Solved

How do I run logon script with netsh command for all users?

Posted on 2009-07-07
Last Modified: 2012-08-13
I have written a script that will create a bogus gateway for users that are members of the "NoInternet" security group. The script uses netsh commands to change the gateway. The script works perfectly when an administrator is logging into a workstation (i.e., when an administrator account is temporarily placed in the NoInternet group for testing purposes), but not when other members of the NoInternet security group log on. I suspect it has something to do with the permissions for running netsh commands. In each case the script starts to run, as evidenced by the pop-up message that is given by the script, but it only executes successfully with administrator credentials.

The script is run from the netlogon share as a logon script. Does the SYSTEM account not have permissions to run netsh commands? If not, how can I get this script to work for all users?

The script is a KiXtart (.kix) script.

; Name of the NIC whose default gateway is rewritten
$NIC = "Local Area Connection"

IF INGROUP("nointernet") = 1
    ; Member of NoInternet: warn the user, then point the default gateway at an unreachable address.
    ; Note: "netsh interface ip set address" changes the adapter configuration and needs
    ; administrative rights on the workstation; a logon script runs with the user's own token.
    MESSAGEBOX ("You have lost internet privileges. If you feel this is a mistake, or do not know the reason why, please contact a teacher or computer lab instructor.", "LOSS OF INTERNET PRIVILEGE", 0, 60)

    $nointernetcmd = "netsh interface ip set address name=" + CHR(34) + $NIC + CHR(34) + " gateway=1.2.3.4 gwmetric=0"
    SHELL "%comspec% /c $nointernetcmd"
ELSE
    ; Not a member: if the bogus gateway is still set from an earlier logon, put the NIC back on DHCP
    $gateway = ENUMIPINFO (0, 3, 1)
    IF $gateway = "1.2.3.4"
        ; Apply a temporary static configuration (values as posted), then return the NIC to DHCP and renew the lease
        $staticcmd = "netsh interface ip set address name=" + CHR(34) + $NIC + CHR(34) + " static 10.0.0.0 255.255.255.0 10.1.1.1 1"
        $dhcpcmd   = "netsh interface ip set address name=" + CHR(34) + $NIC + CHR(34) + " source=dhcp"

        SHELL "%comspec% /c $staticcmd"
        SHELL "%comspec% /c $dhcpcmd"
        SHELL "%comspec% /c ipconfig /release"
        SHELL "%comspec% /c ipconfig /renew"
    ENDIF
ENDIF

; Report the gateway that is in effect after the changes above
$gateway = ENUMIPINFO (0, 3, 1)
? "The current gateway is $gateway"


Question by: quiet_tree
8 Comments
 
LVL 1

Expert Comment

by:tojo2k
ID: 24797130
SYSTEM does have the right to run netsh, but if you run the script as a logon script, then it is being run under the profile of the currently logged-in user. If you want it to run under the SYSTEM account then you should change it to a startup script.

Accepted Solution

by: tdukie13 (earned 500 total points)
ID: 24797177
What about using group policy?

Setup a bogus proxy server and disable the connections page under Internet Options.

Best,
T

Author Comment

by:quiet_tree
ID: 24797178
This script will not work as a startup script. The script needs to know who is logging on in order to do what it has to do.

Expert Comment

by:andrewc2189
ID: 24797384
I am monitoring this question and I don't have time to write out a full and proper response at the moment, but just a quick comment. I believe you could get this to work if you gave permission to the group of users in NoInternet to "%SystemRoot%\system32\netsh.exe". By default only SYSTEM and the Administrators group have access to it. I believe you could write a startup script to change this. However, I would bear in mind that they would retain access to the netsh command past login, and it is a very powerful utility. There may be a safer, more secure way to accomplish your goal, as a previous expert has said.

Expert Comment

by:deroode
ID: 24797422
You can use the CPAU tool to run the netsh.exe command with different credentials. This is especially useful if your workstations have identical local administrator accounts and passwords.

http://www.joeware.net/freetools/tools/cpau/usage.htm

First, experiment with the settings; when you're comfortable that this works, you can create an encrypted job file so that the admin credentials aren't visible in the kix script.

Expert Comment

by:tojo2k
ID: 24797554
Of course, if you give people the rights to use netsh, they can just undo your script.

Expert Comment

by:robincm
ID: 24824130
If you use ISA to control your internet access then you don't need to use a script at all.

Also, depending on how big your network is, having a broken gateway will do more than just break internet access, it will break all network access.

Author Closing Comment

by:quiet_tree
ID: 31600745
I've decided to create an OU to place user accounts that have lost internet privileges, and to link a GPO that sets a bogus proxy server and port to this OU. User accounts can be easily moved in and out of this OU. The one downside to this is that the GPO will only control MS Internet Explorer. I will have to make sure that other browsers cannot be installed.
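The closing approach above (a GPO linked to an OU that sets a bogus proxy for the affected users) and tojo2k's point that a logon script runs with the logged-on user's own token are both straightforward to verify from the restricted account itself. The PowerShell below is an added example, not code from the thread or from Experts Exchange: it reports whether the current user is in the group, whether the user holds local-admin rights (the reason the netsh calls in the original script only succeeded for administrators), and whether the WinINET per-user proxy values and the Internet Explorer "Disable changing proxy settings" and "Disable the Connections page" policies have actually landed in HKCU. The group name NoInternet comes from the thread; the proxy value 127.0.0.1:9 and the assumption that the GPO writes the standard WinINET and Internet Explorer policy registry values are mine.

```powershell
# Added example (not from the thread): verify, from the user's own logon
# context, that the "bogus proxy" GPO is in effect and cannot be undone.
# Assumptions not stated on the page: the GPO writes the standard WinINET
# per-user proxy values and the IE Control Panel policies below; the proxy
# value 127.0.0.1:9 is a placeholder for whatever the GPO sets.

$GroupName     = 'NoInternet'
$ExpectedProxy = '127.0.0.1:9'   # placeholder bogus proxy:port configured by the GPO

function Test-NoInternetEnforcement {
    param(
        [string]$Group = $GroupName,
        [string]$Proxy = $ExpectedProxy
    )

    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity

    # A logon script runs under this token, so this is what decides whether
    # configuration changes such as "netsh interface ip set address" can succeed.
    $isAdmin = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # Group membership from the token's SIDs, translated to DOMAIN\name.
    $inGroup = $false
    foreach ($sid in $identity.Groups) {
        try {
            $name = $sid.Translate([Security.Principal.NTAccount]).Value
            if ($name -like "*\$Group") { $inGroup = $true; break }
        } catch { }   # well-known or orphaned SIDs that cannot be translated
    }

    # Per-user WinINET proxy values: what Internet Explorer (and anything else
    # using WinINET) obeys.
    $inet = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -ErrorAction SilentlyContinue
    $proxyEnabled = ($inet.ProxyEnable -eq 1)
    $proxyServer  = [string]$inet.ProxyServer

    # IE policies that stop the user from switching the proxy off again:
    # "Disable changing proxy settings" (Proxy=1) and
    # "Disable the Connections page" (ConnectionsTab=1).
    $cp = Get-ItemProperty -Path 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel' -ErrorAction SilentlyContinue
    $proxyLocked     = ($cp.Proxy -eq 1)
    $connectionsGone = ($cp.ConnectionsTab -eq 1)

    [pscustomobject]@{
        User              = $identity.Name
        IsLocalAdmin      = $isAdmin
        InNoInternetGroup = $inGroup
        ProxyEnabled      = $proxyEnabled
        ProxyServer       = $proxyServer
        ProxyAsExpected   = ($proxyEnabled -and $proxyServer -eq $Proxy)
        ProxyLockedByGPO  = $proxyLocked
        ConnectionsTabOff = $connectionsGone
        # Only count it as enforced when the user is in the group, the bogus
        # proxy is set, and the user is blocked from changing it back.
        Enforced          = ($inGroup -and $proxyEnabled -and $proxyServer -eq $Proxy -and $proxyLocked)
    }
}

Test-NoInternetEnforcement | Format-List
```

Run it as the restricted user, for example from a test logon after moving the account into the OU. Enforced only comes back True when the proxy is set and the user cannot change it; as the closing comment notes, these values bind only software that honours the WinINET per-user proxy, so a browser that carries its own proxy settings is not covered, and this check cannot see that either.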