I'm running a Windows Server 2012 R2, and I've deployed a logon script for my domain, although I've configured the Logon Script Delay to ENABLED ("0" MINUTES), my script still taking the 5 minutes to run after my users log on to their machines!
So what am I missing here to get rid of the 5 minutes delay?
I just researched this. It appears that based on the most pertinent article I read (linked at the end of this answer), you are doing this correctly, based on this statement: "If you enter the time in minutes as zero (0), the setting is disabled, and the Group Policy client runs the logon scripts at user logon without any delay." That is exactly what you did. But your script is still waiting five minutes before executing.
The article does offer another statement presenting another way of achieving your goal: "If you want the logon scripts to run at user logon without any delay, you should configure the setting to Disabled:"
Computer Configuration\Administrative Templates\System\Group Policy:
Configure Logon Script Delay ==> Disabled
Also look into the fact that since this is a computer setting, ensure your computer resides within an OU to which the GPO is linked, that there is no security or WMI filtering at work excluding your computer, and that there is no other over-riding GPO to this policy, and that the GPO is not being blocked. You can run a command to see why the GPO setting may not be applying if this or something else is blocking it:
gpresult /H gporeport.html
Reference: Logon scripts do not run for five minutes after a user logs on to a Windows 8.1-based computer
Related
In a SQL server in my environment, couple of days after patch(Not immediately after), syspolicy purge job started failing at step 3 executing powershell. When I created a test job with a simple print statement that is not working as well. If i create a Proxy with my account and run the job it suceeds. The agent account is a domain account with both local admin and sysadmin permissions on SQL server. I'm not sure why it crashes with the below error message everytime it calls powershell.
Application popup error - SQLPS.exe The application was unable to start correctly (0xc0000142). Click OK to close the application.
Reboot it is!! Whew! There aint anything wrong with the Agent account. Something with the agent account was broke! Glad the issue is resolved.
Note:: The server was rebooted after the patch and there was no pending reboot. Also, after patching the job ran successfully 2 days. So just a weird failure! I'm unable to find what broke the account.
I design GUIs for clients on window based servers. These systems are on very powerful Dell power edge servers. Inside the GUI, the client is able to open a web-browser that automatically opens the report selected. Clients access the GUI remotely, and log off in-between visits.
The first time a user logs in and tries to access a report, it takes as long as 45 seconds to open the report to view data. Every report after that loads in less than 5 seconds. I have done some research and found that the Sql Server needs to pull all the report server configuration files before it can show the first report, which takes a long time.
The config files are stored only for 12 hours by default, and the max you can set this is a couple days, I believe, inside the report services config file. This still requires the 45 second load time every other day or so.
I have tried pulling the configuration files as soon as a user remotes into the server, but that did not seem to work.
The server is running 24/7 and only turns off during a power outage. Is there a way to keep the report server configuration files on a system service or some way to never have to load the files again?
According to this article
The reason behind is that we have to wait for the application pool to
spin up. During each start up, the SSRS 2005 web service reads and
decrypts the rsreportserver.config file, it has to physically open up
a socket connection between the two servers since the connection pool
is empty, log into the database instance, etc. Also the web service
has to make RPC calls into the Windows Service to get the encryption
keys. There is an idle timeout value which forces the application to
shut down after 20 minutes by default. We can tweak this timeout
setting to have the application always up and running.
Solution SSRS 2005
First start Internet Information Services Manager from Control Panel
-> Administrative Tools. Navigate to your server instance on the left side pane and expand it. You will find the Application Pools. Right
click on it and choose the Properties option from the menu.
Choose the Performance tab in the Application Pool Properties window
and you will see that the default setting Idle Timeout is 20 minutes.
There are two ways to disable the idle timeout:
uncheck the checkbox in front of the setting or
set it to 0.
Solution SSRS 2008
For SQL Server 2008 you can make a modification to the "RecycleTime"
parameter in your report server config file. It will be located in the
following folder:
drive:\ Program Files\Microsoft SQL Server\MSRS10.MSSQLRS\Reporting
Services\ReportServer\rsreportserver.config
the value is in minutes.
Another possible solution
Here is a possible workaround solution. It rests on the scheduler and execution of a PowerShell script, which stops and starts the SSRS service (which has the same effect as the application domain restart) and after the restart it makes a request to the report manager URL which forces the reporting services to load all the configurations etc. Then all the subsequent request to SSRS are immediate.
Stop-Service "SQL Server Reporting Services (MSSQLSERVER)"
Start-Service "SQL Server Reporting Services (MSSQLSERVER)"
$wc = New-Object system.net.webClient
$cred = [System.Net.CredentialCache]::DefaultNetworkCredentials
$wc.Credentials = $cred
$src = $wc.DownloadString("http://localhost/Reports/Pages/Folder.aspx")
You can create a scheduled task using the Scheduled Tasks GUI or execute the below command to create the scheduled task from within a command prompt. The command prompt needs to be running with elevated administrative privileges.
schtasks /create /tn "SSRS Recycle" /ru UserName /rl highest /np /sc daily /sd 08/01/2011 /st 02:00 /tr "powershell.exe -noprofile -executionpolicy RemoteSigned -file c:scriptsSSRSRecycle.ps1"
Is it possible to give a (non admin) user permissions to recycle a specific application pool? This is specifically for IIS 6.
I found a kind of round about way to get this done, as I couldn't find a simple way either. There may be some security concerns I've missed, so I would approach this with caution. My scenario involved a trusted, non-malicious user who requested less access.
I created a batch file with the command to reset the app pool in IIS. From there I created a single run scheduled task to run that batch file with an administrator user set up on the scheduled task. I then gave the required user read,write,and execute security permissions on that scheduled task.
I then gave the user read permission on c:\windows\tasks through the cacls command line utility. This then let that user access the scheduled tasks in control panel. From there, he could manually execute the scheduled task to reset the app pool. It works since the scheduled task is running under admin privileges.
You'll want to make sure that the user doesn't have access to modify the batch file, otherwise, you've basically given them an admin command prompt. If the scheduled task is modified, the password has to be reentered (at least on my server 2003 machine) so they can't just point the task to any executable.
How can I stop and then restart an IIS 7 application pool from an MSBuild script running inside TeamCity. I want to deploy our nightly builds to an IIS server for out testers to view.
I have tried using appcmd like so:
appcmd stop apppool /apppool.name:MYAPP-POOL
... but I have run into elevation issues in Windows 2008 that so far have stopped me from being able to run that command from my TeamCity build process because Windows 2008 requires elevation in order to run appcmd.
If I do not stop the application pool before I copy my files to the web server my MSBuild script is unable to copy the files to the server.
Has anybody else seen and solved this issue when deploying web sites to IIS from TeamCity?
This article describes using an htm file named App_offline.htm to take a site offline. Once the IIS detectes this file in the root of a web application directory,
ASP.NET 2.0 will shut-down the application, unload the application
domain from the server, and stop processing any new incoming requests
for that application.
In App_offline-htm, you can put a user-friendly message indicating that the site is currently under maintainance.
Jason Lee shows the MSDeploy calls you need to use (plus much more about integrating these steps in your build scripts!).
MSDeploy
-verb:sync
-source:contentPath="[absolute_path]App_offline-Template.htm"
-dest:contentPath="name_of_site/App_offline.htm",computerName="copmuter_name",
username=user_with_administrative priviliges,password=passwort
After deployment you can remove the App_offline.htm file using the following call:
MSDeploy
-verb:delete
-dest:contentPath="name_of_site/App_offline.htm",computerName="computer_name",
username=user_with_administrative_priviliges,password=passwort
The msbuild community tasks includes an AppPoolController that appears to do what you want (though as noted it is dated and at present only supports IIS6.) An example:
<AppPoolController ApplicationPoolName="MyAppPool" Action="Restart" />
Note that you can also provide a username and password if necessary.
Edit: Just noticed that the MSBuild Extension Pack has an Iis7AppPool task that is probably more appropriate.
this is the fairly hackey workaround I ended up using:
1) Set up a limited-access account for your service to run as. Since I'm running a CruiseControl.NET service, I'll call my user 'ccnet'. He does NOT have admin rights.
2) Make a new local user account, and assign to the Administrators group (I'll call him 'iis_helper' for this example). Give him some password, and set it to never expire.
3) Change iis_helper's access permissions to NOT allow local login or remote desktop login, and anything else you might want to do to lock down this account.
4) Log in (either locally or through remote desktop) as your non-admin user, 'ccnet' in this example.
5) Open a command terminal, and use the 'runas' command to execute whatever it is that needs to be run escalated. Use the /savecred option. Specify your new administrative user.
runas /savecred /user:MYMACHINE\iis_helper "C:\Windows\System32\inetsrv\appcmd.exe"
The first time it will prompt you for 'iis_helper's password. After that, it will be stored thanks to the /savecred option (this is why we're running it once from a real command prompt, so we can enter the password once).
6) Assuming that command executed OK, you can now log out. I then logged back in as a local admin and turned off the 'ccnet' user for local interactive login, and remote desktop. The account is only used to run a service, but no real logins. This isnt a mandatory step.
7) Set up your service to run as your user account ('ccnet').
8) Configure whatever service is running (CruiseControl.NET in my case) to execute the 'runas' command instead of 'appcmd.exe' directly, the same as before:
replace:
"C:\Windows\System32\inetsrv\appcmd.exe" start site "My Super Site"
with:
runas /savecred /user:MYMACHINE\iis_helper "\"C:\Windows\System32\inetsrv\appcmd.exe\" start site \"My Super Site\""
The thing to note there is that the command should be in one set of quotes, with all the inner quotes escaped (slash-quote).
9) Test, call it a day, hit the local pub.
Edit: I apparently did #9 in the wrong order and had a few too many before testing...
This method also doesn't completely work. It does attempt to run as the administrative account, however it still runs as a non-escalated process under the administrative user, so still no admin permissions. I didn't initially catch the failure because the 'runas' command spawns a separate cmd window then closes right away, so I wasn't seeing the failure output.
Its starting to seem like the only real possibility might be writing a windows service that will run as admin, and its only purpose is to run appcmd.exe, then somehow call that service to start/stop IIS.
Isn't it great how UAC is there to secure things, but in actuality just unsecures more servers, because anything you want to do you have to do as admin, so its easier to just always run everything as admin and forget it?
You can try changing the Build Agent Service settings to log-on as a normal user account instead of SYSTEM (the default), this can be done from the services control panel (Start | Run | services.msc).
If it doesn't help, you can also try configuring the appcmd to always run elevated, refer to this document for details.
In case such option is not available for appcmd or it still doesn't work, you can disable UAC completely for this user.
Here you go. You can use this from CC.NET with NAnt or just with NAnt:
http://nantcontrib.sourceforge.net/release/latest/help/tasks/iisapppool.html
Using Windows 2003, I'm look for a way to create a "logoff script" that will continue with the current logoff then immediately login another user. So, "UserA" logs off. Script fires to login "UserB".
This is part of an application upgrade for a computer where we have written the 'shell'; similar to a kiosk application. For the upgrade we need to logon as 'Adminstrator' then, when the upgrade has completed, logoff 'Administrator' and logon as 'sample_user'. We would like to accomplish this WITHOUT rebooting.
Note, I do not want a script that will initiate the logoff (i.e. "shutdown"). I'm looking for a script that will run upon the user logging off (set via Group Policies). As above, the script should log a different user on.
Thanks.
Don't think it's possible in the stated way (script at logoff).
You'd have to set the machine to logon automatically as a specified account and then log off (having it log on automatically for you) and then you'd have to disable that feature again afterwards, by placing a temporary logon script... generally sounds messy.
The actual setting can be made using tools like Microsofts Shared Computer Toolkit or similar (not so sure how the "normal" registry auto-login behaves at manual logout but I've had an XP kiosk that would automatically log on instantly, even if you logged out manually - you had to override it using some key like shift+logoff to be able to manually specify the login again, so somehow it can be made).
The "easiest" way might be to replace msgina.dll with someone of your own making...
But why are you doing this? Just use runas and start whatever you need to do as that other user without logging off the console user - it's a multi-user system afterall? The desktop is just fluff ^^
(This will anyhow require that the user credentials are available to your script, which kind of makes it redundant as you compromise the security of that account - defying the purpose of having that second account in the first place, for whatever purpose it exists?)
I would try setting the registry to autologon with the user you want, and then simply logging off the admin user. That should log your kiosk-user right back on.
Not sure how to login another user once the current user logs off (not sure if windows would let you...)
But you can use shutdown to logoff:
shutdown /?
Here's some ideas that probaly fall into the "cheap hack" category:
How about logging in at UserB in the first place, and then using runas /user:userA <cmd> to run the first part of the install process?
If that's unacceptable, I know there's a way to make Windows workstations (those that aren't part of a Domain) automatically log in into a certain user account after a restart. Perhaps if you looked into which Registry changes happen, and duplicated them, a reboot would automatically log in that user. (Of course, as a final stage, after userB logs in, you would have to revert those changes :-)
It also occurs to me to wonder if perhaps there's a way for a service to force an open "login screen" to log in as a certain user. Maybe using some method like the way the Remote Desktop does it remotely... If that's possible, then you could create a service that you install before logoff of userA, that would trigger the login of userB.
You can script it with VNC (there are many free versions, take your pick). Set up a VNC server process on the machine to listen on localhost. When the user logs off, your logoff script will connect to the machine using VNC and send the keystrokes necessary to log on the next user. VNC uses the RFB (remote framebuffer) protocol; there are libraries for most popular languages, so you should be able to get something working quickly. Or there are related tools that might help.
If you were to run something like this as a normal script in a given language, it would most likely not work as when you log out of your account, all processes should be killed along with your running script.
You might be able to create some sort of 'service' that would run on a service account (i.e. always active) that would automatically do this user switching for you.
My bets are on Windows Powershell, although I'm not entirely sure what functionality it has as far as actually creating a service.
A quick search brings up the following (The second link is to a forum but it mentions running Powershell as a service and sending that service a parameter which would be the path to your user switching script)
How to Create a Windows Service using Powershel
Powershell Script as a Windows Service
I don't have a Windows 2003 server or a system with a "Group Policies" setup to test my hunch but you could take a look at SU ("switch user") for Windows. Originally part of the Resource Toolkit this has been extended to a new SUperior SU. Do post the results/script if this works.
You could approach this from the perspective of building a remote control utility (like VNC, etc). The big thing here is that if you want access to the Logon screen (i.e. the CTRL + ALT + DEL / username/password) part, the only kicker is that a Windows Service is the only component that can access this, so you'd have to create one.
The only problem I see with this technique as a whole is that even if you spent a great deal of effort getting it to work (and it would be a pretty big effort), the chances of this working successfully with the whole thing originating from a logoff script (i.e. when stuff is shutting down) are low even due to the number of things that can go wrong when logging back on as Administrator.
Just remember that for anything you need to run as an Administrator, there are easier ways in Windows to make that happen (such as Run As, changing the user permissions on the items that need to update, etc).