# Group Policy Logon/Logoff Scripts



## freaknut (Oct 12, 2007)

My Group Policy logon/logoff scripts aren't being run.

I have an Active Directory object with a group and user both located in it. I've joined the user to the group and applied some group policies to the object already that work just fine, so I know my structure is set up properly.

Now I try to add logon and logoff scripts. For troubleshooting's sake, I went ahead and put both scripts on a network share and even referenced them in group policy through the network share instead of the server's local drives. The scripts have read/execute permissions for the group that this Group Policy is applied to. I have even gone as far as logging onto another computer with the user that this is supposed to apply to and manually running the scripts. They both work. I've added these scripts under User Configuration/Windows Settings/Scripts (Logon/Logoff) when editing the group policy from Active Directory.

They're not executing when I log on to a domain computer with this user.


----------



## freaknut (Oct 12, 2007)

Sorry to bump this. Any help would be appreciated. Thanks.


----------



## rhynes (Aug 14, 2006)

Is this a new install or existing? First thing coming to mind is dns setup.
Run nslookup on your server and a workstation from a dos prompt, nslookup should return the servername.domainname.suffix on both. If it doesn't, that's where to start.

Did the login scripts run from the default location of C:\WINDOWS\SYSVOL\sysvol\domainname\scripts ?


----------



## freaknut (Oct 12, 2007)

With Thanksgiving break, I won't be able to check on this until Monday. I'll get back to this then.

Thanks for your response!!!


----------



## freaknut (Oct 12, 2007)

nslookup returned the exact same entries on both the server and the client computer.

The scripts still don't run when placed in the folder you mentioned.


----------



## rhynes (Aug 14, 2006)

What is the first dns server in the list freaknut? Is it your ISP dns or your server IP?

Under "active directory users and computers", open one of your users. Click on the profile tab and enter the logonscriptname.bat where it says login script. Reboot a workstation and try logging on as the user you just changed.

What do you have in your logon scripts?


----------



## freaknut (Oct 12, 2007)

The only DNS server in the list is my domain server.

Defining the logon script on the profile tab worked. (will still need to get Group Policy working right though)


The contents of both scripts:
logon.bat - copy \\homebase\shared\shortcut.lnk "C:\Documents and Settings\All Users\Desktop\"

logoff.bat - del "C:\Documents and Settings\All Users\Desktop\shortcut.lnk"


----------



## rhynes (Aug 14, 2006)

ok, just wanted to make sure everything worked under the default. 

You are editing the default domain policy right? Try applying your group policy again but leave the script where it is. You may want to rename the script from .bat to .cmd.


----------



## freaknut (Oct 12, 2007)

I'm not sure what you mean by "editing the default domain policy".

Renamed the extension to .cmd. Still no go.


----------



## rhynes (Aug 14, 2006)

How are you editing policies???

If you open "active directory users and computers", right click on your OU and properties.
Click Edit and drill down to user configuration, windows setting, scripts.


----------



## freaknut (Oct 12, 2007)

That's how I'm editing them.


----------



## rhynes (Aug 14, 2006)

Is this 2003? It takes time for policies to take effect... from a command line on the server, run gpupdate /force
reboot a workstation and try again.


----------



## freaknut (Oct 12, 2007)

Yup. Running server 2003.

Still didn't work. Checked the event log as well and the only message was that group policy security settings were applied successfully.


----------



## rhynes (Aug 14, 2006)

Does it even try to run? Put a pause at the end of the logon script you created just to see if it's running but creating errors.


----------



## freaknut (Oct 12, 2007)

I put the pause in. It doesn't seem to even be executing. I had also manually run the script already and it executed just fine.


----------



## rhynes (Aug 14, 2006)

Move the script to the default location: C:\WINDOWS\system32\GroupPolicy\User\Scripts\Logon 
and make the adjustments in the gpo. remember to /force again. 

Did you apply any other policies? Software restriction policies?


----------



## freaknut (Oct 12, 2007)

I won't be able to get back to this until tomorrow morning.

I really appreciate your help on this. Thank you.


----------



## rhynes (Aug 14, 2006)

This is normally not that hard... something else to try...

Computer Configuration -> Administrative Templates -> System -> Group Policy.
Look for Scripts policy processing. Double click on Scripts policy processing and select (check) Enabled. Then, also select (check) Allow processing across a slow network connection in the box and press OK.


----------



## freaknut (Oct 12, 2007)

I tried all of those suggestions and they didn't seem to work. I'm beginning to suspect the wireless NIC in the laptop I'm using for testing though. I think it might be taking way too long to connect, even for the "Allow processing over a slow network connection" option. I'm going to get my hands on another laptop and test it out. I'll let you know what I find.

Also, there is another login script that runs, but I disabled it for the specific user I'm using and it didn't make a difference.


----------



## freaknut (Oct 12, 2007)

Well...I tried a PC that's using CAT5 instead of wireless. Still didn't work. So I'm pretty sure I've ruled out slow network.


----------



## rhynes (Aug 14, 2006)

hmmm... gpo logon scripts are usually pretty easy. One more thing to check, make sure users have permissions to run the login scripts.


----------



## freaknut (Oct 12, 2007)

User permissions are set correctly. And just to double check, I ran the script from the start menu. It executed properly.


----------



## JCBNAZ (Nov 29, 2007)

I have a user Login & Log Off script that runs based either upon 'All users' or Individually (per MGR request.) My scripts reside in my DC's NETLOGON folder as .cmd type scripts. I am not sure how the general population does it, I can only offer what I found works as a solution.

Create a hidden share on a less known server that everyone within the domain can write to. Create a 'Out' Folder and a 'In' folder & Hide them (Properties/HIDDEN), within these folders create a new .txt with folder's designation. (ie: out.txt) 
Set the sharing & security to:
PERMISSIONS Button: 'Everyone' FULL CONTROL box checked
SECURITY TAB: Add your OU's and 'ALLOW': Modify, Read & Exc, List Folder, Read, Write

Create two new scripts in your NETLOGON @ your DC, with the following line (replace SERVER with a server name & 'FOLDER' with whatever you'd like to call that folder, and don't forget to add the $ at the end):

LOG IN SCRIPT:
echo Logon to, %computername%, by, %username%, at, %time%, on, %date%, >>\\SERVER\FOLDER$\in\in.txt

LOG OFF SCRIPT:
echo Log Off of, %computername%, by, %username%, at, %time%, on, %date%, >>\\SERVER\FOLDER$\OUT\out.txt



Create new GPO
Edit - User Configuration | Windows Settings | Scripts (Logon/Logoff)
Click Properties and then click 'SHOW FILES'. Point to the Log Scripts. Do this for both Logon & Logoff.
Close the EDIT window
Make sure under the SCOPE tab that your DOMAIN(s) is under LOCATION window
Select Users this should be applied to under 'SECURITY FILTERING'.


Perhaps if you can compare these settings to your own and see where there's differences with your GPO Script and this one, process of elimination might get culprit!!

John


----------
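An added example, not part of JCBNAZ's post: a parser for the `in.txt` / `out.txt` lines the two echo commands above write, pairing logons with logoffs per computer and user. Because the share is writable by every domain user, lines that do not match the format are reported instead of being dropped. The function names are hypothetical, and the US-English `%date%` / `%time%` formats are an assumption.

```python
from datetime import datetime

# Constructed sample data in the format the two echo commands produce.
# Assumption: US-English %date% ("Thu 11/29/2007") and %time% (" 8:03:22.15").
IN_TXT = """\
Logon to, PC01, by, jsmith, at,  8:03:22.15, on, Thu 11/29/2007,
Logon to, PC02, by, adoe, at,  8:10:05.40, on, Thu 11/29/2007,
Logon to, PC01, by, jsmith, at, 13:30:00.00, on, Thu 11/29/2007,
this line was typed into the file by hand
"""
OUT_TXT = "Log Off of, PC01, by, jsmith, at, 12:01:10.02, on, Thu 11/29/2007,\n"
KINDS = {"Logon to": "logon", "Log Off of": "logoff"}

def parse_line(line):
    """Return (kind, computer, user, timestamp), or None if the line is malformed."""
    f = [p.strip() for p in line.split(",")]
    if len(f) < 8 or f[0] not in KINDS or (f[2], f[4], f[6]) != ("by", "at", "on"):
        return None
    try:
        day = f[7].split()[-1]  # drop the weekday name in front of the date
        ts = datetime.strptime(f"{day} {f[5]}", "%m/%d/%Y %H:%M:%S.%f")
    except (ValueError, IndexError):
        return None
    return KINDS[f[0]], f[1], f[3], ts

def sessions(in_text, out_text):
    """Pair each logoff with the most recent open logon for (computer, user)."""
    events, rejected = [], []
    for line in (in_text + "\n" + out_text).splitlines():
        if line.strip():
            ev = parse_line(line)
            (events if ev else rejected).append(ev or line.strip())
    events.sort(key=lambda e: e[3])
    open_logons, closed = {}, []
    for kind, computer, user, ts in events:
        key = (computer, user)
        if kind == "logon":
            open_logons.setdefault(key, []).append(ts)
        elif open_logons.get(key):
            closed.append((computer, user, open_logons[key].pop(), ts))
        else:
            rejected.append(f"logoff without logon: {computer} {user} {ts}")
    still_open = sorted((c, u, t) for (c, u), ts in open_logons.items() for t in ts)
    return closed, still_open, rejected

if __name__ == "__main__":
    closed, still_open, rejected = sessions(IN_TXT, OUT_TXT)
    print("closed:", closed)
    print("open:", still_open)
    print("rejected:", rejected)
```
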



## kodyleonard (Nov 28, 2007)

Under the profile tab of the user settings is there anything listed in logon script?

When you say you run the script from a workstation, are you copying the script and running it locally or are you browsing to the network location of the script and running it? I only ask to make sure the location is accessible by the user.


----------



## freaknut (Oct 12, 2007)

JCBNAZ - It doesn't seem to change anything when I try that.

kodyleonard - There is currently no script under the profile tab, although if you read up in this thread I have tried that. As for running the script from the client computer, the script was located on the server in the exact same location GP is looking for it in, so I know that the client machine can execute the script.


----------



## StumpedTechy (Jul 7, 2004)

What happens when you do a gpresult? Do you see this new group policy listed? If you modified an existing GPO possibly make a new one just for this with a new name and see if it's applying? Also you mentioned the DNS the only server was your DNS server but you didn't mention if when you do an internal ping if you're getting a FQDN or just a machine name? You can potentially have network connectivity without having fully 100% functioning DNS.


----------



## freaknut (Oct 12, 2007)

Stumped - gpresult returned "The user '_domain\user_' does not have RSOP data." I tried looking into this and, to make a long story short, found that I have event error 1054 in my Application event viewer.

It says "Windows cannot obtain the domain controller name for your computer network. (An unexpected network error occurred. ). Group Policy processing aborted."

I tried gpupdate, and it logged another 1054.

As for getting an FQDN when I ping...when I ping the DNS server from one of the client laptops, it says "Pinging _servername.domainname.org_". I'm assuming that's what you mean by getting an FQDN?


----------



## kodyleonard (Nov 28, 2007)

Have you tried taking the workstation out of the domain and then putting it back in?


----------



## rhynes (Aug 14, 2006)

FN, it sounds like there's problems with the domain functionality... download the support tools here: http://www.microsoft.com/downloads/...78-8BE1-4E81-B3BE-4E7AC4F0912D&displaylang=en
Install to c:\support and run the following commands from c:\support in dos. 
dcdiag /v >dcdiag.txt
netdiag /v >netdiag.txt

Post your results minus any identifying information.


----------



## freaknut (Oct 12, 2007)

I'm getting this on two wireless laptops and one CAT5 PC. One of the laptops I just joined to the domain this morning.


----------



## freaknut (Oct 12, 2007)

Rhynes - I do that on the server, correct?


----------



## rhynes (Aug 14, 2006)

yes


----------



## freaknut (Oct 12, 2007)

The results are too long for a thread, so I've attached them.


----------



## rhynes (Aug 14, 2006)

hmmm... most things look ok freaknut... didn't notice the netdiag at the end of the file. 

I notice you have WINS installed but not entered into the network card on the server, you should do this. 

Run IPCONFIG /all on your server, what is the first dns server address listed? And what about the workstations. Under your dhcp scope options, what is listed?


----------



## freaknut (Oct 12, 2007)

The first DNS server listed is the server's internal IP on both the server and client. As for DHCP, the only DHCP entry on the server is:

_DHCP Enabled. . . . . . . . . . . : No_

On the client it says:

_DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
DHCP Server . . . . . . . . . . . : [IP Address of this office's gateway]_

Something that I could have sworn I mentioned in my first thread is that this domain is set up over a WAN. There are two separate office locations, with the server at a third location. I'm pretty sure that at both offices the internet gateways are set up to VNC to the DNS server, although I have not had access yet to check on this (I didn't originally set up this network). I will try and check that today if possible. I apologize for not mentioning this earlier. I thought I did, but that must have been a thread for another issue I was having.


----------



## freaknut (Oct 12, 2007)

I'm reawakening this topic in hopes that someone will have a clue.

Another thought I didn't think about before is that this domain controller also happens to be a web server that is hosting a website that has the same name as the domain (both are _domain_.org).

Also, while on the network at either one of the offices, there are sometimes issues with browsing to domains or sub-domains that are hosted by the web server as well. I'm assuming that means there are some DNS issues, but I don't know much about DNS.

With further research, I've found that absolutely NO group policies have worked before, when I initially thought there was one working. A group policy has been put into place, but it failed to apply the settings to all the machines, so they were all manually configured.


----------



## Braknstuf (Feb 1, 2008)

Sometimes scripts don't run over a slow network connection, try this
Edit your policy
goto Computer Configuration
goto system
goto group policy
goto scripts policy processing
set this to enabled
check the allow processing over a slow connection
reboot/refresh and try again


----------

