adamshields

Running a Logoff Bat Script as Administrator

I have a script that I need to run with Administrative privileges when a user logs off. I know there has to be a way and I thought of:

C:\WINDOWS\system32\runas.exe /u:mradmin "%windir%\System32\cmd.exe /k cd c:\

and then running the script, but this requires user input, which obviously won't help.

Any ideas?
spiderfix

If you run on Active Directory you can run it through a local policy or you can set it in a group policy.
If you run it through the group policy you get all the nice options to hide it from running, etc.

If you think you will run this on any other machines, go for the group policy.
shaszard

If you don't want to play around with Group Policy, then an alternative would be to remove their shutdown/logoff options and create a batch file.

**Your command here**
logoff.exe

Put it on the desktop and in the start menu, and every time they log off it will run that command.

Pretty nasty, but it should work.
Oh, label the batch file LOGOFF and give it the logoff icon so it's obvious they have to use it, of course :)
DrDamnit
Why not shutdown -L?
Hummm... that's a tough one.

As you have probably already figured out, the startup and shutdown scripts in Active Directory run as the SYSTEM account, whereas the login and logoff scripts run as the local user.

So you've got 2 opportunities to use scripts with built-in administrator rights (the startup and shutdown), and 2 opportunities to use scripts with the local user's credentials (the login and logoff). Most folks don't find this too limiting, and can fit what they want to do in one of the 4 opportunities.

I *have* seen some crazy "run as elevated" scripts out there... all of which scare the sh*t out of me. The only solution that seemed to not make me very nervous was a compiled application that used an encrypted password embedded into the EXE file. The EXE knew how to decrypt the password and supply it in the equivalent of a "run as" command inside the application.

Got a programmer handy?
adamshields
ASKER

I've found one utility, http://www.joeware.net/win/free/tools/cpau.htm, that will encrypt the username and password as needed. Graye, you're right, it's pretty hard to do this and it took forever to find a solution. I'll post back soon w/more information.
If someone still wanted points then answer this: the script runs fine upon logoff if I test the script manually before logoff. But if I just log in and back out again it doesn't run upon logout. Does me running it enable something such as a path or something?
I've posted several times on your forum, but am down to one last issue I can't quite get.

I can run my bat script logoff.bat renamed to .txt to keep email clients from freaking out =), just fine from any user account. It's located in C:\Manager\i386

I placed cpau.exe in the same folder and run the following command:
C:\Manager\i386\CPAU.exe -u admin -ex C:\Manager\i386\logoff.bat -file logoff.dat -enc

I'm prompted for the admin password and the encoded file is created and works great.

So the problem lies in executing the job from a windows xp pro policy:
C:\Manager\i386\CPAU.exe -file C:\Manager\logoff.dat -enc -dec -profile

The script is not running upon logoff UNLESS I run it manually first via batch file or dos, then it will run when a user logs off just fine. Have you heard of such a problem?

That is where I'm at. Anyone know why this might be occurring?
Do you want to try a *.vbs that executes the script blind?
Both Login and Logoff scripts *must* be located in a Group Policy Template located on a Domain Controller. Where is your batch file located?

BTW: I sure hope we're talking about an Active Directory domain... :)

spiderfix, I wouldn't mind trying a vbs script.

graye, the batch file was located on the local machine that is a template to be ghosted. The batch file is located in C:\WINDOWS\system32\GroupPolicy\User\Scripts\Logoff
The machines are all on an Active Directory domain, but this is a university setting and each department deploys their machines independently. The chances of getting to an admin to change the AD group policy is pretty much not going to happen, but from what I understand I could create the script and then go to gpedit.msc and specify it for logoff.

The strange part about all of this is if I run the script manually like I mentioned before then the logoff script will run, but if not then it doesn't run, kinda weird.

Anyways I'm open to suggestions.
>>spiderfix I wouldn't mind trying a vbs script<<


*.vbs goes in same dir as *.bat (assumed as ss.bat)

----------- cut -----------
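' Batch file to launch; the name is resolved relative to the current directory
const blindscript = "ss.bat"
dim scriptobject, alienobject
set alienobject = CreateObject("Scripting.FileSystemObject")
set scriptobject = WScript.CreateObject("Wscript.Shell")
' Stop with an error dialog if the batch file is missing
if not alienobject.FileExists(blindscript) then
 MsgBox "No script exists in that location!", vbOkOnly + vbCritical, "Error"
 WScript.Quit
end if
' Window style 0 runs the batch file with its window hidden
scriptobject.run blindscript, 0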
----------- cut -----------
But, but... that's exactly what needs to happen. You need an administrator (or someone with permissions on the OU) to "install" the batch file in Active Directory.

If I'm thinking correctly, the mere presence of a batch file in C:\WINDOWS\system32\GroupPolicy\User\Scripts\Logoff won't cut it.
spiderfix, I tried your script, which was pretty cool I might add, but still the same symptoms occur.

graye, I was under the impression that you could use gpedit.msc to add scripts and whatnot, why would it even exist on the clients? So where do you suggest this be added? It would have to be done on a machine basis. I can't have profiles being deleted on non-lab machines =)
Yes, you do use gpedit to accomplish this task. However, the place where the script is initially stored is the DC... sure, a copy gets stored locally at the PC, but I don't think you can bypass that step and "prime the pump" by placing the script on the PC manually.

BTW: I'm not 100% sure of all of my facts :), but I'd sure try it the "normal way" first before I'd consider other options.
You can create a group policy with the script, as the policies do support logon and logoff scripts.

Then just put whatever machines on the network in a separate OU and apply that policy only to that OU.
This will make sure that no other machines get that policy - hence the script will not run on any except those machines in the OU
>>spiderfix I tried your script which was pretty cool I might add, but still the same symptoms occur<<
Bummer. There is always RUNAS but that would reveal an admin username and pw in plain text.
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/runas.mspx
ASKER CERTIFIED SOLUTION
spiderfix

"yourpassword~" must contain the tilde.
Thanks for the "Accept".

Just wanted to post a commentless version for SE readers.

---------- cut ----------
Option explicit
dim oShell
set oShell= Wscript.CreateObject("WScript.Shell")
oShell.Run "runas /user:Administrator ""cmd /k cd c:\\"""
WScript.Sleep 100
oShell.Sendkeys "yourpassword~"
Wscript.Quit
---------- cut ----------
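
Added example, not part of the thread or any poster's code: a Python audit that scans a folder of logon/logoff scripts for the two credential-handling patterns that appear above, a `runas` call followed by `SendKeys` typing the password, and a `CPAU -file ... -dec` job that carries the encoded admin credentials, so those files can be located and their access reviewed. The rule names, the five-line window and the sample script are assumptions made for this example.

```python
import re
from pathlib import Path

SCRIPT_EXTS = {".bat", ".cmd", ".vbs", ".wsf", ".js"}
RUNAS = re.compile(r'\brunas(?:\.exe)?\s+.*?/u(?:ser)?:(?P<user>[^\s"]+)', re.I)
SENDKEYS = re.compile(r'\.SendKeys\s+"(?P<keys>[^"]*)"', re.I)
CPAU_JOB = re.compile(r'\bcpau(?:\.exe)?\b.*?-file\s+(?P<job>\S+).*?-dec\b', re.I)
WINDOW = 5  # assumption: SendKeys within 5 lines of runas is feeding its prompt

# Constructed sample modelled on the thread's final script (placeholder password).
SAMPLE_VBS = r'''set oShell = WScript.CreateObject("WScript.Shell")
oShell.Run "runas /user:Administrator ""cmd /k cd c:\"""
WScript.Sleep 100
oShell.SendKeys "EXAMPLE-ONLY~"
'''

def scan_text(text):
    """Return (line_no, rule, detail) findings for one script's text."""
    findings, runas_line = [], None
    for no, line in enumerate(text.splitlines(), 1):
        m = RUNAS.search(line)
        if m:
            runas_line = no
            findings.append((no, "runas-elevation", m.group("user")))
        m = SENDKEYS.search(line)
        if m and runas_line and no - runas_line <= WINDOW:
            # Report only the length so the audit log never repeats the secret.
            findings.append((no, "password-typed-into-runas",
                             f"{len(m.group('keys'))} chars"))
        m = CPAU_JOB.search(line)
        if m:
            # The job file holds the encoded credentials; its ACL needs review.
            findings.append((no, "cpau-job-file", m.group("job")))
    return findings

def scan_tree(root):
    """Yield (path, finding) for every script file found under root."""
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in SCRIPT_EXTS:
            raw = path.read_bytes()
            # Windows script files are often UTF-16 with a BOM; else read bytes 1:1.
            bom = raw[:2] in (b"\xff\xfe", b"\xfe\xff")
            for finding in scan_text(raw.decode("utf-16" if bom else "latin-1")):
                yield path, finding

if __name__ == "__main__":
    for finding in scan_text(SAMPLE_VBS):
        print(finding)
```

Point `scan_tree` at a copy of the script folders collected from the lab image, for example the `GroupPolicy\User\Scripts` directory mentioned in the thread.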