GPO startup script not copying files

group-policy, startup-scripts, windows 7, windows-server-2008, windows-xp

I created a GPO startup script to execute for computers in a specific AD container. The script takes a file from the AD netlogon share and places it in a directory on the computer. Given the right permissions (i.e. myself), I can execute the script just fine and the file copies. But it doesn't work on startup – the file does not copy over from the AD server.

The startup script should run as localsystem (am I right?). So the question is why do the files not copy on startup? Could it be because of:

  • Is it permissions of the local system user?
  • Reading the registry is problematic on startup?
  • Obtaining files from the AD netlogon folder is problematic on startup?
  • Am I missing it completely?

My test machine does have the registry key and local directories as described in the script. I myself have standard user permissions on the test machine. The AD server is Windows 2008, the test client is Windows XP SP3 (and soon to be Windows 7, on which I assume permissions issues will be inevitable).


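Dim wShell, fso, oraHome, tnsHome, key, srcDir
Set wShell = WScript.CreateObject("WScript.Shell")
Set fso = CreateObject("Scripting.FileSystemObject")
' Registry value that holds the Oracle home directory
key = "HKLM\Software\Oracle\Oracle_Home"
' Errors are suppressed from here on, so a failed read or copy is silent
On Error Resume Next
oraHome = wShell.RegRead(key)
If Err.Number = 0 Then
    ' Destination: <Oracle home>\network\admin\
    tnsHome = oraHome + "\" + "network\admin\"
    ' Source: the netlogon share of whatever %logonserver% expands to
    srcDir = wShell.ExpandEnvironmentStrings("%logonserver%") + "\netlogon\UpdatedFiles\"
    ' Copy the file, overwriting any existing copy
    fso.CopyFile srcDir + "file1.ext", tnsHome, True
End If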

Side note: To ensure that the script is properly deployed, I purposely put some errors in the script, and on the next startup the error message appeared. So I know the GPO is deployed properly.

Best Answer

Running under the local system account, the script will be connecting to the network using the AD computer account (i.e. COMPUTERNAME$).

However, the %logonserver% variable might not be valid in the context of the system account - after all, the local system account authenticates with the local machine, not the domain. The %logonserver% variable may either be blank, or equal to the local machine name.

Try using \\domain.name\NETLOGON instead. This will connect to a domain controller (and since the NETLOGON share contains the same files on all DCs because it uses FRS, it doesn't matter which DC you're talking to).
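
The answer's suggestion applied to the question's script, as an added example that is not part of the original question or answer: it builds the source path from the domain name instead of %logonserver% and writes each failure to the Application event log rather than suppressing it. DOMAIN_FQDN is the placeholder "domain.name" from the answer, and the EVT_* constant names are made up for this example.

```vbscript
Option Explicit
' Added example. DOMAIN_FQDN is the answer's placeholder; replace it with
' the real AD DNS domain name. EVT_* are WshShell.LogEvent type codes.
Const DOMAIN_FQDN = "domain.name"
Const EVT_ERROR = 1
Const EVT_INFO = 4

Dim wShell, fso, oraHome, tnsHome, srcFile
Set wShell = CreateObject("WScript.Shell")
Set fso = CreateObject("Scripting.FileSystemObject")

' Record what %logonserver% expands to in the startup (SYSTEM) context.
wShell.LogEvent EVT_INFO, "Startup copy: %logonserver% expands to '" & _
    wShell.ExpandEnvironmentStrings("%logonserver%") & "'"

' Suppress errors only around the one call expected to fail on some machines.
On Error Resume Next
oraHome = wShell.RegRead("HKLM\Software\Oracle\Oracle_Home")
If Err.Number <> 0 Then
    wShell.LogEvent EVT_INFO, "Startup copy: Oracle_Home not found, nothing to do"
    WScript.Quit 0
End If
On Error GoTo 0

tnsHome = oraHome & "\network\admin\"
srcFile = "\\" & DOMAIN_FQDN & "\netlogon\UpdatedFiles\file1.ext"

If Not fso.FolderExists(tnsHome) Then
    wShell.LogEvent EVT_ERROR, "Startup copy: missing folder " & tnsHome
    WScript.Quit 1
End If
If Not fso.FileExists(srcFile) Then
    ' Also reached when the computer account cannot read the share.
    wShell.LogEvent EVT_ERROR, "Startup copy: cannot read " & srcFile
    WScript.Quit 1
End If

On Error Resume Next
fso.CopyFile srcFile, tnsHome, True
If Err.Number <> 0 Then
    wShell.LogEvent EVT_ERROR, "Startup copy failed: " & Err.Number & " " & Err.Description
    WScript.Quit 1
End If
wShell.LogEvent EVT_INFO, "Startup copy: " & srcFile & " -> " & tnsHome
```

The entries appear in the client's Application event log under the source WSH, which gives a record of the startup run even though no user is logged on to see an error dialog.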