Posted January 30, 2011

Hey folks - I've followed the various guides on how to get a batch file to run automatically upon Windows 2008 startup (vs. user login). The batch file I've written is really simple:

    @echo off
    net use z: \\server.fqdn\share_name passwd /user:username

It sort-of works. Once the machine boots, I open the Windows Explorer, and I see the drive mapped but "Disconnected" with a big red X next to it. If I click on the drive, I can see its contents. If I try to right-click and disconnect it, no luck. It tells me the path doesn't exist. I get a similar error if I try to remove it using "net delete".

So I'm doing something wrong, I'm just not sure where to look. The batch file? Permissions of some sort? ... Any other suggestions or ideas?

Thanks.

jas
January 31, 2011

Is the script running on the server and mapping a drive from itself? Does this behavior change if you use the IP address instead of the FQDN?
January 31, 2011 (Author)

> Is the script running on the server and mapping a drive from itself? Does this behavior change if you use the IP address instead of the FQDN?

The script is running on the server, trying to map a drive from a NAS. The behavior doesn't change w/IP vs. FQDN.

jas
January 31, 2011

How about if you add a line "net use z: /delete" before your other net use z: line?
January 31, 2011 (Author)

> How about if you add a line "net use z: /delete" before your other net use z: line?

Nope. Doesn't appear to. I actually directed the output of the script to a tmp file along with some echos before and after the commands were run. This is what shows:

    Begin bane
    z: was deleted successfully.
    The command completed successfully.
    End bane

And yet I still see the issue.

jas
January 31, 2011

Are you running your script via a GPO? If so, from the computer section or user section? If computer, try changing to user section.

You might also enable "Always Wait for the Network at Startup and Logon" under Computer\Admin Templates\System\Logon.

Perhaps also try net use /persistent:yes z: etc.

This kb may or may not apply as well.
January 31, 2011 (Author)

> Are you running your script via a GPO? If so, from the computer section or user section? If computer, try changing to user section. You might also enable "Always Wait for the Network at Startup and Logon" under Computer\Admin Templates\System\Logon.

I tried the "Always wait..." and that didn't make a difference. I specifically want it in the Computer section vs. the User one, because I want this to happen at boot time, not login time. As expected, putting it in the User section does work, but only when a user logs into the computer. It's not mounted pre-login. That doesn't help me out much. :-(

jas
February 1, 2011

Hmm, does it need to be a script? You could map a share through your GPO in Computer>Preferences>Windows Settings>Network Shares. If it's not something you have an OU, you could security filter the gpo for that one (or more) computer account (or a group).
February 1, 2011 (Author)

> Hmm, does it need to be a script? You could map a share through your GPO in Computer>Preferences>Windows Settings>Network Shares. If it's not something you have an OU, you could security filter the gpo for that one (or more) computer account (or a group).

I have to admit you've somewhat lost me there. In gpedit, what am I looking for? There's no "Preferences" section, but there is a "Windows Settings" under "Computer". However, no "Network Shares". Are you saying I can add that using a security filter? Kinda clueless there...

jas
February 1, 2011

Gpedit opens just your local computer policy. If you use gpmc.msc, that opens your domain group policies -- assuming that you have a domain, which you may not. The domain policies add the preferences section, which contains a lot more settings.

Security filters are another gpmc addition. The local computer policy only applies to, well, the local computer. A domain group policy applies to whatever organization unit (OU) that you apply it to, but you can use a filter to restrict it even further. So, I might have all of my servers in an OU called "Internal Servers", but maybe I only want a policy to apply to print servers or a single server, so you can add a filter that is that one computer's account or a group which contains the computer accounts of all of your print servers. In effect, you're saying that other computers/servers don't have permission to apply that policy.

So, if you're not using a domain, then that may be a lot of information that you can't use.
February 1, 2011 (Author)

> Gpedit opens just your local computer policy. If you use gpmc.msc, that opens your domain group policies -- assuming that you have a domain, which you may not. The domain policies add the preferences section, which contains a lot more settings.

OK, that makes sense. I do have a domain, but I don't really need other machines in the domain auto-mounting Z:. Just the domain server. So would you suggest I still go through gpmc instead?

Sorry for the clue-by questions. I'm a UNIX geek trying to learn Win2008 server. :-)

jas
February 1, 2011

Yes, you could put this in the Default Domain Controller Policy if this is the only domain controller (assuming domain controller from "domain server") and no other machines will apply that policy.

If it is not a domain controller, but just a member server in the domain, you can make a new policy and attach it at the domain level, but in the security filtering section add your server's computer account, and then it will still only be applied to that one server.
February 1, 2011 (Author)

> Yes, you could put this in the Default Domain Controller Policy if this is the only domain controller (assuming domain controller from "domain server") and no other machines will apply that policy.

So another dumb question: I found the "Network Share" section in the editor, but that appears to be about sharing a drive, not mounting an already-existing share. Or did I misread that?

jas
February 1, 2011

Carp! You're right. I was thinking of the Drive Maps option which is under the User Configuration which brings us back to the same problem. Hmm.
February 1, 2011

Ok. Different tack. In your net use command, are you using a domain username and password, or is that a NAS device username and password?
February 1, 2011 (Author)

> Ok. Different tack. In your net use command, are you using a domain username and password, or is that a NAS device username and password?

Happens to be both in this case. But the requirement is to use the NAS's authentication, since it's NOT part of the domain. I've just made the uname/passwd the same.

jas
February 1, 2011

Back in your gpedit local policy, what is your setting for Local Policies > Security Options > Network Security: LAN Manager authentication level?

You may need to check your NAS documentation to see if it recommends changing that to: Send LM and NTLM - use NTLMv2 session security if negotiated. The QNAP NASes, for example, recommend this, though it may lower your security if that has to be set on a domain controller.
February 1, 2011 (Author)

> Back in your gpedit local policy, what is your setting for Local Policies > Security Options > Network Security: LAN Manager authentication level?

Will have to check that when I get home later, since the server is there and I can't RDP into it (on purpose) remotely. Is there a way to ask Windows about that setting via the CLI? I can ssh into the machine...

> You may need to check your NAS documentation to see if it recommends changing that to: Send LM and NTLM - use NTLMv2 session security if negotiated. The QNAP NASes, for example, recommend this, though it may lower your security if that has to be set on a domain controller.

The NAS is basically just a CentOS (RedHat) Linux server running SAMBA, NFS, AFP, etc. The drive mounts fine, once the machine is booted. If I disable the script in gpedit, reboot, and then run the script from the CLI, it works beautifully. But it requires me to log in to do that, obviously. Would changing those security settings (auth level) actually help here?

Thanks.

jas
February 1, 2011 (Author)

> Back in your gpedit local policy, what is your setting for Local Policies > Security Options > Network Security: LAN Manager authentication level?

I just checked this and it's currently Undefined. By default that means "Send NTLMv2 response only" for Win 2008 Server, I believe. Does that matter, though, since after I log in, I can run that script?

jas
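
On the question above of reading the LAN Manager authentication level from the command line: the policy is stored in the LmCompatibilityLevel registry value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, so it can be checked from a PowerShell prompt over SSH before anyone lowers it for a NAS. The script below is an added example, not code from any poster in this thread; the function names are hypothetical, and treating an absent value as level 3 is an assumption for Windows Server 2008.

```powershell
# Added example. Registry location of the "Network security: LAN Manager
# authentication level" policy.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# The six documented levels, in the wording used by the policy editor.
$LevelNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

# Hypothetical helper: turn a raw registry value (or $null when the policy is
# not defined) into a description of what this machine sends as a client.
function Resolve-LmLevel {
    param($RawValue, [int]$DefaultLevel = 3)   # 3 = assumed OS default

    $defined = $null -ne $RawValue
    $level = if ($defined) { [int]$RawValue } else { $DefaultLevel }
    if (-not $LevelNames.ContainsKey($level)) {
        throw "Unexpected LmCompatibilityLevel value: $level"
    }
    New-Object PSObject -Property @{
        Level       = $level
        Setting     = $LevelNames[$level]
        Defined     = $defined
        SendsLM     = ($level -le 1)   # LM responses are sent at levels 0 and 1
        SendsNTLMv1 = ($level -le 2)   # NTLMv1 responses at levels 0, 1 and 2
    }
}

# Hypothetical wrapper: read the live value from the registry.
function Get-LmLevel {
    $item = Get-ItemProperty -Path $LsaKey -Name LmCompatibilityLevel -ErrorAction SilentlyContinue
    $raw = if ($item) { $item.LmCompatibilityLevel } else { $null }
    Resolve-LmLevel -RawValue $raw
}

Get-LmLevel | Format-List Level, Setting, Defined, SendsLM, SendsNTLMv1

# Constructed inputs: the policy left undefined, and the level-1 setting
# mentioned in the thread as a NAS vendor recommendation.
Resolve-LmLevel -RawValue $null | Format-List
Resolve-LmLevel -RawValue 1 | Format-List
```

Without PowerShell, reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v LmCompatibilityLevel returns the same raw number. A result with SendsLM or SendsNTLMv1 set to True means the machine offers the weaker responses to every server it authenticates to, not only to the NAS.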