Solved

Run a script with admin rights

Posted on 2009-04-07
17
393 Views
Last Modified: 2012-05-06
Dear All,
I already posted a question regarding a problem I face which is in the following:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_24283794.html
 In summary users need to have admin rights to run such a script, how to accomplish this since the users doesn't have admin rights on their machines? and I don't know their computer names?
0
Comment
Question by:mahmoud_2008
  • 9
  • 8
17 Comments
 
LVL 83

Expert Comment

by:oBdA
ID: 24085424
Use a GPO to apply a *computer* *startup* script to the machines in question. Unlike login scripts, startup scripts run in the system's security context, and the system has the necessary permissions to add files to the system32 folder.
0
 
LVL 1

Author Comment

by:mahmoud_2008
ID: 24088867
I did the following:
create a startup script at computers stratup with the following:
copy \\DC(IP)\netlogon\Filename1   c:\windows\system32
copy \\DC(IP)\netlogon\Filename2   c:\windows\system32
copy \\DC(IP)\netlogon\Filename3   c:\windows\system32
 apply this group policy for computers but still I couldn't see the files copied to the machines which I apply the froup policy into it, did I miss something?
0
 
LVL 83

Expert Comment

by:oBdA
ID: 24090207
The syntax looks okay. If the file names contain spaces, you need to enclose them in quotes, and you might want to take %Systemroot% instead of C:\Windows
Save the script as startup.cmd or whatever.cmd in the netlogon share, then set the policy to run (obviously replacing your.domain.local with your domain name)
\\your.domain.local\netlogon\startup.cmd
In addition, you might want to create a log file; if there is no file with the name of the script and the extension .log in %Systemroot%\Temp after a reboot of the machine, you need to check your event log and your group policies, because the script isn't running.

set LogFile=%Systemroot%\Temp\%~n0.log

>>"%LogFile%" echo %Date% %Time%: Startup script started

copy "\\DC(IP)\netlogon\Filename1" "%Systemroot%\system32" >>"%LogFile%"

copy "\\DC(IP)\netlogon\Filename2" "%Systemroot%\system32" >>"%LogFile%"

copy "\\DC(IP)\netlogon\Filename3" "%Systemroot%\system32" >>"%LogFile%"

Open in new window

0
 
LVL 1

Author Comment

by:mahmoud_2008
ID: 24093758
oBdA it display the following error messages:
Wed 04/08/2009  7:29:22.72: Startup script started
Access is denied.
Access is denied.
Access is denied.
Access is denied.
0
 
LVL 83

Expert Comment

by:oBdA
ID: 24099599
Try the following script, it will give you a detailed log about which permissions are missing.
Just adjust SourceFolder variable (no quotes around the path) and the source files (each file separated by a space from the next, quotes around each file name if it contains a space).
set LogFile=%Systemroot%\Temp\%~n0.log

>>"%LogFile%" echo %Date% %Time%: Startup script started

set SourceFolder=\\DC(IP)\netlogon

set SourceFiles="Filename 1" "Filename 2" "Filename 3"

set TargetFolder=%Systemroot%\system32

>>"%LogFile%" echo Profile: %UserProfile%

>>"%LogFile%" echo Source folder directory listing:

dir "%SourceFolder%" >>"%LogFile%" 2>&1

if errorlevel 1 (

  >>"%LogFile%" echo Unable to read from "%SourceFolder%"; exiting script.

  goto :eof

)

>>"%LogFile%" echo Target folder directory listing:

dir "%SourceFolder%" >>"%LogFile%" 2>&1

if errorlevel 1 (

  >>"%LogFile%" echo Unable to read from "%TargetFolder%"; exiting script.

  goto :eof

)

>>"%LogFile%" echo Testing write access to target folder:

copy "%~f0" "%TargetFolder%" >>"%LogFile%"

if errorlevel 1 (

  >>"%LogFile%" echo Unable to write to "%TargetFolder%"; current permissions:

  cacls "%TargetFolder%" >>"%LogFile%" 2>&1

  goto :eof

)

>>"%LogFile%" echo Permissions verified.

del "%TargetFolder%\%~nx0"

for %%a in (%SourceFiles%) do (

  >>"%LogFile%" echo Copying %%~a ...

  copy "%SourceFolder%\%%~a" "%TargetFolder%" >>"%LogFile%"

)

Open in new window

0
 
LVL 1

Author Comment

by:mahmoud_2008
ID: 24104502
Hi oBdA
I configure the script as below:

But it display the following error, even I I run login to the PC with a domain admin rights:
Thu 04/09/2009  8:32:45.53: Startup script started
Profile: C:\Documents and Settings\Default User
Source folder directory listing:
Access is denied.
Unable to read from "\\172.16.2.1\netlogon"; exiting script.




set LogFile=%Systemroot%\Temp\%~n0.log

>>"%LogFile%" echo %Date% %Time%: Startup script started

set SourceFolder=\\172.16.2.1\netlogon

set SourceFiles="piot2.dll" "xeres-c1.dll" "locale-1-20.dll"

set TargetFolder=%Systemroot%\system32

>>"%LogFile%" echo Profile: %UserProfile%

>>"%LogFile%" echo Source folder directory listing:

dir "%SourceFolder%" >>"%LogFile%" 2>&1

if errorlevel 1 (

  >>"%LogFile%" echo Unable to read from "%SourceFolder%"; exiting script.

  goto :eof

)

>>"%LogFile%" echo Target folder directory listing:

dir "%SourceFolder%" >>"%LogFile%" 2>&1

if errorlevel 1 (

  >>"%LogFile%" echo Unable to read from "%TargetFolder%"; exiting script.

  goto :eof

)

>>"%LogFile%" echo Testing write access to target folder:

copy "%~f0" "%TargetFolder%" >>"%LogFile%"

if errorlevel 1 (

  >>"%LogFile%" echo Unable to write to "%TargetFolder%"; current permissions:

  cacls "%TargetFolder%" >>"%LogFile%" 2>&1

  goto :eof

)

>>"%LogFile%" echo Permissions verified.

del "%TargetFolder%\%~nx0"

for %%a in (%SourceFiles%) do (

  >>"%LogFile%" echo Copying %%~a ...

  copy "%SourceFolder%\%%~a" "%TargetFolder%" >>"%LogFile%"

)

Open in new window

0
 
LVL 83

Expert Comment

by:oBdA
ID: 24104865
Then somebody changed the permissions of the netlogon folder. "Authenticated Users" have to have Read permissions (and this is configured by default), this is not the case with your netlogon share. You need to investigate what happened with these permissions, and change them back to their defaults.
This article might help, but make sure you have a working backup of your DC(s) should you decide to implement it:
Reapply Default SYSVOL Security Settings
http://technet.microsoft.com/en-us/library/cc816750.aspx
0
 
LVL 1

Author Comment

by:mahmoud_2008
ID: 24104993
Hi oBdA, and thanks for your support
I checked the permissions, there is everyone with Read only access on the NETLOGON folder, also I login with a domain admin rights to the PC and when I execute \\IP\netlogon  I was able to browse the folder and see the files.
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 
LVL 83

Expert Comment

by:oBdA
ID: 24105170
Create a share "Test" on your DC, share it as Test, and add "Authenticated Users" with Read permissions to this folder.
Put the files into this folder, and set SourceFolder to \\172.16.2.1\Test (see script below).
Try again.
set LogFile=%Systemroot%\Temp\%~n0.log

>>"%LogFile%" echo %Date% %Time%: Startup script started

>>"%LogFile%" echo Script: %~dpnx0

set SourceFolder=\\172.16.2.1\Test

set SourceFiles="piot2.dll" "xeres-c1.dll" "locale-1-20.dll"

set TargetFolder=%Systemroot%\system32

>>"%LogFile%" echo Profile: %UserProfile%

>>"%LogFile%" echo Source folder directory listing "%SourceFolder%":

dir "%SourceFolder%" >>"%LogFile%" 2>&1

if errorlevel 1 (

  >>"%LogFile%" echo Unable to read from "%SourceFolder%"; exiting script.

  goto :eof

)

>>"%LogFile%" echo Target folder directory listing:

dir "%SourceFolder%" >>"%LogFile%" 2>&1

if errorlevel 1 (

  >>"%LogFile%" echo Unable to read from "%TargetFolder%"; exiting script.

  goto :eof

)

>>"%LogFile%" echo Testing write access to target folder:

copy "%~f0" "%TargetFolder%" >>"%LogFile%"

if errorlevel 1 (

  >>"%LogFile%" echo Unable to write to "%TargetFolder%"; current permissions:

  cacls "%TargetFolder%" >>"%LogFile%" 2>&1

  goto :eof

)

>>"%LogFile%" echo Permissions verified.

del "%TargetFolder%\%~nx0"

for %%a in (%SourceFiles%) do (

  >>"%LogFile%" echo Copying %%~a ...

  copy "%SourceFolder%\%%~a" "%TargetFolder%" >>"%LogFile%"

)

Open in new window

0
 
LVL 1

Author Comment

by:mahmoud_2008
ID: 24105846
same error message, but now the folder change Unable to read from "\\172.16.2.1\test"; exiting script.
 strange problem !!!
0
 
LVL 83

Expert Comment

by:oBdA
ID: 24105910
Please post the complete log file.
0
 
LVL 1

Author Comment

by:mahmoud_2008
ID: 24106066
oBdA,
Even if I change the directory from %Systemroot%\system32  to c:\dell   I got the same error.

Thu 04/09/2009 10:06:52.24: Startup script started

Profile: C:\Documents and Settings\Default User

Source folder directory listing:

Access is denied.

Unable to read from "\\172.16.2.1\netlogon"; exiting script.

Thu 04/09/2009 14:24:25.12: Startup script started

Profile: C:\Documents and Settings\Default User

Source folder directory listing:

Access is denied.

Unable to read from "\\172.16.2.1\test"; exiting script.

Thu 04/09/2009 14:32:10.36: Startup script started

Profile: C:\Documents and Settings\Default User

Source folder directory listing:

Access is denied.

Unable to read from "\\172.16.2.1\test"; exiting script.

Thu 04/09/2009 14:38:43.60: Startup script started

Profile: C:\Documents and Settings\Default User

Source folder directory listing:

Access is denied.

Unable to read from "\\172.16.2.1\test"; exiting script.

Open in new window

0
 
LVL 83

Expert Comment

by:oBdA
ID: 24106297
Did you add "Authenticated Users" (NOT "Users" or "Domain Users") with Read permissions to the test folder?
Are the Share permissions configured to allow at least Read permissions to Everyone?
The *computer* *account* needs acccess to the shared folder (domain computers are members of Authenticated Users as well).
0
 
LVL 1

Author Comment

by:mahmoud_2008
ID: 24114653
Yes, I already checked it, but still I face the same issue.
oBdA,
if I collect the computer names, is it possible to install these files remotely on these computers using a domain admin privilages?
0
 
LVL 83

Accepted Solution

by:
oBdA earned 500 total points
ID: 24114728
Yes; simply put the machine names into a text file (one name per line). Define the location of this file in MachineFile. SourceFolder can be changed to a local folder on the machine you're running the script on.
The script will create a log file (<scriptname>.log) for copies to machines that were online, and another logfile (<scriptname>.err) with a list of machines that didn't react to a ping. Old logfiles will be deleted with each new start of the script.
Try it with a list test machines first.
@echo off

setlocal

set MachineFile=C:\Temp\test.txt

set SourceFolder=\\172.16.2.1\Test

set SourceFiles="piot2.dll" "xeres-c1.dll" "locale-1-20.dll"

set LogFile=%~nx0.log

set FailedFile=%~nx0.err

set TargetFolder=Admin$\system32

for %%a in ("%LogFile%" "%FailedFile%") do if exist "%%~a" del "%%~a"

for /f %%a in ('type "%MachineFile%"') do (

  ping -n 2 %%a | find /i "TTL" >NUL

  if errorlevel 1 (

    >>"%FailedFile%" echo %%a

  ) else (

    for %%f in (%SourceFiles%) do (

      >>"%LogFile%" echo -- %%a: copying %%f:

      copy "%SourceFolder%\%%~f" "\\%%a\%TargetFolder%" >>"%LogFile%"

    )

  )

)

Open in new window

0
 
LVL 1

Author Comment

by:mahmoud_2008
ID: 24114981
Thanks oBdA,
I will try it and inform.
0
 
LVL 1

Author Closing Comment

by:mahmoud_2008
ID: 31567405
Thanks for your support
0

Featured Post

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

Join & Write a Comment

by Batuhan Cetin Within the dynamic life of an IT administrator, we hold many information in our minds like user names, passwords, IDs, phone numbers, incomes, service tags, bills and the order from our wives to buy milk when coming back to home.…
A quick step-by-step overview of installing and configuring Carbonite Server Backup.
Illustrator's Shape Builder tool will let you combine shapes visually and interactively. This video shows the Mac version, but the tool works the same way in Windows. To follow along with this video, you can draw your own shapes or download the file…
Polish reports in Access so they look terrific. Take yourself to another level. Equations, Back Color, Alternate Back Color. Write easy VBA Code. Tighten space to use less pages. Launch report from a menu, considering criteria only when it is filled…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now