One of the guys on MR&D, Michael Pietrzak, reported a problem with previously existing logon scripts in his domain that were not running correctly on Windows Vista domain members. It appeared that running "Net Use" commands to map a drive failed to work. After some experimentation, Mike found that UAC (the new infamous security feature in Vista) was the cause of the problem. Disabling UAC resolved the issue. UAC is a nice idea because it is intended to prevent malicious software from installing on or configuring your machine without your consent.
I had been reading the thread on the forum with interest. I upgraded my PC at home last week and I soon realised I was encountering the exact same issue.
World-renowned GPO whiz Darren Mar-Elia joined Mike in looking into this issue. Darren’s contacts in Microsoft were able to give him a link to a "solution". If you browse to near the bottom of that page you’ll find a section called "Group Policy Scripts can fail due to User Account Control". What happens is that UAC prevents a logon script from mapping a network drive. The solution? You have to run a provided script (on the MS website, in Appendix A) to delay the execution of the logon script:
- You place this WSF script in your NETLOGON folder.
- You alter your logon script configuration to run the WSF file with the actual logon script as a parameter.
There are a few bugs in MS’s documentation and script:
- Syntax error in script: line 114 (open Notepad, press <CTRL> + <G>, enter 114 and press <RETURN>) is broken up into multiple lines using "_". This appears to break the script. I modified line 114 to read as:
call rootFolder.RegisterTaskDefinition(strTaskName, taskDefinition, FlagTaskCreate,,, LogonTypeInteractive)
- GPO settings: the documentation doesn’t use a UNC path for the WSF file. Use a full path, e.g. \\domain.name\NETLOGON\Launchapp.wsf.
- GPO settings: the documentation doesn’t use a UNC path for the parameter, i.e. the logon script. Use a full path, e.g. \\domain.name\NETLOGON\logon.bat.
I also commented out the following two lines with a leading ' (the VBScript comment character). I don’t want users (or me) to have to click boxes every time I log in.
- ' WScript.Echo "Task definition created. About to submit the task…"
- ' WScript.Echo "Task submitted."
So what is the fix doing? It delays the execution of the actual logon script until after your logon is considered "complete". In reality, I’ve found that I’ve been logged in for 10 or more seconds before the real logon script runs. This means there is a window where network drives are not mapped and users can attempt to launch programs or open files that they have no access to yet. I cannot imagine how many helpdesk calls will be opened because of this.
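To make the mechanism concrete, here is an added, stripped-down illustration of what the delayed-launch approach does. It is not Microsoft’s LaunchApp.wsf and not the modified copy described above; it is a plain .vbs you would run from the GPO logon script setting with the real logon script as its parameter. It registers a one-off Task Scheduler 2.0 task that fires right after registration, waits a short delay, and runs the logon script under the logged-on user’s own interactive (non-elevated) token, so the drives that net use maps are the ones the user’s desktop programs actually see. The task name, the 10-second delay and the UNC path in the usage line are assumed placeholder values.

```vbscript
' Added illustration, not the MS script or the post author's copy: hand the logon
' script to Task Scheduler 2.0 so it runs under the user's interactive token
' instead of the UAC-elevated context in which Group Policy runs the script.
Option Explicit

Const TASK_TRIGGER_REGISTRATION    = 7  ' fire as soon as the task is registered
Const TASK_ACTION_EXEC             = 0  ' action type: run a program
Const TASK_CREATE_OR_UPDATE        = 6  ' replace the task left over from the last logon
Const TASK_LOGON_INTERACTIVE_TOKEN = 3  ' run with the logged-on user's own token
Const TASK_RUNLEVEL_LUA            = 0  ' least privilege: never prompt for elevation

Dim strScript, strDelay, strTaskName
' The real logon script is passed on the command line, as in the GPO setup above.
If WScript.Arguments.Count < 1 Then
    WScript.Echo "Usage: cscript delaylogon.vbs \\domain.name\NETLOGON\logon.bat"
    WScript.Quit 1
End If
strScript   = WScript.Arguments(0)
strDelay    = "PT10S"                 ' ISO 8601 duration; assumed value, tune per site
strTaskName = "Delayed logon script"  ' assumed task name

Dim service, rootFolder, taskDefinition, trigger, action
Set service = CreateObject("Schedule.Service")
service.Connect                       ' local machine, current user
Set rootFolder = service.GetFolder("\")

Set taskDefinition = service.NewTask(0)
taskDefinition.RegistrationInfo.Description = _
    "Runs the domain logon script outside the UAC-elevated Group Policy context"
taskDefinition.Principal.LogonType = TASK_LOGON_INTERACTIVE_TOKEN
taskDefinition.Principal.RunLevel  = TASK_RUNLEVEL_LUA
taskDefinition.Settings.DisallowStartIfOnBatteries = False
taskDefinition.Settings.StopIfGoingOnBatteries     = False
taskDefinition.Settings.StartWhenAvailable         = True

' Registration trigger plus delay: this is the "wait until logon is complete" step.
Set trigger = taskDefinition.Triggers.Create(TASK_TRIGGER_REGISTRATION)
trigger.Delay = strDelay

' The action is the unchanged logon script, run through cmd.exe so a .bat works as-is.
Set action = taskDefinition.Actions.Create(TASK_ACTION_EXEC)
action.Path      = "%SystemRoot%\system32\cmd.exe"
action.Arguments = "/c """ & strScript & """"

' The blank user and password arguments bind the task to the caller's own token;
' no credentials are stored with the task.
Call rootFolder.RegisterTaskDefinition(strTaskName, taskDefinition, _
    TASK_CREATE_OR_UPDATE, , , TASK_LOGON_INTERACTIVE_TOKEN)
```

The two settings that matter for UAC are Principal.LogonType (interactive token) and Principal.RunLevel (LUA): together they guarantee the script gets exactly the standard-user token and can never trigger an elevation prompt. The delay is the trade-off the post describes: shortening it narrows the window in which drives are not yet mapped, but it still has to cover the time it takes the user’s session to come up. Check the result in Task Scheduler (or with schtasks /query /v) and confirm the task shows "Run with highest privileges" unset and the user as the principal.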
This, in my opinion, is a kludge fix, i.e. duct tape and baling twine, a MacGyver-ism if you will. The fact that this functionality, which you will find in probably 75% of corporate networks if not more, does not work out of the box is shocking. I’ve liked Vista so far but this is disappointing. It’s certainly giving ammo to the naysayers and Linux nuts.
This problem is also going to lead to more people disabling UAC… heck, helpdesk managers will demand it. There was already a growing feeling of contempt for this security feature that MS has invested a lot of time and effort in. It’s had lots of negative commentary. The fact that it breaks something this important is crazy. MS should really get a real fix for this out the door ASAP so that an important security feature such as UAC will not be dumped by the general public.