nostrasystems


Microsoft, Windows, XP and Vista, Add Printer scripts

Hi,
I have scripts that add printers to user profiles when they log in. It works in XP but not Vista. I looked through other EE postings etc. and the script needs to be elevated to administrator level in order to add the printer, kind of like you cannot ipconfig /release % /renew unless you are in admin cmd. Some others are local administrators and others are not.

I cannot get the script to elevate the permission to add the printer.
Below is a copy of one of the scripts that works in XP.
-------------------------------------------------------------------------
Option Explicit
Dim objNetwork, strUNCPrinter
strUNCPrinter = "\\oatlands-dc\ResourceRoom"
Set objNetwork = CreateObject("WScript.Network")
objNetwork.AddWindowsPrinterConnection strUNCPrinter

WScript.Quit

----------------------------------------------------------------------------------

Can anyone help?
maze-uk

Is it a script the user runs manually, or via GPO?
nostrasystems

ASKER

Hi, it is run using a logon batch file in their AD account.
Microsoft technet Script Elevation PowerToys for Windows Vista :
http://technet.microsoft.com/en-us/magazine/cc162321.aspx

That should fix your issue.
Found on another forum (techarena):

With Vista you need to know about: a) the creation and use of limited access tokens by a user who is a local admin, b) the task scheduler, and 3) modifying launchapp.wsf for each GPO initiated at logon.

1.      If your user is a local admin, then the existing GPO logon script you have won't work. Your logon scripts should work for non-local admins.

2.      Your existing logon script won't work for a local admin because your local admin has to receive a limited user token to map drives. Per AdamV http://www.gpanswers.com/community/viewtopic.php?p=5625#5625 I'm summarizing his post here: Group Policy and logon scripts process using the elevated user token, and the desktop and all subsequent processes use the limited token. Windows restricts processes started with a limited token from the ability to share information with processes started with the elevated token.

3.      The workaround is to run a launchapp.wsf script which will give your local admin a limited access token so the mapping of drives is done at a protected level, instead of at an admin level. Remember in Vista even though you log in as Local Admin you are not running everything at an Admin level. (To run programs at an admin level you right click the *.exe and choose run as admin.) LaunchApp.wsf is easy to use.

4.      After you get LaunchApp.wsf working with your script you will want to edit the script and comment out the lines that create annoying dialog box. Comment out the following lines: WScript.Echo "Task definition created. About to submit the task." and   WScript.Echo "Task submitted for all drives."

5.      WAIT, DON'T Stop Here, you have to know about the new functionality with Task Scheduler! In order to launch your mapped drive logon script LaunchApp.wsf schedules a job to run your GPO logon script with that limited token I was talking about.

6.      So why was it important to know about Task Scheduler? Because the LaunchApp.wsf created a scheduled job called "Launch App As Interactive User" and if you have LaunchApp.wsf being used for several GPOs it will choke on itself in the Task Scheduler because to the OS it looks like you're creating several scheduled jobs with the same name.

7.      So how do I run several GPOs that have to invoke LaunchApp.wsf to run? At first I modified my logon script GPO, to run logon scripts synchronously. This worked because it forces LaunchApp.wsf to launch and complete one scheduled job at a time. The negative: it takes longer for users to logon in synchronous mode.

8.      To get out of having to use Logon Script Synchronous Mode, open up LaunchApp.wsf and look again for the line strTaskName = "Launch App As Interactive User" and add the name of the GPO you're trying to run to the end of the name. So the line would look like strTaskName = "Launch App As Interactive User  Mapped drives for Programming Dept". This causes each GPO that uses LaunchApp.wsf to create its own scheduled task with its own name. It also makes it easier to see what is happening in the new Task Scheduler Event log.

9.      Lastly, obviously you only have to run launchapp.wsf for Vista Clients. Now you could create a WMI filter that states SELECT * from Win32_OperatingSystem WHERE Caption LIKE "%Vista%" But I found it nicer to not have to apply a filter by running LaunchApp2.wsf found at Michaels Zills blog at http://www.enterprisedev.org//blogs/michael/archive/2007/01/05/deploying-group-policy-using-vista.aspx This allows you to create one GPO that will apply to both XP and Vista Clients.
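
The changes described in items 4 to 9 above, as an added example that is not part of the quoted post and is not Microsoft's LaunchApp.wsf or LaunchApp2.wsf: a standalone VBScript that registers a Task Scheduler 2.0 task under a per-GPO name, shows no dialogs, and falls back to a direct run on XP. The file name `launch-limited.vbs` and the second `<Label>` argument are assumptions made for this sketch, and the label is assumed to contain only characters valid in a task name.

```vbscript
' Added example (not Microsoft's LaunchApp.wsf): run a logon script with the
' user's filtered token on Vista and later, and run it directly on XP.
' Usage (hypothetical file name): wscript launch-limited.vbs <AppPath> <Label>
Option Explicit

Const TASK_TRIGGER_REGISTRATION = 7     ' fire as soon as the task is registered
Const TASK_ACTION_EXEC = 0              ' action type: run an executable
Const TASK_CREATE_OR_UPDATE = 6         ' replace a stale task of the same name
Const TASK_LOGON_INTERACTIVE_TOKEN = 3  ' run as the logged-on user, no password
Const TASK_RUNLEVEL_LUA = 0             ' least-privilege (filtered) token

Dim strAppPath, strLabel, strTaskName
If WScript.Arguments.Count <> 2 Then WScript.Quit 1   ' no dialog box at logon
strAppPath = WScript.Arguments(0)
strLabel = WScript.Arguments(1)
' One task name per GPO so several logon scripts do not collide (items 6 and 8).
strTaskName = "Launch App As Interactive User - " & strLabel

If OsMajorVersion() < 6 Then
    ' XP / Server 2003: there is no split token, so run the script directly.
    CreateObject("WScript.Shell").Run """" & strAppPath & """", 0, False
Else
    RegisterInteractiveTask strTaskName, strAppPath
End If

Function OsMajorVersion()
    Dim objWMI, colOS, objOS
    Set objWMI = GetObject("winmgmts:\\.\root\cimv2")
    Set colOS = objWMI.ExecQuery("SELECT Version FROM Win32_OperatingSystem")
    For Each objOS In colOS
        OsMajorVersion = CInt(Split(objOS.Version, ".")(0))   ' "6.0.6000" -> 6
    Next
End Function

Sub RegisterInteractiveTask(strName, strPath)
    Dim objService, objFolder, objTask, objAction
    Set objService = CreateObject("Schedule.Service")
    objService.Connect
    Set objFolder = objService.GetFolder("\")
    Set objTask = objService.NewTask(0)
    objTask.Principal.RunLevel = TASK_RUNLEVEL_LUA
    objTask.Triggers.Create TASK_TRIGGER_REGISTRATION
    Set objAction = objTask.Actions.Create(TASK_ACTION_EXEC)
    objAction.Path = strPath
    ' Omitted user and password plus the interactive logon type: the task runs
    ' in the caller's session with the limited token, not the elevated one.
    objFolder.RegisterTaskDefinition strName, objTask, _
        TASK_CREATE_OR_UPDATE, , , TASK_LOGON_INTERACTIVE_TOKEN
End Sub
```

Each registered task stays visible under its own name in Task Scheduler, which makes it possible to confirm per GPO that the script ran with the limited token.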
ASKER CERTIFIED SOLUTION
maze-uk

... and last: Deploying Group Policy Using Windows Vista (http://technet.microsoft.com/en-us/library/cc766208.aspx).
There is a section "Group Policy Scripts can fail due to User Account Control" with a workaround:
To configure launchapp.wsf to postpone the execution of a logon script
1. Copy the logon script and the launchapp.wsf script to a network share.
2. Start Group Policy Management Console (GPMC). In GPMC, right-click the GPO you want to modify, and then click Edit.
3. In the User Configuration node, expand Windows Settings, and then click Scripts.
4. Right-click Logon, and then click Properties.
5. In the Logon Properties dialog box, click Add.
6. In the Script Name box, type launchapp.wsf
7. In the Script Parameters box, type the full path and name to logon.bat