Users as local admins for logon script? (Windows thread, Technical forum)
I have a query from our senior tech.
When he set up the system he had to create domain users as local administrators on a machine so that the logon and post-logon scripts would run. He said that any other configuration would prevent the logon scripts from coming up when someone logs onto the machine.
a. Does this sound right?
b. Is there another way around this?
I apologise for the ignorance (if any), but my knowledge is mainly with setting up home networks for people and I am on a very steep learning curve with running a larger network. The senior tech is on a contract basis and we get him out whenever there is a problem that I can't resolve. Fortunately the system is fairly reliable so I don't see him much ;-)
This doesn't seem right to me. If your logon scripts are called from the domain, they should run with the privileges required. I have scripts running all over the place for students and there's no way I'm making them administrators.
Actually it's a bit untidy, but I'm sure I'll get round to that eventually. You know what they say: 'if it ain't broke don't fix it'.
It's not the normal way I would do things, and it sounds like the script needs admin rights. I used to do this when I had workgroups but not on an Active Directory domain. I would normally put these in logon and logoff scripts in Active Directory via a Group Policy.
Scripts don't need admin rights to run, but they might try to perform a task that requires admin rights, so if the user isn't an admin the task will fail, as the script runs at the same level as the logged-on user.
Scripts called via Group Policy (startup/shutdown/logon/logoff) will be run with administrative rights; scripts run as logon scripts (defined within each user's account in AD, run from the NETLOGON share) are run with the user's credentials.
There are also programs you can use within scripts to temporarily elevate privileges, but IMO if what you need to do requires administrative rights, just launch the scripts via Group Policy.
The scripts are mainly for assigning printers based on which room they are in, and also for something which my brain can't remember (hey, it's only near midnight here now)...
I'll get a copy of the script tomorrow and find out. As I said before, for now it does work so I don't really play with it unless I have to, but in time I am looking at starting from scratch, especially if we go to Server 2008 next year.
@actech: If you're allocating printers per room, look at creating machine connections instead of user connections in a startup script. I do that here with (I think):
Scripts called via Group Policy (startup/shutdown/logon/logoff) will be run with administrative rights; scripts run as logon scripts (defined within each user's account in AD, run from the NETLOGON share) are run with the user's credentials.
Not quite true. All scripts run with the credentials of the account running them (unless, as you say, you use a program to temporarily elevate privileges).
For a user logon/logoff script (specified either in the Group Policy for an OU or in AD for the user themselves) this means it's the user who runs the script, and there are no admin rights.
For a computer startup/shutdown script the script runs as the computer account, i.e. "SYSTEM", which effectively has local admin rights on the machine (but can't access the network except where resources give access to the "Domain Computers" group).
That is crazy! I would never allow students on a machine with even local admin rights; the kind of sharing and access rights that creates alone is scary. You do know that if all domain users are local admins everywhere, all domain users can access the C$ share on any computer as long as they know a computer name?
My students cannot map a network drive or add/remove icons from their own Desktop and are restricted users locally, but my GPO user login script for the Student OU maps 2 drives and adds 4 icons to each student's desktop whenever they log on. I can post a stripped copy of my script if you need it. I think there is a place in GPO to specify legacy scripts running with elevated permissions but I can't recall exactly.
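As an added example (not the poster's script, nor the script referred to elsewhere in this thread), here is a GPO user logon script in PowerShell that does the kind of work described above: maps drives, connects a printer chosen by room and adds desktop shortcuts, all in the logged-on user's own context with no local admin rights. The server names, printer share names and the ROOM12-PC03 computer-naming scheme are assumptions.

```powershell
# Added example: a GPO *user* logon script that runs as the restricted student
# account. Nothing here needs local admin rights. Assumed (placeholder) names:
# \\FS01 file server, \\PRINT01 print server, computers named ROOM12-PC03
# (room prefix before the hyphen).

# Show which account the script runs as and whether it holds an admin token;
# with logon scripts deployed as described above, students will not.
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin = (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Host "Running as $($id.Name); admin token present: $isAdmin"

# Drive mappings: per-user and non-persistent, so stale mappings do not survive logoff.
$drives = @{ 'H' = "\\FS01\home$\$env:USERNAME"; 'S' = '\\FS01\shared' }
foreach ($letter in $drives.Keys) {
    if (Test-Path "${letter}:") { net use "${letter}:" /delete /y | Out-Null }
    net use "${letter}:" $drives[$letter] /persistent:no | Out-Null
}

# Printer by room: derive the room from the computer name and attach the matching
# shared printer as a per-user connection (Add-Printer needs Windows 8 / 2012 or later).
$room = ($env:COMPUTERNAME -split '-')[0]
$printerShare = "\\PRINT01\$room-Laser"
try {
    Add-Printer -ConnectionName $printerShare -ErrorAction Stop
    (New-Object -ComObject WScript.Network).SetDefaultPrinter($printerShare)
} catch {
    Write-Warning "Could not connect ${printerShare}: $_"
}

# Desktop icons: shortcuts are ordinary files inside the user's own profile,
# so the script can write them under the user's credentials.
$desktop = [Environment]::GetFolderPath('Desktop')
$shortcuts = @{
    'Shared Drive.lnk' = 'S:\'
    'Library.lnk'      = 'https://library.example.edu'   # placeholder URL
}
$shell = New-Object -ComObject WScript.Shell
foreach ($name in $shortcuts.Keys) {
    $lnk = $shell.CreateShortcut((Join-Path $desktop $name))
    $lnk.TargetPath = $shortcuts[$name]
    $lnk.Save()
}

# Per-machine printer connections (the startup-script approach mentioned above)
# belong in a *computer* startup script instead, which runs as SYSTEM:
#   rundll32 printui.dll,PrintUIEntry /ga /n "\\PRINT01\Room12-Laser"
```

Deploy it under User Configuration > Windows Settings > Scripts (Logon) on the students' OU; a script placed there never needs the student to be a local administrator.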
I'll get a copy of the script tomorrow and find out. As I said before, for now it does work so I don't really play with it unless I have to, but in time I am looking at starting from scratch, especially if we go to Server 2008 next year.
Server 2008 has the ability to deploy printers with Group Policy, as does 2003 R2. It does make the job a lot easier to get certain printers available only for certain users or rooms.
I had a chat to the tech again today and he said the issue was running the logon script. I have included a copy of the logon script so that people can see what is in it. If there is a better way, I am open to suggestions. The problem for us is that I am not up to speed with this side of networks yet, and the tech's forte is with Novell systems; kinda sucks when we have to run a Windows system (we don't have a choice).
It would have been a bit easier to figure out everything you needed if he had labeled his subs, but it really appears the lion's share of what those scripts do is easily done using GPOs. I use 2003 R2 servers and XP clients and can do all of those things with OUs, GPOs, and a 30-40 line printer/drive mapping script.
This all seems like a really complicated way to do what you are doing, but again I don't know your environment. If you are running something like NT Server and 98 clients, maybe you have to do things the hard way, and then my recommendation would be to get to AD! If you have AD, take the time to read up on GPOs; even make a new OU called "test" with one user in it so you can play. In the end it will be worth your time researching.