AD GPO's Computer Startup script: How

Thread starter: hecresper

Hi,

Hopefully, this doesn't turn out to be a double posting. I used FreeAgent
for my first post, but I'm not sure if it went through. So, here it goes.

I created a Workstations OU and moved all my Domain Computers into that
OU. I created a Workstations GPO specifically for that OU. Now I want to
put that GPO to good use by leveraging the Computer Startup script portion
of it. I made sure that Domain Computers had Read and Apply Policy security
settings. I copied my script into the GPO's Computer Startup script folder.
I added the command line argument needed for my script. I clicked 'OK'. The
next day my PCs are all stuck at 'Running startup scripts...' I don't know
what I'm doing wrong here. The script runs fine when done manually.

Here's the script:

@echo off
net use s: \\path-to-replicated-share\support /persistent:no

if exist s:\scriptlog\%computername%.txt goto end

net user administrator %1
echo Administrator password changed > s:\scriptlog\%computername%.txt

:end
net use s: /delete

The %1 gets expanded from the command line argument supplied in the GPO.

Does anyone know of maybe a checklist that I could go through to make sure I
didn't miss something?

Thanks,
Hector
 
Hello Hector.

It appears that you should be implementing a logon script, not a startup
script. Startup scripts operate in the context of the computer, not a user.
Mapping a network drive for the computer is not possible...

Instead, please implement this as a logon script for the users.

David Fisher
Enterprise Platform Support
 
So, if I implement this as a Logon script, would the user be able to change
the Local Admin's password? That's why I was trying to get the computer to
do this. Thanks for your replies.

Local Administrators group only has Domain Admins and Local Admin as
members.

Local Users group is completely empty.

Local Power Users group only has Domain Users.
 
Hello.

The problem is likely the commands to map a network drive.

Please remove the instructions to map the drive. Then, simply use the
following UNC path instead of "s:\scriptlog\%computername%.txt" to specify
the output redirection:
\\path-to-replicated-share\support\scriptlog\%computername%.txt

The full command will be as follows:
echo Administrator password changed > \\path-to-replicated-share\support\scriptlog\%computername%.txt

It would be more secure to get a list of all workstations in the domain and
run the command at one time from a domain controller...

David Fisher
Enterprise Platform Support
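
The change described in the reply above, applied to the whole startup script, as an added example that is not part of the original thread. The share path is the placeholder used in the thread; the empty-argument guard and the errorlevel check are additions made here.

```batch
@echo off
rem Added example, not code from the thread.
rem A computer startup script runs in the computer's context (local SYSTEM)
rem and reaches the share as the computer account, so no drive is mapped.
setlocal
set "LOG=\\path-to-replicated-share\support\scriptlog\%COMPUTERNAME%.txt"

rem Marker file present: this workstation was already processed.
if exist "%LOG%" goto end

rem No password argument supplied by the GPO: do nothing.
if "%~1"=="" goto end

rem Change the local Administrator password; stop if net user fails.
net user administrator "%~1" >nul 2>&1
if errorlevel 1 goto end

rem Write the marker only after the change succeeded.
echo Administrator password changed > "%LOG%"

:end
endlocal
```

This assumes the computer accounts (Domain Computers) have write access to the scriptlog folder. The script parameter, here the new password, is saved with the GPO in scripts.ini under SYSVOL, which domain accounts can read.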
 