microsoft / AaronLocker

Robust and practical application control for Windows
MIT License

netlogon location #27

Closed opoplawski closed 2 years ago

opoplawski commented 4 years ago

Just getting started with using this - thanks for providing a very interesting project.

I see that it has produced a warning for our AD logon scripts as expected for \\DOMAIN\netlogon\*, but I'm seeing an audit warning for trying to exec a login script from a particular AD server. Something like \\SERVER\NETLOGON\USER.BAT with SERVER being a short (non-FQDN) name. Is that a configuration setting somewhere? The scriptPath setting in ldap is simply USER.bat.

AaronMargosis commented 4 years ago

I think when something like that has come up before, the issue was that a logon script on the DC called something else, and the way it got invoked, the full path became rendered with the specific server name rather than the domain name. I don't know what the best way is to resolve that, or whether any of these are feasible:

opoplawski commented 4 years ago

Thanks for the response. I think the issue is with the logon script itself. The logon scripts do make use of scripts in another share that they mount explicitly with net use \\DOMAIN\SYSVOL..., and those scripts are allowed via the AaronLocker policy. So it seems like something in the logon script setup is using the domain controller name directly. I wonder if our use of sites has anything to do with it. I'm having trouble finding documentation of the process, though.

We might be able to add all the domain controllers - there aren't too many (~7).

I'm not sure what would replace logon scripts. Any suggestions?
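The "add all the domain controllers" option from the comment above, worked through as an added example. This is not code from the AaronLocker project or from either commenter: it enumerates the DCs, checks the AppLocker "MSI and Script" log for audit events (ID 8006) whose path names a DC directly under NETLOGON, and writes one Allow path rule per DC in both the short-name and FQDN form, since AppLocker path conditions are literal and `\\SERVER\NETLOGON\*` does not match `\\server.example.com\NETLOGON\*`. It assumes the RSAT ActiveDirectory module is installed; the output file name is an assumption, not an AaronLocker convention.

```powershell
# Added example, not part of AaronLocker: build AppLocker Script-collection
# path rules for every domain controller's NETLOGON share.
# Assumes: ActiveDirectory module available; AppLocker event log present
# on the machine this runs on. $OutFile is a hypothetical name.
param(
    [string]$OutFile = '.\netlogon-dc-rules.xml'
)

Import-Module ActiveDirectory -ErrorAction Stop

# 1. Every DC, in both forms a rendered UNC path could use.
$dcs = Get-ADDomainController -Filter *
$dcNames = foreach ($dc in $dcs) { $dc.Name; $dc.HostName }
$dcNames = $dcNames | Sort-Object -Unique

# 2. Which DC-specific NETLOGON paths have actually produced audit events?
#    8006 = script/MSI "would have been blocked" in audit mode.
$seen = @{}
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-AppLocker/MSI and Script'
    Id      = 8006
} -ErrorAction SilentlyContinue | ForEach-Object {
    $x    = [xml]$_.ToXml()
    $path = $x.Event.UserData.RuleAndFileData.FilePath
    if ($path -match '^\\\\([^\\]+)\\NETLOGON\\') {
        $server = $Matches[1]
        # -contains is case-insensitive, matching how SMB treats host names
        if ($dcNames -contains $server) { $seen[$server] = $path }
    }
}
$seen.GetEnumerator() | ForEach-Object { "audited from DC: $($_.Value)" }

# 3. One Allow rule per DC name form. S-1-1-0 is Everyone; narrow the SID
#    if only some users run logon scripts from these shares.
$rules = foreach ($name in $dcNames) {
@"
    <FilePathRule Id="$([guid]::NewGuid())" Name="NETLOGON on $name" Description="DC-specific logon script path" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="\\$name\NETLOGON\*" />
      </Conditions>
    </FilePathRule>
"@
}

# .bat/.cmd/.ps1/.vbs/.js are governed by the Script collection.
$policy = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Script" EnforcementMode="AuditOnly">
$($rules -join "`n")
  </RuleCollection>
</AppLockerPolicy>
"@

Set-Content -Path $OutFile -Value $policy -Encoding UTF8
"wrote $($dcNames.Count) rules to $OutFile"
```

The resulting XML can be merged into an existing policy with `Set-AppLockerPolicy -XmlPolicy .\netlogon-dc-rules.xml -Merge` or imported into the GPO that carries the AppLocker policy. A path rule is only as strong as the share's ACL: NETLOGON lives under SYSVOL and is writable only by administrators by default, so confirm that before trusting it, and re-run the script when DCs are added or retired.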

aaronparker commented 3 years ago

Replace logon scripts with Group Policy Preferences or a signed PowerShell script.