Login Script Question

  • Login Script Question

    Hello,

    If a user's User GP doesn't update for a few days and the user has been logging on and off regularly, will changes to a login script take effect if the login script existed when the user GP was working?

    Thanks!

  • #2
    Re: Login Script Question

    Originally posted by alpha202ej
    If a user's User GP doesn't update for a few days
    Meaning that you as the administrator don't make any changes to the policy?

    Originally posted by alpha202ej
    if the login script existed when the user GP was working?
    What do you mean?

    If a logon script is applied either through GP or some other means, it runs at every user logon. Changes to the script will take effect from the next time the user logs in.
    Gareth Howells

    BSc (Hons), MBCS, MCP, MCDST, ICCE

    Any advice is given in good faith and without warranty.

    Please give reputation points if somebody has helped you.

    "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

    "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.


    • #3
      Re: Login Script Question

      We have someone on one of our networks who is having a drive mapping issue, and I believe that it may have something to do with their GP. I was told who had the issues and checked their GP status by running gpresult. I saw that their User GP hasn't been updated in over a month. My question is: if they haven't been able to update their User GP in that period of time and some lines of code were changed in the login script, will it take effect? I know it very well could because it already knows to look at the server for GP info. But I could be completely wrong and it turns out that when a login script is used each client computer downloads it and keeps it locally until it is updated through GP. That's why I am asking: once a login script is pushed through GP, is it downloaded to the client and updated only when GP is updated, or does it tell the client where to look for the script every time login occurs?


      • #4
        Re: Login Script Question

        Logon scripts are not downloaded to the clients.

        What do you mean "they haven't updated their GP in a month"? Clients don't update GP.


        • #5
          Re: Login Script Question

          Even if scripts were cached on workstations, clients refresh Group Policy every 90 minutes in the background.

          Logon scripts are not cached. Presumably you have the script stored in a share, rather than having it copied to each workstation?

          You could always verify that by putting some form of check in the script to pop up a message, email you, etc., and ask the user to try logging in.
          Gareth Howells

          • #6
            Re: Login Script Question

            Originally posted by joeqwerty
            Logon scripts are not downloaded to the clients.

            What do you mean "they haven't updated their GP in a month"? Clients don't update GP.
            The exact wording from gpresult was "Last time group policy was applied: " and then it would have a date and time from July under User Settings.


            • #7
              Re: Login Script Question

              When was the last time the workstation was rebooted?

              Have you run gpupdate /force on the workstation? This won't make the logon script run but it will make the client side GP extensions run.


              • #8
                Re: Login Script Question

                I just ran that using psexec and it said it refreshed the policy, but when I do a gpresult it still says that it hasn't been applied in days.


                • #9
                  Re: Login Script Question

                  Probably a dumb question, but are you psexec'ing the gpresult also?


                  • #10
                    Re: Login Script Question

                    Originally posted by fooey
                    Probably a dumb question, but are you psexec'ing the gpresult also?
                    Correct, I psexec into the target computer: psexec \\machinename cmd.exe and then run gpupdate /force, then run gpresult to see the applied status.


                    • #11
                      Re: Login Script Question

                      Verified communication to the DC?

                      I just ran a gpupdate /force on a test box next to me after I unplugged the network cable....

                      Refreshing Policy...

                      User Policy Refresh has completed.
                      Computer Policy Refresh has completed.


                      ????

                      I guess maybe it has the info cached and will run what it has cached?


                      • #12
                        Re: Login Script Question

                        Originally posted by alpha202ej
                        My question is: if they haven't been able to update their User GP in that period of time and some lines of code were changed in the login script, will it take effect?
                        Check the following registry key when that user is logged on and is the Current User.
                        HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\Scripts\Logon

                        There should be at least one subkey found right under the Logon key. For every GPO where a logon script policy has been configured there is a subkey with a numeric name.

                        Then under that subkey you can find one or more other keys with numeric names, one for every logon script that has been configured in the same GPO.

                        During the logon process the USERINIT process will impersonate the user logging on. It reads those entries in the registry, and it uses the exact \\Path\Scriptname that is added to the "Script" item in the subkey to start the scripts.

                        The \\Path\Scriptname points to a logon script stored on the server and that would be the script that you have recently updated. So if the subkey is present in the user's registry and the value of the 'Script' item is correct, then the answer to your question above is 'yes'.

                        However, if the entries could not be found in the user's registry, then a temporary workaround could be adding the "\\Path\Scriptname" to the Login Script attribute of this specific user account in AD until you have been able to solve the problem.

                        Solve the "GPO is not being applied" issue anyway!
                        Have you looked in the Application event log on that computer for records with USERINIT as the source?


                        There could be more explanations why the drives are not mapped correctly by the logon script for this particular user. For example: are the drive letters already in use? Are there perhaps credentials saved on that computer from previous connections to the server?

                        Have you already tried to have this user run the script manually (by using "\\Path\Scriptname")? If so, were there error pop-ups or error events logged? Can you show us the script?


                        \Rems

                        This posting is provided "AS IS" with no warranties, and confers no rights.

                        __________________

                        ** Remember to give credit where credit's due **
                        and leave Reputation Points for meaningful posts
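
The registry check described in post #12, as an added example that is not part of the original thread: it walks the two levels of numeric subkeys under the Logon key and lists each "Script" value. The function name Get-GpoLogonScript and the -UserSid option (which reads the same path under HKEY_USERS so the check can be made for a logged-on user other than the one running it) are assumptions that go beyond the post.

```powershell
# Added example. Get-GpoLogonScript is a hypothetical helper name.
function Get-GpoLogonScript {
    param(
        # SID of the affected user. Omit it to read the hive of whoever runs this.
        # The user must be logged on, otherwise the hive is not loaded under HKEY_USERS.
        [string]$UserSid
    )
    $sub = 'Software\Policies\Microsoft\Windows\System\Scripts\Logon'
    if ($UserSid) {
        $root = "Registry::HKEY_USERS\$UserSid\$sub"
    } else {
        $root = "Registry::HKEY_CURRENT_USER\$sub"
    }

    if (-not (Test-Path -LiteralPath $root)) {
        Write-Warning "No logon script policy found under $root"
        return
    }

    # First level: one numeric subkey per GPO that configures a logon script.
    foreach ($gpoKey in Get-ChildItem -LiteralPath $root) {
        # Second level: one numeric subkey per script configured in that GPO.
        foreach ($scriptKey in Get-ChildItem -LiteralPath $gpoKey.PSPath) {
            $script = (Get-ItemProperty -LiteralPath $scriptKey.PSPath).Script
            $isUnc  = [bool]($script -like '\\*')
            [pscustomobject]@{
                GpoIndex    = $gpoKey.PSChildName
                ScriptIndex = $scriptKey.PSChildName
                Script      = $script
                IsUnc       = $isUnc
                # Checked with the caller's credentials, not the target user's.
                Reachable   = [bool]($isUnc -and (Test-Path -LiteralPath $script))
            }
        }
    }
}

# In the affected user's own session:
#   Get-GpoLogonScript
# From an admin session on the same machine (placeholder SID, substitute the user's):
#   Get-GpoLogonScript -UserSid 'S-1-5-21-<domain>-<rid>'
```

An empty result with the warning means the policy entries are missing from that user's hive; a listed script with Reachable set to False points at the share or the path rather than at Group Policy processing.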

                        • #13
                          Re: Login Script Question

                          Originally posted by alpha202ej
                          Correct, I psexec into the target computer: psexec \\machinename cmd.exe and then run gpupdate /force, then run gpresult to see the applied status.
                          Using psexec to run gpresult will not do of course when you don't provide the name of the user that is having problems with the logon script. Can you show the syntax you used?

                          You can also use the Group Policy Management Console on the server and perform 'Group Policy Results' for that user on his/her computer.

                          \Rems
                          Last edited by Rems; 26th August 2009, 18:53.

                          • #14
                            Re: Login Script Question

                            Originally posted by Rems
                            Check the following registry key when that user is logged on and is the Current User.
                            HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\Scripts\Logon

                            There should be at least one subkey found right under the Logon key. For every GPO where a logon script policy has been configured there is a subkey with a numeric name.

                            Then under that subkey you can find one or more other keys with numeric names, one for every logon script that has been configured in the same GPO.

                            During the logon process the USERINIT process will impersonate the user logging on. It reads those entries in the registry, and it uses the exact \\Path\Scriptname that is added to the "Script" item in the subkey to start the scripts.

                            The \\Path\Scriptname points to a logon script stored on the server and that would be the script that you have recently updated. So if the subkey is present in the user's registry and the value of the 'Script' item is correct, then the answer to your question above is 'yes'.

                            However, if the entries could not be found in the user's registry, then a temporary workaround could be adding the "\\Path\Scriptname" to the Login Script attribute of this specific user account in AD until you have been able to solve the problem.

                            Solve the "GPO is not being applied" issue anyway!
                            Have you looked in the Application event log on that computer for records with USERINIT as the source?


                            There could be more explanations why the drives are not mapped correctly by the logon script for this particular user. For example: are the drive letters already in use? Are there perhaps credentials saved on that computer from previous connections to the server?

                            Have you already tried to have this user run the script manually (by using "\\Path\Scriptname")? If so, were there error pop-ups or error events logged? Can you show us the script?


                            \Rems
                            Okay, I think I have got a handle on it now. When I ran Group Policy Results from the GPMC I saw that, for the user in question, the policy WAS getting applied. I didn't realize that the gpupdate didn't reflect the user's applied status if you are using psexec to log in.