Unable to modify logon scripts

[nimblegimble]

Hi folks,

I've created a couple of simple logon scripts but I don't seem to make any changes to the sysvol\domain\scripts folder - including editing logon.bat or copying another .bat file into the folder.

I've logged on using an admin account but keep getting 'access denied'. Does anyone know what I'm doing wrong?

Also, in the Sysvol folder we have Domain and Sysvol folders, Sysvol being shared but both having similar, un-editable contents.

Many thanks,

Nimble.

[alsenior]

Check the admin's account privalages. it may sound stupid but you would be suprised what windows will do. also you dont mention what version of windows server you are using

[nimblegimble]

oop, sorry, it's 2000 Server... from what I can gather the admin account has full privileges.

[Splash]

Are you logging directly onto the DC with the administrator account or are you using a mapped drive?

[nimblegimble]

directly onto the DC

[Splash]

Hmmm - how strange. Whenever I make changes through GP I do it from a workstation with the GP Editor installed - are you able to change them scripts like that?

[nimblegimble]

hi, you'll have to forgive my noobiness but I'm fairly new to the networking malarky and the acronyms and abbreviations fly straight over my head. So, in my most embarressed voice might I ask - GP?

All I've tried to do is logon as admin, open Notepad, write my little script and then both save and/or copy the file to the scripts folder.

[Splash]

Group Policy - you are setting the scripts through GP, right?

[EtheAv8r]

You should check the ACLs (security permissions) on the scripts folder that contains the logon scripts that you get access denied for. Just because you are an Administrator (what kind - is it a Domain Administrator, a member of domain local group Administrators - if you have local admins on other boxes it won't count on a DC) - does not necessarily mean you can access the data.

For instance we remove Domain Admins from the local group Administrators on all our Member servers, and grant admin rights to those who actually need it via other groups dropped into the local Administrators group, and Domain Admins have NO access to any Business data - DAs are there to manage the infrastructure, not have access to business data... Sure they can take ownership, but this will be immediatly reported and dealt with!

I think you may find it is a simple permissions issue - or you are not an Admin!

Don't worry about the GP stuff, logon scripts are .bat files and can quite happily be created and edited with notepad - GP Editor is not required.

Path for logon scripts is \\servername\SYSVOL\Domain\scripts\...

[nimblegimble]

I agree, I'm not an admin But Splash's suggestion has led me to the solution - thanks again guys

[Splash]

and Domain Admins have NO access to any Business data - DAs are there to manage the infrastructure, not have access to business data... Sure they can take ownership, but this will be immediatly reported and dealt with!

In my humble and limited experience Domain Admins have far better things to do than trawl through business reports etc....

[EtheAv8r]

In my humble and limited experience Domain Admins have far better things to do than trawl through business reports etc....

... then I expect you don't work in a high security, price sensitive environment, ... with internal (infernal) auditors crawling about everywhere and an independant IT Security team, and Regulators....

Because in such an environment, whether the Domain Admins have the time or not, they are configured out. Indeed only 4 people in our entire organisation have Doman Admins (3000 people in 18 countries) - all normal working Admins rights are delegated via an third party AD management tool (AD native delegation is not granular enough nor it it effectively auditable).

[Moby-Dick]

... then I expect you don't work in a high security, price sensitive environment, ... with internal (infernal) auditors crawling about everywhere and an independant IT Security team, and Regulators....

Because in such an environment, whether the Domain Admins have the time or not, they are configured out. Indeed only 4 people in our entire organisation have Doman Admins (3000 people in 18 countries) - all normal working Admins rights are delegated via an third party AD management tool (AD native delegation is not granular enough nor it it effectively auditable).

You are right - High Security Environments do tend to have very different ideas about Access control ( eg. Government/Financial stuff)

The role I'm just finishing is of a similar sized company ( fewer countries but possible more sites , about the same level of people ) , Theres not that many domain admins but the security infrastructure is probably more relaxed / less frequently reviewed

[Splash]

Hence the "humble and limited experience". That said, in such an environment I should imagine that the DAs are also security cleared, right?

Not disagreeing with you in any way, merely pointing out that the DA is in a position of pretty high trust and authority on a domain.


Anyways, glad we managed to help the OP

[Moby-Dick]

There are different levels of clearance

Even in small environments , its potentially unwise to let the DA ( who is usually relatively low down on the ladder ) have carte blanche over all the data. For example salary scales , staff reviews etc.

but I digress , in terms of the topic , the Domain admins should have pretty full control over the infrastructure part (the c: drive in a standard deployment

[nimblegimble]

Cheers guys! As always, although the discussion ended up completely confusing me, you've put me on the right track and I now know what it is I have to do...

Thanks again, this is easily THE BEST forum and the most help I've received EVER!