Link to home
Start Free TrialLog in
Avatar of ei00004
ei00004Flag for United States of America

asked on

Needing GPO (scripts (logon/logoff)) to run with administrator rights

How can I get Group Policy (scripts (logon/logoff)) to run with administrator rights?
Avatar of raptorjb007
raptorjb007
Flag of United States of America image
There are four types of scripts that can be configured in GPO.

Computer: Startup & Shutdown
User: Logon & Logoff

Out of these four types, only the user logon script type runs as the user, the other three run as LocalSystem. If LocalSystem rights are not enough, you could incorporate a script that elevates itself using the runas command, however this would be insecure due to the fact that the password would be stored unencrypted in the script, and to run the user would require read access to the script itself thus creating the possibility for users to obtain admin credentials.

What is it you are trying to script that requires admin rights? Perhaps there is a way to accomplish the task with a limited access account.
Avatar of ei00004
ei00004
Flag of United States of America image

ASKER

Thanks for the explantion, I have changed the script to run as Startup in the GPO, but I'm still not sure it is executing on the client pc. I only need to execute a simple batch file that copies a (.ini) file from a shared folder on the server to a folder on the client PC's C:\ drive. I need to check a few client PC's to verify the file has been copied there.

I also need to run a kixtart script using AdminScriptEditor (ASE) as administrator to change the printers on the client pc's from one print server to another. I know I can use the runas command but I'm not sure of the syntax. I'm not too worried about the local admin password being displayed in clear text because this script will only run for a short time, then the lines of code will be deleted.
ASKER CERTIFIED SOLUTION
Avatar of raptorjb007
raptorjb007
Flag of United States of America image
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of raptorjb007
raptorjb007
Flag of United States of America image
Any luck?
Avatar of ei00004
ei00004
Flag of United States of America image

ASKER

Yes thank you, I was able to create a GPO that allows me to add Domain Users to the local admin group on their local PCs. I accomplished this by creating a new policy, then selecting Edit. Select > Computer Configuration\Windows Settings\Security Settings\Restricted Groups. Right-click Restricted Groups then click Add Group.

Click Browse > select the local computer, then select the group that you want to add to the local Administrators group (in this case, the "Domain\Domain Users" group)  click ADD, and then click OK.


This security rights change also allows me to execute a GPO Logon/Logoff batch file that copies a (.ini) file from a shared folder on the server to a folder on the client PC's C:\ drive.

It also allows the kixtart script to execute properly as administrator and changes the printers on the client pc's from one print server to another.

I know this is not the best secure way because all users are now local admins on all PCs, however this is temporarily running just long enough for the changes to be pushed out. I then can use the GPOs > Computer Configuration > Windows Settings > Security Settings > File System option to change file/folder perms to allow the Domain Users group modify permissions.
Avatar of ei00004
ei00004
Flag of United States of America image

ASKER

This has been resolved, thanks for your help.