Logon Script Rights 

How can I run my logon scripts for clients with local admin rights?

Win2000 Active Directory domain. Clients are 10% XP, 70% Win2000, 15% NT4,
and 5% winRotten9x. Although I have excluded the Win9x machines from running
the logon script.

I use a .bat file which calls a .vbs. The .vbs gathers a bunch of
information then calls 14 other scripts passing command line parameters.

For certain things - registry edits, etc. - I need the script to run with
local admin rights on the box. Or I would prefer for the entire logon script
process to run elevated.

Any ideas?

Thanks,
Marty



Tue, 14 Dec 2004 23:29:54 GMT  
 Logon Script Rights
Some corrections...

That first line should read:
How can I run my logon scripts with local admin rights for clients whose
domain accounts are not members of the local administrators group?

Marty





Tue, 14 Dec 2004 23:35:50 GMT  
 Logon Script Rights
Marty,

This is a tough one.  I don't know if you can do a "RunAs" on NT4 at all, and on
the other platforms, the standard tool requires interactive password input.
It's possible to create an ActiveX control (or maybe find a precompiled tool of
some kind) that will allow you to do a "runas" from script and specify the
password, but you would still be embedding a cleartext password.

That said, could you give some more details about what you are doing?  It sounds
like there's a lot (14 scripts!) but it might be possible to group some of the
activities and perform them in a different fashion which won't require logon
privilege elevation.

For example, if your systems have WMI installed on them, any HKLM/HKCR registry
edits can be done remotely in a batch.  Software installs which use an MSI
routine can all be done remotely as well, and various audits could be also
performed this way by doing a "runas" from an administrative system.





Tue, 14 Dec 2004 23:51:30 GMT  
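
The remote-WMI route suggested in the reply above, as an added example that is not part of the original thread: an administrator runs this from an administrative workstation under an account that is already a local administrator on the targets, so no password is stored in any script. The host names, key path and value name are constructed placeholders, and WMI is assumed to be installed on every target.

```vbscript
' Added example (not from the thread): write one HKLM value on several
' machines through the WMI StdRegProv class, then read it back to verify.
Option Explicit

Const HKLM = &H80000002
' Constructed placeholders, replace with the real key and value
Const KEY_PATH = "SOFTWARE\Policies\ExampleCorp\Desktop"
Const VALUE_NAME = "ExampleSetting"
Const VALUE_DATA = 1

Dim targets, target
targets = Array("WS-EXAMPLE-01", "WS-EXAMPLE-02")   ' constructed host names

For Each target In targets
    WScript.Echo target & ": " & SetPolicyValue(target)
Next

Function SetPolicyValue(host)
    Dim reg, rc, readBack

    ' Connect with the caller's own credentials; nothing is embedded here.
    On Error Resume Next
    Set reg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
                        host & "\root\default:StdRegProv")
    If Err.Number <> 0 Then
        SetPolicyValue = "unreachable or access denied (0x" & Hex(Err.Number) & ")"
        Err.Clear
        Exit Function
    End If
    On Error GoTo 0

    ' CreateKey succeeds if the key already exists.
    rc = reg.CreateKey(HKLM, KEY_PATH)
    If rc <> 0 Then
        SetPolicyValue = "CreateKey failed, code " & rc
        Exit Function
    End If

    rc = reg.SetDWORDValue(HKLM, KEY_PATH, VALUE_NAME, VALUE_DATA)
    If rc <> 0 Then
        SetPolicyValue = "SetDWORDValue failed, code " & rc
        Exit Function
    End If

    ' Read the value back so a silent failure is not reported as success.
    rc = reg.GetDWORDValue(HKLM, KEY_PATH, VALUE_NAME, readBack)
    If rc = 0 And readBack = VALUE_DATA Then
        SetPolicyValue = "ok"
    Else
        SetPolicyValue = "verify failed, code " & rc
    End If
End Function
```

Run it with `cscript` so the per-host results go to the console rather than message boxes.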
 Logon Script Rights
Thanks for your reply Alex.

My logon scripts do a ton of things but the main problem is registry
writing. I'm logging registry write errors to the event log on a server. Non
local admin users can't write to...
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\...
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\...
    HKLM\SOFTWARE\Policies\...
    HKCU\Software\Policies\...
    HKLM\SYSTEM\CurrentControlSet\Services\...

OK, so no big surprises. I know...I should be using domain group policy for
the policies keys and WMI remote for the others. But I was looking for one
big super cool way to run the scripts elevated. Plus, now I'll have to learn
group policy and write some WMI remote scripts.

RunAs is out since I don't want to float text passwords around, plus I still
have some NT4 boxes. This also makes the point that you can't do everything
via logon script unless all of your users have local admin rights.

Thanks,
Marty






Sun, 19 Dec 2004 02:59:17 GMT  
 Logon Script Rights

Quote:

> RunAs is out since I don't want to float text passwords around, plus I still
> have some NT4 boxes. This also makes the point that you can't do everything
> via logon script unless all of your users have local admin rights.

You might consider buying one or more of the products listed below from the
Quimeras Company (http://www.quimeras.com). It doesn't require something to be
installed on the local computers (if you run it from a network share) and can be
run from login scripts:

TqcRunAs for Windows 2000/XP (also has an ActiveX interface)
NTsu 3.1 "Run as..." Extensions for Windows NT 4.0

--
torgeir



Thu, 23 Dec 2004 06:06:30 GMT  
 