+ Post New Thread
Results 1 to 7 of 7
Windows Thread, Permissions for VBS in Technical; I'm currently trying to sort out a print server and the corresponding scripts, OUs and Group policies for my school. ...
  1. #1

    Join Date
    Sep 2008
    Location
    Cardiff
    Posts
    23
    Thank Post
    3
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    Permissions for VBS

    I'm currently trying to sort out a print server and the corresponding scripts, OUs and Group policies for my school.

    I've had good results just using some simple Batch files that run on logon (assigned by GP). But for some reason these don't seem to work on all clients.
    So I started to try VBS scripts instead these work fine for an admin user logging in to the client but not students. I've added script.vbs to the list of programs they're allowed to run (had to do this for the batch logon scripts to work as well) but they never seem to run at login and they can't run them afterwards either. Scripts are under a folder in Netlogon which they have access to btw.

    Going back to the other problem that I seem to have on some clients when I run the batch script I get error code 1260 which again is something to do with permissions, yet the script will work on a similar pc in the same OU!

    Any help out there?

  2. #2

    Join Date
    Aug 2005
    Location
    London
    Posts
    3,157
    Thank Post
    116
    Thanked 529 Times in 452 Posts
    Blog Entries
    2
    Rep Power
    124
    When you get error numbers like "1260", go to a command prompt and type:

    net helpmsg 1260

    in this case it says "This program is blocked by group policy. For more information, contact your system administrator."

    I suspect you've allowed access to "script.vbs" but this isn't what's needed - you need to allow access to cscript.exe or wscript.exe (probably best to do both if you're not sure which is the default script host on your machines)

    Think of the VBS file as being a document opened by an application. If you want someone to open DOC files, you don't allow access to the specific DOC file, you allow access to winword.exe - the same is true here.

  3. #3

    Join Date
    Sep 2008
    Location
    Cardiff
    Posts
    23
    Thank Post
    3
    Thanked 0 Times in 0 Posts
    Rep Power
    0
    Yeah I'd been looking for what they needed to run it (couldn't find it from a google search) but did just find it on here and thanks to you.

    The batch files use cscript.exe and the kids don't have access to run that yet they do still work (either at logon and after logging in)! Odd.

    Also if I allow wscript.exe and cscript.exe will some of the more tech savvy kids start messing around and create their own scripts to annoy me then though?

  4. #4

    Join Date
    Aug 2005
    Location
    London
    Posts
    3,157
    Thank Post
    116
    Thanked 529 Times in 452 Posts
    Blog Entries
    2
    Rep Power
    124
    Quote Originally Posted by Chrish5 View Post
    Also if I allow wscript.exe and cscript.exe will some of the more tech savvy kids start messing around and create their own scripts to annoy me then though?
    Yes :-)

    Even if you don't allow that, how are you going to stop them from running programs they write using VBA in Word etc? I always think that the thing to do is make sure you have a secure system in terms of file/folder permissions and then not worry too much. The kids have much more time than you and will find ways round many of the things you can do. As far as I know, if you have NTFS permissions correct then there's no way they can browse folders they shouldn't, delete files which shouldn't be deleted and so on.

    Not sure if this would be in your remit, but if you can make available sacrificial machines for kids to use or set up VMs that they can use then you can let the ones who want to learn use these without having to worry about what they do. Past experience suggests that a busy, interested child is much less risk than a child who is blocked from everything and then spends time trying to break those blocks.

  5. #5

    Join Date
    Sep 2008
    Location
    Cardiff
    Posts
    23
    Thank Post
    3
    Thanked 0 Times in 0 Posts
    Rep Power
    0
    NTFS permissions should all be fine here but this still isn't working as it should, is there a setting up a print server idiots guids here somewhere?

    I get the following error when trying to run the VBS scripts now;

    I've let the Students policy only run certain progs - including cscript,wscript and this script.vbs. Line 2 is simply objNetprint.AddWindowsPrinterConnection "\\ygp-svr-002\1A1-5250"

    So what permissions do they need to add the printers? They have them since the bat files work!
    Last edited by Chrish5; 1st October 2008 at 09:23 AM.

  6. #6

    Join Date
    Aug 2005
    Location
    London
    Posts
    3,157
    Thank Post
    116
    Thanked 529 Times in 452 Posts
    Blog Entries
    2
    Rep Power
    124
    Can't see the error message here - the image doesn't seem to be accessible. Can you just copy the text of the error and paste it (if it's a message box then clicking on the title bar and pressing CTRL C will copy the whole text of the box to the clipboard - you can then just paste it in. I generally find this much easier than faffing about with bitmaps of errors!)

    Line 1 should say:

    set objnetprint=createobject("wscript.network")

    if it doesn't, then that's why it's not working

  7. #7

    Join Date
    Sep 2008
    Location
    Cardiff
    Posts
    23
    Thank Post
    3
    Thanked 0 Times in 0 Posts
    Rep Power
    0
    I did start typing the error but a picture speaks 1000 words
    Just tried the first image hosting site that wasn't blocked here - obviously it's blocked elsewhere, anyway here's the text.

    Error: Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viever or contact your system administrator.
    Code: 800704EC
    And yes Line 1 is as you put.


    Update - I found a setting under Computer Settings - Security Settings - Local Policies - Security Options. Devices: Prevent users from installing printer drivers.
    This wasn't set on any policy affecting the users/computers but with that disabled on the students policy they can now run the vb script and the bat scripts don't return the 1260 error anymore (at least for 1 user on 2 machines...)
    Last edited by Chrish5; 1st October 2008 at 01:24 PM.

SHARE:
+ Post New Thread

Similar Threads

  1. vbs logon with ie
    By box_l in forum Scripts
    Replies: 5
    Last Post: 11th August 2010, 11:35 PM
  2. VBS in Webpage help
    By DSapseid in forum Scripts
    Replies: 1
    Last Post: 4th July 2008, 11:53 PM
  3. small vbs help please
    By RabbieBurns in forum Scripts
    Replies: 4
    Last Post: 20th May 2008, 03:30 PM
  4. Sub within a sub - VBS Script
    By FN-GM in forum Scripts
    Replies: 5
    Last Post: 18th May 2008, 06:30 PM
  5. ResetAccountsAdminSDHolder.vbs
    By meastaugh1 in forum Scripts
    Replies: 1
    Last Post: 5th February 2007, 11:52 AM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •