Startup Script To Map Network Drive

jvp

Hey folks -

I've followed the various guides on how to get a batch file to run automatically upon Windows 2008 startup (vs. user login). The batch file I've written is really simple:

Code:
@echo off

net use z: \\server.fqdn\share_name passwd /user:username

It sort-of works. Once the machine boots, I open the Windows Explorer, and I see the drive mapped but "Disconnected" with a big red X next to it. If I click on the drive, I can see its contents. If I try to right-click and disconnect it, no luck. It tells me the path doesn't exist. I get a similar error if I try to remove it using "net delete".

So I'm doing something wrong, I'm just not sure where to look. The batch file? Permissions of some sort? ... Any other suggestions or ideas?

Thanks.

jas
 
Is the script running on the server and mapping a drive from itself? Does this behavior change if you use the IP address instead of the FQDN?
 
Is the script running on the server and mapping a drive from itself? Does this behavior change if you use the IP address instead of the FQDN?

The script is running on the server, trying to map a drive from a NAS. The behavior doesn't change w/IP vs. FQDN.

jas
 
How about if you add a line "net use z: /delete" before your other net use z: line?

Nope. Doesn't appear to. I actually directed the output of the script to a tmp file along with some echos before and after the commands were run. This is what shows:

Code:
Begin bane 
z: was deleted successfully.

The command completed successfully.

End bane

And yet I still see the issue.

jas
 
Are you running your script via a GPO? If so, from the computer section or user section? If computer, try changing to user section. You might also enable "Always Wait for the Network at Startup and Logon" under Computer\Admin Templates\System\Logon.

Perhaps also try net use /persistent:yes z: etc.

This kb may or may not apply as well.
 
Are you running your script via a GPO? If so, from the computer section or user section? If computer, try changing to user section. You might also enable "Always Wait for the Network at Startup and Logon" under Computer\Admin Templates\System\Logon.

I tried the "Always wait..." and that didn't make a difference. I specifically want it in the Computer section vs. the User one, because I want this to happen at boot time, not login time. As expected, putting it in the User section does work, but only when a user logs into the computer. It's not mounted pre-login. That doesn't help me out much. :-(

jas
 
Hmm, does it need to be a script? You could map a share through your GPO in Computer>Preferences>Windows Settings>Network Shares. If it's not something you have an OU, you could security filter the gpo for that one (or more) computer account (or a group).
 
Hmm, does it need to be a script? You could map a share through your GPO in Computer>Preferences>Windows Settings>Network Shares. If it's not something you have an OU, you could security filter the gpo for that one (or more) computer account (or a group).

I have to admit you've somewhat lost me there. In gpedit, what am I looking for? There's no "Preferences" section, but there is a "Windows Settings" under "Computer". However, no "Network Shares".

Are you saying I can add that using a security filter? Kinda clueless there...

jas
 
Gpedit opens just your local computer policy. If you use gpmc.msc, that opens your domain group policies -- assuming that you have a domain, which you may not. The domain policies add the preferences section, which contains a lot more settings.

Security filters are another gpmc addition. The local computer policy only applies to, well, the local computer. A domain group policy applies to whatever organizational unit (OU) that you apply it to, but you can use a filter to restrict it even further. So, I might have all of my servers in an OU called "Internal Servers", but maybe I only want a policy to apply to print servers or a single server, so you can add a filter that is that one computer's account or a group which contains the computer accounts of all of your print servers. In effect, you're saying that other computers/servers don't have permission to apply that policy.

So, if you're not using a domain, then that may be a lot of information that you can't use.
 
Gpedit opens just your local computer policy. If you use gpmc.msc, that opens your domain group policies -- assuming that you have a domain, which you may not. The domain policies add the preferences section, which contains a lot more settings.

OK, that makes sense. I do have a domain, but I don't really need other machines in the domain auto-mounting Z:. Just the domain server. So would you suggest I still go through gpmc instead?

Sorry for the clue-by questions; I'm a UNIX geek trying to learn Win2008 server. ;-)

jas
 
Yes, you could put this in the Default Domain Controller Policy if this is the only domain controller (assuming domain controller from "domain server") and no other machines will apply that policy. If it is not a domain controller, but just a member server in the domain, you can make a new policy and attach it at the domain level, but in the security filtering section add your server's computer account, and then it will still only be applied to that one server.
 
Yes, you could put this in the Default Domain Controller Policy if this is the only domain controller (assuming domain controller from "domain server") and no other machines will apply that policy.

So another dumb question: I found the "Network Share" section in the editor, but that appears to be about sharing a drive, not mounting an already-existing share. Or did I misread that?

jas
 
Carp! You're right. I was thinking of the Drive Maps option which is under the User Configuration which brings us back to the same problem. Hmm.
 
Ok. Different tack. In your net use command, are you using a domain username and password, or is that a NAS device username and password?
 
Ok. Different tack. In your net use command, are you using a domain username and password, or is that a NAS device username and password?

Happens to be both in this case. But the requirement is to use the NAS's authentication, since it's NOT part of the domain. I've just made the uname/passwd the same.

jas
 
Back in your gpedit local policy, what is your setting for Local Policies > Security Options > Network Security: LAN Manager authentication level ?
You may need to check your NAS documentation to see if it recommends changing that to: Send LM and NTLM - use NTLMv2 session security if negotiated. The QNAP NASes, for example, recommend this, though it may lower your security if that has to be set on a domain controller.
 
Back in your gpedit local policy, what is your setting for Local Policies > Security Options > Network Security: LAN Manager authentication level ?

Will have to check that when I get home later, since the server is there and I can't RDP into it (on purpose) remotely. Is there a way to ask Windows about that setting via the CLI? I can ssh into the machine...

You may need to check your NAS documentation to see if it recommends changing that to: Send LM and NTLM - use NTLMv2 session security if negotiated. The QNAP NASes, for example, recommend this, though it may lower your security if that has to be set on a domain controller.

The NAS is basically just a CentOS (RedHat) Linux server running SAMBA, NFS, AFP, etc. The drive mounts fine, once the machine is booted. If I disable the script in gpedit, reboot, and then run the script from the CLI, it works beautifully. But it requires me to log in to do that, obviously. Would changing those security settings (auth level) actually help here?

Thanks.

jas
 
Back in your gpedit local policy, what is your setting for Local Policies > Security Options > Network Security: LAN Manager authentication level ?

I just checked this and it's currently Undefined. By default that means "Send NTLMv2 response only" for Win 2008 Server, I believe.

Does that matter, though, since after I log in, I can run that script?

jas
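
Added example, not part of any post in this thread: a diagnostic batch file that answers the "via the CLI" question above by reading the LAN Manager authentication level from the registry, and that also records which account runs the script and what that logon session sees for Z:. The log path and the script layout are assumptions; the share name and drive letter are the placeholders from the first post. Run it once as the computer startup script and once from an interactive prompt, then compare the two logs.

```bat
@echo off
rem Added diagnostic sketch; file name, log path and layout are hypothetical.
setlocal
rem Placeholders copied from the first post in the thread.
set "SHARE=\\server.fqdn\share_name"
set "DRIVE=z:"
rem %TEMP% differs per account, so the startup run and the interactive run
rem each write their own log file.
set "LOG=%TEMP%\mapdrive-diag.log"

call :diag >>"%LOG%" 2>&1
endlocal
exit /b 0

:diag
echo ==== %DATE% %TIME% ====

rem Computer startup scripts run as Local System; drive letters created with
rem "net use" belong to the logon session that created them.
echo [account running this script]
whoami

rem The policy "Network security: LAN Manager authentication level" is stored
rem as LmCompatibilityLevel. 0x1 = Send LM and NTLM - use NTLMv2 session
rem security if negotiated; 0x3 = Send NTLMv2 response only.
echo [LAN Manager authentication level]
set "LMLEVEL=not set (policy undefined, OS default applies)"
for /f "tokens=3" %%A in ('reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v LmCompatibilityLevel 2^>nul ^| find "REG_DWORD"') do set "LMLEVEL=%%A"
echo LmCompatibilityLevel = %LMLEVEL%

echo [mappings visible to this logon session]
net use

echo [state of %DRIVE%]
net use %DRIVE%

rem Reaching the share by UNC path separates "server unreachable at boot"
rem from "drive letter not visible in this session".
echo [share reachable by UNC path?]
dir "%SHARE%" >nul && (echo reachable) || (echo not reachable)
exit /b 0
```

The script changes nothing and stores no credentials; it only reads state, so it can stay in place beside the mapping script while troubleshooting.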
 