UAC Sporadic Logon Script issues
This question seems to be posted a number of times with no clear solution. So here we go again.

I have been having some issues with logon script batch files running successfully on Server 2008 R2/Windows 7 PCs. I have found where the problem lies -- it is User Account Control somewhere. When I experience the issue, I go into User Account Control, set the slider up one and select OK. I then go back in and set the slider all the way to the bottom to disable User Account Control, and it prompts me to restart to apply changes. Once I restart, it maps all of the drives as it should. After a period of restarts/logins the same issue happens again.

I have the following set in Active Directory Group Policy.

| Policy | Setting |
| --- | --- |
| User Account Control: Admin Approval Mode for the Built-in Administrator | Disabled |
| User Account Control: Allow UIAccess applications to prompt for elevation | Enabled |
| User Account Control: Behavior of the elevation prompt for administrators in | Elevate without prompting |
| User Account Control: Detect application installations and prompt for | Disabled |
| User Account Control: Only elevate executables that are signed and | Disabled |
| User Account Control: Only elevate UIAccess applications that are installed | Disabled |
| User Account Control: Run all administrators in Admin Approval Mode | Disabled |
| User Account Control: Switch to the secure desktop when prompting for | Disabled |

Also, another weird issue is that a reboot isn't necessarily required for the drive mappings to stop working. We have a XenApp server with the desktop shared, and after a certain number of logins, the drive mappings begin failing and I have to go through the above process to turn UAC on and off and restart the Server/Windows 7 PCs. The weird thing is that when I try to manually run the logon.bat after I am logged in, it works without an issue.
March 2nd, 2012 3:14pm

Hi,

When the administrative user logs on, Windows processes the logon scripts using the elevated token. The script actually works and maps the drive. However, Windows blocks the view of the mapped network drives because the desktop uses the limited token while the drives were mapped using the elevated token.

To get around this issue, administrative users should map network drives under the limited user token. This mapping is accomplished by using the launchapp.wsf script shown in Appendix A, which works by scheduling the commands using the task scheduler. The task scheduler launches the script under the administrative full token, thereby allowing Windows Explorer, other limited token processes, and the elevated token process to view the mapped network drives.

To configure launchapp.wsf to postpone the execution of a logon script

1. Copy the logon script and the launchapp.wsf script to a network share.
2. Start the GPMC. In the GPMC, right-click the GPO you want to modify, and then click Edit.
3. In the User Configuration node, expand Windows Settings, and then click Scripts.
4. Right-click Logon, and then click Properties.
5. In the Logon Properties dialog box, click Add.
6. In the Script Name box, type launchapp.wsf
7. In the Script Parameters box, type the full path and name to logon.bat

William Tan
TechNet Community Support
March 7th, 2012 9:39pm
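To see the token split described in the answer on an affected machine, the following diagnostic is an added example and is not part of the original thread or of launchapp.wsf. It assumes PowerShell is available on the client and relies on the standard registry values that back the UAC policies listed in the question; run it once from the logon script and once from the desktop session, then compare the two outputs.

```powershell
# Added diagnostic (not from the thread): shows the effective UAC settings,
# which token this process runs with, and which network drives that token sees.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Registry values behind the Group Policy settings quoted in the question.
$uacValues = @(
    'EnableLUA',                  # Run all administrators in Admin Approval Mode
    'ConsentPromptBehaviorAdmin', # Elevation prompt for administrators (0 = elevate without prompting)
    'FilterAdministratorToken',   # Admin Approval Mode for the Built-in Administrator
    'PromptOnSecureDesktop'       # Switch to the secure desktop when prompting
)

$policy = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
foreach ($name in $uacValues) {
    # A value of 0 is valid, so test for the property itself, not its value.
    if ($policy -and $policy.PSObject.Properties[$name]) {
        $value = $policy.$name
    } else {
        $value = '(not set)'
    }
    '{0,-28} {1}' -f $name, $value
}

# With a filtered (limited) token, an administrator is NOT reported as being
# in the Administrators role; with the full token the check returns True.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isFull    = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
"User: $($identity.Name)"
"Full administrator token: $isFull"

# Drive mappings belong to the logon session of the token that created them,
# so this list differs between the elevated and the limited token.
'Network drives visible to this token:'
net use
```

If the logon script run reports a full administrator token and lists the drives while the desktop run reports a limited token and lists none, the machine is in the split-token state the answer describes.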

