General Access Error using Script on Domain PCs

525 pts.
Active Directory
Group Policy
I am running a VBScript through a GPO to change the Local Administrator password on all workstations in my domain. In order to test this, I did the following: I created a Test OU, and applied the GPO solely to that. I took a test box and moved it into the Test OU. Then I had the GPO in question run the following Startup Script:

    Set objOU = GetObject("LDAP://OU=test, DC=mydomain, DC=com")
    objOU.Filter = Array("Computer")

    For Each objItem in objOU
        strComputer = objItem.CN
        Set objUser = GetObject("WinNT://" & strComputer & "/Administrator")
        objUser.SetPassword("TestPasswordHere")
    Next

I rebooted the test machine, and it was successful: the local admin password had been changed to TestPasswordHere. I then took an existing user's PC and moved it into the same OU. I had him reboot, and the following error came up when he got to the startup point:

    Windows Scripting Host
    Script = (and it lists the full location of the VBScript)
    Line 7
    Char 5
    General Access Denied Error
    Code 80070005
    Source: Active Directory

From what I can see, there is no reason this should be happening. I moved both his PC's and the test PC's Computer Object out of their current OU into the test one. I can't find any reference as to why it would work flawlessly on the first box and give me the above error on the user's machine. The only difference I am sure of is that the test box was a server running Windows 2003 Server Standard, and he is using a PC running Windows XP Pro.

Answer Wiki


I ran into the exact same issue. Who did you log into the workstation as when it worked? A domain administrator, someone with permission to move an object? That was what our issue was: the script needed to be run as an administrator, and more often than not the machine was being logged into as a normal user. We fixed it by creating a shortcut that “ran as” an appropriate user.

Now we use the same script to introduce new machines from the test OU. The script changes the local admin password, installs software packages, deploys AV, configures services and copies over certain files and settings. Then it moves the machine out of the test OU!

A very gratifying feeling after I got it working!

Discuss This Question: 4 Replies
  • Lonewolfbw
    Karl, I may just be confused, but it's not actually 'running' as anyone. As myself (I am a Domain Admin), I went into Group Policy Management (on my own computer), and there I configured a Group Policy object that is set to run a startup script, the one you see listed in the question. I then moved the computer's Computer Object into an OU, linked that OU to the new Group Policy, and I rebooted the computer. This error occurs before you actually log anyone into the computer - the script is being applied *by* Group Policy, and the error pops up right as the standard Windows login screen appears. There's no user involved, on the computer in question. So I can't see how it could be a permissions question issue, when no one is actually logging into the machine yet at that point. Brian
    525 points
  • EAleman
    Lone, Just to better understand how you have everything configured, which part of the GPO do you have the startup script running under, i.e. Computer Configuration or User Configuration? Where the script is placed will have different effects. It looks like you are using the script from the Microsoft Scripting Guys; I actually have a different variant that I use in the GPO that appends to a log file and provides diagnostic information if the script should fail to bind to the local admin account or change the password.
    10 points
  • Escribano1976
    Hi, I get the exact same error with the same script, but it didn't work for me in my test OU at all. If I run the script with my domain admin account it works fine. The problem is that many people are away on business trips, so I need a startup script so the password gets reset next time they are in the office. If I just run the script from my account then some computers will not update the passwd as they are not connected. Can you help? Thanks
    15 points
  • Dwiebesick
    Have you looked at using a great tool from Netwrix that allows you to reset the local administrator's account?
    2,235 points
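
A startup-script variant with the kind of logging EAleman's reply describes, as an added example that is not code from the thread or from the Microsoft Scripting Guys. It assumes the script runs under Computer Configuration (where startup scripts execute as Local System) and binds only to the machine it runs on instead of enumerating the OU; the log path and password are placeholders.

```vbscript
' Added example (not from the thread). Assumes a Computer Configuration
' startup script, which runs as Local System on the machine itself.
Option Explicit

Const LOG_PATH = "C:\Windows\Temp\SetLocalAdminPw.log"  ' hypothetical path
Const NEW_PASSWORD = "<PLACEHOLDER-PASSWORD>"            ' placeholder value
Const FOR_APPENDING = 8

Dim objNet, objFSO, strComputer, objUser

Set objNet = CreateObject("WScript.Network")
Set objFSO = CreateObject("Scripting.FileSystemObject")
strComputer = objNet.ComputerName   ' local machine only, no LDAP enumeration

' Append one timestamped line per event so failures can be reviewed later.
Sub WriteLog(strMsg)
    Dim objLog
    Set objLog = objFSO.OpenTextFile(LOG_PATH, FOR_APPENDING, True)
    objLog.WriteLine Now & " " & strComputer & " " & strMsg
    objLog.Close
End Sub

' Trap errors ourselves so no Windows Script Host dialog blocks startup.
On Error Resume Next

' Step 1: bind to the local Administrator account (fails if it was renamed).
Set objUser = GetObject("WinNT://" & strComputer & "/Administrator,user")
If Err.Number <> 0 Then
    WriteLog "BIND FAILED 0x" & Hex(Err.Number) & " " & Err.Description
    WScript.Quit 1
End If

' Step 2: set the password; 0x80070005 logged here means access denied.
objUser.SetPassword NEW_PASSWORD
If Err.Number <> 0 Then
    WriteLog "SETPASSWORD FAILED 0x" & Hex(Err.Number) & " " & Err.Description
    WScript.Quit 2
End If

WriteLog "Password changed"
```

The log separates a bind failure from a SetPassword failure, which the single Windows Script Host dialog in the question does not. The password literal is readable by any account that can read the script file on the share it is deployed from.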
