[gptalk] Re: logon scripts not running
- From: "Nelson, Jamie R Contr 72 CS/SCBNF" <Jamie.Nelson.ctr@xxxxxxxxxxxxx>
- To: "'gptalk@xxxxxxxxxxxxx'" <gptalk@xxxxxxxxxxxxx>
- Date: Thu, 14 Dec 2006 08:39:13 -0600
Did you try a WScript.Sleep statement in your script as Darren suggested? I
would probably make it wait anywhere from 10-20 seconds just to ensure
everything is initialized before your script actually tries to do anything.
Since you're not getting any errors in your Application log and the problem
is only intermittent, I can't think of what else could cause this. We've
tried every setting that I know of.
If putting a delay in your script doesn't do anything, the only thing I can
think of would be to move a few of the more problematic user/computer
objects to a container where you have inheritance blocked. Then, one-by-one,
enable some of the policy settings we've suggested below and see if it does
anything. It's possible, although not likely, that some other policy is
affecting your logon script(s).
Jamie
_____
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Jeremy Hagan
Sent: Wednesday, December 13, 2006 4:47 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: logon scripts not running
On my systems this is ALWAYS blank, even when I can tell the script executed
properly. Does it matter if it is a vbscript?
RE: Userinit erros, there are none.
On 12/14/06, Nelson, Jamie R Contr 72 CS/SCBNF
<Jamie.Nelson.ctr@xxxxxxxxxxxxx <mailto:Jamie.Nelson.ctr@xxxxxxxxxxxxx> >
wrote:
It is only available on Windows XP and Vista, but the information comes from
the RSOP_ScriptCmd WMI class. When you use an actual RSOP console, drill
down to your script(s) section and scroll over a bit to the right. It is
right there under the "Last Executed" column. Or, if you use the Group
Policy Results wizard in GPMC, drill down into the resultant report and will
be listed under the "Last Run" column of the scripts section in question.
Jamie
_____
From: gptalk-bounce@xxxxxxxxxxxxx <mailto:gptalk-bounce@xxxxxxxxxxxxx>
[mailto:gptalk-bounce@xxxxxxxxxxxxx <mailto:gptalk-bounce@xxxxxxxxxxxxx> ]
On Behalf Of Darren Mar-Elia
Sent: Wednesday, December 13, 2006 9:09 AM
To: gptalk@xxxxxxxxxxxxx <mailto:gptalk@xxxxxxxxxxxxx>
Subject: [gptalk] Re: logon scripts not running
Where does RSOP list this? RSOP is stored in WMI, not in that registry entry
shown below. So, do you actually see this in an RSOP report? I don't
remember ever seeing it.
From: gptalk-bounce@xxxxxxxxxxxxx <mailto:gptalk-bounce@xxxxxxxxxxxxx>
[mailto:gptalk-bounce@xxxxxxxxxxxxx <mailto:gptalk-bounce@xxxxxxxxxxxxx> ]
On Behalf Of Nelson, Jamie R Contr 72 CS/SCBNF
Sent: Wednesday, December 13, 2006 6:21 AM
To: ' gptalk@xxxxxxxxxxxxx <mailto:gptalk@xxxxxxxxxxxxx> '
Subject: [gptalk] Re: logon scripts not running
RSOP does track the actual execution time, but as Jeremy mentioned it is
blank a lot of the time for some reason. I have yet to figure out why.
...Actually I spoke too soon. I just found it.
RSoP does not list an execute time for scripts.
Cause: RSoP shows a blank execution time for one of two reasons:
1.
A script has failed to run. If this is the case, an entry appears in the
Application event log, with the script name and the reason for the failure.
2.
The script has not run yet.
Forgive me for not going back through this entire thread, but did you say
whether or not you were getting Userinit errors in your application log?
Jamie
_____
From: gptalk-bounce@xxxxxxxxxxxxx <mailto:gptalk-bounce@xxxxxxxxxxxxx>
[mailto:gptalk-bounce@xxxxxxxxxxxxx <mailto:gptalk-bounce@xxxxxxxxxxxxx> ]
On Behalf Of Jeremy Hagan
Sent: Tuesday, December 12, 2006 11:09 PM
To: gptalk@xxxxxxxxxxxxx <mailto:gptalk@xxxxxxxxxxxxx>
Subject: [gptalk] Re: logon scripts not running
What I am after is some indication about whether or when or what the result
was of the script execution. Inside the script, just about the first
statement logs an event to the Application log and when the script fails I
don't event get that. I just figured there would be some way that the OS
tracks the actual execution of the script. So far I can't find anything
that shows this.
On 12/13/06, Darren Mar-Elia < darren@xxxxxxxxxx <mailto:darren@xxxxxxxxxx>
> wrote:
Not sure that is actually what you're after. Those keys are populated when
GP is processed and I don't know if they actually reflect the actual
execution of the script.
From: gptalk-bounce@xxxxxxxxxxxxx <mailto:gptalk-bounce@xxxxxxxxxxxxx>
[mailto:gptalk-bounce@xxxxxxxxxxxxx <mailto:gptalk-bounce@xxxxxxxxxxxxx> ]
On Behalf Of Jeremy Hagan
Sent: Tuesday, December 12, 2006 7:57 PM
To: gptalk@xxxxxxxxxxxxx <mailto:gptalk@xxxxxxxxxxxxx>
Subject: [gptalk] Re: logon scripts not running
Actually I just found it. ExecTime in
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\Scripts\Logon\0
\0
But it just shows as all zeros
On 12/13/06, Jeremy Hagan < jeremyahagan@xxxxxxxxx
<mailto:jeremyahagan@xxxxxxxxx> > wrote:
Darren,
You mentioned that RSOP logs the last execute time of the script. I have
found the column in the RSOP MMC and it is blank (even though the script was
executed). Any ideas where this info is stored? It would be useful to be
able to programatically log in the event of a failure...
On 12/13/06, Darren Mar-Elia < darren@xxxxxxxxxx <mailto:darren@xxxxxxxxxx>
> wrote:
One of these days I'm going to build a tool for better troubleshooting this
stuff. The problem is that script execution is actually completely separate
from Group Policy processing, so all of the normal tools for troubleshooting
policy problems don't apply. Typically intermittent problems in scripts are
caused by timing issues. The only thing I might suggest is that you put a
sleep statement of some kind into your script so that it waits a little
longer before doing the important stuff.
From: gptalk-bounce@xxxxxxxxxxxxx <mailto:gptalk-bounce@xxxxxxxxxxxxx>
[mailto:gptalk-bounce@xxxxxxxxxxxxx <mailto:gptalk-bounce@xxxxxxxxxxxxx> ]
On Behalf Of Jeremy Hagan
Sent: Tuesday, December 12, 2006 3:27 PM
To: gptalk@xxxxxxxxxxxxx <mailto:gptalk@xxxxxxxxxxxxx>
Subject: [gptalk] Re: logon scripts not running
Yes the script ALWAYS runs properly when you kick it off manually. In fact
I have deployed an All Users startup shortcut that detects the absence of
the mapped drive, kicks off the script from it's sysvol location and then
collect a bunch of data for troubleshooting purposes. Note the intermittent
nature of the problem. Most of the time it runs, sometimes it doesn't.
On 12/13/06, Darren Mar-Elia < darren@xxxxxxxxxx <mailto:darren@xxxxxxxxxx>
> wrote:
Jeremy-
That registry entry below, is where Windows looks to figure out which
scripts to run. If your script is listed there, that means the policy is
getting processed. If the script is truly not running, then I would agree
with Jamie-make sure you can run the script interactively first.
From: gptalk-bounce@xxxxxxxxxxxxx <mailto:gptalk-bounce@xxxxxxxxxxxxx>
[mailto:gptalk-bounce@xxxxxxxxxxxxx <mailto:gptalk-bounce@xxxxxxxxxxxxx> ]
On Behalf Of Nelson, Jamie R Contr 72 CS/SCBNF
Sent: Tuesday, December 12, 2006 6:28 AM
To: ' gptalk@xxxxxxxxxxxxx <mailto:gptalk@xxxxxxxxxxxxx> '
Subject: [gptalk] Re: logon scripts not running
Does the script run as expected when executed manually from SYSVOL? RSOP
should show you the last time a script was executed by policy, but other
than that I don't know how you would capture an exit code. I don't think
your USERENV log would show that, but it might.
Jamie Nelson
_____
From: gptalk-bounce@xxxxxxxxxxxxx <mailto:gptalk-bounce@xxxxxxxxxxxxx>
[mailto:gptalk-bounce@xxxxxxxxxxxxx <mailto:gptalk-bounce@xxxxxxxxxxxxx> ]
On Behalf Of Jeremy Hagan
Sent: Monday, December 11, 2006 5:27 PM
To: gptalk@xxxxxxxxxxxxx <mailto:gptalk@xxxxxxxxxxxxx>
Subject: [gptalk] Re: logon scripts not running
More on this one.
I have proved that the scrips just don't run when this failure occurs.
Loggiong shows that there are entires in the Registry under
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\Scripts\Logon\0
\0
For the script in question. I've added logging to that script that logs
execution to the client's Application event log and when the drives fail to
map I can't see any events.
How can I log/monitor the successful or failed execution of a logon script?
PS
I turned on "Always Wait for the Network" and "Run Logon Scripts
Synchronously" without any effect.
On 12/7/06, Darren Mar-Elia < darren@xxxxxxxxxx <mailto:darren@xxxxxxxxxx> >
wrote:
I think whatever you can do to isolate the problem is a good thing, so yes.
Also, I wouldn't necessarily trust that Q article below about logon script
optimization being disabled automatically under those circumstances. It
can't hurt to enable it, in any case.
From: gptalk-bounce@xxxxxxxxxxxxx <mailto:gptalk-bounce@xxxxxxxxxxxxx>
[mailto:gptalk-bounce@xxxxxxxxxxxxx <mailto:gptalk-bounce@xxxxxxxxxxxxx> ]
On Behalf Of Jeremy Hagan
Sent: Wednesday, December 06, 2006 2:41 PM
To: gptalk@xxxxxxxxxxxxx <mailto:gptalk@xxxxxxxxxxxxx>
Subject: [gptalk] Re: logon scripts not running
Yes I've thought about it (in fact I was just reading about it in your book
as we speak), but I was hoping to have some better troubleshooting to nail
down the issue before I go making tweaks. Do you think it is worthwhile
separating the login script into a GPO of its own?
On 12/7/06, Darren Mar-Elia < darren@xxxxxxxxxx <mailto:darren@xxxxxxxxxx> >
wrote:
How about trying to set the policy that forces scripts to run synchronously?
Its under computer config\admin templates\system\scripts\
From: gptalk-bounce@xxxxxxxxxxxxx <mailto:gptalk-bounce@xxxxxxxxxxxxx>
[mailto:gptalk-bounce@xxxxxxxxxxxxx <mailto:gptalk-bounce@xxxxxxxxxxxxx> ]
On Behalf Of Jeremy Hagan
Sent: Wednesday, December 06, 2006 2:20 PM
To: gptalk@xxxxxxxxxxxxx <mailto:gptalk@xxxxxxxxxxxxx>
Subject: [gptalk] Re: logon scripts not running
Gents,
A few extra points:
According to the q305293, Fast Logon Optimisation is always off when the
following conditions exist:
* When a user has a roaming user profile,a home directory, or a user
object logon script.
In our case the user has all of these things, so I guess Fast Logon
Optimisation isn't in effect even though the particular policy is set to
"Not Configured"
On the second point of the script running or not, as I previously stated, we
have put in a second script that simply logs the time and date to a text
file on the workstation's C: drive. When the symptom occurs, this script
has also failed to run.
Any more ideas?
On 12/7/06, Nelson, Jamie R Contr 72 CS/SCBNF <
<mailto:Jamie.Nelson.ctr@xxxxxxxxxxxxx> Jamie.Nelson.ctr@xxxxxxxxxxxxx>
wrote:
Jeremy,
Darren is right. This is usually the result of a race condition that occurs
when the Scripts CSE tries to run a remote script before the network has
come up. It happens a lot when using gigabit adapters because they sometimes
take a little longer to negotiate their link speed. Check out the following
KB article.
Group <http://support.microsoft.com/kb/840669> Policy application fails on
a computer that is running Windows 2000, Windows XP Service Pack 1, or
Windows XP Service Pack 2
You may also need to disable Fast Logon Optimization for your Windows XP
clients (since it is by default turned on). This is more commonly known as
the "Always wait for the network at computer startup and logon" option in
Group Policy.
Description <http://support.microsoft.com/kb/q305293/> of the Windows XP
Professional Fast Logon Optimization feature
We setup one GPO that disables Fast Logon Optimization for Windows XP and
also implements the GpNetworkStartTimeoutPolicyValue setting described in
KB840669. It seems to have fixed many of our problems, and even though GP
processing on our XP clients take a little longer at startup/logon, it is
worth it to know that your scripts are being applied consistently.
//signed//
Jamie R Nelson
Systems Engineer
Ingenium Corporation
72 CS/SCBNF
405.739.2811 (DSN 339)
_____
From: gptalk-bounce@xxxxxxxxxxxxx <mailto:gptalk-bounce@xxxxxxxxxxxxx>
[mailto:gptalk-bounce@xxxxxxxxxxxxx <mailto:gptalk-bounce@xxxxxxxxxxxxx> ]
On Behalf Of Darren Mar-Elia
Sent: Wednesday, December 06, 2006 9:05 AM
To: gptalk@xxxxxxxxxxxxx <mailto:gptalk@xxxxxxxxxxxxx>
Subject: [gptalk] Re: logon scripts not running
Jeremy-
The funny thing about scripts policy is that the running of the script
itself is actually totally disconnected from Group Policy processing. All
the Scripts CSE does is collect the information on which logon scripts it
needs to run during GP processing. That information is stored in the
registry and then I believe it's the Userinit process that runs the logon
script during logon. Typically logon scripts won't run for any number of
reasons, depending upon what they are doing and other things like the timing
of the network stack coming up, etc. What I usually suggest is to put some
kind of logging into your script to find out on which line it stops running
(or if its running at all). For example, in a batch file, the simplest way
to do that might be as below:
Echo y | Net use * /d > %temp%\log.txt
Net use p: \\myserver\public >> %temp%\log.txt
Etc.
So you get the output of each line in the file and you can look at log.txt
to see what happened.
Let us know if you need more info.
Darren
From: gptalk-bounce@xxxxxxxxxxxxx <mailto:gptalk-bounce@xxxxxxxxxxxxx>
[mailto:gptalk-bounce@xxxxxxxxxxxxx <mailto:gptalk-bounce@xxxxxxxxxxxxx> ]
On Behalf Of Jeremy Hagan
Sent: Tuesday, December 05, 2006 5:01 PM
To: gptalk@xxxxxxxxxxxxx <mailto:gptalk@xxxxxxxxxxxxx>
Subject: [gptalk] logon scripts not running
Hello All,
Ever since I have been putting in AD (since 2002) I have noticed the problem
where GPO logon scripts intermittently don't run. I've never bothered
troubleshooting it since it is so intermittent and not repeatable. I work
for a systems integration company so I'm not talking about 1 AD, but many.
Anyway, I'm currently working at a site that has been having this problem
since they put in AD about 2.5 years ago and I've taken up the challenge to
solve it.
The domain is Windows 2003, native domain and forest, that has been upgraded
from Windows 2000 AD, but no DCs remain that ever ran Windows 2000.
The login script is a VBscript that runs from a general purpose user policy
that has settings in folder redirection, and Admin Templates, but not in IE
maintenance.
We have added a second logon script that is just a batch file that logs the
fact that the script ran to a text file.
When the vbscript fails to run, the batch file also fails to run.
* We have disabled Group Policy Slow Link Detection
* We have enabled the "Allow processing across a slow network
connection" under the "Scripts Policy Processing" option
* We have enabled the "Process even if the Group Policy objects have
not changed" under the "Scripts Policy Processing" option
Servers run WS03 SP1 and clients run WinXP SP2.
We have enabled userenv logging and I can see that policy processing is
occuring for the particular policy that has the logon script, it just isn't
running the script.
I have set up a batch file in the startup folder that detects the absence of
a mapped drive and collects the Userenv.log, the last 100 System and
Application Event log entries, and a few regitry keys and other log files as
well as emailing me to let me know it fired off.
A sample userenv.log can be provided on request. Over to you guys!!
Cheers,
Jeremy.
Other related posts:
