Solved

Run batch file in group policy with admin credentials

Posted on 2009-02-24
Last Modified: 2012-08-13
Hi Experts.  I am fighting with this batch file that is changing a file association and obviously I can't run the file under the user's credentials.  So how do I run the batch under the local admin's credentials or system credentials?  Thanks for the help.

The AD Domain is Windows 2003 servers and XP workstations.
Question by:samiam41
17 Comments
 
LVL 31

Accepted Solution

by:
Toni Uranjek earned 1000 total points
ID: 23723327
Hi samiam41,

Run script as startup script. Startup scripts can be defined under Computer configuration in Group Policy object.

HTH

Toni
0
 
LVL 9

Author Comment

by:samiam41
ID: 23723356
Ohh.....  Under computer config....  D@mn.  Thanks.  Trying now.
0
 
LVL 32

Assisted Solution

by:nappy_d
nappy_d earned 1000 total points
ID: 23723514
Try this in a batch script....

  1. create a batch script with this command runas /user:administrator -p %1 \\path to your scriptFile.bat
  2. Add this script to a GPO policy under User Configuration\Windows Settings\Scripts\Logon
  3. The %1 will pass the parameter to your script which is your administrator's password (see the attached screenshot)
Note!! Both of the batch scripts should be located in the correct sysvol directory for this to work.



Picture-113.png
0
 
LVL 9

Author Comment

by:samiam41
ID: 23724508
nappy_d, thanks for the suggestion.  I will try it out once I finish with the first one.
0
 
LVL 9

Author Comment

by:samiam41
ID: 23724798
Would this do the same thing?

'User Config\Admin Templates\System\Logon\Run these programs at user logon'
0
 
LVL 32

Expert Comment

by:nappy_d
ID: 23724879
Yes, but you still will have the problem of passing the administrative password on as the user will not be able to elevate the batch script to run as the administrator, hence my suggestion.
0
 
LVL 9

Author Comment

by:samiam41
ID: 23724903
Gotcha.  Just asking.  I'm with you on this.  No harm in asking.
0
 
LVL 9

Author Comment

by:samiam41
ID: 23726578
Is there any concern with storing the admin password in this manner?
0
 
LVL 32

Expert Comment

by:nappy_d
ID: 23726766
The only concern is that if you do not mind that other admins will see the password, none whatsoever.  The configuration screen that you are on is inaccessible by non administrative users.

Did it work for you?
0
 
LVL 7

Expert Comment

by:firemanf29
ID: 23727362
The better solution is to place the batch files in the Logon script for the user in GP.

User Configuration - Windows Settings - Scripts (Logon/Logoff) - Logon
0
 
LVL 32

Expert Comment

by:nappy_d
ID: 23728204
That is the solution I provided and then I instructed him to make the password in the parameter field.  This way if some smarty-pants user manages to browse the sysvol and finds the batch file, the admin password is not in the file.
0
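Added example (not part of the original thread or any poster's code): Group Policy writes each logon script's command line and its "Script Parameters" value to a scripts.ini file in the policy's Scripts folder under SYSVOL, which domain users can read by default, so the parameter field is worth auditing. The sketch below lists script entries that carry parameters without echoing the values; the function names and the sample content are constructed for illustration.

```python
import re
from pathlib import Path

# Entries look like "0CmdLine=..." / "0Parameters=..." under [Logon], [Logoff], ...
ENTRY = re.compile(r"^(\d+)(CmdLine|Parameters)=(.*)$", re.IGNORECASE)

# Constructed sample, not taken from the thread.
SAMPLE = ("[Logon]\r\n0CmdLine=wrapper.bat\r\n0Parameters=Constructed-Passw0rd\r\n"
          "1CmdLine=mapdrives.bat\r\n1Parameters=\r\n")

def parse_scripts_ini(text):
    """Return [(section, index, cmdline, parameters)] from scripts.ini text."""
    section, entries = None, {}
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        m = ENTRY.match(line)
        if m and section:
            slot = entries.setdefault((section, int(m.group(1))), {})
            slot[m.group(2).lower()] = m.group(3).strip()
    return [(s, i, e.get("cmdline", ""), e.get("parameters", ""))
            for (s, i), e in sorted(entries.items())]

def findings(text):
    """Flag entries with non-empty parameters; the value itself is never echoed."""
    return [{"section": s, "index": i, "cmdline": cmd, "param_chars": len(p)}
            for s, i, cmd, p in parse_scripts_ini(text) if p]

def read_ini(path):
    """scripts.ini is usually UTF-16 with a BOM; fall back to UTF-8."""
    data = Path(path).read_bytes()
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16")
    return data.decode("utf-8-sig", errors="replace")

def audit_tree(root):
    """Walk a copy of SYSVOL\\<domain>\\Policies and list entries to review."""
    report = []
    for ini in Path(root).rglob("*"):
        if ini.is_file() and ini.name.lower() in ("scripts.ini", "psscripts.ini"):
            report += [{"file": str(ini), **f} for f in findings(read_ini(ini))]
    return report

if __name__ == "__main__":
    for f in findings(SAMPLE):
        print(f)
```

Run audit_tree against a read-only copy of the Policies folder. If a flagged parameter turns out to be a password, change that account's password and move the work to a Computer Configuration startup script, which runs as the local system account and needs no stored credential.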
 
LVL 9

Author Comment

by:samiam41
ID: 23766089
I was out of the office near the end of the week so I didn't get to test nappy's suggestion.  I will do this on Monday and will have an update.  

@nappy - Is this the "local" admin account or "domain" admin?  Thanks.
0
 
LVL 32

Expert Comment

by:nappy_d
ID: 23766341
This has to be run with local admin account and privileges.
0
 
LVL 9

Author Comment

by:samiam41
ID: 23768451
Thanks.  Wanted to make sure that I used the correct credentials in testing.
0
 
LVL 9

Author Comment

by:samiam41
ID: 23774649
Sounds like a plan. I am going to begin modifying the group policy which applies to the smallest group and verify that all works as expected in this environment.  Thanks for the suggestion nappy d.

0
 
LVL 9

Author Closing Comment

by:samiam41
ID: 31550639
Thanks for the posts.  Both ideas worked and were approved by the state's AD team at our meeting this morning.  I appreciate your help with this and look forward to working with you again in the future.

Take care,
Aaron
0
 

Expert Comment

by:SUNYESF
ID: 37911176
I tried this and the -p switch did not work. Even if I hard code the password into the script (bad idea) it still does not work. Has anyone tested this and had it work?
0
