Jump to content
CLOSING SOON! DfE Technology in Schools Survey for 2025 (England Only) - Closes 23rd of May!

Login issues with domain trusts

Stuart_C

By Stuart_C
in Windows

 Share

Recommended Posts

Stuart_C

Stuart_C

Posted
Posted

I have recently set up a trust between the two domains at our College.

It seems to be set up fine, the security seems to work and I can log onto either domain from any comptuer.

 

The problem I have is that when I log using an account in domain x from a machine in domain y my home folder correctly but the login scripts doesn't execute, thus I have no other network drives.

 

If I browse for the sysvol share and the login script I can execute it manually with no problem, I don't know why it doesn't execute manually.

 

Help.

FN-GM

FN-GM

Posted
Posted
I have recently set up a trust between the two domains at our College.

It seems to be set up fine, the security seems to work and I can log onto either domain from any comptuer.

 

The problem I have is that when I log using an account in domain x from a machine in domain y my home folder correctly but the login scripts doesn't execute, thus I have no other network drives.

 

If I browse for the sysvol share and the login script I can execute it manually with no problem, I don't know why it doesn't execute manually.

 

Help.

 

On the script use the full DNS name of the server instead of the short name if you haven't already.

 

instead of \\server\share

use \\server.domain.com\share

Stuart_C

Stuart_C

Posted
  • Author
Posted

Didn't work. It looks like the script is not executing rather than a problem with the script itself. As I said if I browse to the other sysvol folder I can see the script and execute it and ir runs fine. It just doesn't run automatically. The Home Folder maps in OK as I have set up DNS records for the servers in the oposing domains in each domain.

 

I did notice that I get the error 1109 detailed here. Whilst I get what it is on about I don't understand if this is the problem as the logon scrip isn't part of a GPO it's part of the users account. If it can map the home folder why can't it run the login script?

FN-GM

FN-GM

Posted
Posted
Didn't work. It looks like the script is not executing rather than a problem with the script itself. As I said if I browse to the other sysvol folder I can see the script and execute it and ir runs fine. It just doesn't run automatically. The Home Folder maps in OK as I have set up DNS records for the servers in the oposing domains in each domain.

 

I did notice that I get the error 1109 detailed here. Whilst I get what it is on about I don't understand if this is the problem as the logon scrip isn't part of a GPO it's part of the users account. If it can map the home folder why can't it run the login script?

 

Try putting it in the Group policy. When you do so use the full DNS name for the server.

Stuart_C

Stuart_C

Posted
  • Author
Posted

Might try that later as it's going to force me to impliment the cross forest processing of GPO's

 

Still don't see why it's not executing as part of the login!

Stuart_C

Stuart_C

Posted
  • Author
Posted

Tried that as well. No joy.

 

Actually I don't think that a GPO will work. All our business users are in the same OU yet I have about 5 different scripts for different people dependingon what they need to access.

jamesb

jamesb

Posted
Posted (edited)

Can you manually assign the network drives once you've logged on, while you're on the other domain?

 

When you manually run the script is it actually assigning the drives, or just running?

Edited by jamesb
DrPerceptron

DrPerceptron

Posted
Posted
Tried that as well. No joy.

 

Actually I don't think that a GPO will work. All our business users are in the same OU yet I have about 5 different scripts for different people dependingon what they need to access.

 

Multi GPO's filtered to security groups... or your VBS script can check against groups?

 

What happens if you run the logon script as a visible batch file?

Stuart_C

Stuart_C

Posted
  • Author
Posted

Kind of answering Jamesb and DrP...

If I log in to a machine in domain Y using a domain X usernmae I just get the standard desktop. My home drive appears (\\serverX\users\usernameX)

 

If I go to Start ==> Run ==> \\domainX\sysvol\domainX\scripts\scriptname.bat I can see it and run the script. The script runs fine and all my drives appear.

 

Now whislt I can manually run this for me (pain that it is) for normal people it's not really an option.

 

Also I've tried FQDN's for the script path and in the scripts themselves.

DrPerceptron

DrPerceptron

Posted
Posted

Sorry, I meant if you use GPO to turn logon scripts to visible to see what happens when it runs...

 

User Conf > Administrative Templates > System > Scripts

 

What about the path \\domainx\netlogon\scripty.bat ?

jamesb

jamesb

Posted
Posted
Just to check, have you got Administrative Templates\System\Group Policy\Allow Cross-Forest User Policy and Roaming User Profiles enabled?
Stuart_C

Stuart_C

Posted
  • Author
Posted

Sorry for the delay,

@sukh - ACL's are fine, at least "everyone" has read permmissions and file and share level.

 

@jamesb - No I have not (it's not configured which is the same as not). However the script is part of the users AD account NOT GP.

 

@DrPerceptron - I've get "Legacy Login Scripts" set to hide but not Login Scripts (for some reason). I have however got it set in the user settings and I know that they are not being appled becuase I have not enabled "Allow Cross-Forest User Policy and Roaming User Profiles".

 

I might wait until Friday (Our pupils leave Wednesady and Thursday's the Support Staff Christmas Lunch) and then enable the cross Forrest GPO Processing and see what happens.

jamesb

jamesb

Posted
Posted (edited)
Sorry for the delay,

@sukh - ACL's are fine, at least "everyone" has read permmissions and file and share level.

 

@jamesb - No I have not (it's not configured which is the same as not). However the script is part of the users AD account NOT GP.

 

@DrPerceptron - I've get "Legacy Login Scripts" set to hide but not Login Scripts (for some reason). I have however got it set in the user settings and I know that they are not being appled becuase I have not enabled "Allow Cross-Forest User Policy and Roaming User Profiles".

 

I might wait until Friday (Our pupils leave Wednesady and Thursday's the Support Staff Christmas Lunch) and then enable the cross Forrest GPO Processing and see what happens.

 

I'm just wondering, since it says that it also applies to roaming profiles. The home directory redirect, if I remember correctly, is part of the AD schema and so would carry across anywhere the object goes. I've just had a look at the schema and can't find anything similar for logon script.It may be there of course, I just took a glance at it so might've missed it.

 

Edit: I take it back, just found it in the schema. scriptPath attribute.

 

 

Edit v1.1: On the other hand I did just find this KB from Microsoft which might help: When you try to log on interactively to a Windows XP-based client computer, the user object logon script does not run

Edited by jamesb
sukh

sukh

Posted
Posted
I believe it's a name resolution issue. Can you try the KB and let us know. Also try to update either the host/lmhost6 file on A client machine and see if you ping the server(s) in the login script using netBIOS only. Before doing this tell me what happnes when you ping the server(s) in the login script before changing the host/lmhost files

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing


  • 33 When would you like EduGeek EDIT 2025 to be held?

    1. 1. Select a time period you can attend


      • I can make it in June\July
      • I can make it in August\Sept
      • Other time period. Comment below
      • Either time
×
×
  • Create New...