Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations TouchToneTommy on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

"Access Denied" Running Startup Script on Domain PC

Status
Not open for further replies.
bobcrane

bobcrane

MIS
Sep 12, 2003
17
US
I'm trying to run a .cmd file that applies the dst registry fix and runs a vbscript to apply the update.

When I start the local PC I see Event ID:1000 access denied when it tries to launch the .cmd file. Here are the details:

All scripts are in the [domain controller]\netlogon folder.

I've created an OU called DST_Fix and placed 4 test PC's in it.

I then added a GPO with the batch file in the startup script. I gave Domain Computers read, execute and Apply policy rights to the policy. I also added domain computer rights to the netlogon folder.

 
Sort by date Sort by votes
Actually, I followed the steps in that link to the "T".

But I get access denied. Even with the Domain Computers having read/execute/apply policy rights.
 
Upvote 0 Downvote
Can you determine where in the process it is failing? Is it failing on the registry import? Do your computers have the Remote Registry service enabled? Do you have Windows Firewalls enabled that may be blocking?

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at
 
Upvote 0 Downvote
That's the other tough thing, I can't see where it is failing.

The error in the log seems to indicate simply executing the script fails with access is denied. I can try breaking down the script and see if anything gets through.

I've gone ahead and shut down the firewall to get that out of the way. Remote Registry is enabled and working.

Out of curiosity I tried running the script with xcmd and my credentials and it fails as well. I am a domain admin.

Thanks for the reply.
 
Upvote 0 Downvote
bobcrane,

Do you have anything in a local or domain policy limiting who access to change the system time?

John
 
Upvote 0 Downvote
There is a default group policy at the top of the domain. It basically allows power users to add printers on their own, has some settings for RIS, and that's about it. There is an area for load/unload device drivers but I don't think that would effect things.

Out of curiosity I created a second batch file that had the following:
dir >dir.txt

I then made that the startup script.


Same failure. So it seems either it doesn't have rights to the NETLOGON folder or it doesn't have rights to launch a script against the local PC.

I see nothing in the DC log.

Thanks again for all the replies.

Bob
 
Upvote 0 Downvote
Block inheritance on your test policy.

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.
 
Upvote 0 Downvote
Blocked inheritance, same error.

Out of curiosity I took out the script and put %windir%\regedit.exe in the command script and got no error. Changing the directory caused an error (File not found) but telling it to actually apply a registry key to the PC resulted in no action whatsoever.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

DTGMI
  • Locked
  • Question
WIN 10 Pro PC & Adding back to our Network
Replies
0
Views
187
DTGMI
DTGMI
goombawaho
  • Locked
  • Question
Domain join from wifi connected laptop
Replies
4
Views
341
goombawaho
goombawaho
MattM1975
  • Locked
  • Question
Domain Admin Logon 1
Replies
2
Views
130
ADB100
ADB100
tscstl
  • Locked
  • Question
access to local folder
Replies
1
Views
119
hairlessupportmonkey
hairlessupportmonkey
DrB0b
  • Locked
  • Question
Hybrid on prem AD with Azure AD
Replies
2
Views
134
DrB0b
DrB0b

Part and Inventory Search

Sponsor

Back
Top