RE: login Scripts not running

Dear George,

Thank you for posting here.

According to your description, my understanding is that:

The scripts were set in "Computer Cnfiguration" of GPO, which is applied on
the computer account. I think this should be the "Startup Script" not
"Logon Script", since the "Logon Script" only applies during one user logon
session.

If something is misunderstood, please let me know.

Based on my research, I'd like to share some knowledge with you.

Analysis and Suggestions:
======================

1. By default, the child objects of Child OU should apply the Group Policy
which inherits from the parent OU if the "Block Inheritance" of child OU is
not enabled. In this way, the Group Policy setting of "WSUS OU" should be
flown down to the child object "Win2k OU" as your description.

2. To ensure the "Startup Script" can run normally through GPO, please
first try to run it locally on the client side to check if it works.

3. Since you have enabled the computer "Startup Scripts" in all the GPO and
the "Startup Script" is to start Windows Automatic Update service, the
proper share permission and security permission of the scripts share folder
is needed. Please grant "Domain Computer" at least "Read" share and
security permission on the machine\script share folder. I guess maybe this
is key point of that Windows 2000 clients cannot apply the startup script
in "Win2k OU" linked GPO.

Note: the "Startup Script" should be placed in the path
"%systemroot%\SYSVOL\sysvol\<domain>\Policies\<GPO
GUID>\Machine\scripts\Startup" on the Domain Controller.

Please refer to:

How to assign scripts in Windows 2000
http://support.microsoft.com/kb/322241
(This should also apply on Windows Server 2003)

4. As your description, you have more than 2 domain controllers in the
domain. I wonder whether there exists a DC in the site where the Windows
2000 clients are located. If there doesn't exist a DC in the site of these
Windows 2000 clients, I think the slow link may be a root cause that why
the Windows 2000 clients cannot apply the "Startup Script". By default, if
the WAN link between DC located-site and the Windows 2000 client-located
site is slower than 500Kbps, the "startup script" is not applied. In this
way, it is recommended to deploy one DC in each site of the domain.

5. Maybe the windows 2000 clients cannot locate Domain Controller to apply
the GPO. Please try to browse the scripts share folder with UNC path to DC
on the Windows 2000 client to see if it works.

6. Please verify that all the Windows 2000 computer accounts are in the
container of "Win2k OU" in "Active Directory Users and Computers".

7. I'm agreed with Meinolf that you'd better specify the different subnet
for the other site in "Active Directory Sites and Services", which could
help the Windows 2000 client to locate the nearest domain controller in the
domain.

If all the above troubleshooting steps cannot help to resolve the issue,
please enable the following logs for further troubleshooting.

Troubleshooting logs:
===================

1. You may enable user environment debug logging on windows 2000 client,
then reset the client, and then wait for the processing of GPO. After
loading the Windows Shell, you may obtain the "userenv.log" in the folder
"%systemroot%\Debug\UserMode". This log will help to see the processing of
applying GPO.

For more information, please refer to:

How to enable user environment debug logging in retail builds of Windows
http://support.microsoft.com/kb/221833

2. Afterwards, you may run "gpresult /z > C:\gpresult.log" on Windows 2000
client and obtain the log. This log will help to see the result of
processed GPO on the client side with your current logon session.

3. You may also run "netdiag /v > C:\netdiag.log" and "dcdiag /c /v >
C:\dcdiag.log" on the Domain Controller. This log will help to see the
healthy state of network and DC.

Note: the Windows support tools need to be installed on the domain
controller so that the command can be run.

You may send all the logs to my e-mail: v-dashen@xxxxxxxxxxxxx so that I
can troubleshoot the issue for you.

I hope all the information will help you.

Thanks for your time.


David Shen
Microsoft Online Partner Support
Microsoft Global Technology Support Center

.

Relevant Pages

  • Re: Windows/Macro Language Info?
    ... The point is that malware is often using Windows _features_. ... I totally understand the difference between client and server side (and you ... subverted by script code (the facilities to change file size, dates, etc. ...
    (comp.lang.cobol)
  • RE: GPO not working after Migration
    ... I suggest you use Active Directory Users and Computers to try again. ... Open the GPO and enable the following polciy. ... | We just moved to Windows 2003 AD and we were trying to ... | implement GPO on the client machines. ...
    (microsoft.public.windows.server.migration)
  • Re: Time Server [WildPacket]
    ... > Applied a GPO to a test server running 2003 Server and one client ... > Enable Windows NTP Client: ...
    (microsoft.public.windows.server.active_directory)
  • Re: RE: How to chnage registry by a GPO
    ... For Windows 2003 Server, in a GPO, ... Manage Your Server page at logon. ... >>>> I currently run a script to create/modify a registry ...
    (microsoft.public.win2000.group_policy)
  • Copy event log to access
    ... I used Windows XP Pro SP2, P IV 3.2 Ghz, 1 Go ram. ... I copied this script from the Microsoft web ... Windows Script Host ... Utilisateur client: toto ...
    (microsoft.public.windows.server.scripting)