  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 10801

Editing a host file with a batch file

Hello experts.

I'm trying to copy an edited host and lmhosts.sam file to the c:/windows/system32/drivers/etc/ folder by running a batch file as follows:
_________________________________
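rem Switch to the hosts directory (/d also changes drive if needed)
cd /d c:\windows\system32\drivers\etc
rem Overwrite the local copies from the server share without prompting
copy /y \\server\host_files\hosts
copy /y \\server\host_files\lmhosts.sam
exit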
_________________________________

However I'm only able to run this successfully when an account with administrative rights logs into the computer.  Is there any way to have this run successfully when regular users log into their accounts through login script?  Or does anyone have an alternate way to update this file with other means?
0
craizlee
1 Solution
 
DoTheDEW335Commented:
You might be able to schedule it to run and have it "run as" an administrator. I'm not quite sure how you could schedule it to run when they log on, though.
0
 
DoTheDEW335Commented:
Depending on when you need it updated, I meant. If you need it updated once daily, just use a scheduled event to run the batch file with admin rights; you'll just set it to "run as" and then put in an admin name and pw.
0
 
craizleeAuthor Commented:
You mean as a scheduled task?  Not sure how that really works.  Can it run while a user is logged on/off?  Also, how would I be able to schedule this to every computer on my network?  Over 250 pcs?
0

 
amirinamdarCommented:
Right click My Computer> Manage. Navigate to Local Users and Groups>Users in the left hand pane. In the right side, double click the user you want to add the script for and click on 'Profile' tab. You can add the batch file to the logon script. Unless the script is in the %Systemroot% folder, you will have to type the full path of the script.
0
 
Danny ChildIT ManagerCommented:
The problem is coming up because the Hosts and LMHosts files are set for Read perms only for Users by default.  If you change this, then your batch file will work.
But this begs the question, what are you changing in it?  If it's just the odd IP address now and again, I'd create a batch file that you run manually, with a loop to apply it to each pc, and write a status error as well...
hth Danny
0
 
craizleeAuthor Commented:
amir: This may be helpful if each user is all on one local machine.  I'd prefer not to need to go to each individual machine and add the login script locally for each user.  That would take forever.  I've assigned this batch file through Active Directory Group Policy logon script, which is more suitable to add for network users.  However, the problem is not running the script; it's the fact that, because of permission levels, when the batch file runs, it comes back with an "Access Denied".

Dan: Is there a way to change the perms to read/write for each machine without having to physically go to each one and do it manually?

The reason I am replacing the host file is because I found that some had a list of IP addresses that point to our servers using their public IP addresses instead of their private addresses, which resolve through DNS.  I'm basically just replacing the host file to not have any addresses listed.  This was causing some problems accessing application and database servers remotely through VPN.
0
 
DoTheDEW335Commented:
If they log into the domain why not create a group policy for it.
0
 
Danny ChildIT ManagerCommented:
Group policy is the easiest way to deal with this.

If you copy the file over one time, you can set the perms on the file before you copy it, and then they'll be there forever.  Then your login script would work.  However, by relaxing the perms, you do run the risk that a) users will fiddle, and b) that unwanted stuff can get to the files - adware redirects and pharming risks too.  

Batch file stuff:
the NET VIEW command, redirected to a text file can give a fairly tidy list of pcs on the domain
C:\> net view > c:\list.txt
might need a bit of tweaking to remove stuff at the start and end, and I think you need to be careful with the \\ too.  Open it in Word and use Find.. Replace.  Sorry, bit rusty on this.

then in a batch file
FOR /F " tokens=1 " %%i in (list.txt) do copy lmhosts.sam "%%i\C$\windows\system32\drivers\etc\" >>c:\results.txt

test with a list of a few pcs, and check the results.txt file for the outcome
0
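A read-only variant of the loop above, as an added example that is not part of the original thread: instead of copying, it reports how many active (non-comment) entries each PC's hosts file contains and lists them, which is how stale server entries or unwanted redirects would show up. It assumes list.txt has been cleaned up to one \\PCNAME per line and that it is run from an account with admin rights on the PCs.

```batch
@echo off
rem Added example: read-only audit of hosts files on the PCs named in list.txt
rem (assumed to hold one \\PCNAME per line). Nothing on the PCs is changed.
setlocal
set "OUT=c:\results.txt"
> "%OUT%" echo Hosts audit started %DATE% %TIME%

for /f "tokens=1" %%i in (list.txt) do call :audit "%%i"
endlocal
exit /b 0

:audit
set "H=%~1\C$\windows\system32\drivers\etc\hosts"
if not exist "%H%" (
    >>"%OUT%" echo %~1 UNREACHABLE or hosts file missing
    exit /b 0
)
rem Count lines that are neither blank nor comments: these are active overrides.
rem A default hosts file often has one (127.0.0.1 localhost).
for /f %%c in ('findstr /v /r /c:"^ *#" /c:"^ *$" "%H%" ^| find /c /v ""') do (
    >>"%OUT%" echo %~1 active_entries=%%c
)
rem List the entries themselves so unexpected redirects can be reviewed.
>>"%OUT%" findstr /v /r /c:"^ *#" /c:"^ *$" "%H%"
exit /b 0
```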
 
craizleeAuthor Commented:
Dan: Not sure what you mean by "If you copy the file over one time, you can set the perms on the file before you copy it, and then they'll be there forever."

also,

then in a batch file
FOR /F " tokens=1 " %%i in (list.txt) do copy lmhosts.sam "%%i\C$\windows\system32\drivers\etc\" >>c:\results.txt

Do I copy that line "FOR /F " tokens=1 " %%i in (list.txt) do copy lmhosts.sam "%%i\C$\windows\system32\drivers\etc\" >>c:\results.txt" exactly into the batch file?  What is %%i?
0
 
craizleeAuthor Commented:
Is there any alternate way to edit these files over the network?
0
 
DoTheDEW335Commented:
I don't think it's what you want but the below will work:
You can access the Admin share (C$)
if you have admin un/pw for each client you can access them with the net use command.

NET USE
[devicename | *] [\\computername\sharename[\volume] [password | *]]
        [/USER:[domainname\]username]
        [/USER:[dotted domain name\]username]
        [/USER:[username@dotted domain name]
        [/SMARTCARD]
        [/SAVECRED]
        [[/DELETE] | [/PERSISTENT:{YES | NO}]]

NET USE {devicename | *} [password | *] /HOME

NET USE [/PERSISTENT:{YES | NO}]


eg..

net use * \\COMPUTER(or IP address)\c$ /user:administrator password

0
 
DoTheDEW335Commented:
You could even create a batch file to connect them to a certain drive letter (replace the *) and copy the host file then disconnect, and have it go through each computer. But you would have to type it all in a batch file.
0
 
KenneniahCommented:
Your batch file for copying should work fine as a computer startup script instead of a user logon script, as they run under the system account with admin rights.

In Group Policy
Computer Configuration --> Windows Settings --> Scripts (Startup/Shutdown)
0
 
craizleeAuthor Commented:
Kenneniah:  Interesting.  I will try adding it to the domain policy and see what happens.

Thanks!
0
 
KenneniahCommented:
BTW, you'd have to do one of 2 things for it to work. First, would be to grant read access to the "Domain Computers" AD group to the network share the hosts files are located on so that the system accounts can connect to it.

Or, modify the script to map a drive using "net use" specifying a username and password, copying the files, then disconnecting the drive.
0
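A version of the copy script suited to the computer startup approach and share-access requirement described above, as an added example that is not code from the thread: it logs the account it runs under and the result of each step, so a failure to reach the share or to write the files is visible afterwards. The log path is an assumption, and `whoami` is assumed to be available on the client.

```batch
@echo off
rem Added example: computer startup script that logs each step.
rem \\server\host_files is the share from the question; LOG is an assumed path.
setlocal
set "SRC=\\server\host_files"
set "DST=%SystemRoot%\System32\drivers\etc"
set "LOG=%SystemRoot%\Temp\hosts-update.log"

>>"%LOG%" echo ==== %DATE% %TIME% on %COMPUTERNAME% ====
rem Record which account the script is really running under.
>>"%LOG%" 2>&1 whoami

rem Stop early, with the reason logged, if the share cannot be read.
if not exist "%SRC%\hosts" (
    >>"%LOG%" echo ERROR: cannot read %SRC%\hosts ^(share or NTFS permissions, or network not ready^)
    exit /b 1
)

rem Copy both files and log success or failure for each one.
for %%F in (hosts lmhosts.sam) do (
    >>"%LOG%" 2>&1 copy /y "%SRC%\%%F" "%DST%\%%F"
    if errorlevel 1 (>>"%LOG%" echo ERROR: copy of %%F failed) else (>>"%LOG%" echo OK: %%F replaced)
)
endlocal
```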
 
craizleeAuthor Commented:
Ken:  That didn't seem to do anything.  Once I set the computer startup script, Start|Run|typed gpupdate /force, rebooted, all seemed well as it said it was running the startup script.  However when checking the host file, it looked to be the original, and not replaced.  Are you sure the startup script uses the system account with admin privileges?  I think the only obstacle here is permission level for the system folders.  There's got to be a way to accomplish this...
0
 
KenneniahCommented:
Yes, it does. Did you set permissions on the share folder for "Domain Computers" though? If not, the system account would not have been able to make the network connection to get the new host file.
0
 
craizleeAuthor Commented:
Yep.  I added "Domain Computers" with full control just to be sure.  Any other suggestions I could try?
0
 
KenneniahCommented:
Hmm, it could be using a null session when the system account is running the script. On the server computer, go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters and edit "NullSessionShares". By default it should have something like "COMCFG DFS$" Add the name of the share the host files are in and give it a try.
0
 
KenneniahCommented:
More information can be found at http://support.microsoft.com/kb/q289655/
Including how to allow NullSessionPipes if needed etc.
0
 
craizleeAuthor Commented:
Ken:  Thanks for the suggestion, however I'm a little hesitant to edit the registry at this time as I'm not exactly sure how to add the name of the host file to the REG_MULTI_SZ value, as it states:

 "On a new line in the NullSessionPipes key, type the name of the pipe that you want to access with a null session."  

If you are more familiar with how to do this, let me know.  Also, this would require a reboot, and I won't be able to reboot the server during business hours, so I won't know if the results have taken any effect until the following day.  
0
 
KenneniahCommented:
You probably wouldn't need to set the Pipes section, as mostly that would deal more with applications needing access, not file sharing. I've got something similar working on a couple test machines just adding the sharename to NullSessionShares.
0
 
craizleeAuthor Commented:
When I add the name of the share, how should I name it?  

\\server\share
or
share

not sure of the format.
0
 
KenneniahCommented:
Just the sharename, don't need server. Mine looks like....

COMCFG
DFS$
SHARED
0
