How do I run logon script with netsh command for all users?

I have written a script that will create a bogus gateway for users that are members of the "NoInternet" security group. The script uses netsh commands to change the gateway. The script works perfectly when an administrator is logging into a workstation (i.e., when an administrator account is temporarily placed in the NoInternet group for testing purposes), but not when other members of the NoInternet security group log on. I suspect it has something to do with the permissions for running netsh commands. In each case the script starts to run, as evidenced by the pop-up message that is given by the script, but it only executes successfully with administrator credentials.

The script is run from the netlogon share as a logon script. Does the SYSTEM account not have permissions to run netsh commands? If not, how can I get this script to work for all users?

The script is a kix script.

    ; Name of the adapter whose gateway is changed
    $NIC = "Local Area Connection"

    IF INGROUP("nointernet") = 1
        ; Member of the NoInternet group: warn the user, then point the
        ; default gateway at a bogus address so nothing routes off-subnet
        MESSAGEBOX ("You have lost internet privileges. If you feel this is a mistake, or do not know the reason why, please contact a teacher or computer lab instructor.", "LOSS OF INTERNET PRIVILEGE", 0, 60)

        $nointernetcmd = "netsh interface ip set address name=" + chr(34) + $NIC + chr(34) + " gateway=1.2.3.4 gwmetric=0"

        ; KiXtart expands $nointernetcmd inside the double-quoted string
        shell "%comspec% /c $nointernetcmd"
    ELSE
        ; Not in the group: if a previous run left the bogus gateway behind,
        ; set a temporary static address (to clear it) and then go back to DHCP
        $gateway = ENUMIPINFO (0, 3, 1)
        IF $gateway = "1.2.3.4"
            $staticcmd = "netsh interface ip set address name=" + chr(34) + $NIC + chr(34) + " static 10.0.0.0 255.255.255.0 10.1.1.1 1"
            $dhcpcmd = "netsh interface ip set address name=" + chr(34) + $NIC + chr(34) + " source=dhcp"

            shell "%comspec% /c $staticcmd"
            shell "%comspec% /c $dhcpcmd"
            shell "%comspec% /c ipconfig /release"
            shell "%comspec% /c ipconfig /renew"
        ENDIF
    ENDIF

    ; Report the gateway in effect after the changes above
    $gateway = ENUMIPINFO (0, 3, 1)
    ? "The current gateway is $gateway"


quiet_treeAsked:

tojo2kCommented:
SYSTEM does have the right to run netsh, but if you run the script as a logon script, then it is being run under the profile of the currently logged in user.  If  you want it to run under the SYSTEM account then you should change it to a startup script.
0
tdukie13Commented:
What about using group policy?

Set up a bogus proxy server and disable the Connections page under Internet Options.

Best,
T
0

quiet_treeAuthor Commented:
This script will not work as a startup script. The script needs to know who is logging on in order to do what it has to do.
0

andrewc2189Commented:
I am monitoring this question and I don't have time to write out a full and proper response at the moment, but just a quick comment. I believe you could get this to work if you gave permission to the group of users in NoInternet to "%SystemRoot%\system32\netsh.exe". By default only SYSTEM and the Administrators group have access to it. I believe you could write a startup script to change this. However, I would bear in mind that they would retain access to the netsh command past login and it is a very powerful utility. There may be a safer, more secure way to accomplish your goal, like a previous expert has said.
0
deroodeSystems AdministratorCommented:
You can use the CPAU tool to run the netsh.exe command with different credentials. This is especially useful if your workstations have identical local administrator accounts and passwords.

http://www.joeware.net/freetools/tools/cpau/usage.htm

First, experiment with the settings; when you're comfortable that this works you can create an encrypted job file, so that the admin credentials aren't visible in the kix script.
0
tojo2kCommented:
Of course, if you give people the rights to use netsh, they can just undo your script.
0
Robin CMSenior Security and Infrastructure EngineerCommented:
If you use ISA to control your internet access then you don't need to use a script at all.

Also, depending on how big your network is, having a broken gateway will do more than just break internet access, it will break all network access.
0
quiet_treeAuthor Commented:
I've decided to create an OU to place user accounts that have lost internet privileges, and to link a GPO that sets a bogus proxy server and port to this OU. User accounts can be easily moved in and out of this OU. The one down-side to this is that the GPO will only control MS Internet Explorer. I will have to make sure that other browsers cannot be installed.
0
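The thread turns on two checks: which identity a logon script actually runs as (tojo2k's point that it is the logged-on user, not SYSTEM, so netsh "set address" fails for non-administrators), and whether the proxy-based GPO the author settled on has applied without leaving the old bogus gateway behind (Robin CM's warning that a broken gateway breaks all network access, not just web access). The PowerShell diagnostic below is an added example written for this page; it is not code from the question or from any of the answers. It only reads state and changes nothing. It assumes the group is named "NoInternet" as in the thread, that the bogus gateway is 1.2.3.4 from the KiX script, and that the GPO writes the standard IE policy registry locations (the Control Panel key's ConnectionsTab and Proxy values, and the Internet Settings policy key's ProxyEnable/ProxyServer); if your GPO uses a different mechanism, adjust those paths.

```powershell
# Added diagnostic, not part of the original thread. Run it in the context of
# the user under test (for example from a logon script or from that user's
# session) and compare the output between an administrator and a NoInternet
# member to see why the netsh-based script behaved differently.

# 1. Identity: who is this running as, and is it an administrator?
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# Translate group SIDs to names and look for the NoInternet group (name from the thread)
$groupNames = $identity.Groups | ForEach-Object {
    try { $_.Translate([Security.Principal.NTAccount]).Value } catch { $null }
}
$inNoInternet = [bool]($groupNames | Where-Object { $_ -like '*\NoInternet' })

Write-Host "Running as         : $($identity.Name)"
Write-Host "Administrator      : $isAdmin"
Write-Host "NoInternet member  : $inNoInternet"

# 2. Proxy lockdown state. Assumed policy locations (standard IE policy keys):
#    Control Panel\ConnectionsTab = 1 hides the Connections page
#    Control Panel\Proxy          = 1 blocks changes to proxy settings
#    Internet Settings policy key carries the enforced ProxyEnable/ProxyServer
$cpKey    = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'
$proxyKey = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    if (Test-Path $Path) {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    }
}

$connectionsTab = Get-RegValue $cpKey    'ConnectionsTab'
$proxyLocked    = Get-RegValue $cpKey    'Proxy'
$proxyEnable    = Get-RegValue $proxyKey 'ProxyEnable'
$proxyServer    = Get-RegValue $proxyKey 'ProxyServer'

Write-Host "ConnectionsTab hidden : $($connectionsTab -eq 1)"
Write-Host "Proxy change blocked  : $($proxyLocked -eq 1)"
Write-Host "Policy ProxyEnable    : $proxyEnable"
Write-Host "Policy ProxyServer    : $proxyServer"

# A NoInternet member should see the proxy policy applied; anyone else should not
if ($inNoInternet -and ($proxyEnable -ne 1 -or -not $proxyServer)) {
    Write-Warning "NoInternet member but proxy policy has not applied (check OU placement / gpupdate)."
}
if (-not $inNoInternet -and $proxyEnable -eq 1) {
    Write-Warning "Proxy policy applied to a user who is not in NoInternet."
}

# 3. Leftover bogus gateway from the old netsh script. WMI works on older
#    Windows versions where the Get-Net* cmdlets are not available.
$bogusGateway = '1.2.3.4'
$gateways = Get-WmiObject Win32_NetworkAdapterConfiguration |
    Where-Object { $_.IPEnabled -and $_.DefaultIPGateway } |
    ForEach-Object { $_.DefaultIPGateway }

Write-Host "Default gateways      : $($gateways -join ', ')"
if ($gateways -contains $bogusGateway) {
    Write-Warning "Bogus gateway $bogusGateway still set: this breaks all off-subnet access, not just web browsing."
}
```

Read the first block of output as the explanation for the original symptom: when "Administrator : False", the netsh "set address" call in the KiX script has no right to change the adapter, which is exactly the case for an ordinary NoInternet member. The gateway check is worth keeping in place for a while after switching to the GPO approach, since any workstation that ran the old script and has not since reverted to DHCP will still carry the 1.2.3.4 gateway.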
Windows Server 2003