Windows 7 - run logon scripts synchronously problem
Hey Guys, iam having a problem.
We`re ready to deploy win7.
Our loginscript works like a charm with the wsf solution from MS , it runs when login to the computer and mappings are made, printers installed etc.
Our problem is our Group Policy`s.
We use the computer policy "run logon scripts synchronously" and "Always wait for the network at computer startup and logon"
On our XP machines both policy`s work perfect but on our windows 7 machines the computer shows the desktop and then starts the loginscript.
What we want is finish the loginscript before the desktop is shown, like it works wth XP.
We use windows 7 pro with UAC enabled, with UAC disabled the group policy`s work perfect and the desktop pops up when the loginscript is finished.
Do u guys have any feedback on this, i`ve been searching everything but can`t find the solution (except for disabable UAC what we don`t want to do)
Additional info:
* w2k3 sp1 server pre-2000 mode
* windows 7 pro
November 4th, 2010 6:21pm
Hey Ted,
we`re testing on a test machine on wich i disabled it by hand.
we`re testing it before we deploy it to our users.
Ive been searching for ages now and no solution, yes disabling uac helps but thats not an option.
Some users are already using uac and there getting into trouble with there virtual folders if we disable uac.
Strange that nobody else has this problem.....
As for additional information, we have a w2k3 sp1 server BUT it runs in pre-2000 mode so it could be that this one of our problems....?
Ted in which country did open the ticktet?
Iam thinking of opening an ticket at microsoft to see if they have any solution....
Free Windows Admin Tool Kit Click here and download it now
November 8th, 2010 9:50am
I, too, think it's strange that nobody else seems to be running into this problem. Possible not many organizations use the options for running scripts synchronously, maybe that's why MS changed the default behavior to Asynch, but doubtful on that. Ticket
is open in the US.
Be nice if a forum moderator would provide some feedback or possibly be able to test and verify the functionality of this feature in a similar AD environment.
If you ever stumble upon a resolution or workaround, please update this thread if you don't mind. Thanks again.
November 8th, 2010 4:46pm
No problem, iam opening the ticket here in holland.
Strange thing is the script runs so that policy works, but some specific policy`s dont work.....
Free Windows Admin Tool Kit Click here and download it now
November 9th, 2010 3:17am
I've found that certain policies have been deprecated in Windows 7. May or may not be the case with certain policies you're using. In case you haven't seen it,
here's a link to an Excel spreadsheet of the GPO settings reference for Windows 7.
November 9th, 2010 9:03am
Hey Ted,
My colleague had a VERY bright idea that explaines the problem
The problem is the policy`s work BUT in windows 7 and UAC you trigger the wsf to run your script so this is what happens.
your policy triggers the wsf so windows thinks that the wsf is your "logonscript" from here the wsf makes a scheduled task with your vbs/powershell loginscript.
The problem is that windows sees the wsf as logonscript and waits untill this is done, because its very small it fly`s and you don`t notice it.
The real logonscript (thats being triggered from the wsf) is made into a scheduled task so windows doesnt see this as a logonscript, it shows the desktop and runs the scheduled task where the loginscript is in......
When i put a msgbox in the WSF it stops loading the desktop, shows the msgbox and until i click "ok" it will continu to the desktop.
This is the problem but how to solve it is the next problem...... :(
Another problem is that windows 7 doesnt show gpresult under "normal" credentials, if u run it as admin you will see your policy`s, the next thing is to figur out how to show the gpresult as user :) (solved this is normal, user stays the same :))
Free Windows Admin Tool Kit Click here and download it now
November 10th, 2010 3:02am
Hey Ted,
My colleague had a VERY bright idea that explaines the problem
The problem is the policy`s work BUT in windows 7 and UAC you trigger the wsf to run your script so this is what happens.
your policy triggers the wsf so windows thinks that the wsf is your "logonscript" from here the wsf makes a scheduled task with your vbs/powershell loginscript.
The problem is that windows sees the wsf as logonscript and waits untill this is done, because its very small it fly`s and you don`t notice it.
The real logonscript (thats being triggered from the wsf) is made into a scheduled task so windows doesnt see this as a logonscript, it shows the desktop and runs the scheduled task where the loginscript is in......
When i put a msgbox in the WSF it stops loading the desktop, shows the msgbox and until i click "ok" it will continu to the desktop.
This is the problem but how to solve it is the next problem...... :(
Another problem is that windows 7 doesnt show gpresult under "normal" credentials, if u run it as admin you will see your policy`s, the next thing is to figur out how to show the gpresult as user :)
November 10th, 2010 3:03am
We seem to be experiencing the same problem with a vbs loginscript in combination with windows 7 enterprise.
When a new user logs on for the first time, the desktop is loaded at the same time that the logonscript run, even though the synchronous policy is set.
Can you tell me what manual actions you did to disable UAC?
Free Windows Admin Tool Kit Click here and download it now
December 3rd, 2010 7:45am
we didnt disabled uac, just use de wsf to trigger de loginscript with the right elevated rights.
This is a bug, or a way of working microsoft used to make the loginscript work with the right evelated rights!
December 6th, 2010 10:29am
Apparently this is a known bug by Microsoft. We received this message from MS the first week in December via the case with opened using our Premier Support; sorry for the late post but I hope it helps someone out or at least quells your frustrations by preventing
you from troubleshooting further. We have submitted a Design Change Request and it has been submitted to the coding engineers for evaluation. Guess we'll see whether they take any action as the Design Team has already turned down the request once!
FYI, we have always had UAC disabled and this does not help our situation.
Notes from Premier Support contact:
"The behavior we’re seeing is documented as a bug in our database and unfortunately is coded as won’t fix against the Windows 7 code base. What this means is we discovered the bug, triaged it, and performed
a cost versus benefit analysis of the code change before concluding most if not all workarounds are easy to implement. Here is the problem description of the existing bug in our database:
Problem Description: RunLogonScriptsSync no longer enforces GP defined logon scripts to run synchronously in Vista and later OSes. This is due to the architectural change to move Group Policy execution out of Winlogon
and into its own service. Userinit.exe is the process that enforces RunLogonScriptsSync and prior to Vista it was also the process responsible for launching GP scripts. Now GP scripts are launched by gpscript.exe and due to this change RunLogonScriptsSync
is not enforced.
So even though we’ve made the changes via group policy and in the registry our code blithely ignores it. A little background on this: We’ve pulled the processing of Group Policy out of the Winlogon.exe
process in order to secure Winlogon and Group Policy now runs under its own service. The net result is the product is much more secure but does not behave as earlier products do even though the verbiage in the group policy editor insists it does."
Free Windows Admin Tool Kit Click here and download it now
January 21st, 2011 1:20pm
Hey Ted,
The problem with the loginscript is done, we made a html popup wich is fullscreen so users can`t use there computer it isnt the way is was ment to be but it works.
Iam still having problems with the computer startupscript some users work but some users don`t work. somehow the pc have to wait for 60sec before network is ready.
The policy "wait for network" isn`t working in w7 :(
http://social.technet.microsoft.com/Forums/en-US/w7itpronetworking/thread/393e6042-dea0-4285-9aeb-2ddf50434f6b
January 26th, 2011 9:35am
Have either of you tested the group policy setting "Startup policy processing time" in Computer Configuration>Policies>Administrative Templates>System>Group Policy? We too are having some issues with login scripts still running
after the desktop has appeared for some users in our classrooms. Consequently, there are times when network drive(s) do not map and/or printers don't appear at all or appear 15-90 seconds after the desktop has been presented to the user.
Free Windows Admin Tool Kit Click here and download it now
January 28th, 2011 11:58am
Yup ive tested this because the computerscript fail if we don`t use it.
Still its a problem of windows 7 and personally i dont think expanding the boot time is a nice solution!
February 1st, 2011 4:01am