gtrivedi
Elevate privileges in user Logon Script in GPO
I'm creating a GPO which has a logon VBScript in the User Settings section. This GPO is applied to an OU which has some user accounts. I would like to know if there is a way to elevate privileges for these scripts, because normally they run with the same privileges as the user logging on to a machine. However, I don't want:
1) to use an MSI for this purpose
2) put the script in Computer Settings (Startup)
Much appreciated.
I don't think you'll be able to do it. What exactly is the script doing that requires it to be in the User Settings section of the GPO?
ASKER
I want to be able to change some permissions. The VBScript uses XCACLS to change permissions on the %userprofile%\Desktop folder. I have used the /D switch to deny access to the Desktop folder, but the user can go via Windows Explorer to the Desktop folder in their profile and grant himself Full Control. How do I stop that? The XCACLS command is something like this:
strGUID = "{****************************************}" '<<the GUID of the GPO where this script resides.

Set objFSO = Wscript.CreateObject("Scripting.FileSystemObject")
Set objShell = Wscript.CreateObject("Wscript.shell")

' Resolve the logon server, profile path and DOMAIN\user of the user logging on
strLogonServer = objShell.ExpandEnvironmentStrings("%LOGONSERVER%")
strTargetFolder = objShell.ExpandEnvironmentStrings("%USERPROFILE%")
strUserDomain = objShell.ExpandEnvironmentStrings("%USERDOMAIN%")
strUserName = strUserDomain & "\" & objShell.ExpandEnvironmentStrings("%USERNAME%")

' Target is the Desktop folder inside the profile; quote it because the path may contain spaces
strTargetFolder = strTargetFolder & "\" & "Desktop"
strTargetFolderPath = chr(34) & strTargetFolder & chr(34) & " "

' XCACLS.exe is stored next to this script in the GPO's Logon scripts folder on SYSVOL
strPathXCACLS = strLogonServer & "\SYSVOL\PRG-DC.DHL.COM\Policies\" & strGUID & "\User\Scripts\Logon" & "\XCACLS.exe "

'strCommand = strPathXCACLS & strTargetFolderPath & "/G " & strUserName & ":RX Administrators:F System:F /Y"
' Deny the user, grant Administrators and System Full Control; /Y suppresses the prompt, /C continues on errors
strCommand = strPathXCACLS & strTargetFolderPath & "/D " & strUserName & " /G Administrators:F System:F /Y /C"

removePerm
Wscript.quit

' Runs XCACLS against the Desktop folder (in the logging-on user's own security context) and shows its output
PRIVATE SUB removePerm()
    if (objFSO.FolderExists(strTargetFolder)) then
        msgbox ("Ok Desktop folder exists...")
        set objExec = objShell.Exec(strCommand)
        strResult = objExec.StdOut.Readall
        msgbox (strResult)
    end if
END SUB
Ummm this question is turning direction dramatically.
In your case, I suggest using Group Policy to redirect the Desktop folder to a read-only folder on a server share.
ASKER
Hi Redwulf,
I have considered using folder redirection, but unfortunately, because our company has many small branch offices without their own filers, and because of bandwidth issues, that cannot be implemented.
Yes, the question took off on a different route, but is it possible to remove permissions by XCACLS and then prohibit the user from changing them back? Like limit the access of the user on the Security tab of the Desktop folder properties?
The user will always have Full Control on his/her own Profile folder (otherwise you'll get all sorts of problems), and that implies he/she can always change the permissions/ownership back on the Desktop folder. Maybe creating a dummy desktop folder inside the Windows system folder (where the user cannot change permissions) and redirecting the Desktop to that could solve your problem?
ASKER
Sounds like a good idea to me. I'll have to try it.
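The point made in the answer above, that a user who owns or has Full Control over their profile can always change the Desktop permissions back, can be checked per folder before relying on a Deny ACE. The following PowerShell is an added example, not code from the thread; the function name Get-AclRegrantPath is hypothetical, and it assumes it is run in the affected user's own session.

```powershell
# Added example: report why the current user can restore their own access
# to a folder even after a Deny ACE has been set on it.
# Assumption: run as the affected user; defaults to that user's Desktop.
function Get-AclRegrantPath {
    param([string]$Folder = (Join-Path $env:USERPROFILE 'Desktop'))

    $sidType = [System.Security.Principal.SecurityIdentifier]
    $me      = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    # SIDs in the user's token (user + enabled groups), so group ACEs match too.
    $mySids  = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })

    $acl = Get-Acl -LiteralPath $Folder -ErrorAction Stop

    # 1. The owner is implicitly allowed to read and rewrite the DACL
    #    (READ_CONTROL / WRITE_DAC); a Deny ACE naming the user does not remove that.
    $ownerSid = $acl.GetOwner($sidType).Value
    if ($mySids -contains $ownerSid) {
        [pscustomobject]@{ Path = $Folder; Via = 'Owner'; Detail = $acl.Owner }
    }

    # 2. Allow ACEs (explicit or inherited) that carry ChangePermissions or
    #    TakeOwnership; Full Control includes both.
    $mask = [int][System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
            [int][System.Security.AccessControl.FileSystemRights]::TakeOwnership
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($mySids -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $mask) -ne 0) {
            [pscustomobject]@{
                Path   = $Folder
                Via    = if ($ace.IsInherited) { 'Inherited allow ACE' } else { 'Explicit allow ACE' }
                Detail = "$($ace.IdentityReference.Value): $($ace.FileSystemRights)"
            }
        }
    }
}

# Check the Desktop folder and the profile root it inherits from.
Get-AclRegrantPath
Get-AclRegrantPath -Folder $env:USERPROFILE
```

Any row in the output means the permission change made by the logon script can be reversed by the user; an empty result for both folders is what a lasting restriction would require.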