locked
VB Login Script Wierdness RRS feed

  • Question

  • Hi,

    We are seeing some weirdness on our profile delivered login scripts.  Most of the time they map network drives just fine but sometimes when people logon they don't map any network drives on the same computer (usually rebooting or logging out and back in fixes it).  We are new to the Microsoft Server world and our Environment consists of 3 domain controllers running Windows Server 2008 r2 and workstations running windows 7 professional and enterprise.  The profile is set to login.bat which contains:

    call \\domain\netlogon\login.vbs

    Then the login.vbs contains:

    Option Explicit

    Dim objNetwork, objUser, CurrentUser

    Dim strGroup

     

    '############Initialise Groups with Const##################

    Const Staffo_Group= "cn=STAFF_GRP"

    Const Studento_Group= "cn=STUDENTS"

    Const Shopg_Group= "cn=SHOP_HVAC"

    Const Transr_Group= "cn=EC_TRANSPORTATION"

    Const Staffh_Group= "cn=HOME1_STAFF_HDRIVE"

    Const Studenth_Group= "cn=HOME1_STUDENT_HDRIVE"

    Const Crepairo_Group= "cn=CREPAIR_GROUP"


    '##########Create objects and extract strGroup values######

    Set objNetwork = CreateObject("WScript.Network")

    Set objUser = CreateObject("ADSystemInfo")

    Set CurrentUser = GetObject("LDAP://" & objUser.UserName)

    strGroup = LCase(Join(CurrentUser.MemberOf))

     

    '##########################O,U,X Drives FS1, APP1##########

    If InStr(strGroup, lcase(Staffo_Group)) Then

    objNetwork.MapNetworkDrive "o:", "\\FS1\SHARE"

    objNetwork.MapNetworkDrive "u:", "\\APP1\APPS\U_SHARE"

    objNetwork.MapNetworkDrive "x:", "\\APP1\APPS\EC"

     

    ElseIf InStr(strGroup, lcase(Studento_Group)) Then

    objNetwork.MapNetworkDrive "o:", "\\FS1\SHARE"

    objNetwork.MapNetworkDrive "u:", "\\APP1\APPS\U_SHARE"

     

    End If

     

    '##########################G, J Drives SHOP APP1###########

    If InStr(strGroup, lcase(Shopg_Group)) Then

    objNetwork.MapNetworkDrive "g:", "\\APP1\apps\EC\SHOP\XBSDATA"

    objNetwork.MapNetworkDrive "j:", "\\APP1\apps\ec\SHOP\XBS"

    'objNetwork.MapNetworkDrive "j:", "\\APP1\apps\ec\SHOP\"

     

    End If

     

    '##########################S Drive HOME1\STAFF#############

    If InStr(strGroup, lcase(Staffh_Group)) Then

    objNetwork.MapNetworkDrive "s:", "\\HOME1\STAFF"

     

    End If

     

    '##########################T Drive HOME1\STUDENTS##########

    If InStr(strGroup, lcase(Studenth_Group)) Then

    objNetwork.MapNetworkDrive "t:", "\\HOME1\STUDENTS"

     

    End If

     

    '########################R Drive Transportation FS1########

    If InStr(strGroup, lcase(Transr_Group)) Then

    objNetwork.MapNetworkDrive "r:", "\\FS1\SHARE\EDC\Trans"

     

    End If

     

    '########################O,U Drive CREPAIR#################

    If InStr(strGroup, lcase(Crepairo_Group)) Then

    objNetwork.MapNetworkDrive "o:", "\\FS1\SHARE\Tech"

    objNetwork.MapNetworkDrive "u:", "\\APP1\APPS\U_SHARE"

     

    End If

    Am I missing some best practices?  Should we be delivering the login script a different way?

    Thanks in advance for any advice:)

    Tuesday, July 19, 2011 6:09 PM

Answers

  • I'm sorry.  Poor design.  I'd have a hard time recommending this consultant for any AD work.

    I would recommend either:

    1)  Use a GPO to assign the vbScript as a logon script and remove the login script from every user's profile.  VERY difficult to manage long term.  THEN you need to move the login script into the GPO's "Scripts" folder.

    2)  BEST SOLUTION:  Use the GPO to actually do the mapping and trash your logon script.  Yes it will work with XP assuming you have the latest updates, including the update titled "Update for Client-Side Extensions".  It can be found in the "Preferences" section of your user settings.  If you're looking for a consultant, see my website below!  I have lot's of national and international references. :-)

     


    C Shane Cribbs
    http://www.georgiatechnologies.com
    • Proposed as answer by BrianSlattery Wednesday, July 20, 2011 1:45 AM
    • Marked as answer by Miya Yao Friday, July 22, 2011 1:38 AM
    Tuesday, July 19, 2011 9:23 PM
  • There is a policy cache of sorts, but when a GPO is updated and the version changes, it should know to re-read the GPO.  One possible explanation is that you have multiple DCs and the GPO changes had not replicated to the DC you were using for logon authentication.

     

     


    C Shane Cribbs
    http://www.georgiatechnologies.com
    • Marked as answer by Miya Yao Friday, July 22, 2011 1:39 AM
    Thursday, July 21, 2011 3:38 PM

All replies

  • A couple of odd things just to think about.  

    1)  Why are you using the NETLOGON share?  That's primarily for backwards compatibility with older Windows OSs.

     

    2)  Why have a batch file call a VBScript?  Why don't you just have the VBScript run directly?

     

    3)  You say "profile based login scripts".  What do you mean?  Is the logon script assigned via a group policy (as it should be) or are you specifying the login script on the properties page of every user (old way)?

     

    4)  Why not just use a group policy to assign the drive letters and get rid of your logon script?


    C Shane Cribbs
    http://www.georgiatechnologies.com
    Tuesday, July 19, 2011 6:19 PM
  • Thanks for the reply Shane,

     

    1)  We hired a consultant to help with transition to Microsoft and that is what he recommended.

     

    2) Same as #1.

     

    3) Yes, the login scripts are assigned via the Profile tab on all users.

     

    4) I was unfamiliar with this method of mapping until after we had the above method in place.  

     

    From what you are saying we need to move to group policy delivered drive mappings.  We still have a handful of XP computers floating around will this method work well with those PCs?

     

    Thanks again for your help.

     

    Tuesday, July 19, 2011 7:58 PM
  • I'm sorry.  Poor design.  I'd have a hard time recommending this consultant for any AD work.

    I would recommend either:

    1)  Use a GPO to assign the vbScript as a logon script and remove the login script from every user's profile.  VERY difficult to manage long term.  THEN you need to move the login script into the GPO's "Scripts" folder.

    2)  BEST SOLUTION:  Use the GPO to actually do the mapping and trash your logon script.  Yes it will work with XP assuming you have the latest updates, including the update titled "Update for Client-Side Extensions".  It can be found in the "Preferences" section of your user settings.  If you're looking for a consultant, see my website below!  I have lot's of national and international references. :-)

     


    C Shane Cribbs
    http://www.georgiatechnologies.com
    • Proposed as answer by BrianSlattery Wednesday, July 20, 2011 1:45 AM
    • Marked as answer by Miya Yao Friday, July 22, 2011 1:38 AM
    Tuesday, July 19, 2011 9:23 PM
  • One thing I have noticed doing some GPO style drive mappings like your #2 is that I usually have to run gpupdate /force (which asks me to log out) before it maps the first time on the workstation.  Am I not being patient enough or did I miss a setting somewhere?

     

    Thanks again for all your help:)

    Wednesday, July 20, 2011 9:00 PM
  • While a gpupdate will cause GPOs to be re-read, some of them won't reapply while a user is logged in.  This is to prevent problems under certain cirumstances.  Don't worry about running the gpupdate, just logout and back in to test your GPO handy-work.  Much more reliable.

     


    C Shane Cribbs
    http://www.georgiatechnologies.com
    Thursday, July 21, 2011 1:56 PM
  • That is what I tried first was logging out and back in and even a workstation restart but the policy change didn't work until I did a gpupdate which prompted me to log out.....Any ideas? Is there a policy cache setting or something?

    Thanks for your help:)

    Thursday, July 21, 2011 3:36 PM
  • There is a policy cache of sorts, but when a GPO is updated and the version changes, it should know to re-read the GPO.  One possible explanation is that you have multiple DCs and the GPO changes had not replicated to the DC you were using for logon authentication.

     

     


    C Shane Cribbs
    http://www.georgiatechnologies.com
    • Marked as answer by Miya Yao Friday, July 22, 2011 1:39 AM
    Thursday, July 21, 2011 3:38 PM
  • We do have multiple DCs and that is probably it.  

    Thanks so much for all of your help:)

    Thursday, July 21, 2011 4:40 PM
  • If I helped I'd really appreciate you marking my posts as helpful.  :-)

     

    Glad it all worked out.

     


    C Shane Cribbs
    http://www.georgiatechnologies.com
    Thursday, July 21, 2011 4:58 PM