JSI Tip 7592. Logon scripts no longer run when you install Windows 2000 SP4 on a client computer?

When you install SP4 on a client computer, domain logon scripts no longer run. If you remove SP4, the logon scripts run. The Userenv.log file may contain:

USERENV(1418.15b8) time CheckXForestLogon: checking x-forest logon, user handle = 124
USERENV(1418.15b8) time CheckXForestLogon: policy set to disable XForest check

This behavior will occur if the logon script is configured in a user policy from a trusted Windows 2000 forest AND the new Allow Cross-Forest User Policy and Roaming User Profiles policy has NOT been Enabled.

NOTE: SP4 includes this new functionality to increase security between Windows 2000 forests.

To resolve this problem:

1. Log on to the client with local Administrator rights.

2. Start / Run / gpedit.msc / OK.

3. Navigate through Computer Configuration / Administrative Templates / System / Group Policy.

4. Double-click Allow Cross-Forest User Policy and Roaming User Profiles.

5. Select Enabled.

6. Press Apply and OK.

7. Exit the Group Policy tool.

8. Open a CMD.exe prompt.

9. Type secedit /refreshpolicy machine_policy and press Enter.
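
To check a collected copy of Userenv.log for the two CheckXForestLogon lines quoted above, a scan like the following can be used. This is an added example, not part of the original tip: the line layout is assumed from the excerpt, and the sample lines (timestamps, second thread, SampleFunction) are constructed.

```python
import re

# Layout assumed from the excerpt in the tip:
#   USERENV(<pid>.<tid>) <time> <Function>: <message>
LINE_RE = re.compile(
    r"^USERENV\((?P<pid>[0-9a-fA-F]+)\.(?P<tid>[0-9a-fA-F]+)\)\s+"
    r"(?P<time>\S+)\s+(?P<func>\w+):\s*(?P<msg>.*)$"
)
CHECK_MSG = "checking x-forest logon"
DISABLED_MSG = "policy set to disable XForest check"

# Constructed sample: timestamps, the 2a0.3c4 thread and SampleFunction are made up.
SAMPLE_LOG = """\
USERENV(1418.15b8) 09:14:02:115 CheckXForestLogon: checking x-forest logon, user handle = 124
USERENV(2a0.3c4) 09:14:02:120 CheckXForestLogon: checking x-forest logon, user handle = 2f0
USERENV(1418.15b8) 09:14:02:131 CheckXForestLogon: policy set to disable XForest check
USERENV(2a0.3c4) 09:14:02:140 SampleFunction: constructed unrelated line
"""


def find_xforest_events(log_text):
    """Return one dict per CheckXForestLogon check found in log_text.

    'matches_tip' is True when the same process.thread logs the second
    line quoted in the tip as its next CheckXForestLogon message.
    """
    events = []
    pending = {}  # (pid, tid) -> event still waiting for its follow-up line
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m["func"] != "CheckXForestLogon":
            continue  # unrelated functions and non-USERENV text are skipped
        key = (m["pid"].lower(), m["tid"].lower())
        msg = m["msg"]
        if msg.startswith(CHECK_MSG):
            handle = msg.rpartition("=")[2].strip() if "=" in msg else None
            event = {"thread": "%s.%s" % key, "time": m["time"],
                     "user_handle": handle, "matches_tip": False}
            events.append(event)
            pending[key] = event
        else:
            event = pending.pop(key, None)
            if event is not None and msg.startswith(DISABLED_MSG):
                event["matches_tip"] = True
    return events


if __name__ == "__main__":
    for e in find_xforest_events(SAMPLE_LOG):
        print(e["thread"], e["time"], "handle", e["user_handle"], "matches tip:", e["matches_tip"])
```

Interleaved lines from different threads are paired by the process.thread ID in parentheses, so a follow-up line is only attributed to the check that the same thread started.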
