Announcement

Collapse
No announcement yet.

Can't edit group policy logon script

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Can't edit group policy logon script

    Hi all.

    I'm having an issue editing logon scripts I use in AD to map drives. They have been in place and working for years now, but this morning when I go to edit the file (its a .bat file), I get the following message:

    "Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item."

    I checked the permissions of the file and they seem fine. I'm logged in as our domain admin account so there should be no issue there. I even checked the effective permissions and they seem to check out ok.

    This is happening for all policies and as far as I know, nothing has been going on with our DC.

    I seem to remember having a similar issue once before, but can't recall exactly what caused it. I think it was something trivial, as it was resolved pretty quick.

  • #2
    Re: Can't edit group policy logon script

    How are you accessing the file?
    a) directly on a DC?
    b) via \\domain.corp?
    c) via \\dcname?

    While we're at it, what OS on the DCs and what domain functional level?
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **

    Comment


    • #3
      Re: Can't edit group policy logon script

      Originally posted by Ossian View Post
      How are you accessing the file?
      a) directly on a DC?
      b) via \\domain.corp?
      c) via \\dcname?

      While we're at it, what OS on the DCs and what domain functional level?
      Hey thanks for the quick response.

      I'm accessing the DC directly. I'm using Windows server 2003 and the domain functional level is Windows Server 2003

      Comment


      • #4
        Re: Can't edit group policy logon script

        OK, so you are going to C:\Windows\System\NTDS etc?

        Are these logon scripts in the NETLOGON share or under a group policy?
        If its the latter, have you tried going into GPMC and the "show files" button when editing the relevant section of the policy?
        Tom Jones
        MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
        PhD, MSc, FIAP, MIITT
        IT Trainer / Consultant
        Ossian Ltd
        Scotland

        ** Remember to give credit where credit is due and leave reputation points where appropriate **

        Comment


        • #5
          Re: Can't edit group policy logon script

          Originally posted by Ossian View Post
          OK, so you are going to C:\Windows\System\NTDS etc?

          Are these logon scripts in the NETLOGON share or under a group policy?
          If its the latter, have you tried going into GPMC and the "show files" button when editing the relevant section of the policy?

          I'm using the GPMC to edit the policies. All the policies are listed and I can open them. I drill down to the logon script section under user configuration and select properties. The dialog box has the "Show Files" button and I click that which opens an explorer window pointing to the location of the file. I can then try and edit the file. When I do that I get the error I posted before.

          From what I can tell the permissions are set correctly. I had tried giving extra permissions but then it yelled at me for them being different so they got changed back via AD.

          Ideas?

          Comment


          • #6
            Re: Can't edit group policy logon script

            Ok. Was trying some stuff out and found that permissions are ok EXCEPT if the file is an executable type (ie. a batch file for example which is what I'm using).

            So if I create a text file in the folder, I can edit it. The second I change the file type to .bat, it gives me the error message.

            Comment


            • #7
              Re: Can't edit group policy logon script

              On the computer you run GPMC try adding *.domain.local to the "Local Intarnet Zone" in Internet Explorer. (Where domain.local is the AD domain name)


              \Rems

              This posting is provided "AS IS" with no warranties, and confers no rights.

              __________________

              ** Remember to give credit where credit's due **
              and leave Reputation Points for meaningful posts

              Comment


              • #8
                Re: Can't edit group policy logon script

                Ok I found the solution a few weeks back and decided to post my results so others might find it.

                The problem was the enhanced security in internet explorer that was causing the issue.

                To solve it, you can either turn it off, or you can add the the server to the trusted local sites.

                Comment


                • #9
                  Re: Can't edit group policy logon script

                  Well done, and thanks for posting back
                  Tom Jones
                  MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
                  PhD, MSc, FIAP, MIITT
                  IT Trainer / Consultant
                  Ossian Ltd
                  Scotland

                  ** Remember to give credit where credit is due and leave reputation points where appropriate **

                  Comment

                  Working...
                  X