Solved

How do I run logon script with netsh command for all users?

Posted on 2009-07-07
Last Modified: 2012-08-13
I have written a script that will create a bogus gateway for users that are members of the "NoInternet" security group. The script uses netsh commands to change the gateway. The script works perfectly when an administrator is logging into a workstation (i.e., when an administrator account is temporarily placed in the NoInternet group for testing purposes), but not when other members of the NoInternet security group log on. I suspect it has something to do with the permissions for running netsh commands. In each case the script starts to run, as evidenced by the pop-up message that is given by the script, but it only executes successfully with administrator credentials.

The script is run from the netlogon share as a logon script. Does the SYSTEM account not have permissions to run netsh commands? If not, how can I get this script to work for all users?

The script is a kix script.

$NIC = "Local Area Connection"

IF INGROUP("nointernet") = 1
    ; Member of NoInternet: warn the user, then point the default gateway at a bogus address
    MESSAGEBOX ("You have lost internet privileges. If you feel this is a mistake, or do not know the reason why, please contact a teacher or computer lab instructor.", "LOSS OF INTERNET PRIVILEGE", 0, 60)

    $nointernetcmd = "netsh interface ip set address name=" + chr(34) + $NIC + chr(34) + " gateway=1.2.3.4 gwmetric=0"
    shell "%comspec% /c $nointernetcmd"
ELSE
    ; Not a member: if an earlier logon left the bogus gateway behind, put the adapter back on DHCP
    $gateway = ENUMIPINFO (0, 3, 1)
    IF $gateway = "1.2.3.4"
        $staticcmd = "netsh interface ip set address name=" + chr(34) + $NIC + chr(34) + " static 10.0.0.0 255.255.255.0 10.1.1.1 1"
        $dhcpcmd = "netsh interface ip set address name=" + chr(34) + $NIC + chr(34) + " source=dhcp"

        shell "%comspec% /c $staticcmd"
        shell "%comspec% /c $dhcpcmd"
        shell "%comspec% /c ipconfig /release"
        shell "%comspec% /c ipconfig /renew"
    ENDIF
ENDIF

; Report the gateway that is in effect after the changes above
$gateway = ENUMIPINFO (0, 3, 1)
? "The current gateway is $gateway"

Question by:quiet_tree
8 Comments
 
LVL 1

Expert Comment

by:tojo2k
ID: 24797130
SYSTEM does have the right to run netsh, but if you run the script as a logon script, then it is being run under the profile of the currently logged in user. If you want it to run under the SYSTEM account then you should change it to a startup script.
 
LVL 5

Accepted Solution

by:tdukie13 (earned 500 total points)
ID: 24797177
What about using group policy?

Setup a bogus proxy server and disable the connections page under Internet Options.

Best,
T
 

Author Comment

by:quiet_tree
ID: 24797178
This script will not work as a startup script. The script needs to know who is logging on in order to do what it has to do.
 
LVL 4

Expert Comment

by:andrewc2189
ID: 24797384
I am monitoring this question and I don't have time to write out a full and proper response at the moment, but just a quick comment. I believe you could get this to work if you gave permission to the group of users in NoInternet to "%SystemRoot%\system32\netsh.exe". By default only SYSTEM and the Administrators group have access to it. I believe you could write a startup script to change this. However, I would bear in mind that they would retain access to the netsh command past login, and it is a very powerful utility. There may be a safer, more secure way to accomplish your goal, like a previous expert has said.
 
LVL 19

Expert Comment

by:deroode
ID: 24797422
You can use the CPAU tool to run the netsh.exe command with different credentials. This is especially useful if your workstations have identical local administrator accounts and passwords.

http://www.joeware.net/freetools/tools/cpau/usage.htm

First, experiment with the settings; when you're comfortable that this works you can create an encrypted job file, so that the admin credentials aren't visible in the kix script.
 
LVL 1

Expert Comment

by:tojo2k
ID: 24797554
Of course, if you give people the rights to use netsh, they can just undo your script.
 
LVL 14

Expert Comment

by:robincm
ID: 24824130
If you use ISA to control your internet access then you don't need to use a script at all.

Also, depending on how big your network is, having a broken gateway will do more than just break internet access; it will break all network access.
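The caveat robincm raises, worked through as an added example that is not part of the thread: a small Python model of a host's forwarding decision on the 10.0.0.0/24 subnet the script uses, showing that the bogus 1.2.3.4 gateway black-holes every off-subnet destination, domain controllers and file servers included, not just internet hosts. Workstation, gateway and server addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class HostConfig:
    """IPv4 settings as netsh would leave them on the adapter."""
    ip: str
    netmask: str
    gateway: str

    @property
    def subnet(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(f"{self.ip}/{self.netmask}", strict=False)


def classify_route(cfg: HostConfig, dest: str) -> str:
    """Model the forwarding decision for one destination.

    'on-link'     : dest is in the local subnet, host can ARP for it directly
    'via-gateway' : dest is off-subnet and the default gateway is on-link
    'black-hole'  : dest is off-subnet but the gateway itself is not on-link,
                    so there is nothing to ARP for and the packet is dropped
    """
    subnet = cfg.subnet
    if ipaddress.ip_address(dest) in subnet:
        return "on-link"
    if ipaddress.ip_address(cfg.gateway) in subnet:
        return "via-gateway"
    return "black-hole"


def reachability(cfg: HostConfig, destinations: dict) -> dict:
    """Classify every named destination for the given host configuration."""
    return {name: classify_route(cfg, ip) for name, ip in destinations.items()}


# Constructed sample (not from the thread): servers a lab workstation relies on.
DESTINATIONS = {
    "file server (same subnet)": "10.0.0.20",
    "domain controller (other subnet)": "10.1.2.5",
    "internet host": "203.0.113.10",  # TEST-NET-3 documentation address
}
# Constructed workstation: normal gateway vs. the script's bogus 1.2.3.4.
NORMAL = HostConfig("10.0.0.50", "255.255.255.0", "10.0.0.1")
NO_INTERNET = HostConfig("10.0.0.50", "255.255.255.0", "1.2.3.4")

if __name__ == "__main__":
    for label, cfg in (("normal", NORMAL), ("bogus gateway", NO_INTERNET)):
        print(f"--- {label} (gateway {cfg.gateway}) ---")
        for name, verdict in reachability(cfg, DESTINATIONS).items():
            print(f"  {name:34s} {verdict}")
```

Only the same-subnet file server survives the bogus gateway; logon-time traffic to an off-subnet domain controller is dropped along with the internet traffic the script meant to block.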
 

Author Closing Comment

by:quiet_tree
ID: 31600745
I've decided to create an OU to place user accounts that have lost internet privileges, and to link a GPO that sets a bogus proxy server and port to this OU. User accounts can be easily moved in and out of this OU. The one downside to this is that the GPO will only control MS Internet Explorer. I will have to make sure that other browsers cannot be installed.
