  1. #1 cookie_monster

    Logon scripts

    So Windows 7 suffers the same issues with logon scripts as Vista if you log on as an administrator, basically running your scripts with a different token to your logon session, so you can't see mapped drives. What's the best way around this that you've found so far, other than turning off UAC? The MS way of using Task Scheduler seems a bit messy and apparently doesn't work 100% of the time.

  2. #2 FN-GM
    Is it all scripts? What do they do? Can you not use Server 2008 Group Policy?

  3. #3 cookie_monster
    It's certainly ones that map drives; it only affects users that are local admins.

    I'll look into 2008 policy when we have it running, but the scripts work really well normally and they run OK for normal users, just not for admins.

  4. #4 FN-GM
    Work for admins and not users. Windows 7 is the opposite to the other versions.

    What does it say when it fails?

  5. #5 cookie_monster
    There's no error as technically it works. The script is processed using your user token but then as you're running as an admin you can't see them. Ordinary users only have one token so they don't see the problem, it's the same in Vista.

    You can get around it by disabling UAC, but I'd like to find another way. Think I might just have found my answer.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    EnableLinkedConnections = (dword) 1
    http://forums.techarena.in/vista-security/681760.htm

    ---------------------------------------------------------------------

    EDIT

    Yes the EnableLinkedConnections regedit works so all drives are now available.
    Last edited by cookie_monster; 6th May 2009 at 08:45 AM.
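    As an added example (not code from the thread or from Microsoft), the PowerShell below audits the EnableLinkedConnections value that post #5 points to and, if asked, sets it. The key path and value name are the ones given in the post; the function names are this example's own. Reading needs no elevation, but writing under HKLM\...\Policies does, so run Set-LinkedConnectionsState from an elevated prompt, and plan a restart because the value is read at startup. One caveat worth recording in a change log: the value works precisely by letting drive mappings made under either of an administrator's two tokens be seen by the other, so it narrows the isolation UAC puts between them for network drives; it is far less drastic than turning UAC off, but it is still a policy decision rather than a silent fix.

```powershell
# Added example (not code from the thread): audit the EnableLinkedConnections
# value from post #5 and, on request, set it. Reading needs no elevation;
# writing under HKLM\...\Policies does, so run Set-LinkedConnectionsState
# from an elevated prompt. The value is read at startup, so plan a restart.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ValueName = 'EnableLinkedConnections'

function Get-LinkedConnectionsState {
    # Returns Present/Value/Enabled for this machine. Value is $null when the
    # REG_DWORD has never been created, which is the OS default (off).
    $item  = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    $value = if ($item) { [int]$item.$ValueName } else { $null }
    New-Object PSObject -Property @{
        ComputerName = $env:COMPUTERNAME
        Present      = ($null -ne $value)
        Value        = $value
        Enabled      = ($value -eq 1)
    }
}

function Set-LinkedConnectionsState {
    # Creates the key if it is missing and writes the DWORD. Supports
    # -WhatIf / -Confirm so the change can be previewed before it is made.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet(0, 1)]
        [int]$Value
    )
    if (-not (Test-Path -Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    if ($PSCmdlet.ShouldProcess("$PolicyKey\$ValueName", "Set REG_DWORD to $Value")) {
        New-ItemProperty -Path $PolicyKey -Name $ValueName -Value $Value `
            -PropertyType DWord -Force | Out-Null
    }
}

# Audit first; the returned object can be exported or collected across machines.
Get-LinkedConnectionsState | Format-List ComputerName, Present, Value, Enabled

# To apply the fix from post #5, preview it and then run it for real:
#   Set-LinkedConnectionsState -Value 1 -WhatIf
#   Set-LinkedConnectionsState -Value 1
```

    Running the audit on its own is enough to find out which machines already have the value set; the Set function is only needed where the decision has been made to enable it.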

  6. #6
    Out of interest, was it the LaunchApp.wsf task scheduler method that wasn't working for you properly?

    Group Policy Scripts can fail due to User Account Control
    The main goal of User Account Control (UAC) is to lessen the exposure and attack surface of the operating system. UAC does this by requiring all users to run in standard user mode. This limit minimizes the ability for users to make changes that could destabilize their computers or unintentionally expose the network to viruses through undetected malicious software (also called malware) that has infected their computer.

    With UAC, you can run most applications, components, and processes with a limited privilege, but have "elevation potential" for specific administrative tasks and application functions. Windows accomplishes this by using two access tokens for each user: limited and elevated access tokens. Access tokens identify the user, the user's groups, and the user's privileges. The system uses access tokens to control access to securable objects and to control the ability of the user to perform various system-related operations on the local computer.

    An elevated token, for a local administrator, includes and enables all of the administrative privileges. UAC requires local administrators to use their elevated token when attempting to perform a system-only task or administrative task. A limited token, for a local administrator, includes all of the administrative privileges; however, these privileges are disabled. This allows Windows to view the administrative user and a normal user, with the option to elevate their privileges.

    By default, all users logging on to Windows Vista use their full token to process Group Policy and logon scripts. However, they use their limited user token to load the desktop and all subsequent processes. Non-administrative limited and elevated tokens are mostly identical, with regard to privileges and groups. Therefore, a process started with a non-administrative limited user token can view processes started with a non-administrative elevated token. Windows allows this because the viewing application does not require any elevation to view the process started with the elevated token.

    Windows processes a locally logging on administrator the same way. Group Policy and logon scripts process using the elevated user token, and the desktop and all subsequent processes use the limited token. However, there is a privilege difference between the limited and elevated user token. Therefore, Windows restricts processes started with a limited token from the ability to share information with processes started with the elevated token.

    UAC may prevent Group Policy logon scripts from appearing to work properly. For example, a domain environment contains a GPO that includes a logon script to map network drives. A non-administrative user logs on to the domain from a Windows Vista computer. After Windows Vista loads the desktop, the non-administrative user starts Windows Explorer. The user sees their mapped drives. Under the same environment, an administrative user logs on to the domain from a Windows Vista computer. After Windows Vista loads the desktop, the administrative user starts Windows Explorer. The user does not see their mapped drives.

    When the administrative user logs on, Windows processes the logon scripts using the elevated token. The script actually works and maps the drive. However, Windows blocks the view of the mapped network drives because the desktop uses the limited token while the drives were mapped using the elevated token.

    To get around this issue, administrative users should map network drives under the limited user token. This mapping is accomplished by using the launchapp.wsf script shown in Appendix A, which works by scheduling the commands using the task scheduler. The task scheduler launches the script under the administrative full token, thereby allowing Windows Explorer, other limited token processes, and the elevated token process to view the mapped network drives.
    LaunchApp.wsf:
    <job><script language="VBScript">
    '---------------------------------------------------------
    ' This sample launches the application as interactive user.
    '---------------------------------------------------------
    ' A constant that specifies a registration trigger.
    const TriggerTypeRegistration = 7
    ' A constant that specifies an executable action.
    const ActionTypeExecutable = 0
    ' A constant that specifies the flag in RegisterTaskDefinition.
    const FlagTaskCreate = 2
    ' A constant that specifies the interactive logon type (run as the logged-on user).
    const LogonTypeInteractive = 3
    If WScript.Arguments.Length <> 1 Then
        WScript.Echo "Usage: cscript launchapp.wsf <AppPath>"
        WScript.Quit
    End If
    strAppPath  = WScript.Arguments(0)
    '********************************************************
    ' Create the TaskService object.
    '********************************************************
    Set service = CreateObject("Schedule.Service")
    call service.Connect()
    strTaskName = "Launch App As Interactive User"
    '********************************************************
    ' Get a folder to create a task definition in.
    '********************************************************
    Dim rootFolder
    Set rootFolder = service.GetFolder("\")
    ' Delete the task if already present (ignore the error if it is not).
    On Error Resume Next
    call rootFolder.DeleteTask(strTaskName, 0)
    Err.Clear
    ' Restore normal error handling so a failed registration is reported
    ' instead of being silently ignored.
    On Error GoTo 0
    '********************************************************
    ' Create the new task
    '********************************************************
    Dim taskDefinition
    Set taskDefinition = service.NewTask(0)
    '********************************************************
    ' Create a registration trigger (the task runs as soon as it is registered).
    '********************************************************
    Dim triggers
    Set triggers = taskDefinition.Triggers
    Dim trigger
    Set trigger = triggers.Create(TriggerTypeRegistration)
    '***********************************************************
    ' Create the action for the task to execute.
    '***********************************************************
    ' Add an action to the task. The action executes the app.
    Dim Action
    Set Action = taskDefinition.Actions.Create( ActionTypeExecutable )
    Action.Path = strAppPath
    WScript.Echo "Task definition created. About to submit the task..."
    '***********************************************************
    ' Register (create) the task. No user name or password is given;
    ' the interactive logon type runs it as the currently logged-on user.
    '***********************************************************
    call rootFolder.RegisterTaskDefinition( _
        strTaskName, taskDefinition, FlagTaskCreate, _
        ,, LogonTypeInteractive)
    WScript.Echo "Task submitted."
    </script>
    </job>
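    As an added example (not code from the thread or from the Microsoft text quoted above), the PowerShell below tells you from inside a session which of an administrator's two tokens it holds and which network drive letters that token can see, which is how you confirm the "the script worked but I can't see the drives" explanation in posts #5 and #6. It parses the output of whoami /groups /fo csv and matches well-known SIDs (integrity label and BUILTIN\Administrators) rather than display names, so it does not depend on the Windows display language. The function name is this example's own.

```powershell
# Added example (not code from the thread): report which token the current
# session holds and which network drive letters are visible to it, so the
# token split described in posts #5 and #6 can be confirmed on a machine.

$AdministratorsSid  = 'S-1-5-32-544'   # BUILTIN\Administrators
$HighIntegritySid   = 'S-1-16-12288'   # Mandatory Label\High Mandatory Level (elevated token)
$MediumIntegritySid = 'S-1-16-8192'    # Mandatory Label\Medium Mandatory Level (limited token)

function Get-TokenSplitStatus {
    # whoami /groups /fo csv gives "Group Name","Type","SID","Attributes" rows.
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $sids   = @($groups | ForEach-Object { $_.SID })

    # A local administrator has two tokens. The filtered (limited) one still
    # lists the Administrators SID, but runs at Medium integrity; the elevated
    # one runs at High integrity. An ordinary user has one Medium token.
    $isAdminMember = $sids -contains $AdministratorsSid
    $isHigh        = $sids -contains $HighIntegritySid
    $isMedium      = $sids -contains $MediumIntegritySid

    $token = if ($isAdminMember -and $isHigh) {
                 'Elevated (full administrator token)'
             } elseif ($isAdminMember -and $isMedium) {
                 'Limited (filtered administrator token)'
             } elseif ($isMedium) {
                 'Standard user (single token)'
             } else {
                 'Unknown (unexpected integrity label)'
             }

    # DriveInfo runs in this process, so it reports exactly the network drives
    # this token's logon session can see (a drive mapped under the other token
    # will be missing here unless EnableLinkedConnections is 1).
    $drives = @([System.IO.DriveInfo]::GetDrives() |
                Where-Object { $_.DriveType -eq 'Network' } |
                ForEach-Object { $_.Name })

    New-Object PSObject -Property @{
        User                 = $env:USERNAME
        Token                = $token
        SplitTokenInEffect   = $isAdminMember
        VisibleNetworkDrives = $drives
    }
}

Get-TokenSplitStatus | Format-List User, Token, SplitTokenInEffect, VisibleNetworkDrives
```

    Run it once from a normal PowerShell window and once from an elevated one while logged on as a local administrator: the Token line differs, and the drive list shows which side the logon script's mappings landed on.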

  7. #7 cookie_monster
    I didn't try LaunchApp.wsf as I'd read various posts online about it being unreliable.
