VBS Script error in Logon Script with AD change

  1. Hello All,

    I have been developing a very in depth login script that we use for all our
    customers to do many things. I have found an addition that I would like to
    include but for some reason am not able to make this thing work. What the script
    does is write the current user and time to the Active Directory Computer
    Description and User Account Description field. So when my techs log in it is
    much easier to locate a system that the user is working on. JSI has provided
    a great script that has been developed a little further and is based on one
    of the "Microsoft Scripting Guy" scripts. The problem is this:

    When we run the script as an Admin user it works fine, but if it is run as a
    regular user it fails with General Access Error, Active Directory 80070005.
    I have tried making this part of a GPO login to see if it uses a system
    account that would have permissions with no luck also. I have attached the
    link to the JSI site with the script, currently we are trying just the logon
    option. Any ideas would be much appreciated.

    Nathan Sanders
    Webspeedway, Nov 6, 2006
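The write the question describes, as an added example (not the JSI or Scripting Guy script the post refers to, which is not reproduced here): it binds to the logged-on user's and computer's objects through ADSI, puts a timestamp into their Description attributes, and reports the 80070005 (access denied) failure by name instead of failing silently. It assumes it runs as a logon script, i.e. with the logon user's own rights.

```vbscript
' Added example, not the script from the thread. Writes "user on computer at time"
' into the Description attribute of the user and computer objects via ADSI.
' Assumption: run as a logon script, so every bind uses the logon user's rights.
Option Explicit
On Error Resume Next

Dim objSysInfo, objNet, strStamp

' ADSystemInfo exposes the distinguished names of the logged-on user and computer.
Set objSysInfo = CreateObject("ADSystemInfo")
Set objNet = CreateObject("WScript.Network")
strStamp = objNet.UserName & " on " & objNet.ComputerName & " at " & Now

' Put the text into the description attribute of one object and commit it.
Sub WriteDescription(strDN, strText)
    Dim objTarget
    Err.Clear
    Set objTarget = GetObject("LDAP://" & strDN)
    objTarget.Put "description", strText
    objTarget.SetInfo
    If Err.Number <> 0 Then
        ' Err.Number is a negative Long; Hex() renders it as the familiar 8-digit HRESULT.
        ' 80070005 = E_ACCESSDENIED: this account has no "Write Description" right
        ' on the object (delegated on the object's Security tab, see the reply).
        If Hex(Err.Number) = "80070005" Then
            WScript.Echo "Access denied updating " & strDN & " (no Write Description right)"
        Else
            WScript.Echo "Error " & Hex(Err.Number) & " updating " & strDN & ": " & Err.Description
        End If
        Err.Clear
    End If
End Sub

WriteDescription objSysInfo.UserName, strStamp
WriteDescription objSysInfo.ComputerName, strStamp
```

Run it with cscript rather than wscript during testing so the messages go to the console instead of popping dialogs at logon. Because the second call fails independently of the first, a user who has been granted Write Description on computer objects but not on user objects will see exactly which of the two writes is denied, which is the quickest way to confirm that the error is a permissions problem rather than a script bug.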
  2. Hi,

    First, logon scripts run with the credentials of the user. Startup scripts
    run with system privileges on the local machine, and with the credentials of
    the computer object in the domain.

    Next, you can grant permissions to modify attributes on the Security tab of
    an object. For example, you can grant a user (or better yet a group)
    permission to "Write Description" on a user or computer object. Right click
    the object, select properties, select the "Security" tab (you may need to
    select "Advanced Features" on the View pull down menu to get the Security
    tab), click the "Advanced" button, select the user or group you want to
    grant permissions to in the "Permission Entries" box (you may need to add the
    user or group), then click the "View/Edit" button, and find the permission
    you want to grant on the "Properties" tab. One of the permissions you can
    grant is "Write Description".

    Finally, I don't recommend modifying attributes on a short term basis this
    way. It can be done, but AD was not designed to have attribute values change
    every time a user logs on. The replication traffic is a concern. That's why
    the lastLogon attribute is not replicated, why the lastLogoff attribute is
    never used, and why AD does not keep track of which computer users log into.
    Most times when a user logs on only the lastLogon attribute is updated, and
    that is not replicated.

    I would suggest using a logon script to log information to a text file. I
    did this for years. I have a sample logon script that logs date/time, user
    name, computer name, and IP Address linked here:
    A line is appended to a log file every time a user logs on. All users need
    write access to the log file. The file can be imported into a spreadsheet
    for analysis. You could also have a logoff script log when the user logs
    Richard Mueller, Nov 7, 2006
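The text-file approach recommended above, as an added example (this is not Richard Mueller's own sample script, which is not reproduced in the thread): one line per logon with date/time, domain\user, computer name and IP address, appended to a shared log file. The share path is a placeholder, and the WMI query for the IP address and the CSV layout are choices made here, not taken from the post.

```vbscript
' Added example, not the sample script linked in the reply. Appends one CSV record
' per logon: date/time, domain\user, computer name, first IPv4 address.
' Assumption: LOG_FILE is a placeholder for a share all users can append to.
Option Explicit
On Error Resume Next

Const ForAppending = 8
Const LOG_FILE = "\\SERVER\LogonLogs$\logon.log"   ' placeholder path, replace

Dim objNet, objFSO, objWMI, colNics, objNic, objFile, strIP, strLine

Set objNet = CreateObject("WScript.Network")
Set objFSO = CreateObject("Scripting.FileSystemObject")

' Take the first address of the first IP-enabled adapter reported by WMI.
strIP = "unknown"
Set objWMI = GetObject("winmgmts:\\.\root\cimv2")
Set colNics = objWMI.ExecQuery( _
    "SELECT IPAddress FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = True")
For Each objNic In colNics
    If Not IsNull(objNic.IPAddress) Then
        strIP = objNic.IPAddress(0)
        Exit For
    End If
Next

' One comma-separated record so the file imports straight into a spreadsheet.
strLine = Now & "," & objNet.UserDomain & "\" & objNet.UserName & "," & _
          objNet.ComputerName & "," & strIP

' Open for append, creating the file if it does not exist; never block the logon
' on a logging failure, just report it.
Err.Clear
Set objFile = objFSO.OpenTextFile(LOG_FILE, ForAppending, True)
If Err.Number = 0 Then
    objFile.WriteLine strLine
    objFile.Close
Else
    WScript.Echo "Could not append to " & LOG_FILE & ": " & Err.Description
End If
```

Since every user must be able to write to the file, limit what they can do with it: on the NTFS side, granting Authenticated Users only "Create files / write data" and "Append data" on the log file (not Modify or Read) lets the script add lines while keeping other users' logon records out of reach and much harder to alter. The machine that generates reports still needs read access, so give it, or the admins' group, Read separately.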
