[RESOLVED] NT logon script

[Note]

We just purchased a help desk package and loaded it on an NT server. I created a logon script on the PDC to start the audit application whenever anyone logs in.
start \\helpdesk\trackit\audit32.exe and saved it in winnt\system32\repl\import\scripts

I created a global group on the PDC (Trackit_users) and then a local group on the help desk server. I then gave the local group rights to the directory on the helpdesk server.

The problem is that whenever anyone with administrator rights logs in to the PDC, the audit application executes, but when any other user logs in, the PDC doesn't let them even log into the domain let alone execute the script. I went back and triple checked the rights on the share.

We've never had the need to use a logon script before so I think I am missing something. Any ideas? Thanks

[This message has been edited by Note (edited July 28, 2000).]

[Note]

Ok, this morning I thought I solved it. I realized that when I assigned permissions to the share, I had inserted the global group instead of the local group containing the global group. I removed the global group and inserted the local group and since none of my users are here today I created a couple of psuedo users and logged in. The first time, it seemed to work. Then I spotted a user and asked her to log in and she was unable to launch the application. I went back and tried again and I too could not launch it. Back to the drawing board. I removed the script from my psuedo user and logged in and found that I was able to go through the network neigbhorhood to my helpdesk server and access the share and even manually execute the program. I played around a bit with the settings on the helpdesk server, even reluctantly placing the local group containg the global group in the administrators group. That didn't work. I then figured that this was a problem with the logon to the PDC. The everyone group has a read permission to the NETLOGON share but increased it to full control, I knew it wouldn't work but wanted to rule it out. I took my psuedo user and placed him in the administrators group and when I logged him in the program executed from the helpdesk server. Not wanting to have my users in an administrative group, I experimented with the Account operators group and was successful again. I figure putting the users in this group won't cause too much damage since they have no access to my servers. We never needed to use logon scripts before and I'm not sure if there is a better, and more secure, way of doing this. Any ideas are appreciated. Thanks.


Note

[cordon]

Could it be a log on locally issue?

Both Account operators and administrators have the right to log on to a PDC. If your test user is given Server operators/print operators/Backup operators rights and can run the logon script then it would suggest that you need to log on locally to execute the program from the server. I have no idea why though.

Another test would be to assign the Trackit group the right to log on locally and see if that works. You could assign appropriate permissions for the group to prevent them doing any actual damage.

[Note]

I thought about that and even included the log on locally right to the trackit group. But, basically we logon to our PDC and when logging on this will run the script to execute the application on our helpdesk server. I have heard from others that "pushing" any type of software on NT would require admin rights, regardless. Thanks.


Note