GPO Permissions Needed

  • GPO Permissions Needed

    We have a GPO shutdown script that is used to install updates. In order to track which computers have had the update applied, we would like to create a file on the server called %computername%.txt from an existing text file in NETLOGON. The command looks like this:

    copy UNC path to NETLOGON\file.txt UNC path to NETLOGON\%computername%.txt

    We have tested and updates get applied; however, it won't create the file. During a GPO shutdown script, are additional permissions needed to write to the NETLOGON directory? Is there a different way to accomplish this?

    Any help would be greatly appreciated.

    Many thanks in advance.

  • #2
    Re: GPO Permissions Needed

    What kind of updates are you installing?
    Also, I wouldn't create the files in the Netlogon folder but on another share.
    Marcel
    Technical Consultant
    Netherlands
    http://www.phetios.com
    http://blog.nessus.nl

    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going. ~Winston Churchill"



    • #3
      Re: GPO Permissions Needed

      The last thing you want to be doing is modifying permissions on NETLOGON. Only Domain Admins should be able to modify this, for obvious reasons. I would therefore agree with Dumber and strongly recommend that you create a new share to place the files in question. NETLOGON is designed for scripts - essentially static content.
      Gareth Howells

      BSc (Hons), MBCS, MCP, MCDST, ICCE

      Any advice is given in good faith and without warranty.

      Please give reputation points if somebody has helped you.

      "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

      "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.



      • #4
        Re: GPO Permissions Needed

        I agree as well, never mess with system components. Also, to clarify: the Netlogon folder is for scripts for legacy clients (Win9x, WinNT, etc.). All clients from Win2k and newer should be using logon or logoff scripts in GPO's (which are stored with the GPO in the sysvol directory).



        • #5
          Re: GPO Permissions Needed

          Good point.
          Gareth Howells



          • #6
            Re: GPO Permissions Needed

            Originally posted by joeqwerty
            I agree as well, never mess with system components. Also, to clarify: the Netlogon folder is for scripts for legacy clients (Win9x, WinNT, etc.). All clients from Win2k and newer should be using logon or logoff scripts in GPO's (which are stored with the GPO in the sysvol directory).
            The NETLOGON share is the SCRIPTS folder in the associated domain's SYSVOL directory... it's the same place. The share name NETLOGON is provided as you say but it's just a share name for the folder which is used by ALL logon/logoff/startup/shutdown scripts.


            Tom
            For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

            Anything you say will be misquoted and used against you



            • #7
              Re: GPO Permissions Needed

              I think the suggestion was that it is better to store scripts that are set through a GPO *with* the GPO they apply to, which would not be in NETLOGON. But you're right, NETLOGON is the correct place to store scripts etc that are not related to GPOs.
              Gareth Howells



              • #8
                Re: GPO Permissions Needed

                Thanks for everyone's input. I would ideally like to use a different share. I will create one and test. My understanding was that SYSTEM is used during a shutdown script and it only has access to the NETLOGON share during the shutdown. Is this correct? I really just need to verify this. I can find an alternative if this won't work.

                Thanks again.

                Comment
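One way to set up the separate share recommended in this thread, as an added example that is not from any of the posters. It assumes the shutdown script runs as Local System and reaches the file server as the computer account, so write access is granted to Domain Computers; `FS01`, `D:\UpdateLog`, `CONTOSO` and the two function names are placeholders, and the ACL layout is one least-privilege choice among several.

```powershell
# Added example. FS01, D:\UpdateLog, CONTOSO and both function names are placeholders.

# Run once, elevated, on the file server (New-SmbShare needs Windows Server 2012 or later).
function Initialize-UpdateLogShare {
    param(
        [string]$Path  = 'D:\UpdateLog',
        [string]$Group = 'CONTOSO\Domain Computers'   # scripts arrive as COMPUTER$
    )
    New-Item -ItemType Directory -Path $Path -Force | Out-Null

    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)   # stop inheriting, drop inherited ACEs
    $all = 'ContainerInherit,ObjectInherit'
    $aces = @(
        # Server administrators and SYSTEM: full control of the folder and all markers.
        @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl'; Inherit = $all; Prop = 'None' }
        @{ Id = 'NT AUTHORITY\SYSTEM'; Rights = 'FullControl'; Inherit = $all; Prop = 'None' }
        # Computers: create files in this folder only. No listing, no reading or
        # deleting another machine's marker, no subfolders.
        @{ Id = $Group; Rights = 'CreateFiles,ReadAttributes,Traverse'; Inherit = 'None'; Prop = 'None' }
        # Whoever created a marker may rewrite it on a later shutdown (files only).
        @{ Id = 'CREATOR OWNER'; Rights = 'Modify'; Inherit = 'ObjectInherit'; Prop = 'InheritOnly' }
    )
    foreach ($a in $aces) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($a.Id, $a.Rights, $a.Inherit, $a.Prop, 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl

    # Share permissions stay broad; the NTFS ACL above is the effective restriction.
    New-SmbShare -Name 'UpdateLog' -Path $Path -ChangeAccess $Group `
        -FullAccess 'BUILTIN\Administrators' | Out-Null
}

# Body of the GPO shutdown script on each client (runs as Local System).
function Write-UpdateMarker {
    param([string]$Share = '\\FS01\UpdateLog')
    $marker = "$Share\${env:COMPUTERNAME}.txt"
    try {
        [System.IO.File]::WriteAllText($marker, (Get-Date -Format o))
        return $true
    } catch {
        Write-Warning "Could not write ${marker}: $($_.Exception.Message)"
        return $false
    }
}
```

Because the computer accounts cannot list the folder, the inventory of marker files is read on the server side by an administrator, and NETLOGON keeps its default read-only permissions.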


                • #9
                  Re: GPO Permissions Needed

                  If the shutdown script is defined in a GPO, then go with joeqwerty's suggestion and store the scripts with the GPO - the folder that opens when you press Show Files.
                  Gareth Howells



                  • #10
                    Re: GPO Permissions Needed

                    To Stonelaughter: I didn't want to bog down the post with details that may have been confusing to the OP, but thanks for clarifying for everyone in case anyone didn't know.



                    • #11
                      Re: GPO Permissions Needed

                      Microsoft also only recommends using robocopy to stabilize an NTFRS issue with the Sysvol share.

                      So in essence disabling NTFRS on all DC's and then using robocopy to copy a good copy to the sysvol.

                      Also, you have to make sure that your gpt.ini version is the same as what's in your AD backend through adsiedit. Either one or the other, doesn't really matter, just make sure they're the same.
                      GoogleFu is strong with this one ^
