Title: Message
so ... 
 
[1] Where is the script supposed to be placed in this presumably segregated environment?
[2] How is the malevolent PC supposed to access the GPO, which would presumably be placed where, in this segregated environment?
__________________________________________
 
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of joe
Sent: Tuesday, February 01, 2005 8:56 AM
To: [email protected]
Subject: RE: [ActiveDir] AD startup scripts problem

Hook up two computers to a shared hub (not a switch). The one with the issue and one to do the trace from. Alternatively, hook into a mirroring port on the corporate switch.
 
Doesn't matter what you do as a normal user, it isn't a normal user running that script. Doing a network trace shows you exactly what call outs the computer does on the network and will show you
 
a. It is really calling outside of the box.
b. Is resolving the names of all of the machines properly that are involved.
c. That it is really reading the startup script.
 
Anytime you are doing network stuff, unless all of the transactions are completely encrypted say in some form of tunnel, network traces are one of the fastest ways to determine what is wrong. If you want a bad analogy, not looking at a network trace is like making guesses on what happened in a horse race based on what is up on the winners board. You know that Horse 4 didn't win, but you don't know that she was winning by 3 lengths until the last corner where she threw a shoe.
 
The trace may not tell you exactly what is going wrong, but it tells you what it is doing so you can cut out those guesses. Often though, not only will it tell you what it did, but errors it gathered on the way accessing things across the network so in a way, tells you what to really look at for the problem.
 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Abbiss, Mark
Sent: Tuesday, February 01, 2005 5:06 AM
To: [email protected]
Subject: RE: [ActiveDir] AD startup scripts problem

How can I do a network trace whilst the computer is booting up ? When I have logged on as normal user the share and files are fully accessible. I looked at my bootup log (userenv.log) and can see that the GPO is called. But I just don't know what could prevent my startup script accessing the network share.
 
Are there any other GPO settings that may be set in another GPO that could be blocking network accessing during the bootup ?
 
As I say, using the batch after logging on causes absolutely no problems.
 
This is really frustrating !!
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, 31 January 2005 17:57
To: [email protected]
Subject: RE: [ActiveDir] AD startup scripts problem

Have you done a network trace yet? If you are getting an access denied, you will see it in the trace.
 
  joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Abbiss, Mark
Sent: Monday, January 31, 2005 4:09 AM
To: [email protected]
Subject: RE: [ActiveDir] AD startup scripts problem

Just to follow up on this problem, I would like to clarify my current situation :
 
I have now determined the script is actually running during startup. The problem however remains that I am not able to run the executable from the network share location. Everything works fine if I re-code the batch command and put the EXE locally on the computer. But using UNC addresses in the batch does not work.
 
On the network share and all sub-folders I have ensured that "Domain Computer" accounts have full access.
 
If I log on to the computer with a normal domain user account and then run the batch file that is coded with UNC references, the whole process works wonderfully.
 
So where can I look to see what has failed when I configure the script to run during startup and the batch file is using UNC paths ? I have looked in the standard places (event viewer) but don't see any error messages.
 
Many thanks
 
 
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Friday, 28 January 2005 17:47
To: [email protected]
Subject: RE: [ActiveDir] AD startup scripts problem

Put it in SYSVOL
 
RH
_______________________________________
 
-----Original Message-----
From: Robert Rutherford [mailto:[EMAIL PROTECTED]On Behalf Of Robert Rutherford
Sent: Friday, January 28, 2005 11:31 AM
To: [email protected]
Subject: RE: [ActiveDir] AD startup scripts problem

the local computer's system account does process the script but here it looks like it doesn't have permissions to read the script on the 'servers' share

From: [EMAIL PROTECTED] on behalf of Rocky Habeeb
Sent: Fri 28/01/2005 16:26
To: [email protected]
Subject: RE: [ActiveDir] AD startup scripts problem

Correct me if I'm wrong, but doesn't the Local System account have full
control of the entire boot operation?  And isn't it responsible to process
the complete range of operations including network authentication and domain
based GPO processing?  And if not who is?  And if so, doesn't that mean >it<
should be processing this script?

Rocky
___________________________________________________________



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Paul Wilkinson
Sent: Friday, January 28, 2005 10:58 AM
To: [email protected]
Subject: Re: [ActiveDir] AD startup scripts problem


I *think* that you do actually have network access at the point that
computer startup scripts run.  However, you'll have a security issue
because the local system account doesn't have access to your server
share.  You could add each machine account to that share.  If one of
your computers is named Bob, add Bob$  to the ACLs of the share.  You
have to click on the "object types" button and select computers in the
window where you add the computer account.  You could also add "Domain
Computers" if you want all computers to be able to access the share with
the local system account.

I've never tried this myself, so I'm not sure if this will work.


Paul Wilkinson
865-974-0649
2422 Dunford Hall
OIT Lab Services
University of TN, Knoxville



Mark Abbiss wrote:

> I think this is it in a nutshell. When I put everything locally on the
> machine the script ran and created the report.
>
> As you say, I have no network connectivity when in the startup phase.
>
> Or is there a workaround ?
>
> Thanks for all the input
>
>
> ----Original Message Follows----
> From: <[EMAIL PROTECTED]>
> Reply-To: [email protected]
> To: [email protected]
> Subject: Re: [ActiveDir] AD startup scripts problem
> Date: Fri, 28 Jan 2005 08:05:12 -0600
>
> Hi Mark...
>
> I believe it's running at system level on startup, and I believe
> system has no network rights.
>
> John
>
> "Mark Abbiss" <[EMAIL PROTECTED]>
> Sent by: [EMAIL PROTECTED]
> 01/28/2005 07:07 AM
> Please respond to: [EMAIL PROTECTED]
> To: [email protected]
> cc:
> Subject: [ActiveDir] AD startup scripts problem
>
> I have tried everything I know but I just cannot make a script run at
> computer start up. I have successfully got it working on a user basis at
> logon but assigning it to a computer is just not working.
>
> Here is what I have done, please can someone let me know if I have
> missed something completely obvious ?!
>
> 1. Wrote a very simple batch file. Contents of batch is :
>              \\server01\analysepc.exe /output \\server01\output
>
> 2. Created the necessary share on SERVER01
> 3. Created a new domain security group and added the PC object into that
> group
> 4. Made sure that the new group had full rights on the new share and
> "output" directory
> 5. Created the GPO to run the batch file from the Computer Config section
> of the GPO. Also disabled the User Config processing section.
> 6. Linked the GPO to the OU where my PC object is held
> 7. Set the filtering to apply the GPO only to the new security group.
>
> Made sure everything was replicated and then started the computer. But
> the script does not work ! I have checked with gpresult that the policy is
> being applied and it is. If I try the command from the batch when I have
> logged on, it works !
>
> What might I be missing ?
>
> Many thanks
>
>
> List info   : http://www.activedir.org/List.aspx
> List FAQ    : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
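The thread's startup script runs as Local System and pulls an executable over a UNC path, so the ACL on that share decides who can change what runs at boot. As an added example, not part of the original thread: a Python check over the `[Startup]` section of a GPO's `Machine\Scripts\scripts.ini` that lists entries pointing at shares other than SYSVOL/NETLOGON. The domain `corp.example`, the sample file contents and the function names are assumptions made for illustration.

```python
import configparser
import re

TRUSTED_SHARES = {"sysvol", "netlogon"}        # replicated, DC-managed ACLs
UNC = re.compile(r"\\\\([^\\\s]+)\\([^\\\s]+)")  # \\server\share

def untrusted_unc(text, trusted_servers):
    """UNC (server, share) pairs in text that are not SYSVOL/NETLOGON
    on a server listed in trusted_servers (domain name or DC names)."""
    hosts = {s.lower() for s in trusted_servers}
    return [(srv, shr) for srv, shr in UNC.findall(text)
            if not (srv.lower() in hosts and shr.lower() in TRUSTED_SHARES)]

def audit_startup_scripts(ini_text, trusted_servers):
    """Map each [Startup] entry index to the off-SYSVOL UNC targets that
    its command line or parameters reference; clean entries are omitted."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str                       # keep key case as written
    cp.read_string(ini_text)
    if not cp.has_section("Startup"):
        return {}
    entries = dict(cp.items("Startup"))
    report = {}
    for key, cmd in entries.items():
        m = re.fullmatch(r"(\d+)CmdLine", key, re.IGNORECASE)
        if not m:
            continue
        params = entries.get(m.group(1) + "Parameters", "")
        hits = untrusted_unc(cmd + " " + params, trusted_servers)
        if hits:
            report[int(m.group(1))] = hits
    return report

# Constructed sample; "corp.example" and the file names are placeholders.
SAMPLE_INI = r"""
[Startup]
0CmdLine=\\server01\tools\inventory.bat
0Parameters=
1CmdLine=\\corp.example\SYSVOL\corp.example\scripts\inventory.bat
1Parameters=/quiet
2CmdLine=inventory.bat
2Parameters=/output \\server01\output
[Shutdown]
0CmdLine=\\server01\tools\cleanup.bat
"""

# The batch line quoted in the thread, checked the same way.
THREAD_BATCH = r"\\server01\analysepc.exe /output \\server01\output"
```

Entries 0 and 2 of the sample are reported; every share that shows up this way should have its write permissions reviewed, because its contents execute as Local System on each computer the GPO applies to. The check reads only `scripts.ini`, so a batch file's own contents need a separate pass with `untrusted_unc`.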