domain login script doesn't work with Win7 RRS feed

  • General discussion

  • I've successfully joined my Win7 beta machine to our domain, but when logging into the domain the login script does not run--or at least the drive mappings, which are the sole purpose of the login script, do not get set. The only network drive that gets set is the home folder which is set in the user's profile. Is there an easy fix for this, or am I eventually going to have to completely rebuild the system login script? - JR
    • Changed type Mark L. Ferguson Sunday, February 15, 2009 1:58 AM no reply to suggestions
    Monday, February 9, 2009 4:51 PM

All replies

  • are the logon scripts batch / cmd files or group policy?  I will have to check mine in the morning to verify that our group policies are executing.  I will have to test drive mapping to see if it works for me.
    Tuesday, February 10, 2009 2:01 AM
  • Can the drives be mapped by the user after logon? Are your drives being mapped by NET USE, CSCRIPT, something else? Do the scripts even execute or is it just the drive mappings (an easy way to tell is add a line to the end of a batch script that contains:

    @echo off
    echo I ran >> %userprofile%\flag.txt
    time /t >> %userprofile%\flag.txt
    date /t >> %userprofile%\flag.txt

    You can also enable script extension debug logging if you are using GP-based logon scripts and not legacy NT4 logon script processing:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon 

    (This is a DWORD and it writes to WindowsFolder \Debug\Usermode) 

    Ned Pyle [MSFT] - MS Enterprise Platforms Support - Beta Team
    Tuesday, February 10, 2009 4:22 AM
  • I was seeing the same behavior with the Home Drive, even in Vista and Server 2008.

    The login script re-mapped the drive but it didn't take.

    To fix it I created a vbs script to change the volatile environment variables involved.

    That did it for me.

    On Error Resume Next  
    Public strHomePath, strHomeShare  
    strComputer = "." 
    Set objShell = WScript.CreateObject("WScript.Shell")  
    Set objWMIService = GetObject("winmgmts:" _  
        & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")  
    Set colItems = objWMIService.ExecQuery("Select * from Win32_MappedLogicalDisk Where Name = 'H:'")  
    For Each objItem in colItems  
        strHomeShare = objItem.ProviderName  
    Set colVolatileEnvVars = objShell.Environment("Volatile")  
    strHomePath = colVolatileEnvVars("HOMESHARE")  
    If Len(strHomePath) > Len(strHomeShare) Then  
        strHomePath = Right(strHomePath,Len(strHomePath)-Len(strHomeShare))  
        colVolatileEnvVars("HOMEPATH")  = strHomePath  
    ElseIf Len(strHomePath) = Len(strHomeShare) Then  
        strHomePath = colVolatileEnvVars("HOMEPATH")  
    End If  
    colVolatileEnvVars("HOMESHARE") = strHomeShare  
    Tuesday, February 10, 2009 4:28 AM
  • Just to follow up on my post above, I tested group policies and logon scripts today.  All seems to work ok for me.  Via group policy we push out WSUS that overrieds the Windows Update settings on each computer, and that works.  We also have a policy that disables Windows Firewall, which works also.  We have another policy that defines Proxy settings (for a differnt type group of users) and that worked too.

    I created a logon batch file that mapped a network drive.  Through my user profile I specified the logon script to run.  The script ran fine, although you do not see it run when logging in like you would in earlier versions of Windows.  But it did map the drive correctly.

    I did not try to create a group policy for drive mapping.

    Wednesday, February 11, 2009 12:28 AM
  • Since we do have the same problem but also some additional infos I bump this thread in the hopes of getting some answers.

    The login script does run, but unfortunatly only when I start it manually. It does not run during login.

    The only purpose of the script is to map some drives and it works fine under XP. Where else can I find infos about the problem?

    Our script looks like that:

    On Error resume next  
    Set objADSystemInfo = CreateObject("ADSystemInfo")  
    Set objUser = GetObject("LDAP://" & objADSystemInfo.UserName)  
    strDn = objUser.Get("distinguishedName")  
    strSam = objUser.Get("sAMAccountName")  
    strCn = objUser.Get("cn")
    Set colGroups = objUser.Groups  
    Pos = Instr(strDn,"OU=")  
    if Pos = 0 then  
        strOu = "" 
        strOu = Mid(strDn,Pos+3,2)  
    end if  
    Set objNetwork = CreateObject("WScript.Network")   
    objNetwork.MapNetworkDrive "h:""\\frodo\user\" & strSam  
    objNetwork.MapNetworkDrive "j:""\\frodo\misc" 
    objNetwork.MapNetworkDrive "l:""\\frodo\department" 
    objNetwork.MapNetworkDrive "q:""\\frodo\projects" 
    objNetwork.MapNetworkDrive "k:""\\frodo\department\" & strOu  
    if strOu = "IT" then  
        objNetwork.MapNetworkDrive "x:""\\frodo\software" 
    end if  
    'WScript.Echo strOut  
    For Each objGroup in colGroups  
        if objGroup.CN = "DreCash" then  
        objNetwork.MapNetworkDrive "p:""\\gollum\drehcash" 
        end if  
    objNetwork.MapNetworkDrive "i:""\\\shares" 

    Thursday, March 12, 2009 2:10 PM
  • Starocotes,

    Do you call this script via a GPO at login or do you have it being called as part of the users profile in AD as their login script?
    Saturday, March 14, 2009 8:48 PM
  • Mine is called by the "Default Domain Policy" GPO.
    Saturday, March 14, 2009 9:22 PM
  •  @bnborg - does yours work then - based on the feedback you provided earlier?
    Saturday, March 14, 2009 9:40 PM
  • Yes, mine usually works. When it does not work it seems to be a domain network connectivity problem.

    Even though the GPO default path for the script would be \\domain.name\SYSVOL\domain.name\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\USER\Scripts\Logon, it did not work for Windows 7 or Server 2008 R2 until I moved it to the NETLOGON share, \\domain.name\NETLOGON, which is at \\domain.name\SYSVOL\domain.name\Scripts.
    Tuesday, March 17, 2009 10:43 PM
  •  If it's a login script, it's normal for it to simply be in the NETLOGON share, however if it's a GPO you should expect to see it in a {GUID} type folder as each GPO has a specifically created GUID for when you make it, when you amend it and when (should you) delete it - and potentially need to recover it - come Windows 2008 R2.
    Tuesday, March 17, 2009 11:44 PM
  • I don't have the access on our network to move the login script to the NETLOGIN share.  I only have the ability to create computers and users in appropriate OU's.  Is there anything I can try to get my Windows 7 PC to run the login script?
    Of course I can put a copy in the Startup folder, but I don't want to have to do that for 100 PC's if we decide to rollout Win 7 later.
    Thursday, March 19, 2009 6:50 AM
  • hello dutchie027,

    i´m a co-worker off starocotes and i answer for him. yes, we call this script via a GPO at login.
    Thursday, March 19, 2009 10:57 AM
  • Was this resolved?   We have a login script launched from a GPO which doesn't work either.  The other parts of the GPO seem to be working fine, but not the script/drive mappings.   I can run the script manually after login and everything seems to work.   This is launched from...
    \\LogonServer\sysvol\Domain\scripts folder.
    Thursday, April 9, 2009 1:43 PM
  • Mine works for me.

    See my previous post in this thread about the Volatile Environment.
    Thursday, April 9, 2009 8:46 PM
  • I had the same issue you did. I also use a VBS script to map drives from the Default Domain Policy GPO.    I found this article on Windows Connected.com and even though it was targeted to Windows Vista, it solved my issue immediately.


    Hope this hels.

    Friday, April 17, 2009 4:07 PM
  • I had a similar issue.  When logging into the domain from the RC, I could not access the \\Domain\SYSVOL share.  Since I didn't have access, the logon scripts would not run.  I could manually run them by connecting to a specific domain controller (\\DC01\SYSVOL) but no matter what I tried I could not connect to the generic domain share.  It ended up being that my domain user accoun had the "Use Kerberos DES encryption types for this account" box checked.  After unchecking that, I was able to log in with no problems.
    Thursday, May 7, 2009 9:14 PM
  • I have the same problem. The login script works on XP and Vista machines but not Windows 7.  I can run the script locally on the machine as a .vbs file and it works - go figure. 
    Tuesday, May 26, 2009 10:56 PM
  • I checked out "Hubble IT Guy's" link and the registry entry did not exist on my system. I added the entry and logged back in and it worked.  I don't know what Windows setting provides this regitry entry, but it works none the less. 

    EnableLinkedConnections = 1 (DWord)

    I found this when searching for "EnabledLinkedConnections".  Looks like it's related to UAC (big supprise).


    Thursday, May 28, 2009 3:24 PM
  • I'm having a similiar problem with my Win7 RC1 client (no problem with the XP Clients tough). I also have a script which is set in the Group Policy (Logon Script). I can confirm that the script runs because it checks for the presence of the Exchange server and then automatically starts Outlook. However, the network mapping does not work, even after adding the EnableLinkedConnections=1 Dword in the registry.

    When I run the same script again after the logon, the netword drives are mapped.

    I'm going to try running the script in the user profile instead via GP. So I should know more next time I'm logging in.
    Wednesday, June 10, 2009 7:49 AM
  • Man thank you for this!!
    Ive been trying to get this answered since January and finally I stumbled across this thread after posting my own yesterday!

    I too have had the same issues since I first installed the beta. Im the domain admin, and while I can join our domain here at work just fine, I could NEVER get it to run our GPO script that maps our network drives.
    It runs from the \SYSVOL\fis.ucsb.edu\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\USER\Scripts\Logon and sets three shares we have on a fileserver as our G, H, and T drives.
    Aside from that I had a user logon script (for my account only) that mapped a couple of addition locations just for me that always worked fine. It was the GPO stuff that never ran.
    I would get everything applied from the DC except the mapped drives, I even got the custom welcome message when you login, and could browse the domain just fine.

    Just added the EnableLinkedConnections entry to the registry, rebooted, and voila! Theres my G, H and T drives finally!!

    Now I just have to remember and keep that registry key somewhere safe haha!

    This takes me back to the old days of when we ran NT 4 and when we installed a new machine, we had a couple of registry keys we had to run and add afterwards for something or other..
    Wednesday, June 10, 2009 2:47 PM
  • Good luck you made that posting. It still didn't work for me so I double checked my registry entry. And I noticed that I missed the "s" in EnableLinkedConnections.

    It's now working for me, too.
    Thursday, June 11, 2009 5:14 AM
  • I had a similar issue.  When logging into the domain from the RC, I could not access the \\Domain\SYSVOL share.  Since I didn't have access, the logon scripts would not run.  I could manually run them by connecting to a specific domain controller (\\DC01\SYSVOL) but no matter what I tried I could not connect to the generic domain share.  It ended up being that my domain user accoun had the "Use Kerberos DES encryption types for this account" box checked.  After unchecking that, I was able to log in with no problems.

    I have this same problem, but I can't uncheck the box. If I do, I can't manage my BES from my local workstation - it's required for that software to work.

    I suspect this will become a significant issue as Windows 7 arrives in the workplace. Any help would be greatly appreciated! I tried the Reg key, but to no avail...

    Thursday, July 30, 2009 7:54 PM
  • Dr. Jes -

    Out of curiosity, have you tried unchecking the DES encryption box and then accessing your BES?  Here at work we need the box checked to access our KVM but I was able to still access the KVM even after unchecking the box.  It seems like once you enable Kerberos DES for you account, it doesn't matter if the box remains checked or not. 

    Thursday, July 30, 2009 8:59 PM
  • we have the same issue.. I did a post on it the other day and noticed this thread while looking to see if there were any answers in mine. Our computers map fine in XP and Vista.  They fail about 80% of the time with Windows 7. Yet if I log off and back on after the failure the drives will map.  The error logs are also full of group policy errors when the drives don't map.
    Thursday, July 30, 2009 9:12 PM
  • We experience the same problem. Windows 7 Professional Clients joint to our domain do not execute the login script. I can run the script locally and it would map the drives. Though, it doesnt run on logon. We compared the local sec policies with our Vista and XP clients where the mapping script works fine and could not identify yet the cause of this problem. Thanks


    Here's the script.

    ::  ****************************************
    ::      Windows 2003 Server Login
    ::      login.bat
    ::    ****************************************

    ::  ------   Variables  ------
    SET WINVER=NotSupported
    SET errMsg1=
    SET netlogon=\\xxx\netlogon
    TITLE Logon Script File at xxxxx

    ::  ------ OS analyze  ------
    if %OS%==Windows_NT goto setOS

    VER | FIND "Windows 2000 [Version 5"  >NUL && SET WINVER=W2K
    VER | FIND "Windows XP [Version 5"  >NUL && SET WINVER=WXP
    VER | FIND "Windows [Version 6"  >NUL && SET WINVER=WVista
    VER | FIND "Windows [Version 6.1.7600"  >NUL && SET WINVER=W7
    IF "%WINVER%"=="" GOTO beforeEnd
    goto makeCalls

    IF %USERNAME%==xxxx GOTO testArea

    :: ------   Windows 2000   ------
    IF %WINVER%==W2K (
        CALL %netlogon%\mapdrives.bat
        CALL %netlogon%\log.bat
        GOTO beforeEnd   
    :: ------   Windows XP   ------
    IF %WINVER%==WXP (
        CALL %netlogon%\mapdrives.bat
        CALL %netlogon%\log.bat
        GOTO beforeEnd   
    :: ------   Windows Vista   ------
    IF %WINVER%==WVista (
        CALL %netlogon%\mapdrives.bat
        CALL %netlogon%\log.bat
        GOTO beforeEnd   
    :: ------   W7   ------
    IF %WINVER%==W7 (
        CALL %netlogon%\mapdrives.bat
        CALL %netlogon%\log.bat
        GOTO beforeEnd   
    GOTO beforeEnd

    CALL %netlogon%\mapdrives_test.bat
    CALL %netlogon%\log.bat
    GOTO beforeEnd

    GOTO beforeEnd


    Wednesday, October 28, 2009 8:41 AM
  • I just wanted to let people know how I fixed my problem with network drives not being mapped via domain login script just in case someone else made the same silly mistake I did. 

    When my company got Vista we used the launchapp.wsf method to get our administrators network drives mapped. Since we had Windows Vista installed on only 3 computers and we (as IT Administrators) still needed to log into Windows XP machines, we changed the launchapp.wsf file to check to see which OS version we were logging into.

    ' Get operating system so XP maps the drives correctly
    Dim WSHShell, compname, objGroup, osVer
    Set WSHShell = WScript.CreateObject("WScript.Shell")
    ' Get local computer name to figure OS version below
    compname = WSHShell.ExpandEnvironmentStrings("%COMPUTERNAME%")
    Set objGroup = GetObject("WinNT://" & compname & ",computer")
    osVer = objGroup.OperatingSystemVersion
    If osVer = "6.0" Then
      ' LAUNCHAPP.WSF Code
      ' This is a windows XP machine, so run the script right away
    End If
    If we were on a Vista machine it used launchapp.wsf. If we were not on a Vista machine it would run the login script right away. 

    Fast forward to when we installed Windows 7 on the same 3 machines Vista was on. None of our network drives were being mapped. I finally figured out that it was because when we edited launchapp.wsf to check for the OS version we only checked for version 6.0. I changed the script again to check for an OS version of anything greater than or equal to version 6.0 (which includes 7.0).  
    If osVer >= "6.0" Then
      ' LAUNCHAPP.WSF Code
      ' This is a windows XP machine, so run the script right away
    End If
    If you use the launchapp.wsf method to run your login script you will not need to make any registry changes (which did work but is not supported) or deal with volatile environment variables (which did not work for me anyway).

    Good luck everyone!
    Tuesday, November 24, 2009 5:13 PM
  • I have a network with only WIN7 machines and running just a straight launchapp.wsf to push out a simple drive mapping via the GPO and the results are inconsistent. Sometimes it works, sometimes it doesn't.  Any idea why?  I have confirmed the policy runs on every client at login. Here is the code:

    <script language="VBScript">
    ' This sample launches the application as interactive user.
    ' A constant that specifies a registration trigger.
    const TriggerTypeRegistration = 7
    ' A constant that specifies an executable action.
    const ActionTypeExecutable = 0
    ' A constant that specifies the flag in RegisterTaskDefinition.
    const FlagTaskCreate = 2
    ' A constant that specifies an executable action.
    const LogonTypeInteractive = 3
    If WScript.Arguments.Length <> 1 Then
    WScript.Echo "Usage: cscript launchapp.wsf <AppPath>"
    End If
    strAppPath = WScript.Arguments(0)
    ' Create the TaskService object.
    Set service = CreateObject("Schedule.Service")
    call service.Connect()
    strTaskName = "Launch App As Interactive User"
    ' Get a folder to create a task definition in.
    Dim rootFolder
    Set rootFolder = service.GetFolder("\")
    'Delete the task if already present
    On Error Resume Next
    call rootFolder.DeleteTask(strTaskName, 0)
    ' Create the new task
    Dim taskDefinition
    Set taskDefinition = service.NewTask(0)
    ' Create a registration trigger.
    Dim triggers
    Set triggers = taskDefinition.Triggers
    Dim trigger
    Set trigger = triggers.Create(TriggerTypeRegistration)
    ' Create the action for the task to execute.
    ' Add an action to the task. The action executes the app.
    Dim Action
    Set Action = taskDefinition.Actions.Create( ActionTypeExecutable )
    Action.Path = strAppPath
    'WScript.Echo "Task definition created. About to submit the task..."
    ' Register (create) the task.
    call rootFolder.RegisterTaskDefinition( _
    strTaskName, taskDefinition, FlagTaskCreate, _
    ,, LogonTypeInteractive)
    'WScript.Echo "Task submitted."
    Wednesday, November 25, 2009 1:49 PM
  • I am having trouble with my windows 7 computer mapping drives via a VBS script as well. I used the enablelinkedconnections registry fix but it suddenly stopped working after a couple of months. Either way, a registry fix is hardly the preferred way to fix this problem if you have one hundred computers. Has anybody come up with how to resolve this on networks with several computers?


    Wednesday, January 20, 2010 5:19 PM
  • I've also been having some issues with logon scripts and drive maps.  We are testing a Windows 7 machine to make sure that it will work with our network and the rest of our software.

    Anyway, I have tried the registry hack but it didn't work.  I've also tried running the cmd prompt as an elevated user and as a non-elevated user and running 'net use' but I can't see the drives in either case.  If I log on as a standard user then the drives will map as many people have stated.
    The really weird thing is that at logon the cmd prompt stays running with the following line:
    "Enter the user name for 'files':"

    'files' is our file server on which I am trying to map the drive shares.  Almost like its looking for authentication to map one of the shares.

    Does anybody know how to fix this problem?  It would be nice if MS could just make things simple for once.
    Wednesday, January 20, 2010 7:50 PM
  • Has anybody found a solution to this yet?
    Thursday, January 21, 2010 2:05 PM
  • I actually did a test with using a batch file instead of a VBscript and it worked. The problem is if I go that route that I have to convert my VBscript to a batch file. My concern was that I have a lot of syntax that only maps drives if the person logging in is a member of a certain group. Someone showed me this link.

    This will help map drives if a person is a member of a certain group. I have not tested this yet though. 

    However, converting to a batch file may not be a solution for everybody so I am still looking for a better way. 


    Thursday, January 21, 2010 6:08 PM
  • What I did was use the VBscript for just what I couldn't do in a batch file, and use a batch file for the rest.  The batch file calls the script.  I just have to make sure I put them in the same directory.
    Friday, January 22, 2010 7:24 PM
  • Hi guys

    I have some problems that looks like yours, and i have just found out something strange..

    When i set up myself as a Administrator on the machine with domain\username i dont get my vbs mapped drives, but when i change my profile to "standard user" all my drives is mapped on logon.

    I don´t use a logon script, but use a GPO to run the scripts... but i guess that the above information could be of use for solving your problems..


    Monday, January 25, 2010 1:25 PM
  • Jazz,

    I think the reasoning for that is explained here.

    Specifically in that article, the part that is titled "Consumption of Windows Vista settings
    Group Policy Scripts can fail due to User Account Control."

    Tuesday, January 26, 2010 3:04 PM
  • Hey,

    Did anyone find the solution to this?

    We have several 100's Windows 7 computers and VBS scripts are not executing via GPO. UAC is also turned off.


    Mark Bayliss

    Monday, February 22, 2010 6:40 AM
  • Mark,

    Here is what ended up working for me. 

    I changed my VB script into a batch script and used ifmember.exe from Microsoft. I was able to map all drives by group membership and it worked just fine in my tests. If you can do everything with a batch that you are doing in your VBscript, this will work for you.

    Monday, February 22, 2010 2:26 PM
  • Justin, I couldn't figure out how to change the volatile environment from a batch file.

    Yon can change values in HKEY_CURRENT_USER\Volatile Environment, but they don't "take" unless you do it using the API.  This can be done in a VB script.
    • Edited by Brian Borg Saturday, July 31, 2010 11:36 PM
    Tuesday, February 23, 2010 5:19 AM
  • This may not be your issue, but one thing that I found on ours was the drives wouldn't map because the drive letter was in use by the memory card readers installed. When I change the drive letters of the card reader to x:, Y: Z: the drives that I was tring to map worked.

    Maybe that will help someone


    Friday, March 19, 2010 7:38 PM
  • I enabled
    group policy>computer configuration>administrative
    templates>system>logon>"always wait for the network at computer
    startup and logon" now everything seems to be working.


    I was experiencing the same issue, and I think part of the problem with my network was that windows 7 booted up with cached credentials before it pulled an IP from the network.  If the computer does not have a network connection, the 'net use' commands in my .bat scripts are rendered useless.

    Thursday, May 6, 2010 1:19 PM
  • Same issue for me.  Adding the "s" fixed it.  Oh happy day!
    Thursday, May 6, 2010 6:24 PM
  • Thanks for your post Kahnman. I had this problem when I first tested Vista in 2006 and gave up with it at the time (we ended up ditching Vista) but I am rolling out Windows 7 and your post made things clear. I decided to write up my working launchapp.wsf method in full, mainly because the Microsoft script contains illegal characters so if you copy and paste it direct from the Technet page it won't work but it's not clear why not. I also found additional configurable properties for the Scheduled Task Action object that don't seem to be documented anywhere:


    Monday, May 17, 2010 9:33 PM
  • Hi Mark have you already found any solution?

    Here after our Vista computers were upgraded (2k3 domain, OLV media for upg), plus all our others FPP W7 do not run our logon.cmd script (is in netlogon share, assigned via GPO).

    Eventvwr GPO log says that script completed 'in 0 (sometimes 1) seconds' after startshell event. No network mappings in the script - simply put it just does not run, as admin or limited user.

    Our older XP and Vista still run same script, *** as well as our 2k8R2 ***, and the script runs fine in  them, and for the same users (admins or not) !!!


    In Feb 2010 you said: 

    "Did anyone find the solution to this?

    We have several 100's Windows 7 computers and VBS scripts are not executing via GPO. UAC is also turned off."


    Saturday, July 31, 2010 2:38 PM
  • . . .

    We have several 100's Windows 7 computers and VBS scripts are not executing via GPO. UAC is also turned off."

    Do you execute the scripts directly or are they called from a .cmd or batch file?  I call mine explicitly from Logon.cmd, such as:  "cscript \\Borg.local\sysvol\Borg.local\Scripts\Logon.vbs".

    Saturday, July 31, 2010 11:41 PM
  • I'm already using "IfMember" it makes no difference, Win7 client machines don't run the logon batch file called from a GPO.
    Friday, October 29, 2010 7:25 PM
  • Disabling UAC altogether resolved this issue for me. Mapped drives were not mapping on windows 7 domain clients through GPO as batch files. But, would prefer to leave UAC enabled at some level but still be able to map drives via GPO memberships. 
    Sunday, October 31, 2010 5:43 AM
  • I am having the same problems getting a simple login.bat file to run on a Windows 7 machine.  It has worked in our AD for years but does not work with Windows 7.  It is a simple three line file

    @echo off

    net use s: \\server1\share1$ /persistent:no

    net use h: \\server2\share2$ /persistent:no

    The machine has the EnabledLink registry key, and the Always wait for Network Connection GPO.    I started using the lauchapp.wsf method as per this Vista Technet article.


    The ONLY way I can get the bat file to run is by disabling UAC everytime I reable UAC the drives no longer map.  And it can't be one below the default UAC level it has to be turned off completely.  I have spent way more time on this then should be required for something as simple as a login script.  I'm very disappointed that this is still an issue with Windows after so many years.

    Tuesday, November 23, 2010 4:24 PM
  • It seems the issue would be that the GPO VBS script runs using a different assigned token than the user within the administrator group uses for normal (unelevated activity).  The drives are mapped using the elevated (unflitered) token but the user is prevented from accessing (or seeing) the drives when using the computer normally.

    Is that the jist?  If so, is there a way to run the GPO scripts using the user's filtered token?



    Wednesday, December 8, 2010 4:35 PM
  • I work at a local community college whose network is fairly extensive, lately we have been expierencing a similar problem as everyone else here on this post. We have certain logon scripts that run for certain people through their profile in AD. This issue is not happening to everyone but regardless it is happening. In my case I have 5 network drives that connect at logon, all are connecting with the exception of 1. When I try to map it again the drive letter is not shown in the list of available letters. When I open a command prompt and use 'net use' it shows all my drives and the one that doesnt connect is listed as unavailable. I have even copied the bat file and placed  it in the start up folder but that did not work. When I go to another machine and log in all my drives are there. Now when this happens to other people it is alway the same drive that fails to connect,  here is the bat file that runs for me:

                 I:        \\mccmain\mcc\as\Infosys  Microsoft Windows Network
                 J:        \\mccmain\mcc\lab\labapps Microsoft Windows Network
    Unavailable  S:        \\mccmain\mcc\an\shared   Microsoft Windows Network
                 U:        \\mccmain\mcc\users\jesusv
                                                    Microsoft Windows Network
                 X:        \\mccmain\mcc\as\Apps     Microsoft Windows Network
    The command completed successfully.

    As you can see the 'S' drive is the one that fails to connect. Most of our staff/faculty machines are running Win7 Pro and the other are Win XP Pro, very few of thes machines are 64bit. When this first started happening we could not figure out why so we would simply (yeah right) re-do the machine with a deploy of a fresh install. All would be good for awhile then it would happen again. i should also add that when I run the bat file by dbl clicking on it, it does run but the drive still does not connect. I have read through all the posts here and I have brought some of them to my network mgr's attention and are still checking on things. Anyone have any new info that can shed some light on this??

    thanks in advance -


    Thursday, December 9, 2010 5:48 PM
  • Disabling UAC worked for me
    Monday, December 20, 2010 8:44 PM
  • Had the same problem. In my case it was caused by the removable disks configured, as by default, by HP. They all have a drive letter assigned. One of them was H:, even with no memory card in the device. A net use doesn’t list me the H drive and when connecting to the \\srv01\home.... share, I received an error saying that the drive was already in use. My H: drive was visible from the next logon after I changed the default drive letter for the removable disk.

    Monday, February 7, 2011 9:48 PM
  • I stopped using logon script for mapping drives and printer, I'been using GPO preferences for drive/printer mapping and all other stuff.. it works great.. :)

    Thursday, September 22, 2011 8:28 PM
  • Windows Registry Editor Version 5.00
    Thursday, January 19, 2012 8:10 AM
    Wednesday, January 25, 2012 11:16 PM
  • Experienced the same symptoms described by the original author, more specifically batch files unable to map network drives.  We found disabling the UAC, nor launchapp.wsf, nor EnableLinkedConnections in the registry to be particularly effective.  We were able to get the logon script specified in the NT user profile to run normally by enabling "Always wait for the network at computer startup and logon" in the Computer Configuration within Group Policy. 

    • Edited by Jeff Cheah Wednesday, May 2, 2012 6:27 PM
    Wednesday, May 2, 2012 6:25 PM
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]


    That Worked!!!!

    I did not have to rewrite my VBS Script to Batch, I got to keep my RBAC Group / Drive Setup, and a simple Registry GPO fixed it across my network.

    a sample of my VBS Script follows.

    'Logon Script
    'DM Combs
    Set objNetwork = CreateObject("WScript.Network")
    Set objUser = CreateObject("ADSystemInfo")
    Set objCurrentUser = GetObject("LDAP://" & objUser.UserName)
    strGroup = LCase(Join(objCurrentUser.MemberOf))
    If InStr(strGroup, lcase("Ts_FIN_ROLE_GRP")) Then
    objNetwork.MapNetworkDrive "I:", "\\TServ\Accounting"
    objNetwork.MapNetworkDrive "Z:", "\\TSERV1\CompanyDocs$\Accounting"
    End If
    If InStr(strGroup, lcase("Ts_AEGIS_ROLE_GRP")) Then
    objNetwork.MapNetworkDrive "I:", "\\TServ\Aegis"
    objNetwork.MapNetworkDrive "Z:", "\\TSERV1\CompanyDocs$\Aegis"
    End If


    'just keep repeating the "if ... end if" lines for all Role / Access Groups Needed

    • Edited by d4d Wednesday, August 14, 2013 2:41 PM
    Wednesday, August 14, 2013 2:40 PM
  • I guess its different strokes for different folks...I've tried everything on this thread  (registry change etc.) and so far this is the only solution that works for me. It is a very configurable solution too. Thanks very much!
    Tuesday, June 10, 2014 2:50 AM