Running Login Script Problems

Guest

Our current setup is WINNT Server and 2000 Professional workstations. We have one domain on a single broadcast domain. All the computers include the same image from a network deployment. Every computer also has the exact same hardware configuration.

This specific event will explain my question. I need to run a patch on all my computers (30) in a lab. On the PDC, I add a special account with admin rights and have it run a login script. I try to log in on all computers in the room with this new account and I get the following results: The first half of the computers log in and run the script with no problems. The remaining computers in the room do not recognize the new account. After rebooting these computers, they will log in but will not run the script. After rebooting another time, the script still does not run. All the computers include the same image from a network deployment. Every computer also has the exact same hardware configuration.

I have been dealing with this issue for some time now and need to find a resolution to make things easier for me. Please let me know if you have seen this or know what needs to be done to change this.

Thank you for your time.

MatthewL
Network Coordinator
 
Oli Restorick [MVP]

Have you replicated the login script to all your DCs' netlogon shares?

If the "special account" is a domain admin account, you're asking for
someone to place a trojan on one of the PCs to gain domain admin rights.

Oli
 
Guest

The PDC is the only server that has the script on it. I have not placed it on the BDC.

The special account I used is only when I run scripts. It is disabled as soon as I am done with the specific task in hand. I only use it when I am in the area and not for longer than I need it. I also make sure no one else is on the network when I perform these tasks.

Thank you for your response.
MatthewL
 
Oli Restorick [MVP]

Hi Matthew

You will need to place it on all domain controllers, as any domain
controller could be performing the login.

The trojan issue I was referring to is that others may plant some commands
on a workstation to run at login when a domain admin logs in to create
themselves a new domain admin account. It's trivially easy to do and
doesn't require anyone else to be on the network while you're logging in.
It depends on your environment as to whether you think this is a real risk.
If you're running a school or university network, then it's quite possible
that you'd be a victim of this sort of attack.

Oli
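
One way to check the replication point made above, as an added example that is not part of the thread: hash the login script on each domain controller's NETLOGON share and compare it with the PDC's copy. The script name `patch.bat`, the names `BDC1`/`BDC2` and the temporary directories standing in for the shares are assumptions; on a real network each path would be that DC's NETLOGON share.

```python
import hashlib
import tempfile
from pathlib import Path


def file_digest(path):
    """SHA-256 of a file, or None if it is absent or unreadable."""
    try:
        return hashlib.sha256(Path(path).read_bytes()).hexdigest()
    except OSError:
        return None


def check_netlogon(script_name, shares, reference):
    """Compare script_name on every share against the copy on `reference`.

    shares: {dc_name: path to that DC's NETLOGON share}
    Returns {dc_name: "ok" | "missing" | "mismatch"}.
    """
    ref_digest = file_digest(Path(shares[reference]) / script_name)
    if ref_digest is None:
        raise FileNotFoundError(f"{script_name} not found on reference DC {reference}")
    report = {}
    for dc, share in shares.items():
        digest = file_digest(Path(share) / script_name)
        if digest is None:
            report[dc] = "missing"      # a logon served by this DC runs no script
        elif digest != ref_digest:
            report[dc] = "mismatch"     # a logon served by this DC runs a different script
        else:
            report[dc] = "ok"
    return report


def demo():
    """Constructed stand-in for a PDC and two BDCs (hypothetical names)."""
    with tempfile.TemporaryDirectory() as root:
        shares = {}
        for dc in ("PDC", "BDC1", "BDC2"):
            shares[dc] = Path(root) / dc / "NETLOGON"
            shares[dc].mkdir(parents=True)
        (shares["PDC"] / "patch.bat").write_text("@echo off\r\nrem constructed sample\r\n")
        # BDC1 never received the script; BDC2 holds a stale copy.
        (shares["BDC2"] / "patch.bat").write_text("@echo off\r\nrem older copy\r\n")
        return check_netlogon("patch.bat", shares, reference="PDC")


if __name__ == "__main__":
    for dc, status in demo().items():
        print(f"{dc}: {status}")
```

A "mismatch" result is worth following up as well as a "missing" one, since the script runs with the rights of whoever logs on.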
 
Guest

Thank you for the resolution on the scripts.
About the trojan:
I only create domain admin accounts from the server to use on the workstations. I understand what you are talking about. That's good information though. Thank you for all your help.
 
