Logon scripts not running
- Environment:
Windows 2003 R2 DC's
Windows XP SP3 Clients with gigabit cards
I'm in the process of deploying new pc's to some of our remote office locations and have come across a problem when the machines login where it doesn't run any logon scripts. If I log the machine out and then back in again the scripts run. Startup scripts work fine and all other GP settings apply fine including folder redirection.
The network links are 2mb private ADSL connections so it is a possibilty that the problem GP detecting a slow link speed. I have so far tried the following:
Enabled 'Always wait for the network at computer startup and logon'
Enabled 'Do not detect slow network connections'
Scripts policy processing: Enabled 'Allow processing across a slow network connection'
Set 'GroupPolicyMinTransferRate' in the registry
Set 'GpNetworkStartTimeoutPolicyValue' in the registry
Our network guys have tried turning of portfast on the switch
Is there anything I have missed or can try?
Thanks in advance.
All Replies
So are you using AD user object property to define login scripts or a group policy setting?
If GPO is used, please make sure the GPO is applied to the users correctly.
Login Scripts are part of "User Configuration" and have to be applied to user objects to take effect.
You can use "gpresult /V" to verify if the GPO and its settings are applied.
Is there any other user settings in that GPO? If not, define one test setting and try if it works as expected
(if you don't see that as well, the problem is probably GPO scope or filter).
Also doublecheck the path you use for the loginscript. Is it correct and do users have access to it?
Maybe try to run the script manually just to see if the user is able to execute the script at all.
If you can't solve it this way, enable USERENV logging to gather more information:
http://support.microsoft.com/kb/221833/en-us
Use Registry Editor to add or to modify the following registry entry:
Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Setting: UserEnvDebugLevel
Type: REG_DWORD
Value data: 30002 (Hexadecimal)=> Reboot the machine, and examine the following file:
%Systemroot%\Debug\UserMode\Userenv.log file.
This article can help you to do that:
http://blogs.technet.com/askds/archive/2008/11/11/understanding-how-to-read-a-userenv-log-part-1.aspx
PatrickSo are you using AD user object property to define login scripts or a group policy setting?
If GPO is used, please make sure the GPO is applied to the users correctly.
Login Scripts are part of "User Configuration" and have to be applied to user objects to take effect.
You can use "gpresult /V" to verify if the GPO and its settings are applied.
Is there any other user settings in that GPO? If not, define one test setting and try if it works as expected
(if you don't see that as well, the problem is probably GPO scope or filter).
Also doublecheck the path you use for the loginscript. Is it correct and do users have access to it?
Maybe try to run the script manually just to see if the user is able to execute the script at all.
If you can't solve it this way, enable USERENV logging to gather more information:
http://support.microsoft.com/kb/221833/en-us
Use Registry Editor to add or to modify the following registry entry:
Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Setting: UserEnvDebugLevel
Type: REG_DWORD
Value data: 30002 (Hexadecimal)=> Reboot the machine, and examine the following file:
%Systemroot%\Debug\UserMode\Userenv.log file.
This article can help you to do that:
http://blogs.technet.com/askds/archive/2008/11/11/understanding-how-to-read-a-userenv-log-part-1.aspx
Patrick
Thanks for the reply.
The logon scripts run as part of the GPO, all other settings in the GPO apply fine including startup scripts and desktop and start menu customisation. This only seems to be an issue on machines with Gigabit NIC's. If I run the script manually it works. I'm fairly happy that this is not a permissions problem with the script and the path is correct as non gigabit machines run the scripts fine.
I'll give the userenv debug a try, is there anything in particular I should look for.- Maybe there is a problem with "slow network detection".
This detection is handled individually for each CSE (and scripts are a dedicated CSE).
Anway, in the log search for the GUID of your GPO (which you can see in GPMC / details tab) and
hopefully during settings processing an error message or waring occurs that explains that behavior.
If not, try (carefully!) experimenting with the settings for "Scripts policy processing" located under
Computer Configuration / Administrative Templates / System / Group Policies
e.g. use "Allow processing across a slow network connection" and/or
"Process even if the group policy objects have not changed".
Patrick - OK, the userenv logging didn't show anything but I think the problem is linked to the users profile being cached. If I delete the cached profile the scripts run fine, but if the cached remains the script does not run.
Is there anyway I can force the script to run at every logon? - Hi,
Try to enable "process even if the Group Policy objects have not changed" for XP clients and test.
Create or edit a GPO for client machine and enable the following settings. Navigate to
[Computer Configuration/ Policies / Administrative Templates / System / Group Policy]
Double-click [Scripts Policy Processing] and set the properties to enable:
-"Allow processing across a slow network connection"
-"process even if the Group Policy objects have not changed"
If the issue persists, please use Windows Live SkyDrive (http://www.skydrive.live.com/) to upload the userenv.log and then give us the download address.
Thanks.
This posting is provided "AS IS" with no warranties, and confers no rights. - Tried what you suggested but this didn't make any difference. Have uploaded the files to http://cid-bceb21cd8c942642.skydrive.live.com/browse.aspx/Public.
Thanks. How you tried updating the BIOS and the NIC drivers of the machines with gigabit NICs? I reckon encountering a similar problem before, turns out an update of the NIC driver fixed the problem.
Regards,
Salvador Manaois III
MCITP | Enterprise & Server Administrator
MCSE MCSA MCTS(x5) CIWA C|EH
My Blog: Bytes and Badz
My Shots: View My PhotoStream- That was the first thing I tried, BIOS was up to date but NIC drivers did need updating, didn't make any difference though.
Thanks for the suggestion though. - OK, I've played around with a few things and the cause of the problem seems to be that we have enabled 'Only allow local profiles'. With this enabled a slow link is detected which causes the scripts not to run. If you set this to not configured a slow link is not detected and the scripts run fine.
I've set the GP settings to run scripts over a slow link so I'm not sure why this keeps failing. Interesting. If you look at the logfile (userenv.log) you created earlier, can you see the switch to "Slow link" status?
It should be there...
Patrick- I can see USERENV(2e8.b34) 09:40:16:103 ProcessGPOs: A slow link was detected in the log file and then it continues to process the GP settings.
I've compared the userenv file against one when the script works and both look the same apart from the slow link references in the log file on the failing machine and near the end of the log file when it works there are entries referencing wscript as the scripts run.
I don't understand why setting 'Only allow local profiles' all of a sudden causes the do not detect slow links settings to be ignored and why the script doesn't run even though I have set:
-"Allow processing across a slow network connection"
-"process even if the Group Policy objects have not changed" - SRR1012
I'd start off with a fresh Group Policy with just the login script and no other settings. Then add other settings little by little. I know this seems mundane, but I bet the "Only use local group policies" and "process even if the Group Policy objects have not changed" are conflicting. Starting a fresh group policy will help point to the culprit.
Just make sure that if you enable it and you want to change it back, you'll most likely have to set it to Disabled. Putting it back to not configured will not override the settings most of the time.
Once you determine what the problem setting is, you should be able to correct the live GPO and move on.
Also, are the boxes Local GP untouched? I have seen similar issues with some of our older boxes that had "Tweaked" Default GP's and "Tweaked" Registry's.
Good Luck!
Mike
Thanks for the suggestion Mike. Have created a fresh GPO with the following settings and the logon script still fails to run. If I remove 'Only allow local user profiles', script runs fine. Seems to point to 'Only allow local user profiles' as the cause of the problem.
System/Logon
Always wait for the network at computer startup and logon EnabledSystem/User Profiles
Only allow local user profiles EnabledUser Configuration\Windows Settings\Scripts\Logon
Printer.vbs- OK, but you have clients where the scripts run fine. Earlier you said:
"This only seems to be an issue on machines with Gigabit NIC's".
Is it a combination of both? Or is "Only allow local user profiles Enabled" not set on the clients where the scripts run fine?
If not set, what happens if you set it there? Do login scripts immediately fail to run?
If yes (which means the behavior is reproducable) for me this would be the point to create a case at MS support.
Patrick Sorry, I forgot that I had made the comment about the gigabit cards earlier in the post!!! I have managed to replicate this on machines with non gigabit cards, so don't think this is the problem.
- OK, thanks for clarifying.
Anyway, if you have machines that run fine, but start to fail running loginscripts as soon as you enable that policy for local profiles,
this is surely not as designed and can be addressed to MS.
By the way, do you see any "Userinit" related entries in application eventlog after logon process?
Patrick - Checked the eventlog's again and there are No Userinit entries in the application eventlog.
- I just tried to reproduce it in my test lab:
I have a user logging in and starting a login script via GPO.
Then I enable the "Only allow local user profiles Enabled" policy.
Login scripts still work...
So I cannot confirm this to be a general issue.
It must be something in combination with your environment (other settings etc.)
Patrick - What network links are you using? My test environment replicates our remote office live environment which is 2mb adsl connections. I think this is only an issue as it is detecting the network link as a slow link due to the upload/download speed.
I have no issues in a VM or fast network environment. Update on this.
I currently have a call in with Microsoft who have confirmed that this is by design, solution so far from them is that the users will need to logoff and logon for the scripts to run. I can appreciate that this is by design, but the ability to override this is not working.
I'm just trying to get clarified why Scripts policy processing: Enabled 'Allow processing across a slow network connection' does not work but Folder Redirection policy processing: Enabled 'Allow processing across a slow network connection' does.
Amazingly this problem didn't exist in SP2 as I have proven by taking SP3 off, SP2 machines work perfectly.- Note By default, the client-side extension is configured not to run over a slow link. So inspite of this if you have the scripts running on SP2 it is because of the below reason. Once you apply the below fix, you will not see scripts processing on a slow link. The below fix is a part of SP3 which is why you do not see the scripts applying on XP SP3 machines.
892496 Group Policy scripts are executed over a slow link even though the client-side extension is configured not to run on a Windows 2000-based or Windows XP-based client computer
http://support.microsoft.com/default.aspx?scid=kb;EN-US;892496- Proposed As Answer byAD guru Friday, July 17, 2009 12:00 PM
