Help with logon scripts 2

[LawnBoy]

I'm in the process of converting from Netware to AD. I'm merely administering an OU, I don't have control of or access to the DCs.

For the life of me I can't get a user logon script to trigger. GPOs are working fine, home dir mappings are good. Scripts are located in a share I created on W2k3 R2 sp2. The user can run the script from a command prompt once logged in, so I know it's not a permissions issue.

Client is XPpro.

I'm not sure how to troubleshoot this, any suggestions?


"We must fall back upon the old axiom that when all other contingencies fail, whatever remains, however improbable, must be the truth." - Sherlock Holmes

 

[GrimR]

Are you running the script from a GPO in AD. This would be the correct way or could you put them in the netlogon folder

 

[LawnBoy]

No, the script is not a GPO. As far as I can tell, you can't assign a GPO to an individual user. I need to setup a special drive mapping for one user, and I don't want that user's group to map it.

I do not have a Netlogon folder, as I do not have access to the DCs. GPOs are processing scripts from the share that this logon script is in.


"We must fall back upon the old axiom that when all other contingencies fail, whatever remains, however improbable, must be the truth." - Sherlock Holmes

 

[GrimR]

So you want a logon script to run and to map drives to a single user. If yes, then have a look at Marks logon script in the vbscript forum.

 

[LawnBoy]

I have a script that works fine, that's not the problem. The script won't trigger when the user logs in.


"We must fall back upon the old axiom that when all other contingencies fail, whatever remains, however improbable, must be the truth." - Sherlock Holmes

 

[GrimR]

did you create the script add it to a GPO as a logon script?
add this to the top of the script, then you can check the reistry to see if it has run

'RunLogonScriptOnceADay
'==========================================================================
Dim varToday, Verify, LastRunDate
Set WshShell = CreateObject("Wscript.Shell")

varToday = Weekday(Date)
Verify = "HKLM\SOFTWARE\MyInstallsAndFixes\"

'Check if scan has run today and if so exit
LastRunDate = WshShell.RegRead(Verify & "LogonOnce")
If LastRunDate = cstr(Date) Then
WScript.Quit
Else
WshShell.RegWrite Verify & "LogonOnce",Date,"REG_SZ"
End If

 

[LawnBoy]

To repeat myself, GPOs work fine. This script will not function as needed as a GPO. I want this script to run when one single user logs in, and I'm not willing to create an OU just for this user to reside in.


"We must fall back upon the old axiom that when all other contingencies fail, whatever remains, however improbable, must be the truth." - Sherlock Holmes

 

[pagy]

As far as I can tell, you can't assign a GPO to an individual user

You could by using security filtering on the gpo and remove the authenticated users and add only that one user.



Paul
MCSE


"Two things are infinite: the universe and human stupidity; and I'm not sure about the the universe."
Albert Einstein

 

[LawnBoy]

Thanks, Paul. At first glance that looks pretty cumbersome, but if that's what I've gotta do...

Please excuse my newbie ways (I come from a Netware/*nix background), but I've gotta be missing something basic. I'm used to being able to say something like:

If <user> is a member of <group> then {whatever}

How would I do the same thing in AD/W2K3 (without loading a 3rd party interpreter, I know Kixtart will do this)? If I could say

 If user = "LawnBoy" then net use blah blah

then THAT could be placed in a GPO...

Is this possible?



"We must fall back upon the old axiom that when all other contingencies fail, whatever remains, however improbable, must be the truth." - Sherlock Holmes

 

[LawnBoy]

I guess I could create a group with a single user in it and then use GPOs, but there's gotta be a better solution.


"We must fall back upon the old axiom that when all other contingencies fail, whatever remains, however improbable, must be the truth." - Sherlock Holmes

 

[pagy]

You can do that in a vbscript, check out markdmac's login script faq faq329-5798. There is also a program called ifmember floating around on the web somewhere which you can use in a batch job.

It's not actually very complex at all to change the security filtering on a gpo. If you use the group policy management console when you look at the policy the security filtering option is in the right hand pane; and all you do is remove Authenticated users and add only the users/groups that you want that GPO to apply to. That way you can have multiple gpos linked to 1 ou but only have some gpos apply to certain groups/users who reside in that ou.

PS, I'm from a Netware background as well so I'm well aware of how awkward it can seem in windows to do what was very easy in netware.

Paul
MCSE


"Two things are infinite: the universe and human stupidity; and I'm not sure about the the universe."
Albert Einstein

 

[pagy]

Here's a link to the ifmember.exe download

http://www.microsoft.com/downloads/...Yzx3jKUBy817Rxlow7oV8iEMbbY5kSGTs9brr2VtZBw==

Paul
MCSE


"Two things are infinite: the universe and human stupidity; and I'm not sure about the the universe."
Albert Einstein

 

[LawnBoy]

Paul,
It's not that the security filters are tough to do, it's just difficult to track those settings without maintaining a static list of the policies I've done that to. And then trying to explain it to the help desk so they can duplicate it at need.

ifmember is not supported on W2k3 or XP; I'd have to load it on every machine anyway.

VBS is definitely the way to go with this, I just don't have time to get into it right now. My "Domain Admin" is supposed to be hacking something together for me.

Thanks for the suggestions.


"We must fall back upon the old axiom that when all other contingencies fail, whatever remains, however improbable, must be the truth." - Sherlock Holmes

 

[LawnBoy]

Lol, Marks script has exactly what I'm looking for, under the section Take Action Based On Login Name. I should have read the entire script (instaed of skimming it) when GrimR first suggested it.

Stars all around, sorry for wasting your time.

"We must fall back upon the old axiom that when all other contingencies fail, whatever remains, however improbable, must be the truth." - Sherlock Holmes

 

[pagy]

It's not that the security filters are tough to do, it's just difficult to track those settings without maintaining a static list of the policies I've done that to. And then trying to explain it to the help desk so they can duplicate it at need.

ah, yes I see. I obviously misunderstood you on that part.

markdmac faq on login scripts has saved me on a number of occassions and yeah vbs is the way to go.

Paul
MCSE


"Two things are infinite: the universe and human stupidity; and I'm not sure about the the universe."
Albert Einstein

 

[LawnBoy]

Well I couldn't get Mardmac's examples to work, but I did get this to fly:

Set objNetwork = WScript.CreateObject("WScript.Network")
UserString = objNetwork.UserName
If UserString = "LawnBoy" then
	objNetwork.MapNetworkDrive "R:", "\\server\share",True
End If

"We must fall back upon the old axiom that when all other contingencies fail, whatever remains, however improbable, must be the truth." - Sherlock Holmes