How to execute the logon script when the network cable is connected

Guest

Hi,
I have AD with different Server 2000 DCs.
I'm using a Group Policy logon script.
My user (XP) logs on to the domain with the network cable not connected, so
logs on locally.
Then the user attaches the network cable, and I want the logon script to run
now (and also the group policy to get updated).
Is it possible? How?
Thanks
 
Danny Sanders

My user (XP) logs on to the domain with the network cable not connected, so
logs on locally.


Don't create them a local login. Have them log onto the domain even when not
connected to the wire.
When logging onto the domain with no connection they will log on with cached
credentials and all GP settings will stay intact.

hth
DDS W 2k MVP MCSE
 
Torgeir Bakken (MVP)

Andrea said:
Hi,
I have AD with different Server 2000 DCs.
I'm using a Group Policy logon script.
My user (XP) logs on to the domain with the network cable not connected, so
logs on locally.
Then the user attaches the network cable, and I want the logon script to run
now (and also the group policy to get updated).
Is it possible? How?
Thanks

Hi

If feasible, I suggest you disable cached logon on the computer.

Cached logon is controlled by the following registry value:

ValueName: CachedLogonsCount
Data Type: REG_SZ
Values: 0 - 50

under the key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\

If the value does not exist, the system defaults to the value 10.

Setting it to 0 will stop it from saving the cached credentials.

Note that the CachedLogonsCount is a number indicating for how many
users the computer should remember cached credentials for, and not
how many times a user can log on with cached credentials in a row.
 
Guest

My previous post was a little confusing.
The user (XP) logs on TO THE DOMAIN using cached credentials with the network
cable not connected.
When I connect the cable back, the logon script (configured using GP)
doesn't run.
I want the logon script to run as soon as the network cable is connected.
Hope it is clear now.

Thanks.


"Danny Sanders" wrote:
 
Guest

"Torgeir Bakken (MVP)" wrote:
Hi

If feasible, I suggest you disable cached logon on the computer.

Cached logon is controlled by the following registry value:

ValueName: CachedLogonsCount
Data Type: REG_SZ
Values: 0 - 50

under the key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\

If the value does not exist, the system defaults to the value 10.

Setting it to 0 will stop it from saving the cached credentials.

Note that the CachedLogonsCount is a number indicating for how many
users the computer should remember cached credentials for, and not
how many times a user can log on with cached credentials in a row.

But if I set the value to 0, is the user able to log on to the domain even if the
network cable is disconnected?
I need the user to be able to log on as a "user domain" even if the cable is
disconnected, because I don't want a double authentication when the cable is
connected back.

Thanks
 
Torgeir Bakken (MVP)

Andrea said:
"Torgeir Bakken (MVP)" wrote:

But if I set the value to 0, is the user able to log on to the domain even if the
network cable is disconnected?
I need the user to be able to log on as a "user domain" even if the cable is
disconnected, because I don't want a double authentication when the cable is
connected back.

Hi

With the value set to 0 and the cable disconnected, the user will not
be able to log on at all with the domain user account. As long
as you don't create a local user account for the user, the user is
forced to have the network cable connected to be able to log on.

If this is a desktop computer, some can live with this setup. If it
is a laptop, you can of course forget this method.

So is this computer a desktop, and if so, can you live with this
configuration?
 
Guest

"Torgeir Bakken (MVP)" wrote:
Hi

With the value set to 0 and the cable disconnected, the user will not
be able to log on at all with the domain user account. As long
as you don't create a local user account for the user, the user is
forced to have the network cable connected to be able to log on.

If this is a desktop computer, some can live with this setup. If it
is a laptop, you can of course forget this method.

So is this computer a desktop, and if so, can you live with this
configuration?

The computer is a laptop, so I cannot live with the suggested configuration.
My understanding is that group policies are "downloaded" to the client as
soon as the client detects the server (something called background update). Is
it true?
Is the logon script also updated (run)?
 
Guest

Have you tried adjusting the local group policy refresh intervals found here:
Local computer Policy -> Computer Configuration -> Administrative Templates
-> System -> Group Policy

Or perhaps also create a vbscript to check for network connection that loops
with a sleep statement, then once connected executes your desired logon
script then terminates itself.
 
Guest

J Ford said:
Have you tried adjusting the local group policy refresh intervals found here:
Local computer Policy -> Computer Configuration -> Administrative Templates
-> System -> Group Policy

Or perhaps also create a vbscript to check for network connection that loops
with a sleep statement, then once connected executes your desired logon
script then terminates itself.

Ok, it could be an idea. I'm not familiar with VBScript, so I need to study
it.
Anyway, I have done some additional tests using the GPUPDATE command.
I was thinking that logon scripts in GP are fully part of the policy and,
because of this, when the policy is updated, the logon script should also be
re-run.
This is wrong. My test shows that when I entered the command gpupdate /Force,
the policy got updated, but the script was not re-run.
My conclusion is that the logon script (and other GP scripts) aren't like a
policy at all and so are not included in the policy update.
Can anybody confirm this?
Thanks
 
Torgeir Bakken (MVP)

Andrea said:
Ok, it could be an idea. I'm not familiar with VBScript, so I need to study
it.
Anyway, I have done some additional tests using the GPUPDATE command.
I was thinking that logon scripts in GP are fully part of the policy and,
because of this, when the policy is updated, the logon script should also be
re-run.
This is wrong. My test shows that when I entered the command gpupdate /Force,
the policy got updated, but the script was not re-run.
My conclusion is that the logon script (and other GP scripts) aren't like a
policy at all and so are not included in the policy update.
Can anybody confirm this?

Hi

That is correct, you will not be able to run any scripts by refreshing
a policy with gpupdate.exe.


But you can run a script that will detect that you connect the cable,
and then let the script run the logon script.

This detection script could be set to start at logon by launching it
from e.g.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run


This will kick in for all network adaptors:

'--------------------8<----------------------
' Subscribe to the NDIS "media connected" WMI event
Set colMonitoredEvents = GetObject("winmgmts:root\wmi").ExecNotificationQuery( _
    "Select * from MSNdis_StatusMediaConnect")
Do
    ' NextEvent blocks until an adapter reports a connect event
    Set strLatestEvent = colMonitoredEvents.NextEvent
    WScript.Echo "Connected! Do something here"

    ' exit after the first event.
    Exit Do
Loop
'--------------------8<----------------------


If you want to check a specific adapter, use e.g. a select on the
InstanceName of the adapter:

'--------------------8<----------------------
' Same subscription, restricted to one adapter by its InstanceName
Set colMonitoredEvents = GetObject("winmgmts:root\wmi").ExecNotificationQuery( _
    "Select * from MSNdis_StatusMediaConnect" _
    & " WHERE InstanceName = '3Com 10/100 Mini PCI Ethernet Adapter'")
Do
    ' NextEvent blocks until that adapter reports a connect event
    Set strLatestEvent = colMonitoredEvents.NextEvent
    WScript.Echo "Connected! Do something here"
    ' exit after the first event.
    Exit Do
Loop
'--------------------8<----------------------
 
Al Dunbar [MS-MVP]

Andrea said:
"Torgeir Bakken (MVP)" wrote:

The computer is a laptop, so I cannot live with the suggested configuration.
My understanding is that group policies are "downloaded" to the client as
soon as the client detects the server (something called background update). Is
it true?
Is the logon script also updated (run)?

When the user does this:

- disconnects network cable;
- logs on with cached credentials;
- reconnects network cable.

This does NOT cause the domain logon scripts to run. The domain logon script
is normally run as an integral part of logging on to the domain. Logging in
with cached credentials is logging in. Connecting the network cable
afterwards is not logging in because the user has already logged in (with
cached credentials).

I do not know how cached credential logons interact with group policy, but
what we do for remote access users is to allow cached credentials so they
can logon and initiate the VPN connection. We have a custom program running
as a service that will detect the change from "no network connectivity" to
"network connectivity", and then run the logon script for us. Again, I am
not aware of what interaction there is with group policies.

/Al
 
Guest

Al Dunbar said:
When the user does this:

- disconnects network cable;
- logs on with cached credentials;
- reconnects network cable.

This does NOT cause the domain logon scripts to run. The domain logon script
is normally run as an integral part of logging on to the domain. Logging in
with cached credentials is logging in. Connecting the network cable
afterwards is not logging in because the user has already logged in (with
cached credentials).

I do not know how cached credential logons interact with group policy, but
what we do for remote access users is to allow cached credentials so they
can logon and initiate the VPN connection. We have a custom program running
as a service that will detect the change from "no network connectivity" to
"network connectivity", and then run the logon script for us. Again, I am
not aware of what interaction there is with group policies.

/Al

Where can I find the program that you use?
Does "custom" mean that you have written it?
Can you give me some details on how it works?

Thanks a lot.
 
Guest

Torgeir Bakken (MVP) said:
Hi

That is correct, you will not be able to run any scripts by refreshing
a policy with gpupdate.exe.


But you can run a script that will detect that you connect the cable,
and then let the script run the logon script.

This detection script could be set to start at logon by launching it
from e.g.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run


This will kick in for all network adaptors:

'--------------------8<----------------------
' Subscribe to the NDIS "media connected" WMI event
Set colMonitoredEvents = GetObject("winmgmts:root\wmi").ExecNotificationQuery( _
    "Select * from MSNdis_StatusMediaConnect")
Do
    ' NextEvent blocks until an adapter reports a connect event
    Set strLatestEvent = colMonitoredEvents.NextEvent
    WScript.Echo "Connected! Do something here"

    ' exit after the first event.
    Exit Do
Loop
'--------------------8<----------------------


If you want to check a specific adapter, use e.g. a select on the
InstanceName of the adapter:

'--------------------8<----------------------
' Same subscription, restricted to one adapter by its InstanceName
Set colMonitoredEvents = GetObject("winmgmts:root\wmi").ExecNotificationQuery( _
    "Select * from MSNdis_StatusMediaConnect" _
    & " WHERE InstanceName = '3Com 10/100 Mini PCI Ethernet Adapter'")
Do
    ' NextEvent blocks until that adapter reports a connect event
    Set strLatestEvent = colMonitoredEvents.NextEvent
    WScript.Echo "Connected! Do something here"
    ' exit after the first event.
    Exit Do
Loop
'--------------------8<----------------------

Thanks for your reply.
I want to apply your suggestion to a wireless network using 802.1x
authentication, so:
1) The user powers up the laptop and logs on using cached credentials (the
network card is not associated with any access point).
2) The 802.1x authentication takes place (using the same username and
password used for logon) and now the client is associated with the access point
and receives an IP address from the DHCP server.
3) The logon script runs. (This is the step I need.)

How can I obtain this?
 
Al Dunbar [MS-MVP]

Andrea said:
Where can I find the program that you use?
Does "custom" mean that you have written it?
Can you give me some details on how it works?

Alas, that program was written by a different group in my organization, so I
cannot answer your last question. I will ask if there is any way that it can
be published, or, at least, explained here, but I strongly suspect the
answer will be "no".

Logically, all it does is:

- wait until a network session has been established;
- run the standard logon script.

It probably suffices for most users, however, I sometimes cancel the script,
log out, and then log back in, at which time I get a logon process that is
identical to what I get on the LAN (but slower).

/Al
 
Torgeir Bakken (MVP)

Andrea said:
Thanks for your reply.
I want to apply your suggestion to a wireless network using 802.1x
authentication, so:
1) The user powers up the laptop and logs on using cached credentials (the
network card is not associated with any access point).
2) The 802.1x authentication takes place (using the same username and
password used for logon) and now the client is associated with the access point
and receives an IP address from the DHCP server.
3) The logon script runs. (This is the step I need.)

How can I obtain this?

Hi

Try this method instead:

'--------------------8<----------------------
Set oFSO = CreateObject("Scripting.FileSystemObject")
Set oShell = CreateObject("WScript.Shell")
Set oVolatileEnv = oShell.Environment("VOLATILE")

' An UNC path here that will be available when network connection is in place
sTestPath = "\\server\share"

' test on volatile environment variable to avoid running logon script
' if the user have already run the logon script.
If Not oVolatileEnv("LogonScript") = "Done" Then

Do Until oFSO.FolderExists(sTestPath)
' sleep 5 seconds
WScript.Sleep 5000
Loop

' share/folder available on server now, run logon script here
WScript.Echo "run logon script here"

End If
'--------------------8<----------------------

This script could be set to start at logon by launching it from e.g.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run


In the original logon script, add this code:

'--------------------8<----------------------
Set oShell = CreateObject("WScript.Shell")
Set oVolatileEnv = oShell.Environment("VOLATILE")
oVolatileEnv("LogonScript") = "Done"
'--------------------8<----------------------
 
Guest

Thanks Torgeir,
your script is very useful.
To make a real test I need to know the command to run a script from inside a
script, something like a call.
When the condition is true, I want to call another script.

Many thanks for your help!
Andrea
 
Torgeir Bakken (MVP)

Andrea said:
Thanks Torgeir,
your script is very useful.
To make a real test I need to know the command to run a script
from inside a script, something like a call.
When the condition is true, I want to call another script.

Hi

Just use the Run method to launch wscript.exe with the logon
script path as parameter:


' Quote the path so a logon script path containing spaces is passed intact
sLogonScript = "path to logon script here"
oShell.Run "wscript.exe """ & sLogonScript & """", 1, False
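
Added example, not part of the original thread or any poster's own code: the polling loop, the volatile-variable guard and the Run call from the posts above combined into one detection script. The server, share and script paths, the one-hour timeout and the exit codes are assumptions.

```vbscript
Option Explicit

' Added example (not from the thread). Paths below are placeholders.
Const TEST_PATH    = "\\server\share"            ' UNC path reachable only on the domain network
Const LOGON_SCRIPT = "\\server\share\logon.vbs"  ' hypothetical logon script location
Const POLL_MS      = 5000                        ' poll interval, as in the thread
Const MAX_WAIT_MS  = 3600000                     ' assumption: give up after one hour

Dim oFSO, oShell, oVolatileEnv, sHost, lWaited
Set oFSO = CreateObject("Scripting.FileSystemObject")
Set oShell = CreateObject("WScript.Shell")
Set oVolatileEnv = oShell.Environment("VOLATILE")

' The real logon script sets LogonScript=Done (see the thread), so after a
' normal on-network logon this script exits without running it twice.
If oVolatileEnv("LogonScript") = "Done" Then WScript.Quit 0

' Wait for the share to become reachable, but not forever: a laptop that
' stays offline should not keep a script host polling all day.
lWaited = 0
Do Until oFSO.FolderExists(TEST_PATH)
    If lWaited >= MAX_WAIT_MS Then WScript.Quit 1   ' never reached the network
    WScript.Sleep POLL_MS
    lWaited = lWaited + POLL_MS
Loop

' Share is up but the script is missing: stop rather than launch nothing.
If Not oFSO.FileExists(LOGON_SCRIPT) Then WScript.Quit 2

' Launch with the full path to wscript.exe instead of relying on the search
' path, and quote both paths so embedded spaces cannot split the command line.
sHost = oShell.ExpandEnvironmentStrings("%SystemRoot%\System32\wscript.exe")
oShell.Run """" & sHost & """ """ & LOGON_SCRIPT & """", 1, False
```

Because the script is started from the HKEY_LOCAL_MACHINE Run key for every user who logs on, the logon script location it points to should be writable only by administrators.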
 
