I am unable to get a GPO to run a script on startup. The script creates a shared folder on each machine in a group of windows 8 machines. The script itself works great, but attaching it to a GPO is giving me a problem. Even after gpupdate /force commands and several restarts I can't get the scripts to run.

Here's what I know:

  • RSOP shows that the GPO with the script is being applied
  • GPResult states that the script has not yet been ran (after several reboots)
  • There's no related events in the computer's application or system event logs
  • Executing the script on its own works great
  • Using psexec to run the script using SYSTEM credentials works as well
  • Moving the scripts from a network share to a local folder (C:\GPOFiles\ for example) made no diffence, the GPO still did not execute the scripts.
  • I've tried using other, simpler, scripts just to see if it was a problem with the script in question and they would not run either
  • I can run it as a logon script, but I would rather apply this to machines, not users, if possible

I'm not sure how to troubleshoot this, any ideas?

Heads up, I'm somewhat new to group policies, so its possible I missed something obvious.


I've also tried creating the GPOs from both a windows 7 box and a windows 8 box with the same results. The domain controllers are windows server 2008.

Here is the script I'm trying to run. :

Option Explicit  
Const FILE_SHARE = 0 
Dim strComputer 
Dim objWMIService 
Dim objNewShare 

strComputer = "." 
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2") 
Set objNewShare = objWMIService.Get("Win32_Share") 

Call sharesec ("C:\Shared", "Shared", "Work Center Share", "Domain Users") 

Sub sharesec(Fname,shr,info,account) 'Fname = Folder path, shr = Share name, info = Share Description, account = account or group you are assigning share permissions to 
    Dim FSO 
    Dim Services 
    Dim SecDescClass 
    Dim SecDesc 
    Dim Trustee 
    Dim ACE 
    Dim Share 
    Dim InParam 
    Dim Network 
    Dim FolderName 
    Dim AdminServer 
    Dim ShareName 

    FolderName = Fname 
    AdminServer = "\\" & strComputer 
    ShareName = shr 

    Set Services = GetObject("WINMGMTS:{impersonationLevel=impersonate,(Security)}!" & AdminServer & "\ROOT\CIMV2") 
    Set SecDescClass = Services.Get("Win32_SecurityDescriptor") 
    Set SecDesc = SecDescClass.SpawnInstance_() 

    'Set Trustee = Services.Get("Win32_Trustee").SpawnInstance_ 
    'Trustee.Domain = Null 
    'Trustee.Name = "EVERYONE" 
    'Trustee.Properties_.Item("SID") = Array(1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0) 

    Set Trustee = SetGroupTrustee("LM", account) 'Replace ACME with your domain name.  
    'To assign permissions to individual accounts use SetAccountTrustee rather than SetGroupTrustee  

    Set ACE = Services.Get("Win32_Ace").SpawnInstance_ 
    ACE.Properties_.Item("AccessMask") = 2032127 
    ACE.Properties_.Item("AceFlags") = 3 
    ACE.Properties_.Item("AceType") = 0 
    ACE.Properties_.Item("Trustee") = Trustee 
    SecDesc.Properties_.Item("DACL") = Array(ACE) 
    Set Share = Services.Get("Win32_Share") 
    Set InParam = Share.Methods_("Create").InParameters.SpawnInstance_() 
    InParam.Properties_.Item("Access") = SecDesc 
    InParam.Properties_.Item("Description") = "Public Share" 
    InParam.Properties_.Item("Name") = ShareName 
    InParam.Properties_.Item("Path") = FolderName 
    InParam.Properties_.Item("Type") = 0 
    Share.ExecMethod_ "Create", InParam  
End Sub  

Function SetAccountTrustee(strDomain, strName)  
     set objTrustee = getObject("Winmgmts:{impersonationlevel=impersonate}!root/cimv2:Win32_Trustee").Spawninstance_  
     set account = getObject("Winmgmts:{impersonationlevel=impersonate}!root/cimv2:Win32_Account.Name='" & strName & "',Domain='" & strDomain &"'")  
     set accountSID = getObject("Winmgmts:{impersonationlevel=impersonate}!root/cimv2:Win32_SID.SID='" & account.SID &"'")  
     objTrustee.Domain = strDomain  
     objTrustee.Name = strName  
     objTrustee.Properties_.item("SID") = accountSID.BinaryRepresentation  
     set accountSID = nothing  
     set account = nothing  
     set SetAccountTrustee = objTrustee  
End Function  

To the best of my knowledge, the GPO hasn't even touched the script. For the sake of science, I've also tried the following script and it wasn't ran either:

Dim oShell
Set oShell = WScript.CreateObject ("WScript.Shell")
oShell.run "subst z: ""C:\Shared"""

Here's how I configured these scripts to run in the GPO: enter image description here

Adam H.
  • 71
  • 1
  • 1
  • 5
  • Two questions - 1. What was the OS of the machine you used to create this GPO? (I've found that W8/WS2012 machines don't play well with GPOs or GPPs made on a machine running and earlier OSes, like Windows 7). 2. What do you mean by `moving the scripts from a network share to a folder on the C drive yields the same result`? Does this mean that the GPO works when the script is local, or not? – HopelessN00b Oct 31 '14 at 15:45
  • 3. What does this mean exacly? `The script itself sets up a shared folder on a group of windows 8 machines`. 4. If you want the script to run under the computer context then why not configure it as a startup script? – joeqwerty Oct 31 '14 at 15:51
  • What are the GPO details? You state you want it to apply to machines so I'm guessing it's a computer configuration startup script? If so, do the NTFS permissions to the script allow for "Domain Computers" to have at least Read access to the script and it's location? – TheCleaner Oct 31 '14 at 15:52
  • @HopelessN00b 1. I've added some more information on that in an edit. 2. I meant that the GPO does run the scripts when the scripts are local. – Adam H. Oct 31 '14 at 17:24
  • @joeqwerty 3. I've adjusted the verbiage slightly. Each computer under the policy should have their own share. 4. You are correct, that's what I want. The scripts are currently configured to run as start up scripts. – Adam H. Oct 31 '14 at 17:27
  • @TheCleaner I went back and checked the permissions. 'Domain Computers' and 'SYSTEM' are both set to allow read/execute on both the files and the directory they are contained in. – Adam H. Oct 31 '14 at 18:13
  • @HopelessN00b I've added a few things. Are you looking for a screenshot of anything specific in the GPO? GP results maybe? – Adam H. Oct 31 '14 at 18:18
  • 1
    No, that's what I was looking for. I have a kind of out-of-left-field follow up question, though. Have you tested scripts that aren't vbs scripts to see if they behave as expected? (Try a batch or powershell script, perhaps.) I've seen a lot of problems with Windows 8 handling vbs scripts... although, admittedly, that doesn't explain why it works fine when you run it manually. – HopelessN00b Oct 31 '14 at 18:24
  • 2
    Why are your script files located in `C:\`? Try putting the script on a DC's NETLOGON share instead. Then click "Show Files" and make sure it is referencing the right location still. – TheCleaner Oct 31 '14 at 18:50
  • @TheCleaner I started out with the scripts in a share on the domain controller. I placed the files on the C drive to troubleshoot some suspicions I had about network connectivity. It's a poor practice, I know. I'll change it back to referencing the shared location once I find the problem. – Adam H. Nov 04 '14 at 16:31

1 Answers1


This is a bit silly on my part, but I found out the issue. Instead of restarting through Windows, I would tap the power button to shut the machine down and tap it again to start it up.

I restarted through Windows today and I finally started getting errors in the windows logs showing me why the scripts weren't being ran (misc WiFi connection issues to the domain controller). After some troubleshooting (mainly by using a wired Ethernet connection) and proper rebooting, I got the script to run.

Adam H.
  • 71
  • 1
  • 1
  • 5