How do I run logon script with netsh command for all users?

Posted on 2009-07-07
Last Modified: 2012-08-13
I have written a script that will create a bogus gateway for users that are members of the "NoInternet" security group. The script uses netsh commands to change the gateway. The script works perfectly when an administrator is logging into a workstation (i.e., when an administrator account is temporarily placed in the NoInternet group for testing purposes), but not when other members of the NoInternet security group log on. I suspect it has something to do with the permissions for running netsh commands. In each case the script starts to run, as evidenced by the pop-up message that is given by the script, but it only executes successfully with administrator credentials.

The script is run from the netlogon share as a logon script. Does the SYSTEM account not have permissions to run netsh commands? If not, how can I get this script to work for all users?

The script is a kix script.

; KiXtart logon script: replace the default gateway for members of NoInternet.
; Both IF blocks were missing their ENDIF in the original; they are closed here.
$NIC = "Local Area Connection"
IF INGROUP("nointernet") = 1
	MESSAGEBOX ("You have lost internet privileges. If you feel this is a mistake, or do not know the reason why, please contact a teacher or computer lab instructor.", "LOSS OF INTERNET PRIVILEGE", 0, 60)
	; Clear the gateway on the named interface (requires rights to change IP settings).
	$nointernetcmd = "netsh interface ip set address name=" + chr(34) + $NIC + chr(34) + " gateway= gwmetric=0"
	shell "%comspec% /c $nointernetcmd"
	; ENUMIPINFO(0, 3, 1): default gateway of the first adapter.
	$gateway = ENUMIPINFO (0, 3, 1)
	IF $gateway = ""
		; Gateway already empty: bounce the interface from static to DHCP and renew.
		$staticcmd = "netsh interface ip set address name=" + chr(34) + $NIC + chr(34) + " static 1"
		$dhcpcmd = "netsh interface ip set address name=" + chr(34) + $NIC + chr(34) + " source=dhcp"
		shell "%comspec% /c $staticcmd"
		shell "%comspec% /c $dhcpcmd"
		shell "%comspec% /c ipconfig /release"
		shell "%comspec% /c ipconfig /renew"
	ENDIF
ENDIF
$gateway = ENUMIPINFO (0, 3, 1)
? "The current gateway is $gateway"

Question by:quiet_tree

Expert Comment

ID: 24797130
SYSTEM does have the right to run netsh, but if you run the script as a logon script, then it is being run under the profile of the currently logged in user. If you want it to run under the SYSTEM account then you should change it to a startup script.

Accepted Solution

tdukie13 earned 1500 total points
ID: 24797177
What about using group policy?

Set up a bogus proxy server and disable the Connections page under Internet Options.


Author Comment

ID: 24797178
This script will not work as a startup script. The script needs to know who is logging on in order to do what it has to do.
Expert Comment

ID: 24797384
I am monitoring this question and I don't have time to write out a full and proper response at the moment, but just a quick comment. I believe you could get this to work if you gave permission to the group of users in NoInternet to "%SystemRoot%\system32\netsh.exe". By default only SYSTEM and the Administrators group have access to it. I believe you could write a startup script to change this. However, I would bear in mind that they would retain access to the netsh command past login, and it is a very powerful utility. There may be a safer, more secure way to accomplish your goal, like a previous expert has said.

Expert Comment

ID: 24797422
You can use the CPAU tool to run the netsh.exe command with different credentials. This is especially useful if your workstations have identical local administrator accounts and passwords.

First, experiment with the settings; when you're comfortable that this works you can create an encrypted job file, so that the admin credentials aren't visible in the kix script.

Expert Comment

ID: 24797554
Of course, if you give people the rights to use netsh, they can just undo your script.

Expert Comment

by:Robin CM
ID: 24824130
If you use ISA to control your internet access then you don't need to use a script at all.

Also, depending on how big your network is, having a broken gateway will do more than just break internet access, it will break all network access.

Author Closing Comment

ID: 31600745
I've decided to create an OU to place user accounts that have lost internet privileges, and to link a GPO that sets a bogus proxy server and port to this OU. User accounts can be easily moved in and out of this OU. The one downside to this is that the GPO will only control MS Internet Explorer. I will have to make sure that other browsers cannot be installed.
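The accepted solution and the closing comment replace the netsh approach with a GPO-applied bogus proxy plus a locked Connections page. As an added example (not code from the thread), the following PowerShell runs in an ordinary user's logon context, with no elevation, and checks whether that policy actually took effect for a NoInternet member. It assumes the group name "NoInternet" from the thread, the standard Internet Settings and Internet Explorer policy registry locations, and a placeholder proxy value "127.0.0.1:9" standing in for whatever bogus host:port the GPO sets.

```powershell
# Added example, not from the thread. Assumptions: group "NoInternet" (from the
# thread); IE proxy values under the standard Internet Settings key; the GPO's
# "Disable the Connections page" value under the IE Control Panel policy key;
# "127.0.0.1:9" is a placeholder for the bogus proxy the GPO configures.
$GroupName     = 'NoInternet'
$ExpectedProxy = '127.0.0.1:9'   # placeholder: use the host:port your GPO sets

# Group membership is read from the logon token, so no netsh or AD rights are needed.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$inGroup  = $identity.Groups |
    ForEach-Object {
        try { $_.Translate([System.Security.Principal.NTAccount]).Value } catch { $null }
    } |
    Where-Object { $_ -and ($_.Split('\')[-1] -ieq $GroupName) } |
    Select-Object -First 1

# Effective proxy values for this user (what the GPO should have written).
$inetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
# Policy key that backs "Disable the Connections page" (ConnectionsTab = 1).
$ctlKey  = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'
$proxy   = Get-ItemProperty -Path $inetKey -ErrorAction SilentlyContinue
$control = Get-ItemProperty -Path $ctlKey  -ErrorAction SilentlyContinue

$result = [pscustomobject]@{
    User              = $identity.Name
    InNoInternet      = [bool]$inGroup
    ProxyEnabled      = ($proxy.ProxyEnable -eq 1)
    ProxyServer       = $proxy.ProxyServer
    ProxyMatches      = ($proxy.ProxyServer -eq $ExpectedProxy)
    ConnectionsTabOff = ($control.ConnectionsTab -eq 1)
}

# The case worth flagging: a NoInternet member whose lockdown did not apply
# (account not yet moved into the OU, policy not refreshed, GPO not linked).
$locked = $result.ProxyEnabled -and $result.ProxyMatches -and $result.ConnectionsTabOff
if ($result.InNoInternet -and -not $locked) {
    Write-Warning "NoInternet member but proxy lockdown is not in effect:`n$($result | Out-String)"
} else {
    $result
}
```

Running this as a logon script for the NoInternet OU gives a per-user record of whether the GPO applied, which the netsh script in the question could not report because it failed before changing anything.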