Question

  Asked: Mar 13 2008   7:38 PM GMT
  Asked by: Lonewolfbw


General Access Error using Script on Domain PCs


Active Directory, Group Policy, VBScript, changing local admin password, GPO, OU

I am running a VBScript through a GPO to change the Local Administrator password on all workstations in my domain. In order to test this, I did the following:

I created a Test OU, and applied the GPO solely to that. I took a test box and moved it into the Test OU. Then I had the GPO in question run the following Startup Script:

Set objOU = GetObject("LDAP://OU=test, DC=mydomain, DC=com")
objOU.Filter = Array("Computer")

For Each objItem in objOU
    strComputer = objItem.CN
    Set objUser = GetObject("WinNT://" & strComputer & "/Administrator")
    objUser.SetPassword("TestPasswordHere")
Next


I rebooted the test machine, and it was successful; the local admin password had been changed to TestPasswordHere.

Now, I then took an existing user's PC and moved it into the same OU. I had him reboot, and the following error came up when he got to the startup point.

Windows Scripting Host
Script = (and it lists the full location of the VBscript)
Line 7
Char 5
General Access Denied Error
Code 80070005
Source: Active Directory

From what I can see, there is no reason this should be happening. I moved both his PC and the test PC's Computer Object out of their current OU into the test one. I can't find any reference as to why it would work flawlessly on the first box and give me the above error on the user's machine. The only difference I am sure of is that the test box was a server running Windows 2003 Server Standard, and he is using a PC running Windows XP Pro.


Answer Wiki



I ran into the exact same issue. Who did you log into the workstation as when it worked? A domain administrator, someone with permission to move an object? That was what our issue was: the script needed to be run as an administrator, and more often than not the machine was being logged into as a normal user. We fixed it by creating a shortcut that "ran as" an appropriate user.

Now we use the same script to introduce new machines from the test OU. The script changes the local admin password, installs software packages, deploys AV, configures services and copies over certain files and settings. Then it moves the machine out of the test OU!

A very gratifying feeling after I got it working!


Discuss This Answer



Lonewolfbw  |   Mar 15 2008  5:13AM GMT

Karl,

I may just be confused, but it’s not actually ‘running’ as anyone. As myself (I am a Domain Admin), I went into Group Policy Management (on my own computer), and there I configured a Group Policy object that is set to run a startup script, the one you see listed in the question. I then moved the computer’s Computer Object into an OU, linked that OU to the new Group Policy, and I rebooted the computer.

This error occurs before you actually log anyone into the computer - the script is being applied *by* Group Policy, and the error pops up right as the standard Windows login screen appears. There’s no user involved, on the computer in question. So I can’t see how it could be a permissions question issue, when no one is actually logging into the machine yet at that point.

Brian
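
The startup script in the question enumerates every computer object in the OU and opens a WinNT:// connection to each one from whichever machine is booting. As an added example (not code from the thread), this variant acts only on the local computer and writes the outcome and any error code to the Application event log; the password constant and the log wording are placeholders.

```vbscript
' Added example, not the poster's script: a Group Policy startup script that
' changes the local Administrator password on the booting machine only.
Option Explicit

' Placeholder value. A literal password in a script stored in SYSVOL is
' readable by every account that can read that share.
Const NEW_PASSWORD = "PLACEHOLDER-PASSWORD"
Const EVENT_SUCCESS = 0   ' WshShell.LogEvent type: success
Const EVENT_ERROR = 1     ' WshShell.LogEvent type: error

Dim objNetwork, objShell, objUser, strComputer

Set objNetwork = CreateObject("WScript.Network")
Set objShell = CreateObject("WScript.Shell")

' Target the machine the script is running on, not every computer in the OU.
strComputer = objNetwork.ComputerName

' Write the failing step, target and error code to the event log, then stop.
Sub Fail(strStep, lngNumber, strDescription)
    objShell.LogEvent EVENT_ERROR, "Local admin password script: " & strStep & _
        " failed on " & strComputer & ", error 0x" & Hex(lngNumber) & _
        " " & strDescription
    WScript.Quit 1
End Sub

On Error Resume Next

' ",user" restricts the bind to a user object named Administrator.
Set objUser = GetObject("WinNT://" & strComputer & "/Administrator,user")
If Err.Number <> 0 Then Fail "Bind", Err.Number, Err.Description

objUser.SetPassword NEW_PASSWORD
If Err.Number <> 0 Then Fail "SetPassword", Err.Number, Err.Description

On Error GoTo 0

objShell.LogEvent EVENT_SUCCESS, _
    "Local admin password script: password changed on " & strComputer
```

Because each failure is logged with the computer name it was attempted against, an error such as 80070005 can be tied to a specific target rather than appearing only as a dialog at the logon screen.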