Issue:
You have configured a Computer Startup Script via a GPO. In that script you redirect output of a command, batch file, executable, vbscript, etc. to a text file on a network share.
One or more of the following issues may occur:
1) The command or commands in the startup script may not run at all.
2) The output file is not created.
Example: ComputerStartup.bat
@echo Off
REM **********************************************************
REM * Author: NetworkAdminKB.com
REM * Created: 2008-08-24
REM *
REM * Purpose: Sample Computer Startup Script
REM *
REM * Notes:
REM * Run from a GPO configured in
REM * Computer Config\Windows Settings\Scripts\Startup
REM * Setting: ComputerStartup.bat
REM *
REM * Changes:
REM **********************************************************
REM Using ( ) allows multiple commands to be executed with their output redirected
REM with a single redirection.
(
Echo Simple batch command output
Set
Echo Executable output
Cacls c:\
) > \\Servername\Sharename\folder\output.txt
Cause:
The issue occurs because the computer account does not have access to the specified Sharename and/or permissions on the Folder that the output is being redirected to.
By default the computer startup script executes under the SYSTEM account on the local computer. This means that when accessing shares remotely the computer account (computername$) is used, not a user account. This can be verified by enabling auditing on the target folder and checking the Security log for write failures by computername$.
Solution:
Choose one of the following methods based on your company's needs and required level of security. Generally speaking, writing a log file (which is what redirecting output really is) is considered a low security risk. Therefore, method 1 is highly recommended and requires less maintenance over time. However, good practice dictates that the log file share and directory should be kept separate from all other items that may require more security. Method 2 is more appropriate for higher security implementations.
Method 1
1) Modify the Permissions on the Share
a. Allow Everyone – Change
2) Modify NTFS permissions on the folder and parent folders
a. On the parent folders
i. Allow Everyone Read
b. On the destination folder
i. Allow Everyone Read and Write
Method 2
1) Create a group in the domain
a. Examples of group names
i. “Computers with StartScript”
ii. “Domain Computers”
iii. “Domain Servers”
2) Place the appropriate computer accounts in the specified group
3) Modify the Permissions on the Share
a. Allow ComputerGroup – Change
4) Modify NTFS permissions on the folder and parent folders
a. On the parent folders
i. Allow ComputerGroup Read
b. On the destination folder
i. Allow ComputerGroup Read and Write
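The following PowerShell script is an added example, not part of the original article, that applies Method 2 (steps 1 to 4) on the file server. The domain name CONTOSO, the share name StartupLogs, the folder D:\Shares\StartupLogs\Output, the group name "Computers with StartScript" and the computer names are assumptions; it requires the ActiveDirectory and SmbShare modules and must run as an administrator.

```powershell
# Added example: implements Method 2 with the ActiveDirectory and SmbShare modules.
# All names below are constructed assumptions; replace them with your own.
Import-Module ActiveDirectory
Import-Module SmbShare

$Group       = 'Computers with StartScript'
$Domain      = 'CONTOSO'
$ShareName   = 'StartupLogs'
$Destination = 'D:\Shares\StartupLogs\Output'
$Computers   = @('WS001', 'WS002')     # constructed sample computer names
$Account     = "$Domain\$Group"

# 1) Create the domain group and 2) add the computer accounts (computername$).
if (-not (Get-ADGroup -Filter "Name -eq '$Group'")) {
    New-ADGroup -Name $Group -GroupScope Global -GroupCategory Security
}
Add-ADGroupMember -Identity $Group -Members ($Computers | ForEach-Object { Get-ADComputer $_ })

# 3) Share permission: ComputerGroup - Change (read/write/delete, but no ACL changes).
Grant-SmbShareAccess -Name $ShareName -AccountName $Account -AccessRight Change -Force | Out-Null

# Helper: add one Allow ACE for the group without replacing the existing ACL.
function Grant-NtfsRule {
    param([string]$Path, [System.Security.AccessControl.FileSystemRights]$Rights,
          [System.Security.AccessControl.InheritanceFlags]$Inherit)
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Account, $Rights, $Inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# 4a) Parent folders, from the destination's parent up to the share root: Read.
#     Applied to "this folder only" so the group cannot read sibling folders' contents.
$ShareRoot = (Get-SmbShare -Name $ShareName).Path.TrimEnd('\')
if (-not $Destination.StartsWith($ShareRoot, 'OrdinalIgnoreCase')) {
    throw "Destination $Destination is not under share path $ShareRoot"
}
$parent = Split-Path -Path $Destination -Parent
while ($parent) {
    Grant-NtfsRule -Path $parent -Rights 'Read' -Inherit 'None'
    if ($parent.TrimEnd('\') -ieq $ShareRoot) { break }
    $parent = Split-Path -Path $parent -Parent
}

# 4b) Destination folder: Read and Write, inherited by the log files created in it.
Grant-NtfsRule -Path $Destination -Rights 'Read, Write' -Inherit 'ContainerInherit, ObjectInherit'

# Display the resulting share ACL so the change can be checked.
Get-SmbShareAccess -Name $ShareName
```

After running it, restart a member computer and confirm that output.txt appears in the destination folder; a remaining failure will again show up as a write-failure audit entry for computername$.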