gtrivedi


Elevate privileges in user Logon Script in GPO

I'm creating a GPO which has a logon VBScript in the User Settings section. This GPO is applied on an OU which has some user accounts. I would like to know if there is a way to elevate privileges for these scripts, because normally they run with the same privileges as the user logging on to a machine. However, I don't want:

1) to use an MSI for this purpose
2) put the script in Computer Settings (Startup)

Much appreciated.
Jesse B

I don't think you'll be able to do it.  What exactly is the script doing that requires it to be in the User Settings section of the GPO?
ASKER CERTIFIED SOLUTION
Redwulf__53
gtrivedi

ASKER

I want to be able to change some permissions. The VBScript uses XCACLS to change permissions on the %userprofile%\Desktop folder. I have used the /D switch to deny access to the Desktop folder, but the user can go via Windows Explorer to the Desktop folder in their profile and grant himself Full Control. How do I stop that? The XCACLS command is something like this:
strGUID = "{****************************************}"	'<<the GUID of the GPO where this script resides.

Set objFSO = Wscript.CreateObject("Scripting.FileSystemObject")
Set objShell = Wscript.CreateObject("Wscript.shell")

' Resolve the logon server, profile path and account name of the user logging on
strLogonServer = objShell.ExpandEnvironmentStrings("%LOGONSERVER%")
strTargetFolder = objShell.ExpandEnvironmentStrings("%USERPROFILE%")

strUserDomain = objShell.ExpandEnvironmentStrings("%USERDOMAIN%")
strUserName = strUserDomain & "\" & objShell.ExpandEnvironmentStrings("%USERNAME%")

' Target is the Desktop folder inside the profile; quote it for the command line
strTargetFolder = strTargetFolder & "\" & "Desktop"
strTargetFolderPath = chr(34) & strTargetFolder & chr(34) & " "
' XCACLS.exe is stored next to this script in the GPO's logon script folder on SYSVOL
strPathXCACLS = strLogonServer & "\SYSVOL\PRG-DC.DHL.COM\Policies\" & strGUID & "\User\Scripts\Logon" & "\XCACLS.exe "

'strCommand = strPathXCACLS & strTargetFolderPath & "/G " & strUserName & ":RX Administrators:F System:F /Y"
' Deny the user, grant Administrators and System Full Control
strCommand = strPathXCACLS & strTargetFolderPath & "/D " & strUserName & " /G Administrators:F System:F /Y /C"

removePerm

Wscript.quit


PRIVATE SUB removePerm()

	' Run XCACLS only if the Desktop folder exists, then show its output
	if (objFSO.FolderExists(strTargetFolder)) then
		msgbox ("Ok Desktop folder exists...")
		set objExec = objShell.Exec(strCommand)
		strResult = objExec.StdOut.Readall
		msgbox (strResult)
	end if

END SUB


Ummm this question is turning direction dramatically.
In your case, I suggest using Group Policy to redirect the Desktop folder to a read-only folder on a server share.

Hi Redwulf,

I have considered using folder redirection but unfortunately because of our company having many small branch offices without their own filers and bandwidth issues, that cannot be implemented.
Yes, the question took off on a different route, but is it possible to remove permissions by XCACLS and then prohibit the user from changing it back? Like limit the access of the user on the Security tab of the Desktop folder properties?

The user will always have Full Control on his/her own Profile folder (otherwise you'll get all sorts of problems), and that implies he/she can always change the permissions/ownership back on the Desktop folder. Maybe creating a dummy desktop folder inside the Windows system folder (where the user cannot change permissions) and redirecting the Desktop to that could solve your problem?

Sounds like a good idea to me. I'll have to try it.
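
Added example, not part of the thread: a PowerShell check that reports, for each Deny entry on a folder, whether the denied account is also the folder's owner, which is the situation the last answer describes for a Desktop folder inside the user's own profile. The function name Test-DenyAceReversible is hypothetical; it relies only on Get-Acl and the .NET FileSystemRights enum, and it reads the ACL without changing it.

```powershell
# Added example (not from the thread). Test-DenyAceReversible is a hypothetical name.
# For every Deny entry on a folder, report whether the denied account owns the folder.
# An owner can rewrite the folder's permissions, so such a Deny entry is not a lasting control.
function Test-DenyAceReversible {
    param(
        [Parameter(Mandatory)] [string] $Path
    )

    $acl   = Get-Acl -LiteralPath $Path
    $owner = $acl.Owner    # account name of the folder's owner, e.g. DOMAIN\user

    # Rights that allow editing the permission list or taking ownership
    $aclEdit = [int][System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
               [int][System.Security.AccessControl.FileSystemRights]::TakeOwnership

    $denyEntries = $acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' }

    foreach ($deny in $denyEntries) {
        $who     = $deny.IdentityReference.Value
        $isOwner = ($who -eq $owner)

        # Does this Deny entry include both ChangePermissions and TakeOwnership?
        $coversAclEdit = (([int]$deny.FileSystemRights -band $aclEdit) -eq $aclEdit)

        [pscustomobject]@{
            Path             = $Path
            Owner            = $owner
            DeniedAccount    = $who
            DeniedRights     = $deny.FileSystemRights
            Inherited        = $deny.IsInherited
            DeniedIsOwner    = $isOwner
            DenyCoversAclEdit = $coversAclEdit
            Finding          = if ($isOwner) {
                                   'Denied account owns the folder and can change the permissions back'
                               } else {
                                   'Denied account is not the owner'
                               }
        }
    }
}

# Usage (run as the affected user or as an administrator who can read the ACL):
# Test-DenyAceReversible -Path "$env:USERPROFILE\Desktop" | Format-List
```

A folder created under a location the user does not own, as suggested in the last answer, should report DeniedIsOwner as False.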