
get this when logging on as a user

Posted on 2008-06-10
Last Modified: 2013-12-04
Hope someone can help. This was working in our test OU; when we went domain wide this script isn't disabling the USB ports. It will if run manually under a domain admin account, sure it's just a matter of permissions. Am attaching a screenshot of the entire error. Any help/advice would be greatly appreciated. Thanks in advance.
script-error.bmp
Question by:dklahn
11 Comments
 
LVL 8

Expert Comment

by:Lotok
ID: 21752630
It looks like the user does not have access to edit the registry. You could try adding a runas to the login script.

See here for details on using the command: http://www.computerhope.com/runas.htm
0
 
LVL 6

Expert Comment

by:raptorjb007
ID: 21752735
I would recommend applying this script via group policy using a computer policy.
Computer Configuration->Scripts->Startup

If run as a computer startup script, the script is run as the computer instead of the user, bypassing the permissions issue with a limited level user account. It will also run when the computer boots up rather than when the user logs on; keep this in mind as it affects all users who log into a computer with this policy applied.

In group policy there are four types of script that can be run: computer (startup, shutdown) and user (login, logoff). Of these, only the user logon scripts will run as the user; the other three run as LocalSystem.

There are also ADM templates that can resolve this issue in group policy without the use of a script. Let me know if you would like additional information regarding this.
0
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 21752899
Hi!

Standard user has no permissions to edit HKLM part of the registry. If suggestions to run script as startup script don't work for you, use GPO to change security settings on these particular registry keys.

HTH

Toni
0

 

Author Comment

by:dklahn
ID: 21752915
I had thought of that. The only problem is in each of our OUs, there are a few users who do need to have access to USB devices, mostly cameras with SD cards. As far as I know, there's really no way to pick and choose which ones allow/deny; that's why I've been trying to do this with 2 log on scripts, one to allow and one to deny.
0
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 21753005
Group policy allows you to use Security filtering. Assign GPO to OU, create only one global security group, for example "Prohibit use of USB devices" and assign the following policy to this group: Apply Group Policy - Deny.

If you need more information, let me know...
0
 
LVL 6

Expert Comment

by:raptorjb007
ID: 21753078
Since most of the solutions for this problem involve modifying the HKLM registry, these will all be computer based solutions rather than user.

You may be able to work around this by combining solutions.

-Create a Security group to define the users who need to have USB access.
-Use a GPO to apply the script to restrict access for both the startup (computer) and logoff (user) to the managed OU.
-Use a GPO to grant modify access to the key for the previously defined security group. Be sure to add the default ACL settings for the key in the GPO, as it sets the ACL only to what is defined in the GPO.
-Assign a logon script, preferably by an account profile script. However, a GPO logon script can work if AD is organized enough to allow you to affect only the target users.

This way when an unrestricted user logs in, they have permission to modify the key so the script can un-restrict them. The logoff and startup scripts will reset the restriction so another user cannot simply log in after them or reboot to gain access.
0
 

Author Comment

by:dklahn
ID: 21754257
Makes sense. Is there any way to just allow the change in the registry through GPO? Thanks again.
0
 
LVL 6

Accepted Solution

by:
raptorjb007 earned 500 total points
ID: 21756441
If by granting access to allow the change in the registry you mean modifying the permissions for that key to simply allow your original script to work, then yes, this can be done through group policy in:
computer->windows->security->registry

Add the key to the policy and grant the "full control" permission to users.

This will allow users to modify that key, thus allowing your logon script to work.
0
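
A check to run on a client after the registry-security policy described in this thread has applied, as an added example that is not part of the original posts: it prints the key's security descriptor in SDDL form (useful for comparing against the default ACL, since the GPO sets the ACL only to what it defines) and lists every ACE, marking write-capable entries held by anyone other than LocalSystem and Administrators. The thread does not name the registry key, so the path is a required parameter; the list of expected writers is an assumption to adjust for your environment.

```powershell
param(
    # Registry key the logon script modifies. Not named in the thread, so it
    # must be supplied, e.g. -KeyPath 'HKLM:\SYSTEM\<path-to-key>'
    [Parameter(Mandatory = $true)]
    [string]$KeyPath
)

# Rights that let a principal change values, subkeys, or the key's own security.
$writeRights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
# Also catch ACEs stored as GENERIC_ALL (0x10000000) or GENERIC_WRITE (0x40000000).
$writeMask = [int]$writeRights -bor 0x50000000

# Well-known SIDs assumed to be legitimate writers on an HKLM key.
$expectedWriters = @(
    'S-1-5-18',      # LocalSystem
    'S-1-5-32-544'   # BUILTIN\Administrators
)

$acl = Get-Acl -Path $KeyPath

# Full descriptor, for comparison with the ACL the key had before the policy.
"SDDL for ${KeyPath}:"
$acl.Sddl

$acl.Access | ForEach-Object {
    # Resolve the account to a SID so the check does not depend on OS language.
    try {
        $sid = $_.IdentityReference.Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        $sid = $_.IdentityReference.Value   # unresolvable account, keep as shown
    }

    $canWrite = ($_.AccessControlType -eq 'Allow') -and
                (([int]$_.RegistryRights -band $writeMask) -ne 0)

    [pscustomobject]@{
        Identity  = $_.IdentityReference.Value
        Sid       = $sid
        Type      = $_.AccessControlType
        Rights    = $_.RegistryRights
        Inherited = $_.IsInherited
        # True when a principal outside the expected list can modify the key.
        Review    = $canWrite -and ($expectedWriters -notcontains $sid)
    }
} | Format-Table -AutoSize
```

Rows with `Review` set to `True` show which principals the policy has allowed to modify the key, which makes it easy to confirm that the grant reached only the group you intended.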
 
LVL 31

Assisted Solution

by:Toni Uranjek
Toni Uranjek earned 500 total points
ID: 21756470
Check this article:

"Apply or modify permission entries for objects using Group Policy"
http://technet2.microsoft.com/windowsserver/en/library/1687ef1d-b382-49c7-b184-a4cc888be5251033.mspx?mfr=true
0
 

Author Comment

by:dklahn
ID: 21759973
Thanks a lot guys, it works great now, really appreciate all the help.
0
 
LVL 6

Expert Comment

by:raptorjb007
ID: 21782503
Glad to be of assistance.
0
