDOMAIN=VRX
USERNAME=bprice
USERPROFILE=C:\Users\bprice
windir=C:\Windows


Edited by JTT (2010-12-01 06:26 PM)
Edit Reason: Modified Path so it wasn't one long line

Top
#200974 - 2010-12-01 06:44 PM Re: Basic script not running via GPO for 1 user only [Re: JTT]
Glenn Barnas Administrator Offline
KiX Supporter
*****

Registered: 2003-01-28
Posts: 4396
Loc: New Jersey
Sounds like it coulld be code..

Couple of things to track it down:
  • Use Kix32, not WKix32
  • Clear the DelayedDesktopSwitchTimeout in the registry (Create
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    DelayedDesktopSwitchTimeout - 0 - REG_DWORD) - this will allow you to see the login script actually run. Without this, the Windows "preparing your desktop" will display for up to 30 seconds while the login script runs behind that screen.
  • Include a SETCONSOLE('MAXIMIZE') with a version message and a SLEEP 10 or GET $ in the login script - this will make it visible and wait 10 seconds or until a key is pressed. This will verify that it is the correct script is running. Alternatively, use the MESSAGEBOX to display a unique version message. (This is a temporary change for debugging)
If, after this, you see that the expected script is running but not mapping drives, you'll need to start looking into the logic of the script itself.

Glenn
_________________________
Actually I am a Rocket Scientist! \:D

Top
#200976 - 2010-12-01 07:02 PM Re: Basic script not running via GPO for 1 user only [Re: JTT]
Glenn Barnas Administrator Offline
KiX Supporter
*****

Registered: 2003-01-28
Posts: 4396
Loc: New Jersey
 Code:
Path=\\FILESERVER\NETLOGON;C:\Windows\system32
is the important part I wanted to see.. you can see that it modified the path during logon to search the netlogon folder first. This SHOULD insure that your kix32 and .kix script are found before anything else.

This all looks OK.

Glenn
_________________________
Actually I am a Rocket Scientist! \:D

Top
#200989 - 2010-12-02 05:43 PM Re: Basic script not running via GPO for 1 user only [Re: Glenn Barnas]
JTT Offline
Fresh Scripter

Registered: 2002-10-14
Posts: 32
Loc: Utah
Glenn-

I've gone through the steps you suggested and it appears the script isn't running at all when using kix32 in the profile. I can run the same kix script if I call the script and kix32 from a bat file I place in the users profile without any errors so I'm pretty confident it's not the kix script itself. Seems to be something with the network and the users.

I have "Run logon scripts synchronously" enabled on both the computer and user configurations on the Default Domain Policy and I have the "Always wait for the network at computer startup and logon" enable on the computer configuration.

-Jason

Top
#200990 - 2010-12-02 06:09 PM Re: Basic script not running via GPO for 1 user only [Re: Glenn Barnas]
JTT Offline
Fresh Scripter

Registered: 2002-10-14
Posts: 32
Loc: Utah
Glenn-

I assume there is nothing wrong with calling the kix script from a bat file if it works. I'm just curious as to why using "kix32.exe logon.kix" in the profile tab is not working for certain users. It makes me concerned that there's a bigger issue on the network that I'm not seeing.

-Jason

Top
#200994 - 2010-12-02 09:54 PM Re: Basic script not running via GPO for 1 user only [Re: JTT]
Glenn Barnas Administrator Offline
KiX Supporter
*****

Registered: 2003-01-28
Posts: 4396
Loc: New Jersey
Jason,

Those GPO settings are good, even if they're in a bad place. ;\) You do know that the default policies should not be changed, right? (MS best practice).

Still, that's a strange issue that it runs the .BAT but not the kix. Using the BAT file will help in diagnostics.. use the SET > env.txt, followed by DIR \\domain\NETLOGON >>env.txt. This will show the environment (netlogon first in path!) and verify the ability to read the netlogon share.

Glenn
_________________________
Actually I am a Rocket Scientist! \:D

Top
#200995 - 2010-12-02 09:56 PM Re: Basic script not running via GPO for 1 user only [Re: Glenn Barnas]
Glenn Barnas Administrator Offline
KiX Supporter
*****

Registered: 2003-01-28
Posts: 4396
Loc: New Jersey
One more thought.. how many DCs on the LAN? If more than on, can you verify that the SysVol is replicating properly?

Glenn
_________________________
Actually I am a Rocket Scientist! \:D

Top
#201098 - 2010-12-07 10:41 PM Re: Basic script not running via GPO for 1 user only [Re: Glenn Barnas]
JTT Offline
Fresh Scripter

Registered: 2002-10-14
Posts: 32
Loc: Utah
Only one DC on the LAN. I'm out of state on another site, so I've had to put that one hold for the time being. Before I left I moved everyone over to use the bat script.

-Jason

Top
Page 1 of 1 1


Moderator:  Jochen, Allen, Radimus, Glenn Barnas, ShaneEP, Ruud van Velsen, Arend_, Mart 
Hop to:
Shout Box

Who's Online
0 registered and 515 anonymous users online.
Newest Members
gespanntleuchten, DaveatAdvanced, Paulo_Alves, UsTaaa, xxJJxx
17864 Registered Users

Generated in 0.073 seconds in which 0.024 seconds were spent on a total of 13 queries. Zlib compression enabled.

Search the board with:
superb Board Search
or try with google:
Google
Web kixtart.org