none
Logon scripts not running

    Question

  • Environment:
    Windows 2003 R2 DC's
    Windows XP SP3 Clients with gigabit cards

    I'm in the process of deploying new pc's to some of our remote office locations and have come across a problem when the machines login where it doesn't run any logon scripts.  If I log the machine out and then back in again the scripts run.  Startup scripts work fine and all other GP settings apply fine including folder redirection.

    The network links are 2mb private ADSL connections so it is a possibilty that the problem GP detecting a slow link speed.  I have so far tried the following:

    Enabled 'Always wait for the network at computer startup and logon'
    Enabled 'Do not detect slow network connections'
    Scripts policy processing: Enabled 'Allow processing across a slow network connection'
    Set 'GroupPolicyMinTransferRate' in the registry
    Set 'GpNetworkStartTimeoutPolicyValue' in the registry
    Our network guys have tried turning of portfast on the switch

    Is there anything I have missed or can try?

    Thanks in advance.








    Monday, June 29, 2009 4:18 PM

All replies

  • So are you using AD user object property to define login scripts or a group policy setting?
    If GPO is used, please make sure the GPO is applied to the users correctly.
    Login Scripts are part of "User Configuration" and have to be applied to user objects to take effect.
    You can use "gpresult /V"  to verify if the GPO and its settings are applied.
    Is there any other user settings in that GPO? If not, define one test setting and try if it works as expected
    (if you don't see that as well, the problem is probably GPO scope or filter).
    Also doublecheck the path you use for the loginscript. Is it correct and do users have access to it?
    Maybe try to run the script manually just to see if the user is able to execute the script at all.

    If you can't solve it this way, enable USERENV logging to gather more information:
    http://support.microsoft.com/kb/221833/en-us
    Use Registry Editor to add or to modify the following registry entry:
    Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    Setting: UserEnvDebugLevel
    Type: REG_DWORD
    Value data: 30002 (Hexadecimal)

    =>   Reboot the machine, and examine the following file:
    %Systemroot%\Debug\UserMode\Userenv.log file.
    This article can help you to do that:
    http://blogs.technet.com/askds/archive/2008/11/11/understanding-how-to-read-a-userenv-log-part-1.aspx


    Patrick
    Monday, June 29, 2009 11:14 PM
  • So are you using AD user object property to define login scripts or a group policy setting?
    If GPO is used, please make sure the GPO is applied to the users correctly.
    Login Scripts are part of "User Configuration" and have to be applied to user objects to take effect.
    You can use "gpresult /V"  to verify if the GPO and its settings are applied.
    Is there any other user settings in that GPO? If not, define one test setting and try if it works as expected
    (if you don't see that as well, the problem is probably GPO scope or filter).
    Also doublecheck the path you use for the loginscript. Is it correct and do users have access to it?
    Maybe try to run the script manually just to see if the user is able to execute the script at all.

    If you can't solve it this way, enable USERENV logging to gather more information:
    http://support.microsoft.com/kb/221833/en-us
    Use Registry Editor to add or to modify the following registry entry:
    Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    Setting: UserEnvDebugLevel
    Type: REG_DWORD
    Value data: 30002 (Hexadecimal)

    =>   Reboot the machine, and examine the following file:
    %Systemroot%\Debug\UserMode\Userenv.log file.
    This article can help you to do that:
    http://blogs.technet.com/askds/archive/2008/11/11/understanding-how-to-read-a-userenv-log-part-1.aspx


    Patrick

    Thanks for the reply.

    The logon scripts run as part of the GPO, all other settings in the GPO apply fine including startup scripts and desktop and start menu customisation.  This only seems to be an issue on machines with Gigabit NIC's.  If I run the script manually it works.  I'm fairly happy that this is not a permissions problem with the script and the path is correct as non gigabit machines run the scripts fine.

    I'll give the userenv debug a try, is there anything in particular I should look for.
    Tuesday, June 30, 2009 12:57 PM
  • Maybe there is a problem with "slow network detection".
    This detection is handled individually for each CSE (and scripts are a dedicated CSE).

    Anway, in the log search for the GUID of your GPO (which you can see in GPMC / details tab) and
    hopefully during settings processing an error message or waring occurs that explains that behavior.

    If not, try (carefully!) experimenting with the settings for "Scripts policy processing" located under
    Computer Configuration / Administrative Templates / System / Group Policies
    e.g. use "Allow processing across a slow network connection" and/or
    "Process even if the group policy objects have not changed".
    Patrick
    Tuesday, June 30, 2009 1:18 PM
  • OK, the userenv logging didn't show anything but I think the problem is linked to the users profile being cached.  If I delete the cached profile the scripts run fine, but if the cached remains the script does not run.

    Is there anyway I can force the script to run at every logon?
    Wednesday, July 01, 2009 2:11 PM
  • Hi,

    Try to enable "process even if the Group Policy objects have not changed" for XP clients and test.

    Create or edit a GPO for client machine and enable the following settings. Navigate to

    [Computer Configuration/ Policies / Administrative Templates / System / Group Policy]

    Double-click [Scripts Policy Processing] and set the properties to enable:
    -"Allow processing across a slow network connection"
    -"process even if the Group Policy objects have not changed"

    If the issue persists, please use Windows Live SkyDrive (http://www.skydrive.live.com/) to upload the userenv.log and then give us the download address.

    Thanks.

    This posting is provided "AS IS" with no warranties, and confers no rights.
    Thursday, July 02, 2009 2:56 AM
    Moderator
  • Tried what you suggested but this didn't make any difference.  Have uploaded the files to http://cid-bceb21cd8c942642.skydrive.live.com/browse.aspx/Public.

    Thanks.
    Thursday, July 02, 2009 9:46 AM
  • How you tried updating the BIOS and the NIC drivers of the machines with gigabit NICs? I reckon encountering a similar problem before, turns out an update of the NIC driver fixed the problem.

    Regards,

    Salvador Manaois III
    MCITP | Enterprise & Server Administrator
    MCSE MCSA MCTS(x5) CIWA C|EH
    My Blog: Bytes and Badz 
    My Shots: View My PhotoStream

    Thursday, July 02, 2009 11:39 AM
  • That was the first thing I tried, BIOS was up to date but NIC drivers did need updating, didn't make any difference though.

    Thanks for the suggestion though.
    Thursday, July 02, 2009 11:42 AM
  • OK, I've played around with a few things and the cause of the problem seems to be that we have enabled 'Only allow local profiles'.  With this enabled a slow link is detected which causes the scripts not to run.  If you set this to not configured a slow link is not detected and the scripts run fine.

    I've set the GP settings to run scripts over a slow link so I'm not sure why this keeps failing.
    Thursday, July 02, 2009 12:28 PM
  • Interesting. If you look at the logfile (userenv.log) you created earlier, can you see the switch to "Slow link" status?
    It should be there...


    Patrick
    Thursday, July 02, 2009 2:15 PM
  • I can see USERENV(2e8.b34) 09:40:16:103 ProcessGPOs: A slow link was detected in the log file and then it continues to process the GP settings. 

    I've compared the userenv file against one when the script works and both look the same apart from the slow link references in the log file on the failing machine and near the end of the log file when it works there are entries referencing wscript as the scripts run.

    I don't understand why setting 'Only allow local profiles' all of a sudden causes the do not detect slow links settings to be ignored and why the script doesn't run even though I have set:

    -"Allow processing across a slow network connection"
    -"process even if the Group Policy objects have not changed"
    Thursday, July 02, 2009 3:25 PM
  • SRR1012

    I'd start off with a fresh Group Policy with just the login script and no other settings. Then add other settings little by little. I know this seems mundane, but I bet the "Only use local group policies" and "process even if the Group Policy objects have not changed" are conflicting. Starting a fresh group policy will help point to the culprit.

    Just make sure that if you enable it and you want to change it back, you'll most likely have to set it to Disabled. Putting it back to not configured will not override the settings most of the time.

    Once you determine what the problem setting is, you should be able to correct the live GPO and move on.

    Also, are the boxes Local GP untouched? I have seen similar issues with some of our older boxes that had "Tweaked" Default GP's and "Tweaked" Registry's.

    Good Luck!

    Mike



    Thursday, July 02, 2009 6:31 PM
  • Thanks for the suggestion Mike.  Have created a fresh GPO with the following settings and the logon script still fails to run.  If I remove 'Only allow local user profiles', script runs fine.  Seems to point to 'Only allow local user profiles' as the cause of the problem.


    System/Logon
    Always wait for the network at computer startup and logon Enabled

    System/User Profiles
    Only allow local user profiles Enabled

    User Configuration\Windows Settings\Scripts\Logon
    Printer.vbs

    Friday, July 03, 2009 10:58 AM
  • OK, but you have clients where the scripts run fine. Earlier you said:
    "This only seems to be an issue on machines with Gigabit NIC's".
    Is it a combination of both? Or is "Only allow local user profiles Enabled" not set on the clients where the scripts run fine?
    If not set, what happens if you set it there? Do login scripts immediately fail to run?

    If yes (which means the behavior is reproducable) for me this would be the point to create a case at MS support.
    Patrick
    Friday, July 03, 2009 11:37 AM
  • Sorry, I forgot that I had made the comment about the gigabit cards earlier in the post!!!  I have managed to replicate this on machines with non gigabit cards, so don't think this is the problem.

    Friday, July 03, 2009 11:51 AM
  • OK, thanks for clarifying.
    Anyway, if you have machines that run fine, but start to fail running loginscripts as soon as you enable that policy for local profiles,
    this is surely not as designed and can be addressed to MS.

    By the way, do you see any "Userinit" related entries in application eventlog after logon process?



    Patrick
    Friday, July 03, 2009 12:48 PM
  • Checked the eventlog's again and there are No Userinit entries in the application eventlog.
    Friday, July 03, 2009 1:17 PM
  • I just tried to reproduce it in my test lab:
    I have a user logging in and starting a login script via GPO.
    Then I enable the "Only allow local user profiles Enabled" policy.
    Login scripts still work...
    So I cannot confirm this to be a general issue.
    It must be something in combination with your environment (other settings etc.)
    Patrick
    Friday, July 03, 2009 8:31 PM
  • What network links are you using?  My test environment replicates our remote office live environment which is 2mb adsl connections.  I think this is only an issue as it is detecting the network link as a slow link due to the upload/download speed.

    I have no issues in a VM or fast network environment.
    Saturday, July 04, 2009 3:40 PM
  • Update on this.

    I currently have a call in with Microsoft who have confirmed that this is by design, solution so far from them is that the users will need to logoff and logon for the scripts to run.  I can appreciate that this is by design, but the ability to override this is not working. 

    I'm just trying to get clarified why Scripts policy processing: Enabled 'Allow processing across a slow network connection' does not work but Folder Redirection policy processing: Enabled 'Allow processing across a slow network connection' does. 

    Amazingly this problem didn't exist in SP2 as I have proven by taking SP3 off, SP2 machines work perfectly.

    Wednesday, July 15, 2009 1:19 PM
  • Note By default, the client-side extension is configured not to run over a slow link. So inspite of this if you have the scripts running on SP2 it is because of the below reason. Once you apply the below fix, you will not see scripts processing on a slow link. The below fix is a part of SP3 which is why you do not see the scripts applying on XP SP3 machines.

    892496 Group Policy scripts are executed over a slow link even though the client-side extension is configured not to run on a Windows 2000-based or Windows XP-based client computer
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;892496
    • Proposed as answer by AD guru Friday, July 17, 2009 12:00 PM
    Thursday, July 16, 2009 12:09 PM
  • Experienced the same symptoms described above.  We found disabling the UAC, nor launchapp.wsf, nor EnableLinkedConnections in the registry to be particularly effective.  We were able to get the logon script specified in the NT user profile to run normally by enabling "Always wait for the network at computer startup and logon" in the Computer Configuration within Group Policy. 

    Wednesday, May 02, 2012 6:44 PM