[gptalk] Re: User not getting Logon script GPO

  • From: "Washington, Booker" <Booker.Washington@xxxxxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Wed, 6 Dec 2006 16:49:19 -0500

I can post the script, but they are just simple batch files.... And
other users are getting the policy.  So to me, the unsolved mystery is
why the GPOs themselves never show up for these users in the Applied
Group Policy settings.

Some examples of the various scripts.  Each has a separate GPO

Script 1

rem *** map drive
net use L: \\fileshare\buildops$
net use n: \\fileshare\deansuite$
net use o: \\fileshare\acct$

Script 2

@echo off
rem ****** Disconnect All Network Drives (left commented out; it would
rem ****** drop every existing mapping, persistent ones included)
rem net use * /del /yes

rem *** map drive
net use s: \\fileshare\communications$
net use n: \\fileshare\deansuite$

and on and on....

But like I said... each of these batch files is in the user logon
section of a particular GPO.  The problem is these GPOs do not show up
as being downloaded to these particular users.

So, take User A, who was in an OU that should have received Script 1.  I
move User A to another OU, where all users in that OU should receive
Script 2.  User A never receives the GPO, even though the RSOP shows
that their account is inside of the respective OU.

When I perform a GPO Modeling of that user against any DC, it shows that
the user SHOULD get the GPO, but an actual RSOP reveals that the policy
NEVER makes it to the user.

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Darren Mar-Elia
Sent: Wednesday, December 06, 2006 4:19 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: User not getting Logon script GPO

If that is the case, that seems like a problem with the script rather
than the user. Maybe you already did this but can you post the script?

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Washington, Booker
Sent: Wednesday, December 06, 2006 11:36 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: User not getting Logon script GPO

So far, my general consensus is, no matter WHERE I put these users, they
will not pick up ANY logon script policies.  I have shifted the users
around to different OUs with different logon script policies, and after
a gpupdate on the machine, and the system recognizing that it is in a
new OU, it still will not pick up the logon script policy.

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Washington, Booker
Sent: Wednesday, December 06, 2006 2:09 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: User not getting Logon script GPO

Let me add to this testing.  I set a computer startup script policy and
upon setting that in place and performing a gpupdate, and a gpresult, I
see the computer startup policy, but the logon policy will NOT
apply.....

Aarrrgghhh, I know it is something simple I am overlooking.

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Washington, Booker
Sent: Wednesday, December 06, 2006 12:43 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: User not getting Logon script GPO

Back to this problem.

When I do a GP modeling on the container that has the users where this
logon script is to be run, the model shows that they should receive the
policy.

When I do a GP results from GPMC on those same users in that OU, the
policy does not show in the applied policy settings....

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Washington, Booker
Sent: Wednesday, November 15, 2006 3:32 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: User not getting Logon script GPO

At this point, I am stumped.  Now here is another wild card to add to
the issue (just like an end user, huh, to leave out other details).

But when I was setting up the folder redirection policy, I set certain
users and computers to "Deny" the folder redirection policy.  In my
eyes, the folder redirect policy should have NOTHING to do with the
logon script GPO.  But from what I can remember, the 2nd client was
never a part of any Deny group for the folder redirect, but the other
users may have been.

But again, that deny was ONLY set for the folder redirection policy and
nothing else....

If that sheds any light on anything.

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Omar Droubi
Sent: Wednesday, November 15, 2006 3:17 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: User not getting Logon script GPO

The date is pretty old and this error is very common. I don't think you
have a FRS issue.

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Washington, Booker
Sent: Wednesday, November 15, 2006 12:10 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: User not getting Logon script GPO

On DC02, I saw the following events in the FRS log:

Event Type:       Warning
Event Source:     NtFrs
Event Category:   None
Event ID:         13508
Date:             6/18/2006
Time:             6:37:17 PM
User:             N/A
Computer:         MGT-DC02
Description:
The File Replication Service is having trouble enabling replication from
MGT-DC01 to MGT-DC02 for c:\windows\sysvol\domain using the DNS name
mgt-dc01.mgt.gt.buzz. FRS will keep retrying.
 Following are some of the reasons you would see this warning.

 [1] FRS can not correctly resolve the DNS name mgt-dc01.mgt.gt.buzz
from this computer.
 [2] FRS is not running on mgt-dc01.mgt.gt.buzz.
 [3] The topology information in the Active Directory for this replica
has not yet replicated to all the Domain Controllers.

 This event log message will appear once per connection, After the
problem is fixed you will see another event log message indicating that
the connection has been established.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Followed by:

Event Type:       Warning
Event Source:     NtFrs
Event Category:   None
Event ID:         13509
Date:             6/19/2006
Time:             6:42:03 AM
User:             N/A
Computer:         MGT-DC02
Description:
The File Replication Service has enabled replication from MGT-DC01 to
MGT-DC02 for c:\windows\sysvol\domain after repeated retries.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

On 9/25/06, I saw the following on the DS log:

Event Type:       Error
Event Source:     NTDS Replication
Event Category:   Replication
Event ID:         1863
Date:             9/25/2006
Time:             7:12:15 AM
User:             NT AUTHORITY\ANONYMOUS LOGON
Computer:         MGT-DC02
Description:
This is the replication status for the following directory partition on
the local domain controller.

Directory partition:
CN=Schema,CN=Configuration,DC=gt,DC=buzz

The local domain controller has not received replication information
from a number of domain controllers within the configured latency
interval.

Latency Interval (Hours):
24
Number of domain controllers in all sites:
1
Number of domain controllers in this site:
1

The latency interval can be modified with the following registry key.

Registry Key:
HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Replicator latency error interval (hours)

To identify the domain controllers by name, install the support tools
included on the installation CD and run dcdiag.exe.
You can also use the support tool repadmin.exe to display the
replication latencies of the domain controllers in the forest.   The
command is "repadmin /showvector /latency <partition-dn>".

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Omar Droubi
Sent: Wednesday, November 15, 2006 1:44 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: User not getting Logon script GPO

When you say edit the policy in a different window, do you mean look at
the policy under the SYSVOL folder?

I mean edit the group policy. When the window opens that will allow you
to change settings in the policy- right click the policy at the top of
the window and select properties- then select the Security tab and look
for any groups that have any denied settings.

Since the group thing may be the cause- open AD users and computers and
open the properties of the group to check the membership. When you open
AD users and computers look at the top left pane to see which Domain
Controller you are connected to.

After you see the group membership select the other DC in AD users and
computers to see if the other DC also sees the same group membership.

You wouldn't by any chance be controlling any group memberships with a
restricted group "group policy" would ya?

Also- when you added the logon script to this policy- what file path did
you specify for the logon script? Did you just open the script section
of the policy and just paste your file from the clipboard or did you
specify a server path like \\dc2\netlogon\deanlogonscript.vbs ?

If you just pasted the logon script into the default location of the
scripts in the GPO- I would check the sysvol location of that policy to
ensure that the logon script has been replicated to each Domain
Controller.

Check all your domain controller directory and file replication event
logs to see if there are any indications of replication errors.

Omar

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Washington, Booker
Sent: Wednesday, November 15, 2006 10:25 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: User not getting Logon script GPO

The policy has the default security settings.  I did not apply any
security filtering to the policy.

I have deleted the policy and I am creating a new one.  Interesting
about the 2nd client not being a part of the deans suite group.  I
actually put that user in the group as I was troubleshooting.  You may
be on to something because even with the new policy, it is still not
showing on the 1st client, but still showing on the 2nd client because
the Group membership when the policy was applied does not reflect her
new status as a member of the MGT deans suite group.

When you say edit the policy in a different window, do you mean look at
the policy under the SYSVOL folder?

Thanks

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Omar Droubi
Sent: Wednesday, November 15, 2006 1:16 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: User not getting Logon script GPO

The 2nd client is not a member of the "MGT Dean's Suite" security group
and he apparently gets the policy.

Does your policy have any filtering enabled? If you are using GPMC it
will only show the group that the policy is being applied to example
"Authenticated Users."

If a group is denied policy it will not show in GPMC. You will need to
edit the policy to open it in a different window and then at the top of
the window select and right click the policy and review the entire ACL
in the Security tab to see if there are any groups that are getting
denied the policy.

Omar
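
The Security-tab check Omar describes here, and the "look at the group from each DC" and Restricted Groups checks from his 1:44 PM message, can all be scripted. The following is an added example for this thread, not code posted by any participant. It assumes the RSAT GroupPolicy and ActiveDirectory modules (Windows Server 2008 R2 or later; the 2006-era GUI steps in the thread read the same data), and the GPO, group and user names are placeholders taken from the thread.

```powershell
# Added example for this thread, not code posted by any participant.
# Assumes the RSAT GroupPolicy and ActiveDirectory modules. The GPO, group
# and user names are placeholders taken from the thread.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName   = 'Dean Suite non HR user logon scripts'
$GroupName = "MGT Dean's Suite"
$UserSam   = 'rs85'

$gpo    = Get-GPO -Name $GpoName
$userDn = (Get-ADUser -Identity $UserSam).DistinguishedName

# --- 1. Deny ACEs on the GPO. GPMC's Scope tab lists only the Allow entries
#        (e.g. Authenticated Users); a Deny on "Apply Group Policy" is visible
#        only in the Delegation/Security dialog or via Get-GPPermission -All.
$denyApply = @(Get-GPPermission -Guid $gpo.Id -All |
    Where-Object { $_.Denied -and $_.Permission -eq 'GpoApply' })
foreach ($ace in $denyApply) {
    "DENY Apply Group Policy on '$($gpo.DisplayName)' for $($ace.Trustee.Name) [$($ace.Trustee.Sid)]"
}

# --- 2. Is the user (directly or through nesting) inside any denied trustee?
#        LDAP_MATCHING_RULE_IN_CHAIN resolves nested membership server-side.
#        The DN is escaped for the LDAP filter (backslash first, then ( ) *).
$ldapDn = $userDn -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'
$userGroupSids = @(Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$ldapDn)" |
    ForEach-Object { $_.SID.Value })
foreach ($ace in $denyApply) {
    if ($userGroupSids -contains $ace.Trustee.Sid.Value) {
        "$UserSam is in denied trustee '$($ace.Trustee.Name)': the GPO will be filtered out for this user"
    }
}

# --- 3. Group membership as every DC sees it. A member added on one DC is
#        invisible to clients that authenticate against a DC that has not
#        replicated the change yet.
$dcs   = (Get-ADDomainController -Filter *).HostName
$perDc = foreach ($dc in $dcs) {
    $members = @(Get-ADGroupMember -Identity $GroupName -Server $dc -Recursive |
                 Select-Object -ExpandProperty SamAccountName | Sort-Object)
    [pscustomobject]@{ DC = $dc; Members = $members }
}
$ref = $perDc[0]
foreach ($row in ($perDc | Select-Object -Skip 1)) {
    $diff = Compare-Object -ReferenceObject $ref.Members -DifferenceObject $row.Members
    if ($diff) {
        "'$GroupName' differs between $($ref.DC) and $($row.DC):"
        foreach ($d in $diff) {
            $onlyOn = if ($d.SideIndicator -eq '<=') { $ref.DC } else { $row.DC }
            "  $($d.InputObject) only on $onlyOn"
        }
    } else {
        "$($row.DC) agrees with $($ref.DC): $($row.Members.Count) members in '$GroupName'"
    }
}

# --- 4. Any GPO managing membership through Restricted Groups? Such a GPO
#        quietly reverts members added by hand in AD Users and Computers.
#        This is a plain string match on the XML report, not a parser.
Get-GPO -All | Where-Object {
    (Get-GPOReport -Guid $_.Id -ReportType Xml) -match 'RestrictedGroups'
} | ForEach-Object { "Restricted Groups configured in GPO: $($_.DisplayName)" }
```

Two things worth keeping in mind when reading the output. Group Policy filters on the groups in the user's logon token, not on the current directory contents, so a user added to (or removed from) a group after logging on keeps the old result until the next logon; `whoami /groups` on the client shows what the token actually holds. And a Deny ACE beats the Authenticated Users Allow regardless of order, which is why a GPO that is linked and "unfiltered" in the Scope tab can still be silently dropped.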
________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Washington, Booker
Sent: Wednesday, November 15, 2006 9:33 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: User not getting Logon script GPO

Ok, I reapplied the GPO, but to no avail.

 I will provide a snippet of the rsop from the two clients.  One that is
not getting the GPO first, and the 2nd snippet from the client that is.
The only outright difference I see is that DC2 is applying the
policy to the first computer and DC1 is applying the policy to the 2nd
computer.  Even though it may smell of replication, these policies have
not been changed for "months", at least the "Dean Suite non HR user
logon scripts" GPO.

First client

USER SETTINGS
--------------
    CN=rs85,OU=Users,OU=Admin-Finance,OU=Deans Suite,OU=Groups,DC=agt,DC=at,DC=buzz
    Last time Group Policy was applied: 11/15/2006 at 12:15:59 PM
    Group Policy was applied from:      mgt-dc02.mgt.gt.buzz
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
        Folder Redirection

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

        Services
            Filtering:  Not Applied (Empty)

        Test Remote Administration firewall opening
            Filtering:  Not Applied (Empty)

        Block IE 7
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups:
    ----------------------------------------------------
        Domain Users
        Everyone
        Local Access
        BUILTIN\Users
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
        LOCAL
        MGT Accounting
        MGT No Public Folder Access
        MGT Dean's Suite

    Resultant Set Of Policies for User:
    ------------------------------------

        Software Installations
        ----------------------
            N/A

        Public Key Policies
        -------------------
            N/A

        Administrative Templates
        ------------------------
            N/A

        Folder Redirection
        ------------------
            GPO: Folder Redirection
                Setting:  InstallationType:  basic
                    Grant Type:        Exclusive Rights
                    Move Type:         Contents of Local Directory moved
                    Policy Removal:    Redirect the folder back to user profile location
                    Redirecting Group: Everyone
                    Redirected Path:   \\mgt-filesrvr-01\profile$\rs85\desktop

            GPO: Folder Redirection
                Setting:  InstallationType:  basic
                    Grant Type:        Exclusive Rights
                    Move Type:         Contents of Local Directory moved
                    Policy Removal:    Redirect the folder back to user profile location
                    Redirecting Group: Everyone
                    Redirected Path:   \\mgt-filesrvr-01\profile$\rs85\my documents\My Pictures

2nd Client

USER SETTINGS
--------------
    CN=lwright7,OU=Users,OU=Admin-Finance,OU=Deans Suite,OU=Groups,DC=agt,DC=at,DC=buzz
    Last time Group Policy was applied: 11/15/2006 at 11:37:25 AM
    Group Policy was applied from:      mgt-dc01.mgt.gt.buzz
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
        Dean Suite non HR user logon scripts
        Folder Redirection

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Services
            Filtering:  Not Applied (Empty)

        Block IE 7
            Filtering:  Not Applied (Empty)

        Local Group Policy
            Filtering:  Not Applied (Empty)

        Test Remote Administration firewall opening
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups:
    ----------------------------------------------------
        Domain Users
        Everyone
        Local Access
        BUILTIN\Users
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
        LOCAL
        MGT Graduate Office
        MGT Undergraduate Office
        MGT No Public Folder Access

    Resultant Set Of Policies for User:
    ------------------------------------

        Software Installations
        ----------------------
            N/A

        Public Key Policies
        -------------------
            N/A

        Administrative Templates
        ------------------------
            N/A

        Folder Redirection
        ------------------
            GPO: Folder Redirection
                Setting:  InstallationType:  basic
                    Grant Type:        Exclusive Rights
                    Move Type:         Contents of Local Directory moved
                    Policy Removal:    Redirect the folder back to user profile location
                    Redirecting Group: Everyone
                    Redirected Path:   \\mgt-filesrvr-01\profile$\lwright7\desktop

            GPO: Folder Redirection
                Setting:  InstallationType:  basic
                    Grant Type:        Exclusive Rights
                    Move Type:         Contents of Local Directory moved
                    Policy Removal:    Redirect the folder back to user profile location
                    Redirecting Group: Everyone
                    Redirected Path:   \\mgt-filesrvr-01\profile$\lwright7\my documents\My Pictures

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Washington, Booker
Sent: Wednesday, November 15, 2006 12:05 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: User not getting Logon script GPO

I don't see any userinit event errors on the client.

I am going to remove the link, wait about 5 or so minutes to make sure
that change replicates, and re-add the link and see what happens.

What I find as weird is that one of the users in that OU gets the
policy, so that would have me conclude that it was linked correctly.

I will keep the list posted as to the progress.

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Darren Mar-Elia
Sent: Wednesday, November 15, 2006 11:52 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: User not getting Logon script GPO

Booker-

If the GPO containing the logon script doesn't even appear in the RSOP
list as "denied", that usually means one of two things. Either the GPO
is not really linked to the hierarchy containing the users or the DC
where those users are processing the GPO hasn't replicated that GPO
completely. Do you see any "userinit" error events in the application
event log on those clients?

Darren
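
Darren's two candidate causes (the GPO is not really linked where the users live, or the DC a client processes policy from holds a stale copy), together with Omar's earlier question about where the script file actually lives, can be checked from one script. The following is an added example for this thread, not code from any participant. It assumes the RSAT ActiveDirectory and GroupPolicy modules and PowerShell 3 or later; the user name rs85 and the GPO name are placeholders taken from the RSOP output quoted in the thread.

```powershell
# Added example for this thread, not code posted by any participant.
# Assumes the RSAT ActiveDirectory and GroupPolicy modules and PowerShell 3+
# (for -shr). The user and GPO names are placeholders from the thread.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$UserSam = 'rs85'
$GpoName = 'Dean Suite non HR user logon scripts'

$domain  = Get-ADDomain
$gpo     = Get-GPO -Name $GpoName
$gpoGuid = $gpo.Id.ToString('B')        # {GUID}, the form used in gPLink and SYSVOL paths
$dcs     = (Get-ADDomainController -Filter *).HostName

# --- 1. Walk the user's OU chain up to the domain and report how the GPO is
#        linked at each level. gPLink holds one "[LDAP://cn={GUID},...;<flags>]"
#        per link: 0 = enabled, 1 = link disabled, 2 = enforced, 3 = both.
#        gPOptions = 1 on a container means Block Inheritance.
$dn = (Get-ADUser -Identity $UserSam).DistinguishedName
$containers = @()
while ($dn -ne $domain.DistinguishedName -and $dn.Contains(',')) {
    $dn = $dn.Substring($dn.IndexOf(',') + 1)    # assumes no escaped commas in RDNs
    $containers += $dn
}
$linkPattern = "cn=$([regex]::Escape($gpoGuid))[^;]*;(\d)\]"
foreach ($c in $containers) {
    $obj  = Get-ADObject -Identity $c -Properties gPLink, gPOptions
    $link = if ($obj.gPLink -match $linkPattern) { "linked, flags=$($Matches[1])" } else { 'not linked' }
    [pscustomobject]@{ Container = $c; Link = $link; BlockInheritance = ($obj.gPOptions -eq 1) }
}

# --- 2. Per DC: the GPO version in AD vs. the one in SYSVOL's gpt.ini, and
#        whether the logon script files named in scripts.ini exist there.
#        A client reads both halves from the DC shown as "Group Policy was
#        applied from" in gpresult; one lagging DC affects only its clients.
foreach ($dc in $dcs) {
    $adVer   = [int](Get-ADObject -Identity $gpo.Path -Server $dc -Properties versionNumber).versionNumber
    $polPath = "\\$dc\SYSVOL\$($domain.DNSRoot)\Policies\$gpoGuid"
    $gptIni  = Join-Path $polPath 'gpt.ini'
    $sysVer  = -1
    if (Test-Path $gptIni) {
        $line = Get-Content $gptIni | Where-Object { $_ -like 'Version=*' } | Select-Object -First 1
        if ($line) { $sysVer = [int]($line -replace '^Version=', '') }
    }
    # scripts.ini lists user logon scripts under [Logon] as "<n>CmdLine=<file>";
    # bare file names are relative to User\Scripts\Logon, UNC paths are used as-is.
    $scriptsIni   = Join-Path $polPath 'User\Scripts\scripts.ini'
    $scriptStatus = @()
    if (Test-Path $scriptsIni) {
        foreach ($l in (Get-Content $scriptsIni)) {
            if ($l -match '^\d+CmdLine=(.+)$') {
                $cmd  = $Matches[1].Trim()
                $file = if ($cmd -like '\\*') { $cmd } else { Join-Path $polPath "User\Scripts\Logon\$cmd" }
                $scriptStatus += "$cmd exists=$(Test-Path $file)"
            }
        }
    }
    [pscustomobject]@{
        DC             = $dc
        ADVersion      = $adVer
        SysvolVersion  = $sysVer
        UserHalfAD     = $adVer -shr 16          # user-settings version is the high 16 bits
        UserHalfSysvol = if ($sysVer -ge 0) { $sysVer -shr 16 } else { $null }
        InSync         = ($adVer -eq $sysVer)
        LogonScripts   = ($scriptStatus -join '; ')
    }
}
```

Read the per-DC table against the "Group Policy was applied from" line of each client's gpresult. If the DC a failing client uses shows a lower SYSVOL version than AD, a missing gpt.ini, or exists=False for the script, that DC's copy is the problem even though the GPO looks fine from the DC the GPMC console happens to be connected to. A link reported with flags=1 is present but disabled, which is easy to miss in the GPMC tree.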
________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Washington, Booker
Sent: Wednesday, November 15, 2006 8:45 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: User not getting Logon script GPO

Let me add,

I "believe", for all intents and purposes, they used to get the logon script
policy, but now it does not even show as being applied.

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Washington, Booker
Sent: Wednesday, November 15, 2006 11:38 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] User not getting Logon script GPO

I have several users within a GPO that for SOME strange reason
are not getting a policy for a logon script.

For all intents and purposes, everything that I looked at says
they should be getting the policy.

The policy itself has no special security filtering.

The policy is applied to the OU where the user accounts reside
and they are logon user scripts, not Computer Configuration startup
scripts.

When I run a rsop from the user's computer, or a modeling from
within GPMC, I don't even see the policy in the list of applied or
denied policies.

The kicker.... ONE user in the OU gets the policy, while the
other 8 do not!!

What troubleshooting step am I missing?
