VBS logon script and AppLocker

Hello
I have set up AppLocker with "Automatically Generate Rules" for "Script Rules".
When I try to execute a VBS logon script from a GPO, it fails with the error below.
Execution of the Windows Script Host failed. (This program is blocked by group policy. For more information, contact your system administrator.)
I have tried to generate a new rule where I allow
\\%logonserver%\sysvol\*, without any luck.
Does anyone have a solution for this problem?
Thanks,
/Jesper

Hello Again
OK, I figured it out. I made a new allow rule with the path below.
\\domain.com\SysVol\domain.com\Policies\*
Now my domain VBscript is running.
/Jesper
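
A way to verify the fix described above, added here as an example and not part of the original posts: AppLocker path rules expand only AppLocker's own path variables (such as %WINDIR% or %OSDRIVE%), not ordinary environment variables like %logonserver%, so the rule has to name the domain-based SYSVOL path the script is really launched from. The script reads the blocked path from the AppLocker event log, builds the equivalent Script path rule and tests it against the scripts in SYSVOL; taking the domain name from `$env:USERDNSDOMAIN`, the temp file name and the Everyone SID are assumptions.

```powershell
# Added example, not from the original thread.
# Assumption: the domain DNS name comes from USERDNSDOMAIN (the thread uses "domain.com").
$domain   = $env:USERDNSDOMAIN
$policies = "\\$domain\SysVol\$domain\Policies"

# 1. See which path AppLocker actually evaluated. In the "MSI and Script" log,
#    event 8007 is a script blocked in enforce mode and 8006 is the audit-only
#    warning. The message text contains the path the rule must cover.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-AppLocker/MSI and Script'
    Id      = 8006, 8007
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-List

# 2. Build a candidate policy holding one Script path rule for the GPO folder.
#    S-1-1-0 is the Everyone SID (assumption: the rule should apply to all users).
$ruleId = [guid]::NewGuid().ToString()
$xml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Script" EnforcementMode="Enabled">
    <FilePathRule Id="$ruleId" Name="Allow GPO scripts from SYSVOL" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="$policies\*" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$policyFile = Join-Path $env:TEMP 'sysvol-script-rule.xml'   # hypothetical file name
Set-Content -Path $policyFile -Value $xml -Encoding UTF8

# 3. Evaluate every script stored under the GPO folder against the candidate
#    policy before deploying it. Each one should come back as Allowed.
$scripts = Get-ChildItem -Path $policies -Recurse -File `
    -Include *.vbs, *.js, *.ps1, *.bat, *.cmd -ErrorAction SilentlyContinue
if ($scripts) {
    Test-AppLockerPolicy -XmlPolicy $policyFile -Path $scripts.FullName -User Everyone |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

# 4. A path rule trusts anyone who can write to the path, so review who holds
#    rights on the Policies folder.
(Get-Acl -Path $policies).Access |
    Where-Object AccessControlType -eq 'Allow' |
    Select-Object IdentityReference, FileSystemRights, IsInherited
```

Any principal in the last listing with write access can place a script that this rule will allow, so the rule is only as strong as the SYSVOL permissions.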

Similar Messages

  • Best way for a vbs logon script to check which version of Firefox is currently installed

    I am currently writing a vbs startup script for our Windows PCs. In the script I wish to detect if Firefox is currently installed on the PC and if so what version is installed, so that I can then run the Firefox installer only if the installed version is out of date.
    The main target for this is Windows 7 64-bit, although if it worked for XP that would be a bonus. The script will run as a PC startup script so will execute before a user has logged on.
    Ideally I would like to avoid assumptions about the current installation location as we have a number of PCs configured for specialist roles where Firefox won't be in C:\Program Files(x86)\Firefox.
    I believe that the information I need can be found in the registry, however the information I have been able to find has generally been conflicting and relating to very old versions of Firefox. Any information you can provide about this for Firefox 5/6 would be very much appreciated.

    You can download Firefox 3.6.x from the link below
    * http://www.mozilla.org/firefox/all-older.html
    In TenFourFox, plug-ins are disabled for security reasons, because plug-ins for PPC are outdated and full of vulnerabilities. More information can be found on
    * the TenFourFox wiki page: http://code.google.com/p/tenfourfox/wiki/PluginsNoLongerSupported

  • Flash pushed via GPO, how to copy mms.cfg via logon script?

    I feel foolish for having to ask such a question, but I can't get it figured out.  I know very little about VBS scripting and need help pushing the mms.cfg file down to the clients via the logon script.  Can someone please provide me the proper commands to enter into our existing vbs scripts?  I sure would appreciate it!

    I got it figured out...well, kinda.  I gave up on trying to do it via the logon script and instead modified the GPO for the flash install to call a batch file in the startup script section.
    This is the contents of the batch file that I created:
    @echo off
    if exist "C:\WINNT\System32\Macromed\Flash\" goto :NT2k
    if exist "C:\WINDOWS\System32\Macromed\Flash\" goto :XPVista
    if exist "C:\Windows\System\Macromed\Flash\" goto :Legacy
    if exist "C:\Windows\SysWOW64\" goto :64bit
    goto :END
    :NT2k
    if exist C:\WINNT\System32\Macromed\Flash\mms.cfg goto :END
    xcopy \\SERVERNAME\NETLOGON\mms.cfg C:\WINNT\System32\Macromed\Flash\ /o /y
    goto :END
    :XPVista
    if exist C:\WINDOWS\System32\Macromed\Flash\mms.cfg goto :END
    xcopy \\SERVERNAME\NETLOGON\mms.cfg C:\WINDOWS\System32\Macromed\Flash\ /o /y
    goto :END
    :Legacy
    if exist C:\Windows\System\Macromed\Flash\mms.cfg goto :END
    xcopy \\SERVERNAME\NETLOGON\mms.cfg C:\Windows\System\Macromed\Flash\ /o /y
    goto :END
    :64bit
    if exist C:\Windows\SysWOW64\mms.cfg goto :END
    xcopy \\SERVERNAME\NETLOGON\mms.cfg C:\Windows\SysWOW64\ /o /y
    goto :END
    :END
    I've tested it on both an XP box and Windows 7 64-bit box and it works perfectly! The one thing I am not sure of is what directory the cfg file needs to go in for a 32-bit install of Windows 7.  We don't have any of those here yet, but that's something I'll have to remember once we do.  I hope this helps those out there trying to push the mms.cfg file via GPO to disable that auto-update feature!

  • Powershell User logon script not Exiting With "Exit" scripts are set to be visible in GPO

    I am trying to run this script as a user logon script and it is set to visible to the user. There are other parts of the script but it won't ever exit. It works fine if I run it directly; I only have the trouble when it is in the logon script. I'm thinking of trying "Kill -Id $PID" but I'm sure I'll get a bad return code.
    Has anyone else experienced this or have any ideas what I could try?
    If (Test-Path U:){
    Robocopy U:\ $Destination /E /move /XF "*.inf"
    New-Item -Path HKCU:\Software\test\test -Name Test –Force
    Else{
    Exit
    Else{
    New-Item -Path HKCU:\Software\test\1 -Name Test1 –Force
    Exit       #here is where it will not stop!
    Exit

    Sorry, I did mention this was only a subset of the complete script.
    So, what I am trying to accomplish in words.
    1. Check for the existence of a certain folder on the C: drive (that is created as a part of a different process).
    2. Look to see if a registry key exists that tells the script if it should run or not. (So if a certain registry key exists under HKCU then don't run; if not, continue.)
    3. The first time a user logs in and does not find the value that the process is already complete, show the user a message box asking them if they are ready to do (something); if not, write a registry key saying step one has completed and then quit.
    4. When the user logs in again the script looks to see if the process is complete and/or if step one is complete; if step one is complete it allows the user to skip the process 2 more times but on the fourth login forces the user to complete the process and writes the final registry key that it is complete.
    Like I say I have this all working correctly if I manually have the user run it. I just don't know why Exit is not being recognized when in the users login script processing of the script. I appreciate your reply and any direction you can point me to.

  • Assign a local logon script using Group Policy

    Is there a way to assign a local logon script using Group Policy? The reason I ask is that I wrote a logon/logoff script that will record the date/time, user, and computer for everyone who logs on to any machine in the domain. Right now it's set on a domain
    GPO, so it works great for domain accounts, but I'd like to extend that functionality to local accounts as well. The only way I know how to do that would be to set my script to run using the local policy. Since I don't want to manually go around to all 400+
    machines in my domain, I would rather find a simpler way of modifying the local policy. Any ideas?

    Martin, thank you for your response. That's exactly the kind of out-of-the-box answer I was looking for; unfortunately, it looks like I can only do that for Logon scripts. I don't see an option for Logoff. (Maybe they took the Logoff functionality out? This article says there should be a Logoff item in the GPO, but they're talking about Windows 2000 in that article.)
    Matthias, I started playing around with what you said, and I noticed that the "Scripts" key only seems to show up on my Windows 7 clients. The XP workstations don't have that key. Plus I did some testing, and I think I can do it without having
    to mess with the registry at all.
    So I think I have a workable solution at the moment. I found
    this article that talks about copying Local Policies from one computer to another. I tried manually setting the Logon/Logoff scripts in the Local policy on a fresh machine. From that reference computer I copied the Scripts folder out of the %SYSTEMROOT%\System32\GroupPolicy\User
    directory. It also created a gpt.ini file in the %SYSTEMROOT%\System32\GroupPolicy directory. The gpt.ini file contained an attribute called gPCUserExtensionNames, and one called Version. The gPCUserExtensionNames attribute specified two GUIDs, which
    I assumed to be the GUIDs that identify the Local Policy. I tried manually creating the Local policy on several different machines, with several different Operating Systems, and those GUIDs always seemed to be the same (not sure why). So I copied the gpt.ini
    file off the reference machine as well. When I placed all of the files I copied from the reference machine on to a new machine, everything seemed to work just fine (no registry modification necessary), with one caveat. It seemed to be running the script twice.
    So I went back into the gpt.ini file and deleted one of the GUIDs listed under gPCUserExtensionNames, and now the script runs just once!
    So I think this solution will work ok for me. We don't have any other Local Policies in place, so demolishing all existing Local Policies is perfectly acceptable in my case. I'm just not sure if I'm doing any damage by copying the gpt.ini file from a reference
    machine (if anyone can expand on how that works, I would appreciate the peace of mind that I'm not making things worse by doing this). So all I need now is to write a Startup script, or an SCCM package to deliver the Logon scripts and associated ini files
    to the appropriate location on all the domain PCs. Easy enough to do on my own. If anyone knows of a reason why this method is a bad idea, please post here. I'll be testing it out on a handful of PCs in the mean time.
    Hi Guys,
    Will this solution work for my case? I have a forcereboot batch script that I need to load on the local policy (logoff script through GPEDIT); however, I can only load it manually. I need to do it on multiple machines (approx 5000 computers). I am having trouble doing it using PowerShell. Are there any other options to do it?
    Will I have to use the same GUIDs you mentioned in the gpt.ini file (gPCUserExtensionNames=[{42B5FAAE-6536-11D2-AE5A-0000F87571E3}{40B66650-4972-11D1-A7CA-0000F87571E3}]), since it refers to the local script? And how about the version in the gpt.ini file?
    Thanks in advance.
    Dash
    https://social.technet.microsoft.com/Forums/en-US/1f636042-bcff-498d-93c0-e1aa89f80961/how-to-load-a-script-on-the-local-group-policy-on-multiple-computers?forum=mdopagpm

  • Logon script for looping - searching - deleting - copy

    I was trying to do multiple functions within a logon script.  If nobody wants to write the script, can you please point me to the right resource to find how to code it.  I am completely new to this and need help.
    The logic is to have a list of files on the server which were recently updated(this list changes all the time), using these files you would loop and search for these same files on the end user's machine upon logging in.  When it finds that same file
    on the end user's machine you would delete the file from the end user's machine, then copy the new updated file from the server onto the end user's machine in the same location the previous one was deleted from.  If file not found on end user's machine
    then just copy new one without deleting anything in highest level directory.  When done, you would loop again until you went thru every file that was updated on the server.  The source directory will always be the same and the copy to directory on
    end user's machine will always be the same, but end user's machines have subdirectories and the files that will be getting updated are in both.  Any help in any fashion would be appreciated.
    We are in the process of migrating from XP to Windows 7.  While in XP, we only had to do a copy function in the logon script and it would copy over the old file and replace it.  But Windows 7 doesn't delete the old file, it appends the new one
    to the old one, making it hard for the software looking for these files to work properly when it sees two files instead of one current one.  Hopefully this makes sense, I can elaborate more if anyone wants to help and needs more details.  Thanks.

    I would definitely not recommend copying files to end user machines from a logon script.
    But you are right that this isn't a script-on-demand forum.
    You can post a script request here:
    https://gallery.technet.microsoft.com/scriptcenter/site/requests
    I would point out that, as with this forum, there is no service-level agreement that guarantees that someone will have the time to do this work for you. You will need to provide a very detailed specification; your post here is very vague.
    However: It sounds to me like you don't have a scripting question but some kind of application architecture question.
    -- Bill Stewart [Bill_Stewart]

  • How to create a logon script to delete folder, subfolders and contents when a user logs on ?

    I need to create a logon script which will delete a folder, subfolder and contents when a user logs on. I have no experience with scripting so any pointers you can give would be much appreciated.
    Thanks

    Depending on how you have things set up, it might be easier to make a LaunchAgent to handle this. Do this:
    copy the text below into a text editor
    save it as a plain text file in /Library/LaunchAgents with the file name "user.startup.folderDeleter.plist" (the name doesn't matter so much, but the 'plist' extension is required)
    load the plist into launchd by restarting the machine or by opening terminal and running the command launchctl load /Library/LaunchAgents/user.startup.folderDeleter.plist
    This will delete the folder any time any user logs in.  You could also expand this to delete the folder periodically (once a day, for instance) if that would be helpful.
    Note, this file must be saved as plain text. apps like TextEdit sometimes default to making rich text files which will not work.  Either download a programmer's text editor like TextWrangler, or make sure that TextEdit is using plain text (if the window has a formatting toolbar it's using rich text;  select "Make Plain Text" from the Format menu).
    copy the text below:
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
              <key>Label</key>
              <string>user.startup.folderDeleter</string>
              <key>RunAtLoad</key>
              <true/>
              <key>ProgramArguments</key>
              <array>
                        <string>osascript</string>
                        <string>-e</string>
                        <string>tell application "Finder" to delete folder "Final Cut Express Data" of folder (path to preferences from user domain)</string>
                        <string>-e</string>
                        <string>tell application "Finder" to empty trash</string>
              </array>
    </dict>
    </plist>

  • Drives and printers can be connected manually when needed logon script is aborted

    Hi All,
    Could anyone help me with the issue "the computer is not in the location network (Domain) drives and printers can be connected manually when needed logon script is aborted"
    Thanks
    Atul Srivastava

    Hi Atul,
    >>the computer is not in the location network (Domain) drives and printers can be connected manually when needed logon script is aborted
    How did this happen? Did you use logon script to map drives or printers to users? If yes, did the computer have network connection to the domain controllers? You can ping the IP addresses of your domain controllers to check network connectivity.
    Besides, you can check event logs in Event Viewer to see if some related events were logged.
    Best regards,
    Frank Shen

  • Wireless and Logon Scripts

    Hi,
    New to enterprise wireless. Just installed 20 WAPs 1240s and 1 WLC 4402.
    The users are using a radius server to authenticate against the AD.
    How can I get the logon scripts to run?
    Thanks,
    Scott.....

    The easiest way to do this is on the client side use the Microsoft client (supplicant) and use either PEAP or EAP-TLS. If you are using IAS, configure the wireless policy for a wireless users group and add the users as well as the computers to the group. When the users log in, they will be authenticated as that user. When they log off it reauthenticates as the PC. This allows group policy, remote desktop etc. The only problem you can have is with remote desktop and EAP-TLS. If you do a remote desktop connection to a PC that is authenticated with EAP-TLS it will drop your connection as the RDP client does not pass your cert info in the remote desktop session.
    You can potentially do this with a third party supplicant, but they are usually pretty kludgy.

  • How do I have an exe in a logon script run as a different user (either a domain admin or even the local system account)

    So, I'm having some problems getting a logon script to work.  I need a way to deploy the agent that we use via login/startup scripts and what I have works fine if the user has admin rights, or if UAC is disabled.  I've tried to convert the .exe
    to an .msi to make it easier, but the .msi never works and it's only distributed as an .exe.  We deploy this to different clients, I can't disable UAC in their environment unless they specifically tell us to.  Can anyone think of a way around this? 
    I've been searching for days and I'm just lost.  If we could execute the file as the system account, or connect to shares using a startup script instead of logon, that would be perfect.  Basically what it does is check to see if the process for the
    agent is running (agentmon.exe) so we don't attempt to install it if it is already installed, if it's not, then it calls on a different agent installer depending on the IP address of the system (for clients that have more than one location).  Here's what
    I've got written that works for me in my test environment:
    Const strAgent1 = "\\home.wiginton.local\SysVol\home.wiginton.local\Policies\{CD4ED3BD-0709-4E3D-A303-C9E3B0F5198D}\User\Scripts\Logon\Test-KcsSetup1.exe"
    Const strAgent2 = "\\home.wiginton.local\SysVol\home.wiginton.local\Policies\{CD4ED3BD-0709-4E3D-A303-C9E3B0F5198D}\User\Scripts\Logon\Test-KcsSetup2.exe"
    Const strAgent3 = "\\home.wiginton.local\SysVol\home.wiginton.local\Policies\{CD4ED3BD-0709-4E3D-A303-C9E3B0F5198D}\User\Scripts\Logon\Test-KcsSetup3.exe"
    Const strFolder = "C:\Temp\"
    Const Overwrite = True
    dim objFSO, objNIC1, arrNIC, strIP, strMask, objShell, objWMIService
    dim proc, WshNetwork, i
    'Checks for Kaseya agent process, AgentMon.exe, exits if running
    Set objWMIService = GetObject ("winmgmts:")
    Set proc = objWMIService.ExecQuery("select * from Win32_Process Where Name='agentmon.exe'")
    If proc.count > 0 Then
        WScript.Quit
    End If
    'Instantiate a NIC configuration object
    Set objNIC1 = GetObject("winmgmts:").InstancesOf("Win32_NetworkAdapterConfiguration")
    'Instantiate a shell object
    Set objShell = CreateObject("wscript.shell")
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    'Create Temp Dir if it doesn't exist
    If Not objFSO.FolderExists(strFolder) Then
        objFSO.CreateFolder strFolder
    End If
    For Each arrNIC in objNIC1
        if arrNIC.IPEnabled then
            StrIP = arrNIC.IPAddress(i)
            strMask = arrNIC.IPSubnet(i)
            Set WshNetwork = WScript.CreateObject("WScript.Network")
        end if
    next
    Function NetworkID(Address, Mask)
        Dim AddressOctets, MaskOctets, Result, N
        AddressOctets = Split(Address, ".")
        MaskOctets = Split(Mask, ".")
        ReDim Result(UBound(AddressOctets))
        For N = 0 To UBound(AddressOctets)
            Result(N) = AddressOctets(N) And MaskOctets(N)
        Next
        NetworkID = Join(Result, ".")
    End Function
    Select Case NetworkID(strIP,strMask)
        Case "192.168.0.0"
        ' Kaseya install commands for 192.168.0.0 subnet
        objFSO.CopyFile strAgent1, strFolder, Overwrite
        Wscript.Sleep 1*60*1000
        objShell.run "C:\Temp\Test-KcsSetup1.exe"
        Case "192.168.1.0"
        ' Kaseya install commands for 192.168.1.0 subnet
        objFSO.CopyFile strAgent2, strFolder, Overwrite
        Wscript.Sleep 1*60*1000
        objShell.run "C:\Temp\Test-KcsSetup2.exe"
        Case "192.168.2.0"
        ' Kaseya install commands for 192.168.2.0 subnet
        objFSO.CopyFile strAgent3, strFolder, Overwrite
        Wscript.Sleep 1*60*1000
        objShell.run "C:\Temp\Test-KcsSetup3.exe"
        Case Else
        ' Some sort of error checking. Maybe a BLAT SMTP command to send an email
    End Select
    Set objWMIService = Nothing
    Set objNIC1 = Nothing
    Set objShell = Nothing
    Set WshNetwork = Nothing
    Wscript.quit

    You need to read the documentation carefully:
    The Deploy Agents install package is created using a Configure Automatic Account Creation wizard. The wizard copies agent settings from an existing machine ID or machine ID template and generates an install package called KcsSetup. All settings and pending agent procedures from the machine ID you copy from—except the machine ID, group ID, and organization ID—are applied to every new machine ID created with the package.
    Including Credentials in Agent Install Packages
    If necessary, an agent install package can be created that includes an administrator credential to access a customer network. Credentials are only necessary if users are installing packages on machines and do not have administrator access to their network. The administrator credential is encrypted, never available in clear text form, and bound to the install package.
    ¯\_(ツ)_/¯

  • Amending script to read list of computers, run script and output to log file

    Hello all,
    I have cobbled together a script that runs and does what I want. Now I would like to amend the script to read a list of computers rather than use the msg box that it is currently using for the strcomputer; if a computer doesn't respond to a ping, then log that; if it does, continue with the script and when it is complete, log a success or failure. I have just started scripting and would really appreciate some help on this one, thanks. I created the script to fix an SCCM updates issue and failing task sequences, so it may prove useful to others.
    There are msg box entries that can be removed that were originally in there for the user running the script.
    'setting objects
    Dim net, objFSO, shell
    Dim objFile, strLine, intResult
    Set objnet = CreateObject("wscript.network")
    Set objFSO = CreateObject("scripting.filesystemobject")
    Set objshell = CreateObject("wscript.shell")
    strfile = "c:\wuafix\wuafix.vbs"
    strUser = "domain\user"
    strPassword = "password"
    'getting server name or IP address
    strComputer=InputBox("Enter the IP or computer name of the remote machine on which to repair the WUA agent:", "Starting WUA Fix")
    'check to see if the server can be reached
    Dim strPingResults
    Set pingExec = objshell.Exec("ping -n 3 -w 2000 " & strComputer) 'send 3 echo requests, waiting 2secs each
    strPingResults = LCase(pingExec.StdOut.ReadAll)
    If Not InStr(strPingResults, "reply from")>0 Then
    WScript.Echo strComputer & " did not respond to ping."
    WScript.Quit
    End If
    'Check if source file exists
    If Not objFSO.FileExists(strFile) Then
    WScript.Echo "The source file does not exist"
    WScript.Quit
    End If
    MsgBox "The WUA Fix is in process. Please wait.", 64, "Script Message"
    'mapping drive to remote machine
    If objFSO.DriveExists("Z:") Then
    objnet.RemoveNetworkDrive "Z:","True","True"
    End If
    objnet.MapNetworkDrive "Z:", "\\" & strComputer & "\c$", True
    'creating folder for install exe on remote machine
    If (objFSO.FolderExists("Z:\wuafix\") = False) Then
    objFSO.CreateFolder "Z:\wuafix"
    End If
    'copying vbs to remote machine
    objFSO.CopyFile strFile, "Z:\wuafix\wuafix.vbs"
    'set command line executable to run a silent install remotely
    strInstaller1 = "cscript.exe c:\wuafix\wuafix.vbs"
    'strInstaller2 = "c:\wuafix\wuafix.vbs"
    strExec = "c:\pstools\PsExec.exe "
    'objshell.Run strExec & " \\" & strComputer & strInstaller1
    On Error Resume Next
    result = objshell.Run(strExec & " \\" & strComputer & " " & strInstaller1)
    If Err.Number = 0 Then
    WScript.Echo "PSXEC Runing WUA fix remotely"
    Else MsgBox Err.Number
    MsgBox result
    End If
    Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
    Set colLoggedEvents = objWMIService.ExecQuery _
    ("SELECT * FROM Win32_NTLogEvent WHERE Logfile = 'Application' AND " _
    & "EventCode = '4'")
    Wscript.Echo "Event Viewer checked and Fix Applied:" & colLoggedEvents.Count
    MsgBox "Removing mapped drive Please wait.", 64, "Script Message"
    If objFSO.DriveExists("Z:") Then
    objnet.RemoveNetworkDrive "Z:","True","True"
    End If
    MsgBox "The WUA Fix has been applied.", 64, "Script Message"
    quit
    wscript.quit
    Any help appreciated and explanations on the process would be great as I would like to learn the process involved, which is difficult when working during the day.
    many thanks

    Hi Bill,
    Long story short, I have approx. 2800 clients with an old entry in WMI for updates that the SCCM client cannot clear or run because they do not exist anymore, so the client will not run updates or use a task sequence because of this. My script fixes this and does a couple of other things. I have found another way to do this by running a different script that uses WMI to call a cscript function that uses the wuafix.vbs that is copied to the machine. I am also changing the echo entries to output to a log file instead so that I can track which clients have run the fix and which ones haven't.
    If you have any suggestions then please let me know, nothing nefarious :)
    many thanks

  • Problem Windows 8 logon script not working from windows server 2008 R2

    Hi there, this is my third post regarding this problem. Here is how my problem goes:
    It is a very simple logon script for mapping drives. Please take note: domain users on Windows XP / Windows Vista / Windows 7 can access and run this script, and only for users on Windows 8.1 does it NOT run at all. I put the script in the logon script setting of the Windows Server 2008 R2 group policy.
    @jrv (http://social.technet.microsoft.com/profile/jrv/?ws=usercard-mini) insisted it is my group policy setup problem, so I am posting here again.
    Manually running the script on Windows 8.1 works 100% perfectly, so it is definitely not my logon script issue. Please share any guidance, OK? Thanks.
    Below is my script syntax:
    @echo off
    REM Login.bat Version 1.0
    REM Exit if user has logged on to the Server
    IF %COMPUTERNAME%.==SL2011. GOTO END
    REM Delete pre-existing drive mappings
    REM
    REM Map M: to SL2011 on sl2011
    NET USE M: /DELETE >nul
    NET USE M: \\SL2011\sl2011 /YES >nul
    REM
    REM Map Y: to AccScan on rss2
    NET USE Y: /DELETE >nul
    NET USE Y: \\rss2\Public\AccScan /YES >nul
    REM

    Hi Tee Ee Foong,
    According to your post, gpresult showed the GPO was applied and the script could run successfully manually on the client. Right? Please follow these steps to narrow down the issue:
    1. Change the script as follows: add > %SystemDrive%\Users\test.txt to the script.
    2. Log on to a client with a regular user account, run gpupdate /force, and then log on to this client again.
    3. Check if the test.txt file exists in this location: %SystemDrive%\Users.
    If the test.txt file exists, the GPO with the logon script is applied successfully when the user logs on. But whether running the logon script achieves the goal we expected is still not sure.
    Regards,
    Lany Zhang

  • Machine authentication is a little slow causing logon script to fail

    using:
    - Windows Zero with PEAP
    - Machine authentication only (AuthMode is set to 2 in the registry)
    - PCs are logging in automatically, so it's a fast process
    It appears that machine authentication is a little slow. I can ping the PC's IP after the auto login happens. This causes logon script to fail.
    If I hold shift to cancel auto-login, and wait for 10-20 seconds, the ping of the PC starts, and then if I login the logon script works.
    Does anyone know a solution to this issue? Maybe a way to introduce a delay for login window (msgina.dll) to appear, so that machine authentication has time to connect

    It's a common issue when authentication takes time.
    You can simply delay the logon scripts.
    This is an example of waiting for network to be up by pinging 10.10.10.10
    Only when network is up, then it will execute the script
    :CHECK
    @echo off
    echo Please wait....
    ping -n 1 -l 1 10.10.10.10
    if errorlevel 1 goto CHECK
    @echo on
    REM Now the actual logon script:
    net use L: \\fileserver\share
    Note: Modify the script in accordance with the network topology.
    Nicolas
    ===
    Don't forget to rate answers that you find useful

  • Group Policy Logon Script to create folder based on username, run as admin

    Hello,
    I'm at a loss as to how to make this work.  I wrote the following PowerShell script that will check to see if the currently logged in user has a folder on a share, and if not it will create the folder and set appropriate permissions.  I want to
    run it as a Group Policy Logon Script, however I need to run this script as an administrator because users don't have any write/create access at the folder level of the file share.  The problem with that then becomes $ENV:Username resolves to the admin
    account the script is running under.
    Any ideas?
    Thanks!
    Ryan
    # Declare Variables
    $strName = $env:USERNAME
    $strDomain = $env:USERDOMAIN
    If ($strDomain -eq "domain.org") {
        # Split Username into 2 variables
        $data = $strName.Split("_")
        $fname = $data[0]
        $lname = $data[1]
        #Find first character of last name
        $firstcharacter = $lname[0]
        # Figure out if last name begins with A-M or N-Z
        $A_M=$firstcharacter -match "[a-m]"
        $N_Z=$firstcharacter -match "[n-z]"
        # Checks to see if folder exists
        If ($A_M -eq $true){$FolderExists = Test-Path "\\staff-files\staff\Last Name A-M\$strName"}
        elseif ($N_Z -eq $true){$FolderExists = Test-Path "\\staff-files\staff\Last Name N-Z\$strName"}
        # Creates folder if it doesn't exist
        If (($FolderExists -eq $false) -and ($A_M -eq $true)){
            New-Item "\\staff-files.domain.org\Staff\Last Name A-M\$strName" -type directory
            $DirPath = "\\staff-files.domain.org\Staff\Last Name A-M\$strName"
        }
        elseif (($FolderExists -eq $false) -and ($N_Z -eq $true)){
            New-Item "\\staff-files.domain.org\Staff\Last Name N-Z\$strName" -type directory
            $DirPath = "\\staff-files.domain.org\Staff\Last Name N-Z\$strName"
        }
    }
    ElseIf ($strDomain -eq "students.domain.org") {
        # Pull 2 digit year from username and make 4 digit year
        $4digityear = "20" + $strName.Substring(0,2)
        # Checks to see if folder exists
        $FolderExists = Test-Path "\\files.domain.org\students\$4digityear\$strName"
        # Creates folder if it doesn't exist
        If ($FolderExists -eq $false) {
            New-Item "\\files.domain.org\students\$4digityear\$strName" -type directory
            $DirPath = "\\files.domain.org\students\$4digityear\$strName"
        }
    }
    # Assign Permissions
    If ($FolderExists -eq $false){
        $target = $DirPath
        $acl = Get-Acl $target
        $inherit = [system.security.accesscontrol.InheritanceFlags]"ContainerInherit, ObjectInherit"
        $propagation = [system.security.accesscontrol.PropagationFlags]"None"
        $accessrule = new-object system.security.AccessControl.FileSystemAccessRule ("CREATOR OWNER","Modify",$inherit,$propagation,"Allow")
        $acl.AddAccessRule($accessrule)
        $accessrule = new-object system.security.AccessControl.FileSystemAccessRule ("NT AUTHORITY\SYSTEM","FullControl",$inherit,$propagation,"Allow")
        $acl.AddAccessRule($accessrule)
        $accessrule = new-object system.security.AccessControl.FileSystemAccessRule ("administrators","FullControl",$inherit,$propagation,"Allow")
        $acl.AddAccessRule($accessrule)
        If ($strDomain -eq "students.hempfieldsd.org"){
            $accessrule = new-object system.security.AccessControl.FileSystemAccessRule ("DOMAIN\Domain Users","Modify",$inherit,$propagation,"Allow")
            $acl.AddAccessRule($accessrule)
        }
        $accessrule = new-object system.security.AccessControl.FileSystemAccessRule ("DOMAIN\Staff_Tech","FullControl",$inherit,$propagation,"Allow")
        $acl.AddAccessRule($accessrule)
        $accessrule = new-object system.security.AccessControl.FileSystemAccessRule ("DOMAIN\Enterprise Admins","FullControl",$inherit,$propagation,"Allow")
        $acl.AddAccessRule($accessrule)
        $accessrule = new-object system.security.AccessControl.FileSystemAccessRule ($strName,"FullControl",$inherit,$propagation,"Allow")
        $acl.AddAccessRule($accessrule)
        $acl.SetAccessRuleProtection($true,$false)
        $acl.SetOwner([System.Security.Principal.NTAccount]$strName)
        Set-Acl -AclObject $acl $target
    }
    Ryan Breneman - Systems Administrator - Hempfield School District

    Thanks jrv. That is kind of what I thought but wasn't sure. I think I will attack this a different way and modify the script to run through all the AD accounts and check for folder existence and create if needed. Perhaps I'll play with System Center Orchestrator and run it inside there.
    These folders aren't being used for profile storage, and we already have folder redirection pointing to them; however, I don't want a user to log in to Citrix and not have anywhere to save if they didn't have a folder to redirect to.
    Folders are supposed to be created when the staff member/student AD account is created, but it doesn't always happen.
    Thanks for your help!
    Ryan Breneman - Systems Administrator - Hempfield School District
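
The approach described in the reply above (walk the AD accounts from an administrative context and create any missing folder) could look like the following. This is an added example, not code from the thread; it covers only the student layout (`20` + two-digit year), and `$ShareRoot`, `$SearchBase`, `$NetBios` and the function name `Set-HomeFolderAcl` are placeholders. As a choice of this example, the user gets Modify rather than FullControl and ownership, and no Domain Users entry is added.

```powershell
# Added example. Needs the ActiveDirectory (RSAT) module and an account that
# may create folders and set ACLs on the share. All names below are placeholders.
Import-Module ActiveDirectory

$ShareRoot  = '\\files.domain.org\students'      # placeholder share root
$SearchBase = 'OU=Students,DC=domain,DC=org'     # placeholder OU
$NetBios    = 'DOMAIN'                           # placeholder NetBIOS domain name

function Set-HomeFolderAcl {
    param([string]$Path, [string]$Account)
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $acl = Get-Acl -Path $Path
    # Stop inheriting from the share root and discard the inherited entries.
    $acl.SetAccessRuleProtection($true, $false)
    $entries = @(
        @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
        @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' },
        @{ Id = $Account;                 Rights = 'Modify' }   # user cannot change the ACL
    )
    foreach ($e in $entries) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $e.Id, $e.Rights, $inherit, $prop, 'Allow'
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

$users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase
foreach ($u in $users) {
    $name = $u.SamAccountName
    # Student names on the page start with a two-digit year; skip anything else.
    if ($name -notmatch '^\d{2}') { Write-Warning "Skipping $name"; continue }
    $path = '{0}\20{1}\{2}' -f $ShareRoot, $name.Substring(0, 2), $name
    if (Test-Path -LiteralPath $path) { continue }   # folder already exists
    try {
        New-Item -Path $path -ItemType Directory -ErrorAction Stop | Out-Null
        Set-HomeFolderAcl -Path $path -Account "$NetBios\$name"
        Write-Output "Created $path"
    } catch {
        Write-Warning "Failed for ${name}: $($_.Exception.Message)"
    }
}
```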

  • Logon script delayed by 5 minutes (300 seconds)

    It appears Windows 8.1 may have a built-in delay processing logon scripts of 5 minutes. Obviously, seeing as it is brand new, I'm not finding an ounce of information about it anywhere.
    Basically, I have troubleshot this problem for hours now. It boils down to the simple fact that I have several brand new Windows 8.1 systems joined to a Server 2003 domain. Users have a GPO applied to them that assigns a logon script that maps network drives and printers. After logging in, the script does not execute until 5 minutes have passed.
    I have removed all other GPOs, eliminated all non-Microsoft services and shut off all startup items. It makes no difference of admin or limited account, roaming profiles or folder redirection makes no difference. Looking through the event viewer -> Microsoft -> Group Policy I can follow the process step by step and everything looks great. The event log shows the policy processing and application is happening within milliseconds. Then there is exactly a 5 minute delay down to the second between:
    Group Policy Winlogon Start Shell handling complete
    and
    Starting Logon script for domain\user
    Task manager confirms that wscript.exe does not run until 5 minutes after logging in.  Once wscript.exe starts the logon script is processed as normal and the drives and printers are mapped as expected.
    I do not have any Windows 8 machines at this location, but I checked another location that has very similar policies and scripting and Windows 8 processes the logon script immediately.  This issue appears isolated to Windows 8.1.
    It appears that as part of Microsoft's attempt to optimize the startup and logon process of Windows they may have added a 5 minute delay before processing logon scripts. What I need to know is why, and where is the registry key to change this.
    Thanks

    Mark Russinovich had a very good session about troubleshooting slow logins this year at TechEd. I highly recommend you try running Procmon during bootup to identify exactly why it's taking so long. In his example it was trying to access a path for updates that no longer existed and it waited until it timed out and then continued on. Another example of this was an environment that was installing McAfee every time during bootup which was causing slow logons. It's worth a shot to at least ensure all your policies have been applied as the event log isn't verbose enough.
    This is not my blog, nor am I affiliated, but it seemed like a good tutorial for doing this.
    http://www.msigeek.com/6231
    Be kind and Mark as Answer if I helped.
