We are running a Windows 2003 native active directory domain with two
Windows Server 2003 Ent. Ed. DCs. We have setup GPOs which call logon scripts
from User Configuration portion of GPO. The logon scripts are VBS. One of the
scripts is for drive mapping. We have recently noticed that unless a user is
a member of at least 3 groups, the drives will not map. We've run group
policy results wizard for a test user with no reported errors and all
relavent GPOs are run successfully. No errors are reported in event logs
except for EventID: 3019 MRxSmb errors in System log (which we have always
had). Has anyone else ever run into this problem? It has us flumoxed.
Adam

Hi
- 3 security groups, or one of them is the correct one that gives you access
to the share?
- And if you run the script after logon, I mean, logon, disconnect the
drives and manually run the script. Same result?

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MVP Directory Services
"Adam" <Adam@discussions.microsoft.com> wrote in message
news:CA3988F2-4DBA-4FBC-B544-928AC95684D0@microsoft.com...

Quote:

We are running a Windows 2003 native active directory domain with two Windows Server 2003 Ent. Ed. DCs. We have setup GPOs which call logon scripts from User Configuration portion of GPO. The logon scripts are VBS. One of the scripts is for drive mapping. We have recently noticed that unless a user is a member of at least 3 groups, the drives will not map. We've run group policy results wizard for a test user with no reported errors and all relavent GPOs are run successfully. No errors are reported in event logs except for EventID: 3019 MRxSmb errors in System log (which we have always had). Has anyone else ever run into this problem? It has us flumoxed. Adam

Hello Adam,

Check the script code which security group are used. Also check the GPO security
settings to which users/groups it is set to a pply policy.

For even tid 3019 see:
http://support.microsoft.com/kb/315244

http://www.eventid.net/display.asp?eventid=3019&eventno=149&source=MRxSmb&phase=1

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

Quote:

We are running a Windows 2003 native active directory domain with two Windows Server 2003 Ent. Ed. DCs. We have setup GPOs which call logon scripts from User Configuration portion of GPO. The logon scripts are VBS. One of the scripts is for drive mapping. We have recently noticed that unless a user is a member of at least 3 groups, the drives will not map. We've run group policy results wizard for a test user with no reported errors and all relavent GPOs are run successfully. No errors are reported in event logs except for EventID: 3019 MRxSmb errors in System log (which we have always had). Has anyone else ever run into this problem? It has us flumoxed. Adam

"Adam" <Adam@discussions.microsoft.com> wrote in message
news:CA3988F2-4DBA-4FBC-B544-928AC95684D0@microsoft.com...

Quote:

We are running a Windows 2003 native active directory domain with two Windows Server 2003 Ent. Ed. DCs. We have setup GPOs which call logon scripts from User Configuration portion of GPO. The logon scripts are VBS. One of the scripts is for drive mapping. We have recently noticed that unless a user is a member of at least 3 groups, the drives will not map. We've run group policy results wizard for a test user with no reported errors and all relavent GPOs are run successfully. No errors are reported in event logs except for EventID: 3019 MRxSmb errors in System log (which we have always had). Has anyone else ever run into this problem? It has us flumoxed. Adam

The logon script is flawed. For example, one method sometimes used in
VBScript programs is similar to:
=========
Set objSysinfo = CreateObject("ADSystemInfo")
Set objUser = GetObject("LDAP://" & objSysInfo.UserName

For Each strGroup In objUser.memberOf
If (InStr(LCase(strGroup), "cn=testgroup") > 0) Then
' User is a member of the group "cn=testgroup".
' Do something...
End If
Next
========
But an error is raised on the "For Each" statement unless the user is a
member of at least three groups. The "For Each" statement requires that
objUser.memberOf be an array, which means that the memberOf attribute must
have at least two values. However, the memberOf attribute never includes the
"primary" group of the user (usually the group "Domain Users"), so the user
must be a member of at least three groups to avoid the error. See this link
for details, and suggested alternatives:

http://www.rlmueller.net/MemberOf.htm

Note that if the logon script uses "On Error Resume Next", all errors, such
as the above, are ignored. I recommend never using "On Error Resume Next" in
a logon script. It makes troubleshooting nearly impossible. Hiding problems
is never the fix.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--

Hello Jorge, thanks for the swift response. What we've done is to create the
share on a file server for a particular group. We give the group both share
and NTFS permissions for the share and the folder. We add the user to that
group and log the account on. No errors and no drive mapped. We add another
random group to the user and same result. We then add a third random group
and the drive then maps. We also tried this experiment with two groups that
we created just for testing. We start out making sure that the group that has
the permissions for the share is the first group added to the user's account.
We then log the account on and get no drive mapped. We then add the first
test group with same results. We then add the second test group (for a total
of three groups) and the drive maps. The last two groups were not part of
either the share or NTFS permissions on that share.

"Jorge Silva" wrote:

Quote:

Hi - 3 security groups, or one of them is the correct one that gives you access to the share? - And if you run the script after logon, I mean, logon, disconnect the drives and manually run the script. Same result? -- I hope that the information above helps you. Have a Nice day. Jorge Silva MVP Directory Services "Adam" <Adam@discussions.microsoft.com> wrote in message news:CA3988F2-4DBA-4FBC-B544-928AC95684D0@microsoft.com... We are running a Windows 2003 native active directory domain with two Windows Server 2003 Ent. Ed. DCs. We have setup GPOs which call logon scripts from User Configuration portion of GPO. The logon scripts are VBS. One of the scripts is for drive mapping. We have recently noticed that unless a user is a member of at least 3 groups, the drives will not map. We've run group policy results wizard for a test user with no reported errors and all relavent GPOs are run successfully. No errors are reported in event logs except for EventID: 3019 MRxSmb errors in System log (which we have always had). Has anyone else ever run into this problem? It has us flumoxed. Adam

Richard,
Here is a sample of our script:

Dim objNetwork, objUser, CurrentUser
Dim strGroup
'Defines a list for the variable values
Const some_group_name = "cn=somegroup"
Set objNetwork = CreateObject("WScript.Network")
Set objUser = CreateObject("ADSystemInfo")
Set CurrentUser = GetObject("LDAP://" & objUser.UserName)
strGroup = LCase(Join(CurrentUser.MemberOf))
If InStr(strGroup, some_group_name)
objNetwork.MapNetworkDrive "t:", "\\fileserver\share_name$"
End If

As you can see, we are not using a "For Each" statement so I'm not convinced
it is looking for an array. Bear in mind that I am not a wizard at VBS by any
means.
Thanks,
Adam

"Richard Mueller [MVP]" wrote:

Quote:

"Adam" <Adam@discussions.microsoft.com> wrote in message news:CA3988F2-4DBA-4FBC-B544-928AC95684D0@microsoft.com... We are running a Windows 2003 native active directory domain with two Windows Server 2003 Ent. Ed. DCs. We have setup GPOs which call logon scripts from User Configuration portion of GPO. The logon scripts are VBS. One of the scripts is for drive mapping. We have recently noticed that unless a user is a member of at least 3 groups, the drives will not map. We've run group policy results wizard for a test user with no reported errors and all relavent GPOs are run successfully. No errors are reported in event logs except for EventID: 3019 MRxSmb errors in System log (which we have always had). Has anyone else ever run into this problem? It has us flumoxed. Adam The logon script is flawed. For example, one method sometimes used in VBScript programs is similar to: ========= Set objSysinfo = CreateObject("ADSystemInfo") Set objUser = GetObject("LDAP://" & objSysInfo.UserName For Each strGroup In objUser.memberOf If (InStr(LCase(strGroup), "cn=testgroup") > 0) Then ' User is a member of the group "cn=testgroup". ' Do something... End If Next ======== But an error is raised on the "For Each" statement unless the user is a member of at least three groups. The "For Each" statement requires that objUser.memberOf be an array, which means that the memberOf attribute must have at least two values. However, the memberOf attribute never includes the "primary" group of the user (usually the group "Domain Users"), so the user must be a member of at least three groups to avoid the error. See this link for details, and suggested alternatives: http://www.rlmueller.net/MemberOf.htm Note that if the logon script uses "On Error Resume Next", all errors, such as the above, are ignored. I recommend never using "On Error Resume Next" in a logon script. It makes troubleshooting nearly impossible. Hiding problems is never the fix. -- Richard Mueller MVP Directory Services Hilltop Lab - http://www.rlmueller.net --

The Join function requires an array. If CurrentUser.memberOf is Empty, that
means the user is a member of just one one group (their "primary" group,
which is never included in this attribute). The Join function raises an
error if the parameter is Empty. If the user is a member of one other group
(besides their "primary"), then CurrentUser.memberOf is a String and Join
still raises an error.

The link I included before included this situation (using the Join
function). The solution I suggest in the link would be:
============
Dim objNetwork, objUser, CurrentUser
Dim strGroup, arrGroups
'Defines a list for the variable values
Const some_group_name = "cn=somegroup"

Set objNetwork = CreateObject("WScript.Network")
Set objUser = CreateObject("ADSystemInfo")
Set CurrentUser = GetObject("LDAP://" & objUser.UserName)

On Error Resume Next
arrGroups = CurrentUser.memberOf
If (Err.Number <> 0) Then
On Error GoTo 0
strGroups = ""
Else
On Error GoTo 0
strGroup = LCase(Join(arrGroups))
End If

If InStr(strGroup, some_group_name)
objNetwork.MapNetworkDrive "t:", "\\fileserver\share_name$"
End If
=============
Note that I use "On Error Resume Next" just for the statement expected to
possibly raise an error, then I restore normal error handling with "On Error
GoTo 0".

I would also caution that the InStr function can return a positive value
(interpreted as True) even when the user is not a member of the intended
group, if you are not careful. For example, if some_group_name is "sales",
then the membership in any of the following groups will result in True:

cn=Salesmen,ou=West,dc=MyDomain,dc=com
cn=Engineering,ou=Sales,dc=MyDomain,dc=com
cn=West Sales,ou=Engr,dc=MyDomain,dc=com
cn=Sales Training,ou=West,dc=MyDomain,dc=com

You can improve the situation by assigning the value "cn=sales,". Better yet
would be to use the full Distinguished Name of the group. Their could be
several groups with Common Name "Sales" as long as they are in different
OU's or containers.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--

"Adam" <Adam@discussions.microsoft.com> wrote in message
news:9DDFA022-EEE9-48A4-8959-E14C2C7C05A3@microsoft.com...

Quote:

Richard, Here is a sample of our script: Dim objNetwork, objUser, CurrentUser Dim strGroup 'Defines a list for the variable values Const some_group_name = "cn=somegroup" Set objNetwork = CreateObject("WScript.Network") Set objUser = CreateObject("ADSystemInfo") Set CurrentUser = GetObject("LDAP://" & objUser.UserName) strGroup = LCase(Join(CurrentUser.MemberOf)) If InStr(strGroup, some_group_name) objNetwork.MapNetworkDrive "t:", "\\fileserver\share_name$" End If As you can see, we are not using a "For Each" statement so I'm not convinced it is looking for an array. Bear in mind that I am not a wizard at VBS by any means. Thanks, Adam "Richard Mueller [MVP]" wrote: "Adam" <Adam@discussions.microsoft.com> wrote in message news:CA3988F2-4DBA-4FBC-B544-928AC95684D0@microsoft.com... We are running a Windows 2003 native active directory domain with two Windows Server 2003 Ent. Ed. DCs. We have setup GPOs which call logon scripts from User Configuration portion of GPO. The logon scripts are VBS. One of the scripts is for drive mapping. We have recently noticed that unless a user is a member of at least 3 groups, the drives will not map. We've run group policy results wizard for a test user with no reported errors and all relavent GPOs are run successfully. No errors are reported in event logs except for EventID: 3019 MRxSmb errors in System log (which we have always had). Has anyone else ever run into this problem? It has us flumoxed. Adam The logon script is flawed. For example, one method sometimes used in VBScript programs is similar to: ========= Set objSysinfo = CreateObject("ADSystemInfo") Set objUser = GetObject("LDAP://" & objSysInfo.UserName For Each strGroup In objUser.memberOf If (InStr(LCase(strGroup), "cn=testgroup") > 0) Then ' User is a member of the group "cn=testgroup". ' Do something... End If Next ======== But an error is raised on the "For Each" statement unless the user is a member of at least three groups. The "For Each" statement requires that objUser.memberOf be an array, which means that the memberOf attribute must have at least two values. However, the memberOf attribute never includes the "primary" group of the user (usually the group "Domain Users"), so the user must be a member of at least three groups to avoid the error. See this link for details, and suggested alternatives: http://www.rlmueller.net/MemberOf.htm Note that if the logon script uses "On Error Resume Next", all errors, such as the above, are ignored. I recommend never using "On Error Resume Next" in a logon script. It makes troubleshooting nearly impossible. Hiding problems is never the fix. -- Richard Mueller MVP Directory Services Hilltop Lab - http://www.rlmueller.net --