VBScript Error "Permission Denied" But Works Anyway

I have a VBScript set up as a logon script in my GPO. I'm having an issue where every time it runs at logon, I get Permission Denied on the line:

set lf = fso.opentextfile(lfp, 2, true)

Points of interest:

  • Despite the error, the script completes successfully.
  • The script executes without error if I run it manually.
  • The lfp variable points to c:\folder\folder\file.log. The file is created (when necessary) and populated appropriately (overwritten, as expected when it does exist).
  • If the file is created, the fso is closed before trying to opentextfile.
  • The user logging in does have modify permission to the path and to the file being replaced when it exists via inherited Authenticated Users permission (from c:\folder1 - see below).
  • If I throw in a wscript.sleep 30000 just before that line, it just waits 30 seconds to throw permissions denied.
  • If user is a member of local administrators group on PC, I get no errors. Again, when user is not local admin, it errors, but completes successfully.
  • I see the same behavior under both Windows 7 and 10.

I'm at a loss here. Here's the pertinent section of code (please excuse any poor coding practice):

'notify robocopy log file location
function seelog(log)
  lf.writeline "[" & now & "]  " & "See log file for details: " & log
end function

'process robocopy exit codes and write log
function writeerrors(items)
  docs = items(0)
  retcode = items(1)
  logfile = items(2)
  if docs = "c" then
    name = "some stuff"
  else
    name = "some other stuff"
  end if
  If retcode = 0 Then
    lf.writeline "[" & now & "]  " & name & " folder was already up to date."
  elseif retcode = 1 then
    lf.writeline "[" & now & "]  " & name & " folder was updated."
  else
    'any other robocopy exit code is logged as-is
    lf.writeline "[" & now & "]  " & name & " folder update exited with robocopy error code: " & retcode
  End If
end function

'get logged in user
un = CreateObject("WScript.Network").UserName

'check for logfile, and if not exist, create
'folder1 always exists, no need to check or create
lfp = "c:\folder1\folder2\folder3\logfile1.log"
ld1 = "c:\folder1\folder2"
ld2 = "c:\folder1\folder2\folder3"

set fso = createobject("scripting.filesystemobject")

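if not fso.fileexists(lfp) then
  if not fso.folderexists(ld1) then
    fso.createfolder(ld1)
  end if
  if not fso.folderexists(ld2) then
    fso.createfolder(ld2)
  end if
  set cf = fso.createtextfile(lfp)
  'close the new file's handle before it is reopened below
  cf.close
end if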

'open logfile (lfp variable)
'for writing (2)
'overwrite if already exists (true)
wscript.sleep 30000
'************permission denied happens on next line on lfp var*************
Set lf = fso.OpenTextFile(lfp, 2, True)

lf.writeline "[" & now & "]  " & "Script started."
lf.writeline "[" & now & "]  " & "Logged in user: " & un
lf.writeline "[" & now & "]  " & "========================================================="

more code writing to log file and executing robocopy....

I suppose suppressing all errors is an option, but 1) I'd rather not, and 2) I'm not clear on how to accomplish that in VBScript.


On Error Resume Next
  Set lf = fso.OpenTextFile(lfp, 2, True)
On Error Goto 0

I tested this and it does break the script. lf is not set due to the error so the following lines error out with 'object required "lf"' code 800a01a8 as expected.


  • I don't like doing this, but my workaround was to launch the .vbs from a .bat (personal preference - I like to keep everything from one job in one script so in the future I don't have to go chasing files around).

    I placed a logon.bat file in my GPO as the logon script.

    @echo off
    echo Launching update script...
    cscript c:\folder1\script.vbs

    This seems to work around the (apparently false) permissions issue I was having. I'm still curious if anyone can tell me exactly why I was seeing the behavior I saw. Does the script engine write to a temp location maybe, when calling OpenTextFile (when launching directly from the GPO) that only admin users would have access to?
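
An added example, not part of the original thread: one way to trap the OpenTextFile failure without leaving lf unset, and to log the error details and execution context so a GPO-launched run can be compared with a manual one. It does not identify the cause; the log path is the question's placeholder and the %TEMP% fallback file name is an assumption.

```vbscript
Option Explicit
' Added example. lfp is the placeholder path from the question;
' "logon-fallback.log" is a hypothetical name chosen for illustration.
Const ForWriting = 2
Dim fso, sh, net, lf, lfp, fallback
Dim errNum, errDesc, errSrc

Set fso = CreateObject("Scripting.FileSystemObject")
Set sh  = CreateObject("WScript.Shell")
Set net = CreateObject("WScript.Network")
lfp = "c:\folder1\folder2\folder3\logfile1.log"

' Trap only the one call, and copy the Err fields before
' On Error GoTo 0 resets them.
On Error Resume Next
Set lf = fso.OpenTextFile(lfp, ForWriting, True)
errNum  = Err.Number
errDesc = Err.Description
errSrc  = Err.Source
On Error GoTo 0

If errNum <> 0 Then
  ' lf was never assigned, so open a per-user fallback log instead of
  ' letting later lf.writeline calls fail with "Object required".
  fallback = sh.ExpandEnvironmentStrings("%TEMP%") & "\logon-fallback.log"
  Set lf = fso.OpenTextFile(fallback, ForWriting, True)
  lf.WriteLine "[" & Now & "]  OpenTextFile failed on: " & lfp
  lf.WriteLine "[" & Now & "]  Error " & errNum & " (hex " & Hex(errNum) & _
               ") from " & errSrc & ": " & errDesc
End If

' Record who and what is running the script, so the logon run and a
' manual run can be compared line by line.
lf.WriteLine "[" & Now & "]  User: " & net.UserDomain & "\" & net.UserName
lf.WriteLine "[" & Now & "]  Host: " & WScript.FullName
lf.WriteLine "[" & Now & "]  Script: " & WScript.ScriptFullName
lf.WriteLine "[" & Now & "]  Current directory: " & sh.CurrentDirectory
lf.WriteLine "[" & Now & "]  Log exists: " & fso.FileExists(lfp)
lf.Close
```

Errors are still fatal everywhere except the single trapped call, so a failure to open the fallback log is reported normally rather than hidden.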