Permissions for VBS
I'm currently trying to sort out a print server and the corresponding scripts, OUs and Group policies for my school.
I've had good results just using some simple Batch files that run on logon (assigned by GP). But for some reason these don't seem to work on all clients.
So I started to try VBS scripts instead. These work fine for an admin user logging in to the client but not students. I've added script.vbs to the list of programs they're allowed to run (had to do this for the batch logon scripts to work as well) but they never seem to run at login and they can't run them afterwards either. Scripts are under a folder in Netlogon which they have access to btw.
Going back to the other problem that I seem to have on some clients: when I run the batch script I get error code 1260, which again is something to do with permissions, yet the script will work on a similar PC in the same OU!
Any help out there?
When you get error numbers like "1260", go to a command prompt and type:
net helpmsg 1260
In this case it says "This program is blocked by group policy. For more information, contact your system administrator."
I suspect you've allowed access to "script.vbs" but this isn't what's needed - you need to allow access to cscript.exe or wscript.exe (probably best to do both if you're not sure which is the default script host on your machines).
Think of the VBS file as being a document opened by an application. If you want someone to open DOC files, you don't allow access to the specific DOC file, you allow access to winword.exe - the same is true here.
Yeah I'd been looking for what they needed to run it (couldn't find it from a google search) but did just find it on here and thanks to you.
The batch files use cscript.exe and the kids don't have access to run that yet they do still work (either at logon and after logging in)! Odd.
Also if I allow wscript.exe and cscript.exe will some of the more tech savvy kids start messing around and create their own scripts to annoy me then though?
Originally Posted by Chrish5
Even if you don't allow that, how are you going to stop them from running programs they write using VBA in Word etc? I always think that the thing to do is make sure you have a secure system in terms of file/folder permissions and then not worry too much. The kids have much more time than you and will find ways round many of the things you can do. As far as I know, if you have NTFS permissions correct then there's no way they can browse folders they shouldn't, delete files which shouldn't be deleted and so on.
Not sure if this would be in your remit, but if you can make available sacrificial machines for kids to use or set up VMs that they can use then you can let the ones who want to learn use these without having to worry about what they do. Past experience suggests that a busy, interested child is much less risk than a child who is blocked from everything and then spends time trying to break those blocks.
NTFS permissions should all be fine here but this still isn't working as it should. Is there a "setting up a print server" idiot's guide here somewhere?
I get the following error when trying to run the VBS scripts now;
I've let the Students policy only run certain progs - including cscript, wscript and this script.vbs. Line 2 is simply objNetprint.AddWindowsPrinterConnection "\\ygp-svr-002\1A1-5250"
So what permissions do they need to add the printers? They have them since the bat files work!
Can't see the error message here - the image doesn't seem to be accessible. Can you just copy the text of the error and paste it? (If it's a message box then clicking on the title bar and pressing CTRL+C will copy the whole text of the box to the clipboard - you can then just paste it in. I generally find this much easier than faffing about with bitmaps of errors!)
Line 1 should say:
if it doesn't, then that's why it's not working
I did start typing the error but a picture speaks 1000 words :)
Just tried the first image hosting site that wasn't blocked here - obviously it's blocked elsewhere, anyway here's the text.
Error: Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator.
And yes Line 1 is as you put.
Update - I found a setting under Computer Settings - Security Settings - Local Policies - Security Options. Devices: Prevent users from installing printer drivers.
This wasn't set on any policy affecting the users/computers but with that disabled on the students policy they can now run the vb script and the bat scripts don't return the 1260 error anymore (at least for 1 user on 2 machines...)
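An added example, not code from any poster in this thread: a logon script that makes the same AddWindowsPrinterConnection call discussed above but traps the failure and writes the error number and text to the Application event log, so a blocked student logon leaves a record an admin can read instead of a message box. The variable names and the log message format are assumptions; the printer path is the one quoted in the thread.

```vbscript
Option Explicit

' Queues to connect at logon. The single entry is the path quoted in the
' thread; add further \\server\queue strings to the array as needed.
Dim printers, path, net, shell, failures
Dim errNum, errText, who, where

printers = Array("\\ygp-svr-002\1A1-5250")

Set net = CreateObject("WScript.Network")
Set shell = CreateObject("WScript.Shell")
who = net.UserName
where = net.ComputerName
failures = 0

For Each path In printers
    On Error Resume Next
    Err.Clear
    net.AddWindowsPrinterConnection path

    ' Copy the error details before any other call can overwrite them.
    errNum = Err.Number
    errText = Err.Description

    If errNum <> 0 Then
        failures = failures + 1
        ' LogEvent type 1 = error. The entry appears in the Application
        ' log under the WSH source on the client.
        shell.LogEvent 1, "Logon printer script: " & path & _
            " failed for " & who & " on " & where & _
            ": 0x" & Hex(errNum) & " " & errText
    End If
    On Error GoTo 0
Next

' Exit code = number of queues that failed (0 means all connected).
WScript.Quit failures
```

The logged text for a policy block is the same message a user would otherwise see in a dialog, which makes it possible to compare a working and a failing client in the same OU from their event logs.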