Results 1 to 16 of 16

Thread: Unable to modify logon scripts

  1. #1
    Member
    Join Date
    May 2006
    Location
    Stoke-On-Trent
    Posts
    122
    Thanks
    0
    Thanked
    0 times in 0 posts

    Unable to modify logon scripts

    Hi folks,

    I've created a couple of simple logon scripts but I don't seem to make any changes to the sysvol\domain\scripts folder - including editing logon.bat or copying another .bat file into the folder.

    I've logged on using an admin account but keep getting 'access denied'. Does anyone know what I'm doing wrong?

    Also, in the Sysvol folder we have Domain and Sysvol folders, Sysvol being shared but both having similar, un-editable contents.

    Many thanks,

    Nimble.
    Last edited by nimblegimble; 10-11-2006 at 02:53 PM.

  2. #2
    Fried Chip Extremist alsenior's Avatar
    Join Date
    Nov 2005
    Location
    Stafford
    Posts
    2,949
    Thanks
    103
    Thanked
    191 times in 145 posts
    • alsenior's system
      • Motherboard:
      • DFI Lanparty Jr x58-T3H6
      • CPU:
      • Core i7 920
      • Memory:
      • 6 x 2GB ocz Gold
      • Storage:
      • 1 TB Samsung F3
      • Graphics card(s):
      • 1gb 4890 vapor-x xfire
      • PSU:
      • xfx 850W
      • Case:
      • Lian-li Pc7
      • Operating System:
      • Windows 7 X64
      • Monitor(s):
      • Dell 2208WFP
      • Internet:
      • 30mb Virgin media
    Check the admin's account privalages. it may sound stupid but you would be suprised what windows will do. also you dont mention what version of windows server you are using
    Quote Originally Posted by Jay View Post
    What kind of emergency would need Windows 95? I think you are already in a bad state of emergency when your backup plan is Windows 95.
    Beginners guide to raid Beginners guide to raid post edition Hexus.Social - FAQ

  3. #3
    Member
    Join Date
    May 2006
    Location
    Stoke-On-Trent
    Posts
    122
    Thanks
    0
    Thanked
    0 times in 0 posts
    oop, sorry, it's 2000 Server... from what I can gather the admin account has full privileges.

  4. #4
    Splash
    Guest
    Are you logging directly onto the DC with the administrator account or are you using a mapped drive?

  5. #5
    Member
    Join Date
    May 2006
    Location
    Stoke-On-Trent
    Posts
    122
    Thanks
    0
    Thanked
    0 times in 0 posts
    directly onto the DC

  6. #6
    Splash
    Guest
    Hmmm - how strange. Whenever I make changes through GP I do it from a workstation with the GP Editor installed - are you able to change them scripts like that?

  7. #7
    Member
    Join Date
    May 2006
    Location
    Stoke-On-Trent
    Posts
    122
    Thanks
    0
    Thanked
    0 times in 0 posts
    hi, you'll have to forgive my noobiness but I'm fairly new to the networking malarky and the acronyms and abbreviations fly straight over my head. So, in my most embarressed voice might I ask - GP?

    All I've tried to do is logon as admin, open Notepad, write my little script and then both save and/or copy the file to the scripts folder.
    Last edited by nimblegimble; 10-11-2006 at 03:52 PM.

  8. #8
    Splash
    Guest
    Group Policy - you are setting the scripts through GP, right?

  9. #9
    Old Fool!
    Join Date
    Oct 2003
    Location
    Cambridgeshire
    Posts
    1,031
    Thanks
    11
    Thanked
    37 times in 31 posts
    • EtheAv8r's system
      • Motherboard:
      • ASUS Maximus V Gene
      • CPU:
      • i5 3570K @ 4500 Mhz
      • Memory:
      • 16Gb
      • Storage:
      • 2 x Samsung EVO 850 SSD; 1 x Samsung 2TB HD
      • Graphics card(s):
      • nVidia GeForce GTX 970
      • PSU:
      • Seasonic S-12 650 Energy+
      • Case:
      • Corsair Carbide
      • Operating System:
      • Windows 10 Home 64
      • Monitor(s):
      • Dell U2713H
      • Internet:
      • BT Infinity II
    You should check the ACLs (security permissions) on the scripts folder that contains the logon scripts that you get access denied for. Just because you are an Administrator (what kind - is it a Domain Administrator, a member of domain local group Administrators - if you have local admins on other boxes it won't count on a DC) - does not necessarily mean you can access the data.

    For instance we remove Domain Admins from the local group Administrators on all our Member servers, and grant admin rights to those who actually need it via other groups dropped into the local Administrators group, and Domain Admins have NO access to any Business data - DAs are there to manage the infrastructure, not have access to business data... Sure they can take ownership, but this will be immediatly reported and dealt with!

    I think you may find it is a simple permissions issue - or you are not an Admin!

    Don't worry about the GP stuff, logon scripts are .bat files and can quite happily be created and edited with notepad - GP Editor is not required.

    Path for logon scripts is \\servername\SYSVOL\Domain\scripts\...
    Last edited by EtheAv8r; 10-11-2006 at 04:29 PM. Reason: add path.....
    Try to make each and every day the best it can be.

  10. #10
    Member
    Join Date
    May 2006
    Location
    Stoke-On-Trent
    Posts
    122
    Thanks
    0
    Thanked
    0 times in 0 posts
    I agree, I'm not an admin But Splash's suggestion has led me to the solution - thanks again guys

  11. #11
    Splash
    Guest
    Quote Originally Posted by EtheAv8r View Post
    and Domain Admins have NO access to any Business data - DAs are there to manage the infrastructure, not have access to business data... Sure they can take ownership, but this will be immediatly reported and dealt with!
    In my humble and limited experience Domain Admins have far better things to do than trawl through business reports etc....

  12. #12
    Old Fool!
    Join Date
    Oct 2003
    Location
    Cambridgeshire
    Posts
    1,031
    Thanks
    11
    Thanked
    37 times in 31 posts
    • EtheAv8r's system
      • Motherboard:
      • ASUS Maximus V Gene
      • CPU:
      • i5 3570K @ 4500 Mhz
      • Memory:
      • 16Gb
      • Storage:
      • 2 x Samsung EVO 850 SSD; 1 x Samsung 2TB HD
      • Graphics card(s):
      • nVidia GeForce GTX 970
      • PSU:
      • Seasonic S-12 650 Energy+
      • Case:
      • Corsair Carbide
      • Operating System:
      • Windows 10 Home 64
      • Monitor(s):
      • Dell U2713H
      • Internet:
      • BT Infinity II
    Quote Originally Posted by Splash View Post
    In my humble and limited experience Domain Admins have far better things to do than trawl through business reports etc....
    ... then I expect you don't work in a high security, price sensitive environment, ... with internal (infernal) auditors crawling about everywhere and an independant IT Security team, and Regulators....

    Because in such an environment, whether the Domain Admins have the time or not, they are configured out. Indeed only 4 people in our entire organisation have Doman Admins (3000 people in 18 countries) - all normal working Admins rights are delegated via an third party AD management tool (AD native delegation is not granular enough nor it it effectively auditable).
    Try to make each and every day the best it can be.

  13. #13
    Administrator Moby-Dick's Avatar
    Join Date
    Jul 2003
    Location
    There's no place like ::1 (IPv6 version)
    Posts
    10,665
    Thanks
    53
    Thanked
    384 times in 313 posts
    Quote Originally Posted by EtheAv8r View Post
    ... then I expect you don't work in a high security, price sensitive environment, ... with internal (infernal) auditors crawling about everywhere and an independant IT Security team, and Regulators....

    Because in such an environment, whether the Domain Admins have the time or not, they are configured out. Indeed only 4 people in our entire organisation have Doman Admins (3000 people in 18 countries) - all normal working Admins rights are delegated via an third party AD management tool (AD native delegation is not granular enough nor it it effectively auditable).
    You are right - High Security Environments do tend to have very different ideas about Access control ( eg. Government/Financial stuff)

    The role I'm just finishing is of a similar sized company ( fewer countries but possible more sites , about the same level of people ) , Theres not that many domain admins but the security infrastructure is probably more relaxed / less frequently reviewed
    my Virtualisation Blog http://jfvi.co.uk Virtualisation Podcast http://vsoup.net

  14. #14
    Splash
    Guest
    Hence the "humble and limited experience". That said, in such an environment I should imagine that the DAs are also security cleared, right?

    Not disagreeing with you in any way, merely pointing out that the DA is in a position of pretty high trust and authority on a domain.


    Anyways, glad we managed to help the OP

  15. #15
    Administrator Moby-Dick's Avatar
    Join Date
    Jul 2003
    Location
    There's no place like ::1 (IPv6 version)
    Posts
    10,665
    Thanks
    53
    Thanked
    384 times in 313 posts
    There are different levels of clearance

    Even in small environments , its potentially unwise to let the DA ( who is usually relatively low down on the ladder ) have carte blanche over all the data. For example salary scales , staff reviews etc.

    but I digress , in terms of the topic , the Domain admins should have pretty full control over the infrastructure part (the c: drive in a standard deployment
    my Virtualisation Blog http://jfvi.co.uk Virtualisation Podcast http://vsoup.net

  16. #16
    Member
    Join Date
    May 2006
    Location
    Stoke-On-Trent
    Posts
    122
    Thanks
    0
    Thanked
    0 times in 0 posts
    Cheers guys! As always, although the discussion ended up completely confusing me, you've put me on the right track and I now know what it is I have to do...

    Thanks again, this is easily THE BEST forum and the most help I've received EVER!

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Similar Threads

  1. Please help - Unable to connect to website
    By jonnylew in forum Help! Quick Relief From Tech Headaches
    Replies: 11
    Last Post: 03-10-2006, 05:09 PM
  2. Replies: 6
    Last Post: 01-04-2006, 11:47 PM
  3. Replies: 30
    Last Post: 09-06-2005, 03:42 PM
  4. where are the logon scripts!
    By Crazy Fool in forum Help! Quick Relief From Tech Headaches
    Replies: 1
    Last Post: 17-01-2005, 07:13 PM
  5. Decent scripts
    By Kezzer in forum Software
    Replies: 0
    Last Post: 23-09-2004, 09:48 AM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •