cannot run scripts on domain controler

[Guest RichGK]

I have a logon script located on a domain controler created to map a drive

to a shared resource on the same server (this is a test server for learning

purposes so the domain controler is also a file and print server). However

it fails to run.

 

When attempting to run the script manually via the client PC I get the

error message "Windows cannot access the specified device, path or file.

You may not have the appropriate permissions to access the item"

 

However, I can open the folder that the script is contained in and create

and delete items so security of that resource isn't a problem. I have also

replaced permissions on the script directly with the same result.

 

Is there a policy that is preventing scripts from being run on a domain

controler?

[Guest Meinolf Weber]

Re: cannot run scripts on domain controler

 

Hello RichGK,

 

Please post the script content here. Where did you place the script and how

will you start it, user logon script, startup script/logon script with GPO?

Is the workstation domain member and how are the share permissions and the

security settings from the shared folder?

 

Best regards

 

Meinolf Weber

Disclaimer: This posting is provided "AS IS" with no warranties, and confers

no rights.

** Please do NOT email, only reply to Newsgroups

** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> I have a logon script located on a domain controler created to map a

> drive to a shared resource on the same server (this is a test server

> for learning purposes so the domain controler is also a file and print

> server). However it fails to run.

>

> When attempting to run the script manually via the client PC I get the

> error message "Windows cannot access the specified device, path or

> file. You may not have the appropriate permissions to access the item"

>

> However, I can open the folder that the script is contained in and

> create and delete items so security of that resource isn't a problem.

> I have also replaced permissions on the script directly with the same

> result.

>

> Is there a policy that is preventing scripts from being run on a

> domain controler?

>

[Guest RichGK]

Re: cannot run scripts on domain controler

 

On 1 Apr, 22:18, Meinolf Weber <meiweb(nospam)@gmx.de> wrote:

> Hello RichGK,

>

> Please post the script content here. Where did you place the script and how

> will you start it, user logon script, startup script/logon script with GPO?

> Is the workstation domain member and how are the share permissions and the

> security settings from the shared folder?

>

> Best regards

>

> Meinolf Weber

 

The client (client01) and domain server (server01) are both in the

same domain (contoso).

 

The script is located in a folder named C:\scripts\logon.bat (shared

as scripts$, share permissions are 'everyone has full access', NTFS

permissions are Domain users have read, read and execute access,

Administrators have full access).

 

I logged onto the client PC using the domain administrator logon. The

script was set to run (\\server01\scripts\logon.bat) from the logon

script in AD user properties.

 

When the script failed to run from logging on I also mapped a drive

directly to \\Server01\scripts$ from the client01 PC and attempted to

run the file from there with the same problem. However I could create

and delete files in that folder. If I changed a text file to a .bat it

would than fail to open.

 

The script content is simply

 

NET USE P: \\server01\public$

[Guest Meinolf Weber]

Re: cannot run scripts on domain controler

 

Hello RichGK,

 

You can use the \\domain\netlogon folder for logon scripts like this, advantage

is if you have more then one dc it will be replicated automatically. Also

you do not have to configure rights, every user has read&execute on it. You

also have to specifi logon.bat in the ADUC properties.

 

What error message do you get if you run the script by hand from the share?

 

Best regards

 

Meinolf Weber

Disclaimer: This posting is provided "AS IS" with no warranties, and confers

no rights.

** Please do NOT email, only reply to Newsgroups

** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> On 1 Apr, 22:18, Meinolf Weber <meiweb(nospam)@gmx.de> wrote:

>

>> Hello RichGK,

>>

>> Please post the script content here. Where did you place the script

>> and how will you start it, user logon script, startup script/logon

>> script with GPO? Is the workstation domain member and how are the

>> share permissions and the security settings from the shared folder?

>>

>> Best regards

>>

>> Meinolf Weber

>>

> The client (client01) and domain server (server01) are both in the

> same domain (contoso).

>

> The script is located in a folder named C:\scripts\logon.bat (shared

> as scripts$, share permissions are 'everyone has full access', NTFS

> permissions are Domain users have read, read and execute access,

> Administrators have full access).

>

> I logged onto the client PC using the domain administrator logon. The

> script was set to run (\\server01\scripts\logon.bat) from the logon

> script in AD user properties.

>

> When the script failed to run from logging on I also mapped a drive

> directly to \\Server01\scripts$ from the client01 PC and attempted to

> run the file from there with the same problem. However I could create

> and delete files in that folder. If I changed a text file to a .bat it

> would than fail to open.

>

> The script content is simply

>

> NET USE P: \\server01\public$

>

[Guest RichGK]

Re: cannot run scripts on domain controler

 

On Wed, 2 Apr 2008 08:39:07 +0000 (UTC), Meinolf Weber wrote:

> Hello RichGK,

>

> You can use the \\domain\netlogon folder for logon scripts like this, advantage

> is if you have more then one dc it will be replicated automatically. Also

> you do not have to configure rights, every user has read&execute on it. You

> also have to specifi logon.bat in the ADUC properties.

>

> What error message do you get if you run the script by hand from the share?

>

> Best regards

>

> Meinolf Weber

 

Hi Meinolf,

 

I changed the location of the logon script to the Netlogon folder as you

suggested and corrected the name of the logon.bat script in the ADUC

properties. I was still getting the error but found from a search that with

the installation of IE7 you also get some added security that needs to be

edited if you want to allow scripts to be run.

 

You probably know about this already but it was in Internet options,

security and I edited the setting for 'Launching applications and unsafe

files' in the Internet zone of all places!

 

I can understand why they have done this, but I'm not convinced they have

chosen the most suitable location to place the setting. Surely the GPO is

far more suitable than IE settings?

 

Oh well I'm sure they have their reasons :)

 

Thanks for your help.