  1. #1
    actech's Avatar

    Users as local admins for logon script?

    I have a query from our senior tech.

    When he set up the system he had to create domain users as a local administrator on a machine so that the logon and postlogon script would run. He said that any other configuration would prevent the logon scripts coming up when someone logs onto the machine.

    a. Does this sound right? &
    b. Is there another way around this?

    I apologise for the ignorance (if any) but my knowledge is mainly with setting home networks for people and I am on a very steep learning curve with running a larger network. The senior tech is on a contract basis and we get him out whenever there is a problem that I can't resolve. Fortunately the system is fairly reliable so I don't see him much;-)

    Cheers
    Rowan

  2. #2
    cromertech's Avatar
    This doesn't seem right to me. If your logon scripts are called from the domain it should run them with the privileges required. I have scripts running all over the place for students and there's no way I'm making them an administrator.

    Actually it's a bit untidy but I'm sure I'll get round to that eventually. You know what they say: 'if it ain't broke don't fix it'.

  3. #3
    ricki's Avatar
    Hi

    It's not the normal way I would do things, and it sounds like the script needs admin rights. I used to do this when I had workgroups but not on an Active Directory domain. I would normally put these in logon and logoff scripts in Active Directory in a group policy.

    Richard

  4. #4
    cookie_monster's Avatar
    Scripts don't need admin rights to run but they might try to perform a task that requires admin rights, so if the user isn't an admin the task will fail as the script will run at the same level of the logged on user.

    What is the script trying to do?

  5. #5
    Jamman960's Avatar
    Scripts called via group policy (startup/shutdown/logon/logoff) will be run with administrative rights, scripts run as logon scripts (defined within each user's account within the AD, run from the netlogon share) are run with the user's credentials.

    There are also programs you can use within scripts to temporarily elevate privileges but imo if what you need to do requires administrative rights just launch the scripts via group policy.

  6. Thanks to Jamman960 from:

    richard.thomas (22nd April 2008)

  7. #6
    actech's Avatar
    @ cookie monster

    The scripts are mainly for assigning printers based on which room they are in and also for something which my brain can't remember (hey, it's only near midnight here now)...

    I'll get a copy of the script tomorrow and find out. As I said before for now it does work so I don't really play with it unless I have to, but in time am looking at starting from scratch, especially if we go to Server 2008 next year.

  8. #7
    cookie_monster's Avatar
    Ok well adding a network printer shouldn't require admin rights, we'll see tomorrow.

    Get some sleep ;-)

  9. #8

    powdarrmonkey's Avatar
    @actech: If you're allocating printers per room, look at creating machine connections instead of user connections in a startup script. I do that here with (I think):

    Code:
    rundll32.exe printui.dll,PrintUIEntry /in /ga /n\\pathto\yourprinter
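
Added example, not part of any post in this thread: a computer startup script that does the per-room printer assignment the thread describes without giving users local admin rights. The computer naming scheme (`ROOM12-PC03`), the print server `printsrv01` and the share names are constructed assumptions, and it assumes clients that can run PowerShell startup scripts.

```powershell
# Computer startup script: assign it under Computer Configuration in a GPO.
# It runs as the machine's SYSTEM account, so users remain standard users.
# Constructed assumptions: computer names like ROOM12-PC03, server printsrv01,
# printer share names without spaces.

$RoomPrinters = @{
    'ROOM12' = '\\printsrv01\Room12-Laser'
    'ROOM14' = '\\printsrv01\Room14-Laser'
    'LIB'    = '\\printsrv01\Library-Colour'
}

function Get-RoomFromComputerName {
    param([Parameter(Mandatory)][string]$ComputerName)
    # The room code is everything before the first hyphen, e.g. ROOM12-PC03.
    if ($ComputerName -match '^([A-Za-z0-9]+)-') {
        return $Matches[1].ToUpper()
    }
    return $null
}

function Add-MachinePrinterConnection {
    param([Parameter(Mandatory)][string]$PrinterPath)
    # /ga adds a per-machine printer connection, /n names the printer,
    # /q suppresses error dialogs (nobody is logged on at startup).
    $argList = "printui.dll,PrintUIEntry /ga /n$PrinterPath /q"
    Start-Process -FilePath 'rundll32.exe' -ArgumentList $argList -Wait
}

$room = Get-RoomFromComputerName -ComputerName $env:COMPUTERNAME
if ($room -and $RoomPrinters.ContainsKey($room)) {
    Add-MachinePrinterConnection -PrinterPath $RoomPrinters[$room]
    Write-Output "Room $room -> $($RoomPrinters[$room])"
} else {
    # Unknown room: add nothing rather than guess a printer.
    Write-Warning "No printer mapping for computer '$env:COMPUTERNAME'"
}
```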

  10. #9

    Quote: Originally Posted by Jamman960
    Scripts called via group policy (startup/shutdown/logon/logoff) will be run with administrative rights, scripts run as logon scripts (defined within each user's account within the AD, run from the netlogon share) are run with the user's credentials.

    Not quite true. All scripts run with the credentials of the account running them (unless, as you say, you use a program to temporarily elevate privileges).

    For a user logon/off script (specified either in the group policy for an OU or in AD for the user themselves) this means it's the user who runs the script and there are no admin rights.

    For a computer startup/shutdown script the script runs as the computer account, i.e. "system", which effectively has local admin rights on the machine (but can't access the network except where resources give access to the "domain computers" group).

  11. #10
    Bestbett's Avatar
    That is crazy! I would never allow students on a machine with even local admin rights, the kind of sharing and access rights that creates alone is scary. You do know that if all domain users are local admins everywhere, all domain users can access the C$ share on any computer as long as they know a computer name?
    My students cannot map a network drive or add/remove icons from their own Desktop and are restricted users locally, but my GPO user login script for the Student OU maps 2 drives and adds 4 icons to each student's desktop whenever they log on. I can post a stripped copy of my script if you need it. I think there is a place in GPO to specify Legacy scripts running with elevated permissions but I can't recall exactly.
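
Added example, not part of any post in this thread: a check an administrator can run on a workstation to see whether ordinary domain users hold local admin rights there, the situation the thread warns about. The function names are hypothetical; `Get-LocalGroupMember` requires Windows PowerShell 5.1 or later, and the SIDs are the standard well-known ones.

```powershell
# Audit sketch: report local Administrators members that give ordinary domain
# users admin rights on this machine. Needs Windows PowerShell 5.1 or later.

function Get-AdminMemberRisk {
    param(
        [Parameter(Mandatory)][string]$Sid,
        [string]$ObjectClass,
        [string]$PrincipalSource
    )
    $broad = @{
        'S-1-1-0'      = 'Everyone'
        'S-1-5-11'     = 'Authenticated Users'
        'S-1-5-4'      = 'INTERACTIVE'
        'S-1-5-32-545' = 'BUILTIN\Users'
    }
    if ($broad.ContainsKey($Sid)) { return "broad group ($($broad[$Sid]))" }
    # Domain Users always has RID 513: S-1-5-21-<domain id>-513
    if ($Sid -match '^S-1-5-21-\d+-\d+-\d+-513$') { return 'broad group (Domain Users)' }
    # A single domain account added directly, as described in post #1
    if ($ObjectClass -eq 'User' -and $PrincipalSource -eq 'ActiveDirectory') {
        return 'individual domain user'
    }
    return $null   # local accounts, Domain Admins and similar: not flagged here
}

function Get-RiskyLocalAdmins {
    # S-1-5-32-544 is BUILTIN\Administrators whatever the OS language.
    foreach ($m in Get-LocalGroupMember -SID 'S-1-5-32-544') {
        $risk = Get-AdminMemberRisk -Sid $m.SID.Value -ObjectClass $m.ObjectClass `
                                    -PrincipalSource $m.PrincipalSource
        if ($risk) {
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Member   = $m.Name
                Sid      = $m.SID.Value
                Risk     = $risk
            }
        }
    }
}

Get-RiskyLocalAdmins | Format-Table -AutoSize
```

An empty result means none of the flagged member types is in the group; any row is a membership to review before removing it.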

  12. #11
    cromertech's Avatar
    Quote: Originally Posted by actech

    I'll get a copy of the script tomorrow and find out. As I said before for now it does work so I don't really play with it unless I have to, but in time am looking at starting from scratch, especially if we go to Server 2008 next year.

    Server 2008 has the ability to deploy printers with group policy as does 2003 R2. It does make the job a lot easier to get certain printers available only for certain users or rooms.

  13. #12
    actech's Avatar
    I had a chat to the tech again today and he said the issue was running the logon script. I have included a copy of the logon script so that people can see what is in it. If there is a better way I am open to suggestions. The problem for us is that I am not up to speed with this side of networks yet and the tech's forte is with Novell systems, kinda sucks when we have to run a Windows system (we don't have a choice).
    Attached Files

  14. #13
    Bestbett's Avatar
    It would have been a bit easier to figure out everything you needed if he had labeled his subs but it really appears the lion's share of what those scripts do is easily done using GPOs. I use 2003 R2 servers and XP clients and can do all of those things with OUs, GPOs, and a 30-40 line printer/drive mapping script.
    This all seems like a really complicated way to do what you are doing but again I don't know your environment. If you are running like NT server and 98 clients maybe you have to do things the hard way and then my recommendation would be to get to AD! If you have AD, take the time to read up on GPOs even make a new OU called test with one user in it so you can play. In the end it will be worth your time researching.


