
I'm having a weird issue with creating Group Policy on an inherited Domain Controller. This thing was never set up properly, and I'm not well versed in working with Group Policy.

We are running Active Directory 10.0.14393.2608 on a single Domain Controller which is running Windows Server 2016 Standard.

My goal is to log users with a simple script run at logon and logoff.

I currently have the following batch file saved in the NETLOGON folder:

REM Create a per-computer folder on the share the first time this machine logs someone on
if exist \\SERVER\LogData\%Computername% goto next
mkdir \\SERVER\LogData\%Computername%
:next
REM Append one CSV row per logon: computer, user, date, time
Echo %Computername%,%Username%,%Date%,%Time% >> \\SERVER\LogData\%Computername%\Logon.csv

It is applied to a GPO under User Configuration -> Policies -> Windows Settings -> Scripts -> Logon Properties.

The GPO is linked within an OU that contains several users and computers in sub OUs.

I can run the script by navigating out to it from a test computer, and it will fire correctly, but nothing happens when I logoff and back on after running gpupdate.

GW_IT
  • Questions seeking installation, configuration or diagnostic help must include the desired end state, the specific problem or error, sufficient information about the configuration and environment to reproduce it, and attempted solutions. Questions without a clear problem statement are not useful to other readers and are unlikely to get good answers. – djdomi Jun 28 '22 at 17:24
  • I tried to add details and focus my question, is that better? – GW_IT Jun 28 '22 at 18:38
  • Your solution is IMHO not a professional business one. This data already exists in the domain; you only need to enable auditing. Check the Event Viewer; for failures, i.e., you can use [this](https://github.com/djdomi/Powershell-Scripts/blob/main/powershell_announce_failed_logins.ps1) – djdomi Jun 28 '22 at 19:36
  • I did enable auditing, but I have one user that authenticates just about once a second, making the Event Viewer nearly impossible to sift through. – GW_IT Jun 28 '22 at 19:51
  • Use the Group Policy Modeling and Results tools in the GPMC as a first step to troubleshooting this. The Modeling tool will tell you if the policy should be applied and the Results tool will tell you if it is being applied... or not. – joeqwerty Jun 28 '22 at 19:52
  • You have one user that authenticates about once a second? What's that about? Also, logon scripts run when the user logs onto their domain joined computer, not when they authenticate to whatever it is they're authenticating to every second. – joeqwerty Jun 28 '22 at 19:53
  • When I run the modeling tool it claims to be applied to the user; I'm getting a permission error when I try to run the results tool, so I'm trying to figure that out. As for the authentication, the only Event ID I've found that actually lists both user and workstation is 4776, and I had to turn auditing off because I was getting hundreds of logs a day from one user. I don't know why. If I try to use 4624 I either get the workstation with ANONYMOUS LOGON as the ID or I get either the Computer Name or the User name as the security ID with the Workstation dashed out. – GW_IT Jun 28 '22 at 20:19
  • This is not a practice suitable for audit logging as the users are able to modify the logs. – Esa Jokinen Jun 28 '22 at 20:31
  • It's not a long term solution, just a quick and dirty way to get a handle on the network so I can reorganize everything in a more meaningful way. I'm more concerned that I can't run the scripts than what the scripts themselves are. Moving forward I shouldn't actually need to audit users, but I may need to be able to run scripts. – GW_IT Jun 28 '22 at 20:55
  • @GW_IT I'm sorry you got singled out by a needlessly pedantic serverfaulter. Bumped your question out of the negatives. This is a good question. – Brien Malone Aug 11 '23 at 14:17

1 Answer

User logon scripts are by default delayed by 5 minutes! Configure the delay, see here: https://docs.microsoft.com/en-us/troubleshoot/windows-client/group-policy/logon-scripts-not-run-for-long-time

More importantly: your DC is terribly outdated. That update level is from 2018!

  • I disabled the delay a couple days ago and the script still isn't running. Could it be the age of my DC? – GW_IT Jul 07 '22 at 17:41
  • Where did you disable the delay? It needs to be done inside a GPO that is linked to an OU that holds all the computer objects. DC age does not matter. – Bernd Schwanenmeister Jul 08 '22 at 07:25
  • I disabled it within the same GPO as the scripts. I am testing it within an OU that contains one test computer at the moment. There are other computers in my AD, but I'm trying to start small. – GW_IT Jul 08 '22 at 13:41
  • Use gpresult /h output.html at the client to find out if the settings applied as expected. – Bernd Schwanenmeister Jul 10 '22 at 18:42
  • I did that and every GPO shows up as though they ran, but nothing has actually been applied. The winning GPO is the one I set the script in and it shows the logon.bat under "Items to run at logon" but no log is actually being written. By the same token, the drive maps are showing up in the results as being applied, but the maps do not exist. – GW_IT Jul 12 '22 at 16:41
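The checks the answer and its comments ask for (the logon-script delay, whether the Group Policy client registered the script for this user, and whether the user can reach the script and write to the log share) can be run from the logged-on user's session on the test workstation. This is an added example, not code from the question or the answer; the share paths follow the question, the file name logon.bat and the two registry locations are assumptions about the standard Group Policy client layout:

```powershell
# Added troubleshooting check (not from the original post). Run as the test user on the
# workstation after 'gpupdate /force' and a fresh logon.
# Assumed: standard registry locations used by the Group Policy client.
$logonDelayKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$scriptsKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logon'
$logShare      = '\\SERVER\LogData'                              # from the question
$netlogonFile  = "\\$env:USERDNSDOMAIN\NETLOGON\logon.bat"       # assumed file name

# 1. Logon-script delay. Without "Configure Logon Script Delay" disabled in a GPO that
#    applies to the COMPUTER object, user logon scripts wait 5 minutes after logon.
$delay = Get-ItemProperty -Path $logonDelayKey -ErrorAction SilentlyContinue
if ($null -eq $delay.EnableLogonScriptDelay) {
    Write-Output 'Delay policy: not configured -> default 5 minute delay is in effect'
} elseif ($delay.EnableLogonScriptDelay -eq 0) {
    Write-Output 'Delay policy: disabled -> scripts run at logon'
} else {
    Write-Output ('Delay policy: enabled, {0} minute(s)' -f $delay.AsyncScriptDelay)
}

# 2. Logon scripts the Group Policy client registered for this user:
#    one subkey per GPO, one subkey per script underneath it.
$registered = Get-ChildItem -Path $scriptsKey -ErrorAction SilentlyContinue
if (-not $registered) { Write-Output 'No user logon scripts registered for this user' }
foreach ($gpoKey in $registered) {
    $gpo = Get-ItemProperty -Path $gpoKey.PSPath
    foreach ($scriptKey in (Get-ChildItem -Path $gpoKey.PSPath)) {
        $s = Get-ItemProperty -Path $scriptKey.PSPath
        Write-Output ("Registered: GPO '{0}' -> {1}" -f $gpo.DisplayName, $s.Script)
    }
}

# 3. Can this user read the script and do what the batch file does (create the
#    per-computer folder and append to the CSV) on the log share?
Write-Output ('Script reachable: {0}' -f (Test-Path -Path $netlogonFile))
$folder = Join-Path -Path $logShare -ChildPath $env:COMPUTERNAME
$probe  = Join-Path -Path $folder -ChildPath "probe_$PID.tmp"
try {
    New-Item -Path $folder -ItemType Directory -Force -ErrorAction Stop | Out-Null
    Add-Content -Path $probe -Value 'probe' -ErrorAction Stop
    Remove-Item -Path $probe -ErrorAction SilentlyContinue
    Write-Output 'Log share writable: True'
} catch {
    Write-Output ('Log share writable: False ({0})' -f $_.Exception.Message)
}
```

If step 2 lists the script and step 3 reports both True, the remaining suspect is the delay in step 1, which must be disabled by a GPO linked where the computer object lives, not only where the user object lives.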