2

I created a GPO startup script to execute for computers in a specific AD container. The script takes a file from the AD netlogon share and places it in a directory on the computer. Given the right permissions (i.e., myself), I can execute the script just fine and the file copies. But it doesn't work on startup - the file does not copy over from the AD server.

The startup script should run as localsystem (am I right?). So the question is why do the files not copy on startup? Could it be because of:

  • Is it permissions of the local system user?
  • Reading the registry is problematic on startup?
  • Obtaining files from the AD netlogon folder is problematic on startup?
  • Am I missing it completely?

My test machine does have the registry key and local directories as described in the script. I myself have standard user permissions on the test machine. The AD server is Windows 2008, the test client is Windows XP SP3 (and soon to be Windows 7, where I assume permissions issues will be inevitable).

    Dim wShell, fso, oraHome, tnsHome, key, srcDir
    Set wShell = WScript.CreateObject("WScript.Shell")
    Set fso = CreateObject("Scripting.FileSystemObject")
    key = "HKLM\Software\Oracle\Oracle_Home"
    On Error Resume Next
    orahome = wShell.RegRead(key)
    If err.Number = 0 Then
        tnsHome = oraHome + "\" + "network\admin\"
        srcDir = wShell.ExpandEnvironmentStrings("%logonserver%") + "\netlogon\UpdatedFiles\"
        fso.CopyFile srcDir + "file1.ext", tnsHome, true
    End If

Side note: To ensure that the script is properly deployed, I purposely put some errors in the script, and on the next startup the error message appeared. So I know the GPO is deployed properly.

marcwenger

2 Answers

2

Hmmm... What you're doing should work. That's not much consolation, I know, but I use a LOT of startup scripts (thousands of invocations on client computers throughout my Customer sites every day) and I don't have problems with script execution reliability.

I'd add an "On Error Goto 0" after the registry read so that any other errors in the script execution are reported. I'd also consider, at least for testing, adding some MsgBox calls to report on the values you've constructed for the fso.CopyFile call. Debug it with "PRINT" statements, basically.

Not that it's helpful, but here's how I'd do it with a batch file:

    @echo off
    for /f "usebackq tokens=2*" %%i in (`reg query HKLM\Software\Oracle /v Oracle_Home ^| find /i "Oracle_Home"`) do (
        if not "%%j"=="" copy /y "\\%USERDOMAIN%\netlogon\UpdatedFiles\some_file.tns" "%%j"
    )

As an aside: You shouldn't have permissions issues running a startup script under Windows 7. The script will run as SYSTEM and UAC won't be enabled. Microsoft got this right.

Evan Anderson
1

Running under the local system account, the script will be connecting to the network using the AD computer account (i.e. COMPUTERNAME$).

However, the %logonserver% variable might not be valid in the context of the system account - after all the local system account authenticates with the local machine, not the domain. The %logonserver% variable may either be blank, or equal to the local machine name.

Try using \\domain.name\NETLOGON instead. This will connect to a domain controller (and since the NETLOGON share contains the same files on all DCs because it uses FRS, it doesn't matter which DC you're talking to).

Chris McKeown
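The two answers combined into one startup script, as an added example that is not code from either poster: error trapping is limited to the registry read, the source path is built from the domain name instead of %logonserver%, and the values are written to the Application event log in place of the suggested MsgBox calls. Using ADSystemInfo to obtain the domain DNS name and WshShell.LogEvent for the diagnostics are assumptions of this example; the file name and registry value are the ones from the question.

```vbscript
' Added example, not from the original posts.
Option Explicit

Const EVT_ERROR = 1, EVT_INFO = 4
Dim wShell, fso, oraHome, tnsHome, srcFile, domain, regErr

Set wShell = CreateObject("WScript.Shell")
Set fso = CreateObject("Scripting.FileSystemObject")

' Trap only the registry read: a missing value means Oracle is not installed.
On Error Resume Next
oraHome = wShell.RegRead("HKLM\Software\Oracle\Oracle_Home")
regErr = Err.Number
On Error GoTo 0   ' from here on, unexpected errors are reported, not swallowed

If regErr <> 0 Then
    wShell.LogEvent EVT_INFO, "TNS copy: Oracle_Home not found, nothing to do."
    WScript.Quit 0
End If

' Assumption: take the domain DNS name from ADSystemInfo so the path does not
' depend on %LOGONSERVER%, which may be unset or wrong for the SYSTEM account.
domain = CreateObject("ADSystemInfo").DomainDNSName
srcFile = "\\" & domain & "\netlogon\UpdatedFiles\file1.ext"
tnsHome = fso.BuildPath(oraHome, "network\admin") & "\"

' Record the context the script really ran in. An undefined variable is
' logged as the literal text %LOGONSERVER%, which is itself the diagnosis.
wShell.LogEvent EVT_INFO, "TNS copy: user=" & _
    wShell.ExpandEnvironmentStrings("%USERNAME%") & _
    ", LOGONSERVER=" & wShell.ExpandEnvironmentStrings("%LOGONSERVER%") & _
    ", source=" & srcFile & ", target=" & tnsHome

' Check both ends before copying so the log says which side failed.
If Not fso.FileExists(srcFile) Then
    wShell.LogEvent EVT_ERROR, "TNS copy: cannot read " & srcFile
    WScript.Quit 1
End If
If Not fso.FolderExists(tnsHome) Then
    wShell.LogEvent EVT_ERROR, "TNS copy: target folder missing: " & tnsHome
    WScript.Quit 1
End If

On Error Resume Next
fso.CopyFile srcFile, tnsHome, True
If Err.Number <> 0 Then
    wShell.LogEvent EVT_ERROR, "TNS copy failed: 0x" & Hex(Err.Number) & " " & Err.Description
    WScript.Quit 1
End If
```

The entries appear in the client's Application event log after the next startup, so the result can be read without a desktop session.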