Title: Message

So it turns out that the fix in our environment for this is that Win2k machines and WinXP machines behave differently in system context at machine startup script or shutdown script execution.

 

Our Win2k machines have .VBS associated to notepad so that user execution of .VBS by simple double-click brings up a notepad with the script inside.  During startup of these machines, they process the script properly – in other words, system context executes the .VBS.  In XP, the machine would hang for the default 10 min timeout value.  Turns out execution of .VBS was bringing up a hidden notepad window.  Once it timed out, the machine logged in.  Script was never executed, obviously.  Fresh installs of XP didn’t exhibit this problem because they didn’t have the notepad association created as part of the imaging process.

 

The fix was to drop cscript.exe in front of the .vbs script path… now our XP machines appear to process the startup and shutdown scripts just fine.
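
An added example, not part of the original message: a PowerShell check that resolves which program the machine-wide `.vbs` association launches and builds the explicit `cscript.exe` command line described above. It assumes PowerShell is available on the machine being checked and that the association lives under `HKLM\SOFTWARE\Classes`; the function names and the script path are hypothetical.

```powershell
# Added example (not from the thread): report what a bare .vbs path launches machine-wide.
function Get-MachineHandler {
    param([string]$Extension = '.vbs')
    $classes = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes'

    # <ext> default value -> ProgID (for example VBSFile, or txtfile after re-association)
    $progId = (Get-ItemProperty -LiteralPath "$classes\$Extension" -ErrorAction SilentlyContinue).'(default)'
    if (-not $progId) { return $null }

    # The ProgID's shell key names the default verb; 'open' is used when it is unset
    $shell = "$classes\$progId\shell"
    $verb = (Get-ItemProperty -LiteralPath $shell -ErrorAction SilentlyContinue).'(default)'
    if (-not $verb) { $verb = 'open' }
    $cmd = (Get-ItemProperty -LiteralPath "$shell\$verb\command" -ErrorAction SilentlyContinue).'(default)'

    [pscustomobject]@{
        Extension  = $Extension
        ProgId     = $progId
        Verb       = $verb
        Command    = $cmd
        # True only when the handler is a Windows Script Host binary
        RunsScript = [bool]($cmd -match '(?i)\\(wscript|cscript)\.exe')
    }
}

function Get-ExplicitHostCommand {
    param([Parameter(Mandatory = $true)][string]$ScriptPath, [int]$TimeoutSeconds = 300)
    # //B suppresses prompts and error dialogs, //T caps run time, //NoLogo drops the banner
    $cscript = Join-Path $env:SystemRoot 'System32\cscript.exe'
    '"{0}" //B //NoLogo //T:{1} "{2}"' -f $cscript, $TimeoutSeconds, $ScriptPath
}

$h = Get-MachineHandler -Extension '.vbs'
if ($null -eq $h) {
    Write-Output 'No machine-wide .vbs association found.'
} elseif ($h.RunsScript) {
    Write-Output ('OK: .vbs -> {0} ({1})' -f $h.ProgId, $h.Command)
} else {
    # The case from the message: .vbs re-associated to an editor such as notepad
    Write-Output ('WARNING: .vbs -> {0} ({1}); a startup script given as a bare .vbs path may open there instead of running.' -f $h.ProgId, $h.Command)
}

# Hypothetical script path, for illustration only
Get-ExplicitHostCommand -ScriptPath '\\example.test\SYSVOL\example.test\scripts\startup.vbs'
```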

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Oh, Marcus (CCI-Atlanta)
Sent: Thursday, February 03, 2005 11:21 PM
To: [email protected]
Subject: RE: [ActiveDir] AD startup scripts problem

 

Does gpresult –z show a script execution time that’s current?  Also, consider the batch file is running in system context… so with that in mind, do you have any funny security settings that may be blocking batch or vbs script execution that may be generating a pop-up dialog of some sort… ?

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, February 03, 2005 6:04 PM
To: [email protected]
Subject: RE: [ActiveDir] AD startup scripts problem

 

Get the latest version of ethereal, it has a "windows" kind of mode now. Just select that package on the install.

 

Either way, spend a couple of hours with it and you will work it out pretty quickly. It is worth it for the "follow stream" function all by itself where you click on a packet and tell it to filter everything but that stream. But the filtering overall smokes netmon and the decoding of packets is at least an order of magnitude better from what I have seen. I have also been very happy in that every single trace someone has sent me regardless of what tool was used to generate the trace, ethereal has been able to open and translate for me.

 

I was just looking at the nomas tool and scanning the trace thinking, man this doesn't look very efficient. I did a resync on my test lab domain of like 30 users and I saw binds strewn all through the trace. So then I go into the filters, tell it to only show me LDAP binds, bam, I all of a sudden just have LDAP binds on the screen. How many you ask? 43.... I can't for the life of me understand why a program that only needs one bind or at most one bind per thread if it is multithreaded to bind 43 times for 30 users. I won't go into the searches other than to say I think the DN for one of the stores was retrieved a good 20+ times as well.

 

I am going to write up everything I see that doesn't seem quite right and send it to PSS.

 

   joe

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Thursday, February 03, 2005 5:41 PM
To: [email protected]
Subject: RE: [ActiveDir] AD startup scripts problem

I once tried to figure out how to use that damn thing. Netmon has the UI factor that I need <g>.

 

--Brian Desmond
[EMAIL PROTECTED]
Payton on the web! www.wpcp.org
 
v - 773.534.0034 x135
f - 773.534.8101

 


From: [EMAIL PROTECTED] on behalf of joe
Sent: Thu 2/3/2005 12:47 PM
To: [email protected]
Subject: RE: [ActiveDir] AD startup scripts problem

I would concur but say use ethereal. Much easier generally to read the traces.

 

  joe

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Tuesday, February 01, 2005 8:54 AM
To: [email protected]
Subject: RE: [ActiveDir] AD startup scripts problem

Mark-

 

If you put the problem computer, and your computer on a hub (not a switch), and use the version of netmon included with SMS, then you can run the trace. To make things easier, I’d set a filter in Netmon to only capture traffic to/from the problem host.

 

Thanks.

 

--Brian Desmond

[EMAIL PROTECTED]

Payton on the web! www.wpcp.org

 

v - 773.534.0034 x135

f - 773.534.8101

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Abbiss, Mark
Sent: Tuesday, February 01, 2005 4:06 AM
To: [email protected]
Subject: RE: [ActiveDir] AD startup scripts problem

 

How can I do a network trace whilst the computer is booting up ? When I have logged on as normal user the share and files are fully accessible. I looked at my bootup log (userenv.log) and can see that the GPO is called. But I just don't know what could prevent my startup script accessing the network share.

 

Are there any other GPO settings that may be set in another GPO that could be blocking network accessing during the bootup ?

 

As I say, using the batch after logging on causes absolutely no problems.

 

This is really frustrating !!

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Montag, 31. Januar 2005 17:57
To: [email protected]
Subject: RE: [ActiveDir] AD startup scripts problem

Have you done a network trace yet? If you are getting an access denied, you will see it in the trace.

 

  joe

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Abbiss, Mark
Sent: Monday, January 31, 2005 4:09 AM
To: [email protected]
Subject: RE: [ActiveDir] AD startup scripts problem

Just to follow up on this problem, I would like to clarify my current situation :

 

I have now determined the script is actually running during startup. The problem however remains that I am not able to run the executable from the network share location. Everything works fine if I re-code the batch command and put the EXE locally on the computer. But using UNC addresses in the batch does not work.

 

On the network share and all sub-folders I have ensured that "Domain Computer" accounts have full access.

 

If I log on to the computer with a normal domain user account and then run the batch file that is coded with UNC references, the whole process works wonderfully.

 

So where can I look to see what has failed when I configure the script to run during startup and the batch file is using UNC paths ? I have looked in the standard places (event viewer) but don't see any error messages.

 

Many thanks

 

 

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Freitag, 28. Januar 2005 17:47
To: [email protected]
Subject: RE: [ActiveDir] AD startup scripts problem

Put it in SYSVOL

 

RH

_______________________________________

 

-----Original Message-----
From: Robert Rutherford [mailto:[EMAIL PROTECTED]On Behalf Of Robert Rutherford
Sent: Friday, January 28, 2005 11:31 AM
To: [email protected]
Subject: RE: [ActiveDir] AD startup scripts problem

the local computer's system account does process the script but here it looks like it doesn't have permissions to read the script on the 'servers' share


From: [EMAIL PROTECTED] on behalf of Rocky Habeeb
Sent: Fri 28/01/2005 16:26
To: [email protected]
Subject: RE: [ActiveDir] AD startup scripts problem

Correct me if I'm wrong, but doesn't the Local System account have full
control of the entire boot operation?  And isn't it responsible to process
the complete range of operations including network authentication and domain
based GPO processing?  And if not who is?  And if so, doesn't that mean >it<
should be processing this script?

Rocky
___________________________________________________________



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Paul Wilkinson
Sent: Friday, January 28, 2005 10:58 AM
To: [email protected]
Subject: Re: [ActiveDir] AD startup scripts problem


I *think* that you do actually have network access at the point that
computer startup scripts run.  However, you'll have a security issue
because the local system account doesn't have access to your server
share.  You could add each machine account to that share.  If one of
your computers is named Bob, add Bob$  to the ACL's of the share.  You
have to click on the "object types" button and select computers in the
window where you add the computer account.  You could also add "Domain
Computers" if you want all computers to be able to access the share with
the local system account.

I've never tried this myself, so I'm not sure if this will work.


Paul Wilkinson
865-974-0649
2422 Dunford Hall
OIT Lab Services
University of TN, Knoxville



Mark Abbiss wrote:

> I think this is it in a nutshell. When I put everything locally on the
> machine the script ran and created the report.
>
> As you say, I have no network connectivity when in the startup phase.
>
> Or is there a workaround ?
>
> Thanks for all the input
>
>
> ----Original Message Follows----
> From: <[EMAIL PROTECTED]>
> Reply-To: [email protected]
> To: [email protected]
> Subject: Re: [ActiveDir] AD startup scripts problem
> Date: Fri, 28 Jan 2005 08:05:12 -0600
>
> Hi Mark...
>
> I believe it's running at system level on startup, and i believe
> system has
> no network rights.
>
> John
>
>
>
>
>
> "Mark Abbiss" <[EMAIL PROTECTED]ail.com>
> Sent by: [EMAIL PROTECTED]ail.activedir.org
> 01/28/2005 07:07 AM
> Please respond to [EMAIL PROTECTED]tivedir.org
>
> To: [email protected]
> cc:
> Subject: [ActiveDir] AD startup scripts problem
>
>
>
>
>
>
> I have tried everything I know but I just cannot make a script run at
> computer start up. I have successfully got it working on a user basis at
> logon but assigning it to a computer is just not working.
>
> Here is what I have done, please can someone let me know if I have
> missed something completely obvious ?!
>
> 1. Wrote a very simple batch file. Contents of batch is :
>              \\server01\analysepc.exe /output \\server01\output
>
> 2. Created the necessary share on SERVER01
> 3. Created a new domain security group and added the PC object into that
> group
> 4. Made sure that the new group had full rights on the new share and
> "output" directory
> 5. Created the GPO to run the batch file from the Computer Config section
> of
> the GPO. Also disabled the User Config processing section.
> 6. Linked the GPO to the OU where my PC object is held
> 7. Set the filtering to apply the GPO only to the new security group.
>
> Made sure everything was replicated and then started the computer. But
> the
> script does not work ! I have checked with gpresult that the policy is
> being
> applied and it is. If I try the command from the batch when I have logged
> on, it works !
>
> What might I be missing ?
>
> Many thanks
>
>
> List info   : http://www.activedir.org/List.aspx
> List FAQ    : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
