Startup scripts don't have permission

    Question

  • I'm having problems with my startup scripts. Even an easy task such as copying a file from the server to the hard drive can't complete. It will create the folder I told it to make, but the script ends there and does not copy files over. I'm thinking it's a permission problem but have no clue how to go about fixing it. Does anyone have any ideas?
    Tuesday, December 01, 2009 3:22 PM

All replies

  • Startup Scripts run in Systems (machine) context.
    Ensure to have read permissions on the share and the folder for the machine accounts.
    Depending on how security critical the information is on the server share either use dedicated accounts (maybe gathered in a group)
    or just use AUTHENTICATED USERS (which includes all machine accounts of the domain!).
    Patrick
    Tuesday, December 01, 2009 3:43 PM
  • All the permissions on the shared folder are fine. All systems have read and execute access.
    Wednesday, December 02, 2009 12:39 AM
  • Hi,

    To narrow down the cause of this problem, please try to run the script manually using PsExec with the -s parameter.

    PsExec
    http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx

    Please let us know if there is any error message.

    Please also try to run the script directly as normal user and administrator.

    If it cannot copy files manually, please let us know the content of the script so that we could test on our side.

    On server, run "cacls Path of Share" and paste the result here.

    Thanks.


    This posting is provided "AS IS" with no warranties, and confers no rights.
    Wednesday, December 02, 2009 3:54 AM
    Moderator
  • It works fine with the psexec and running as an admin or user. Everything copies over fine.
    Wednesday, December 02, 2009 4:21 AM
  • Please also provide the other things Mervy asked for (script content, cacls output). Thanks.
    Patrick
    Wednesday, December 02, 2009 9:35 AM
  • The cacls output is
    \\ad\upload\shen.bat HUSKIES\administrator:(ID)F
                         Everyone:(ID)R
                         HUSKIES\Domain Users:(ID)R
                         BUILTIN\Administrators:(ID)F
                         HUSKIES\Domain Computers:(ID)R
                         NT AUTHORITY\SYSTEM:(ID)F
                         BUILTIN\Users:(ID)R

    and the content of the bat file is
    mkdir "C:\program files\PedagogicalPC"
    xcopy "\\ad\upload\PedagogicaPC" "C:\program files\PedagogicaPC\" /s /e
    copy "\\ad\upload\Pedagogica.lnk" "C:\Documents and Settings\Default User\Desktop"
    
    Wednesday, December 02, 2009 3:45 PM
  • Hi,

    I tested your script on my test machine as a computer startup script and it works fine. Let’s try to modify your script and test again.

    echo mkdir >>c:\echo.txt

    mkdir "C:\program files\PedagogicalPC"

    echo xcopy >>c:\echo.txt

    xcopy "\\ad\upload\PedagogicaPC" "C:\program files\PedagogicaPC\" /s /e /y >>c:\echo.txt

    echo copy >>c:\echo.txt

    copy "\\ad\upload\Pedagogica.lnk" "C:\Documents and Settings\Default User\Desktop" /y >>c:\echo.txt

    After testing, open c:\echo.txt and let us know the content.

    If still no files copied, please also check the permission of "C:\program files\PedagogicaPC\" and "C:\Documents and Settings\Default User\Desktop".

    Thanks.

    Friday, December 04, 2009 9:27 AM
    Moderator
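
    A variant of the logging approach suggested in the post above, as an added example that is not part of the original thread: it captures stderr as well as stdout and records the exit code of each step, so a remote read failure can be told apart from a local write failure. The share and file names are the ones posted in the thread; the log location under %SystemRoot%\Temp and the write-test.tmp probe file are assumptions.

```batch
@echo off
setlocal
REM Added diagnostic example, not from the thread. Share and folder names
REM are the ones posted above; the log location is an assumption (a local
REM folder the SYSTEM account can normally write to).
set "LOG=%SystemRoot%\Temp\startup-diag.log"
set "SRC=\\ad\upload"
set "DST=C:\Program Files\PedagogicaPC"

>>"%LOG%" echo ==== %date% %time% %COMPUTERNAME% ====
>>"%LOG%" echo Context: %USERDOMAIN%\%USERNAME%

REM Step 1: remote read. A failure here points at share or NTFS permissions
REM for the computer account, or at the server name used in the path.
>>"%LOG%" echo [1] dir "%SRC%"
dir "%SRC%" >>"%LOG%" 2>&1
>>"%LOG%" echo [1] exit code %errorlevel%

REM Step 2: local write. Create the target folder if needed, then create
REM and delete an empty probe file in it (hypothetical name).
if not exist "%DST%" mkdir "%DST%" >>"%LOG%" 2>&1
>>"%LOG%" echo [2] copy nul "%DST%\write-test.tmp"
copy /y nul "%DST%\write-test.tmp" >>"%LOG%" 2>&1
>>"%LOG%" echo [2] exit code %errorlevel%
if exist "%DST%\write-test.tmp" del "%DST%\write-test.tmp"

REM Step 3: the real copy, with both output streams in the log.
>>"%LOG%" echo [3] xcopy "%SRC%\PedagogicaPC" "%DST%"
xcopy "%SRC%\PedagogicaPC" "%DST%" /s /e /y /i >>"%LOG%" 2>&1
>>"%LOG%" echo [3] exit code %errorlevel%

endlocal
```

    Read the log from top to bottom: the first step with a non-zero exit code shows whether the problem is on the network side or on the local disk.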
  • Hi,

    Have you tried the suggestions? Any update is welcomed. If there is any problem, please let us know the detailed error message.

    Thanks

    Wednesday, December 09, 2009 2:32 AM
    Moderator
  • Sorry, other problems on the network have come up. But when I tried it quickly, it did not even create the txt file. It seems like it can only create folders but can't create files.
    Wednesday, December 09, 2009 6:57 AM
  • Startup scripts run with System privileges for local resources, but with the credentials of the computer object elsewhere in the network. I grant permissions either to the computer object, or better yet the group "Domain Computers" for remote resources in the file system needed in Startup scripts. Does this help?

    Richard Mueller
    MVP ADSI
    Wednesday, December 09, 2009 8:12 PM
  • Hi,

    Thank you for update.

    What’s the version of your clients? If they are Vista, UAC may affect this issue.

    What’s the permission settings of "C:\program files\PedagogicaPC\" and "C:\Documents and Settings\Default User\Desktop"?

    If the SYSTEM has proper rights, please modify the script as below to test again.

    echo mkdir >> "C:\program files\PedagogicaPC\echo.txt"
    mkdir "C:\program files\PedagogicalPC"
    echo xcopy >> "C:\program files\PedagogicaPC\echo.txt"
    xcopy "\\ad\upload\PedagogicaPC" "C:\program files\PedagogicaPC\" /s /e /y >> "C:\program files\PedagogicaPC\echo.txt"
    echo copy >> "C:\program files\PedagogicaPC\echo.txt"
    copy "\\ad\upload\Pedagogica.lnk" "C:\Documents and Settings\Default User\Desktop" /y >> "C:\program files\PedagogicaPC\echo.txt"

    Thanks.

    Thursday, December 10, 2009 7:24 AM
    Moderator
  • Hi,

    Do you need any other assistance? If there is anything we can do for you, please let us know.

    Thanks.

    Monday, December 14, 2009 6:32 AM
    Moderator
  • Hi all, I have the same problem: my [machine] startup script can't access a shared folder. I need only read and execute rights.

    I have granted access to Domain Computers group, but again the result is: "Access denied".

    My clients are Windows XP Pro, server is Windows Server 2003 R2.

     

    Any ideas?

     

    Thank you

    Tuesday, May 11, 2010 5:00 PM
  • up...
    Thursday, May 13, 2010 12:46 PM
  • If you have set appropriate permissions for the machine account(s) on the share AND on the folder and it still does not work,
    try the following:
    Add account "ANONYMOUS" with the same permissions on share and folder.
    I have seen workstations trying to connect without authentication via their own account.
    This should not happen for XP clients under usual circumstances, so consider it only as a test to narrow down your issue.
    Patrick
    Sunday, May 16, 2010 6:44 PM
  • Thank gotsch-it for reply.

    I have tried with Anonymous, but again the same problem, "access denied". Interesting... I don't understand why it is denied even with these rights.

     

    What do you suggest?

    Thank you

    Monday, May 24, 2010 4:27 PM
  • up...

    sorry, I have tried, but I could not have tried a solution.

    Friday, May 28, 2010 3:31 PM
  • Please confirm that you take into account both, Share AND Folder permissions.
    If one is missing, it will not work.

    If you still can't get it working, I'd suggest to use "Process Monitor" or other monitoring tools on the File Server to see what happens with the shared folder:
    http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx

    Do you see any GPO related event log entries on the client?

    Also, please verify the script path in your GPO to see there is no typo
    (copy, paste, execute).

     

     


    Patrick
    Monday, May 31, 2010 8:47 AM
  • Sorry gotsch for delay, I was ill.
    Please confirm that you take into account both, Share AND Folder permissions.
    If one is missing, it will not work.
    Yes, I can confirm that.

    If you still can't get it working, I'd suggest to use "Process Monitor" or other monitoring tools on the File Server to see what happens with the shared folder:
    http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
    I know Process Monitor, but I can't see anything, only some network TCP traffic, obviously.

    Do you see any GPO related event log entries on the client?
    No, nothing.

    Also, please verify the script path in your GPO to see there is no typo
    (copy, paste, execute).

    I'm sure for this. To test now I run my script with "psexec -s". If I run it as normal user it run ok with no errors, the script is ok. It is very very simple, it call a .bat script on the share, this second script only echo "Hello Awful World!".

    What can I try now?

    Thanks

    Monday, June 21, 2010 3:08 PM
  • There is no user when a Startup script runs. They run with the credentials of the computer. I grant permissions to the computer object, a domain group that includes the computer(s) as member(s), or the group "Domain Computers" (for all computers except Domain Controllers). Again, it needs to be share and folder permissions. Does this help?

    Richard Mueller


    MVP ADSI
    Monday, June 21, 2010 9:08 PM
  • Hi Richard, thank you for help. I have also read it on your site.

    I have read that, in a previous post I have written that I have shared that folder with right share and folder permissions, both "Domain Computers" and single computer account, but always get "access denied".

     

    I can't understand the problem. 

     

    My environment: Windows Server 2003 Std, Windows XP Pro

    Thursday, June 24, 2010 7:20 AM
  • In my test domain with Windows Server 2003 Std, I have a startup script that logs to a shared file on a server. My Windows XP pro client adds a line to the log every time it starts.

    Could a firewall be blocking?

    Richard Mueller


    MVP ADSI
    Thursday, June 24, 2010 4:05 PM
  • Yes I have read your script.

     

    No firewall, if I execute the script with a "normal" user there is no problem, only with "system" account I get "Access Denied", no time out or connection problem.

    Friday, June 25, 2010 7:30 AM
  • Hello, same problem here in a Windows 2003 Domain functional level with 2 Windows 2008 DCs.
    My situation :
    What I try :
    I have a computer startup script to execute at start of my PCs, some are Windows XP with SP3 and some are Windows 7 Enterprise, all 32-bit.
    This startup script, listed without comments at end of this message, must install the MS App-V Desktop Client on each computer --- a setup.exe bootstrapper executable.
    What I obtain, after enabling in the corresponding GPO the visibility of startup script execution:
    1. on the Windows 7 PCs (with UAC on, set when PC installed), the script executes perfectly and the App-V client is installed and works ok.
    2. on the Windows XP PCs, the script starts, the setup.exe starts, followed by an access denied line, followed by a deinstallation of probably some prerequisites

    How could I determine what is access denied?
    Has the SYSTEM account really FULL control on the computer !
    Thank you.

    jmd

    The startup script is in the NETLOGON share of my DCs; the included setup.exe is on another share with all required permissions (share & NTFS) correct (I think).
    It starts here :

    setlocal

    set ProductName_AppVDesktopClient={40C3258B-F9D1-46DF-AE97-72C1F86F2427}

    REM Set DeployServer to a network-accessible location containing the source files.
    set DeployServer=\\dc1\iesn\install-apps

    REM Set LogLocation to a central directory to collect log files.
    set LogLocation=\\dc1\iesn\install-apps

    IF NOT "%ProgramFiles(x86)%"=="" SET WOW6432NODE=WOW6432NODE\
    reg query HKEY_LOCAL_MACHINE\SOFTWARE\%WOW6432NODE%Microsoft\Windows\CurrentVersion\Uninstall\%ProductName_AppVDesktopClient%
    if %errorlevel%==1 (goto Run) else (goto End)

    REM If 1 returned, the product was not found. Run setup here.
    :Run

    start /wait \\dc1\iesn\install-apps\setup.4.6.exe /s /v"/qb /norestart SWICACHESIZE=65536 SWIPUBSVRDISPLAY=svr-App-V SWIPUBSVRTYPE=RTSP SWIPUBSVRHOST=svr-App-V.iesn.be SWIPUBSVRPORT=554 SWIFSDRIVE=Q"
    ::echo %date% %time% App-v Desktop Client setup ended with error code %errorlevel%. >> \\dc1\iesn\install-apps\%computername%.log
    set
    pause

    REM If 0 or other was returned, the product was found or another error occurred. Do nothing.
    :End

    Endlocal

    Thursday, August 05, 2010 2:49 PM
  • Hello.

    I found my problem.

    In my above startup script, I execute the setup.4.6.exe program through the share with :

         \\dc1\iesn\install-apps\setup.4.6.exe

    but dc1 is an alias for server.
    After replacing the alias with the netbios name, no more access denied and the setup runs perfectly.

    Voilà.

    Thursday, August 05, 2010 4:06 PM
  • I had this problem in the past and the way I resolved it is to avoid accessing UNC paths directly and instead run net use X: \\server\share /User:DomainName\UserName "password"

    of course having the password in clear text is not a good practice for many reasons and will also cause audit failure :) so you will need to use batch to exe to compile your script to an exe file that no one can open and see what's in it.


    Mohsen Almassud

    Wednesday, March 07, 2012 12:55 AM
  • Hello.

    I found my problem.

    In my above startup script, I execute the setup.4.6.exe program through the share with :

         \\dc1\iesn\install-apps\setup.4.6.exe

    but dc1 is an alias for server.
    After replacing the alias with the netbios name, no more access denied and the setup runs perfectly.

    Voilà.


    See the link and you will be able to use also the alias in your script : http://support.microsoft.com/kb/926642/en-us

    " Never panic before reboot ! "

    Wednesday, March 07, 2012 1:07 AM
  • glad it's all working :)

    Mohsen Almassud

    Wednesday, March 07, 2012 1:22 AM
  • @ Voldar :

    Thank you.

    I have already done that (as referred in your link).

    But perhaps it was on another server.

    I will recheck it on the dc1.

    Friday, March 09, 2012 8:55 PM
  • I'm having the same issue on Server 2003 SP2.

    Added this

    copy \\tserver\logon\tserver.rdp "\\SERVER\D$\UsersShared Folders\%username%\desktop"

    pause

    into the logon.bat file and I'm getting the same 'access denied' error. I've tried creating a new share called (logon) as above with domain users full permissions to the share and the file as a test but still no joy.

    Anyone?

    Thursday, September 20, 2012 6:48 PM
  • Let's say you have 2 computers in a domain, computer1 and computer2. Computer1 is the one with the share. In order to run the copy, computer2 has to have read access to the share, because startup scripts run under system context like one of the guys mentioned here in this very long thread :).


    Mohsen Almassud


    Friday, September 21, 2012 10:24 AM