logon.bat question using PDC [SOLVED]

[greavette]

Hello,

I've installed Zentyal (2.0.22) in Ubuntu Server 10.04.  I've installed the modules to use a PDC so my Windows XP workstations can connect.  Now I'm testing the logon.bat in /home/samba/netlogon.  I've created a logon.bat and logon.vbs created from this post:  http://forum.zentyal.org/index.php?topic=2019.0.  My question is, do I need to name the .bat file that will be executed on each workstation logon.bat or do I need to rename it to zentyal-logon.bat like the file that was there when zentyal was installed? 

Thanks,

Charles.

[jsalamero]

I think you will have to customized smb.conf.mas to run a logon script per machine basis.

[robb]

Why not dive into kixtart or something like that? With that you can create custom logonscripts so you can give on account and/or pc base all the options you need.

[Lueghi]

you can also create a computername.bat for each machine in the same directory and in the logon.bat you only need to add the following line:

Code: [Select]

call %computername%.bat
So when the users login first the common logonfile will be executed and then the machine specific logon will work.

[robb]

What I would like to know is why you want to make _machine_ depending logon scripts? What if another user uses that machine?

[greavette]

Hello Robb,

Good point.  What I need instead is User dependent logon script.  I've Lueghi's suggestion but I'm using username instead.  Each username has their own logon script to open shares etc.  Works Great!

I've not heard of kixtart before...I'll have to look into this further.

Thanks very much for all your suggestions.

[DWAM]

Hi Greavette!

I'm having problems with the logon script not being executed for simple users. In here, it only works for users with admin privileges.

May I ask you if your users have administrator rights or not ?

TIA

[greavette]

Hello DWAM,

I'm currently using the logon.bat file for select employees that do have either power user or administrative privileges on their PC's.  But I'm fairly sure I did testing using limited users as well.

A bit of background for you on my setup:

We only have Windows XP workstations in our office.  We are talking of a move to a new version of Windows (probably 7) but we have not started testing our applications yet. 
The logon.bat script I run so far only has net use commands to open shares for each employee.  I've added the user and password directly in the .bat file that executes.  I do not have my servers on our domain yet so these new userid's I've created in our Zentyal Domain Controller are not known to our servers. 

I will setup a limited user tonight and create a similar .bat logon script and let you know my results.

What is being executed in your logon scripts?

[robb]

I've thought a lot about how a logonscript should work. What kind of protocol is needed to create a good script.
There are several situations where a pc-based solution as mentioned by Lueghi by creating a %machinename%.bat might be sufficient. For instance, when everybody in your organisation always uses the same pc.

If there IS some change in pc's that are used by people, for instance when there are desktops that can be randomly used by anyone, a %username%.bat can solve the problem.

But IMO those solutions are not the way to approach this issue.
I think a better way is to give resources and permissions by identifying the needs a function someone has in a company. For each resource and/or permission you create a group that has gives the rights to that resource or permission. In the login.bat you give those resources based on the function of the account, rather than the account name itself. When someone changes his or her function, it is a lot easier to change the necessary resources and permissions.

For printers you could think of location dependent assignment. Especially when the company has a large building or has different locations. Based on subnet/VLAN you can assign printers closest to the location where the user logs in.

[DWAM]

Thanks for your reply.

The logon script I'm using is very basic (so far) : adding shares and sync time. The very base for a PDC...

I'm trying to replace an old (but functioning) PDC, based on Samba on a CentOS 4 server, by Zentyal 2 64 Bits. Giving admin rights to all my users is NOT an option for me (nor should be for an SMB server). My XP machines have properly joined the domain and users can't open a session locally : they must validate their credentials against the PDC. No roaming profiles so far, as long as the logon script won't work.

I'd be glad if you could tell me the result of your testing.

Thanks again

[greavette]

I agree with you Robb.  Our Groupware server (Simple Groupware) works this way.  I've created groups by job function and add or remove employees from the group as required.  I would prefer to setup logon scripts by group for our Zentyal Domain Controller.  Do you know how to check by group before running the script?

Thanks.

[DWAM]

To check by group, you need "ifmember.exe", an executable from the NT Resource Kit which is also available on the internet.

If you search "ifmember" in the forum or google it, you'll find many examples.

IMO, logon scripts must take into account :
- the specific user
- the groups this user belongs to
- the workstation used to log in (some PCs might have special requirements or extra features based on specific hardware or software)

[greavette]

I've seen reference to ifmember in other forum posts but didn't know where it came from...thanks very much DWAM for the useful information!

[greavette]

Hello DWAM,

I've tested my logon.bat script using a limited user (only the USER group) and the script worked without error.  I used the same script as my Admin users in our office, net use statements to connect to shares.

What error are you getting when you run your logon.bat script for your limited users?  Add some pause statements to your .bat file and test running the script directly in windows (not using the script in home/samba/netlogon in Zentyal when the computer starts) and see if there are any errors.

[ichat]

greavette  - good tips..