danimalhenry asked:

Vista Domain Account Rights

I'm running a Vista machine on a Windows 2003 domain. My domain account is in the Administrators group on a local machine running Vista, yet when I go to install some programs, I still get prompted for Admin rights. Even when I right-click the setup file and go to "Run As Administrator", it still says I don't have enough rights. I went into the security policy settings, and enabled/disabled everything I could under the UAC settings. I actually got rid of as much security as was available, which is more than I ultimately want to do, and it still won't let me... Does anyone know how to get Vista to play nicer with domain accounts?
ASKER CERTIFIED SOLUTION
Lester_Clayton
This solution is only available to members.
danimalhenry (ASKER)

Thanks, that actually helped solve a different issue I was having with Vista not running my domain applied login script. However, I still cannot launch this setup file. I'm trying to install Roxio 9. It works if I log in as the local administrator, but that's a huge pain. I've installed a lot of software on this machine, and this is the first time I've run into this; so it's quite possible that it's just something with Roxio. Thanks again!
Lester_Clayton

Oh man this has probably been one of the trickiest components of this
blasted UAC I've had to face so far.

Basically, due to the way UAC handles permissions during logins as
described on this page
http://technet2.microsoft.com/Windo...3.mspx?mfr=true
We have to schedule the script to run as interactive user. BUT, this
solution now breaks your non admin users who don't have permission to
schedule anything.

I've written/modified two scripts which are pasted below which will
hopefully solve everybody's problems. In my GPO for my scripts I have
Script Name:
\\soe.eo\NETLOGON\launchscript.wsf
Script Parameters:
drive_mapping \\soe.eo\NETLOGON\Logon\drive_mapping.vbs

The drive mapping script does all my drive mappings, so you use your
own one there.
The launchscript wsf file first determines if you are an administrator
- if you are, then it schedules the script to run as recommended by
Microsoft, otherwise it just launches it normally.
The reason I've added a second parameter to the MS suggested solution
is because if you want to run more than 1 script, then it will fail as
the original script has a hard coded scheduled task name. This change
I've made will allow you to schedule more than 1 login script provided
you give them different names.

This scenario is working for me on several scripts launched from the
same GPO and regardless of whether or not I log in as an administrator
or standard user. I use this methodology to map network drives as
well as connect network printers.

Contents of launchscript.wsf
 
<job>
<script language="VBScript">
 
If WScript.Arguments.Length <> 2 Then
    WScript.Echo "Usage: wscript launchscript.wsf <ScriptName> <ScriptPath>"
    WScript.Quit
End If

On Error Resume Next

strScriptName = WScript.Arguments(0)
strScriptPath = WScript.Arguments(1)

' Probe file: creating it in C:\ is used as the test for administrator rights
strTestFile = "C:\test.txt"

Set FileSys = CreateObject("Scripting.FileSystemObject")
Set WshShell = WScript.CreateObject("WScript.Shell")

' Second argument True = overwrite a probe file left over from an earlier run
FileSys.CreateTextFile strTestFile, True
' Checking Err as well avoids treating a leftover, unwritable probe file as success
If Err.Number = 0 And FileSys.FileExists(strTestFile) Then
    ' We are an administrator - schedule the script to run
    WshShell.Run "\\soe-dc\NETLOGON\schedulescript.wsf " & strScriptName & " " & strScriptPath, 1, True
Else
    ' We are a standard user - just launch the script
    WshShell.Run "wscript " & strScriptPath, 1, True
End If

' Remove the probe file (fails silently for standard users)
FileSys.DeleteFile strTestFile
 
</script>
</job>
 
Contents of schedulescript.wsf
 
<job>
<script language="VBScript">
 
'******************************************************************
' This script launches the second parameter as the interactive user.
' Written by Microsoft - Improved by Lester
'******************************************************************

' A constant that specifies a registration trigger.
Const TriggerTypeRegistration = 7

' A constant that specifies an executable action.
Const ActionTypeExecutable = 0

' A constant that specifies the flag in RegisterTaskDefinition.
Const FlagTaskCreate = 2

' A constant that specifies the interactive logon type.
Const LogonTypeInteractive = 3

If WScript.Arguments.Length <> 2 Then
    WScript.Echo "Usage: wscript schedulescript.wsf <AppName> <AppPath>"
    WScript.Quit
End If

strAppName = WScript.Arguments(0)
strAppPath = WScript.Arguments(1)

'******************************************************************
' Create the TaskService object.
'******************************************************************

Set service = CreateObject("Schedule.Service")
Call service.Connect()
' The task name includes the first argument, so several scripts can be scheduled
strTaskName = "Launch " & strAppName

'******************************************************************
' Get a folder to create a task definition in.
'******************************************************************

Dim rootFolder
Set rootFolder = service.GetFolder("\")

'******************************************************************
' Delete the task if already present
'******************************************************************
On Error Resume Next
Call rootFolder.DeleteTask(strTaskName, 0)
Err.Clear

'******************************************************************
' Create the new task
'******************************************************************

Dim taskDefinition
Set taskDefinition = service.NewTask(0)

'******************************************************************
' Create a registration trigger.
'******************************************************************

Dim triggers
Set triggers = taskDefinition.Triggers
Dim trigger
Set trigger = triggers.Create(TriggerTypeRegistration)

'******************************************************************
' Create the action for the task to execute.
'******************************************************************

' Add an action to the task. The action executes the app.

Dim Action
Set Action = taskDefinition.Actions.Create(ActionTypeExecutable)
Action.Path = strAppPath

'******************************************************************
' Register (create) the task.
'******************************************************************

Call rootFolder.RegisterTaskDefinition(strTaskName, taskDefinition, FlagTaskCreate, , , LogonTypeInteractive)
 
</script>
</job>

Sorry, I should have introduced the previous post. I had the problem where being a local administrator prevented my network drives from being mapped, and the solution above is the same solution I posted at Google forums some time ago.
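
An added example, not part of Lester_Clayton's post or of Microsoft's script: a way to make the "am I an administrator" decision in launchscript.wsf from the logon token itself instead of writing a probe file to C:\. It assumes whoami.exe is present (it ships with Vista); the function names GetTokenGroups and ClassifyToken are hypothetical.

```vbscript
Option Explicit

' Well-known SIDs as printed by "whoami /groups" for the current process token.
Const SID_HIGH_INTEGRITY = "S-1-16-12288"    ' High Mandatory Level (elevated token)
Const SID_SYSTEM_INTEGRITY = "S-1-16-16384"  ' System Mandatory Level
Const SID_ADMINISTRATORS = "S-1-5-32-544"    ' BUILTIN\Administrators

' Returns the group list of the current token as CSV text, one group per line.
Function GetTokenGroups()
    Dim shell, whoami, proc
    Set shell = CreateObject("WScript.Shell")
    whoami = shell.ExpandEnvironmentStrings("%SystemRoot%\System32\whoami.exe")
    Set proc = shell.Exec("""" & whoami & """ /groups /fo csv /nh")
    GetTokenGroups = proc.StdOut.ReadAll()
End Function

' True when the CSV text contains the SID as a complete quoted field.
Function HasSid(groupsCsv, sid)
    HasSid = InStr(1, groupsCsv, """" & sid & """", vbTextCompare) > 0
End Function

' Classifies the token from its group list (hypothetical helper):
'   "elevated"       - high or system integrity: full administrator token
'   "filtered-admin" - Administrators SID is listed but the token is not elevated
'   "standard"       - Administrators SID is not in the token at all
Function ClassifyToken(groupsCsv)
    If HasSid(groupsCsv, SID_HIGH_INTEGRITY) Or HasSid(groupsCsv, SID_SYSTEM_INTEGRITY) Then
        ClassifyToken = "elevated"
    ElseIf HasSid(groupsCsv, SID_ADMINISTRATORS) Then
        ClassifyToken = "filtered-admin"
    Else
        ClassifyToken = "standard"
    End If
End Function

' Same decision launchscript.wsf makes, without touching the file system.
Dim kind
kind = ClassifyToken(GetTokenGroups())
If kind = "elevated" Then
    WScript.Echo "Elevated token: hand the logon script to the scheduled task"
Else
    WScript.Echo "Token is " & kind & ": run the logon script directly"
End If
```

The check matches SIDs rather than group names or attribute text, so it does not depend on the display language of the machine.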
knightEknight
Going back to the first posts, I'm having the same issue with UAC, and my work-around is to simply have two sessions open -- one with my domain account and the other with the local administrator account.  I switch users back and forth as required.  What a pain!  But it beats rebooting the machine every time I would need to turn UAC on or off.