Solved

How do I run logon script with netsh command for all users?

Posted on 2009-07-07
2,630 Views
Last Modified: 2012-08-13
I have written a script that will create a bogus gateway for users that are members of the "NoInternet" security group. The script uses netsh commands to change the gateway. The script works perfectly when an administrator is logging into a workstation (i.e., when an administrator account is temporarily placed in the NoInternet group for testing purposes), but not when other members of the NoInternet security group log on. I suspect it has something to do with the permissions for running netsh commands. In each case the script starts to run, as evidenced by the pop-up message that is given by the script, but it only executes successfully with administrator credentials.

The script is run from the netlogon share as a logon script. Does the SYSTEM account not have permissions to run netsh commands? If not, how can I get this script to work for all users?

The script is a kix script.

; Adapter name as shown in Network Connections; adjust if the NIC is named differently
$NIC = "Local Area Connection"

IF INGROUP("nointernet") = 1
    MESSAGEBOX ("You have lost internet privileges. If you feel this is a mistake, or do not know the reason why, please contact a teacher or computer lab instructor.", "LOSS OF INTERNET PRIVILEGE", 0, 60)

    ; Point the default gateway at an unreachable address.
    ; netsh changes the adapter configuration and needs local administrator rights.
    $nointernetcmd = "netsh interface ip set address name=" + chr(34) + $NIC + chr(34) + " gateway=1.2.3.4 gwmetric=0"
    SHELL "%comspec% /c $nointernetcmd"
ELSE
    ; Only touch the adapter if a previous logon left the bogus gateway in place
    $gateway = ENUMIPINFO (0, 3, 1)
    IF $gateway = "1.2.3.4"
        ; Set a throwaway static configuration, then hand the adapter back to DHCP
        $staticcmd = "netsh interface ip set address name=" + chr(34) + $NIC + chr(34) + " static 10.0.0.0 255.255.255.0 10.1.1.1 1"
        $dhcpcmd = "netsh interface ip set address name=" + chr(34) + $NIC + chr(34) + " source=dhcp"

        SHELL "%comspec% /c $staticcmd"
        SHELL "%comspec% /c $dhcpcmd"
        SHELL "%comspec% /c ipconfig /release"
        SHELL "%comspec% /c ipconfig /renew"
    ENDIF
ENDIF

; Report the resulting gateway so the outcome is visible in the logon window
$gateway = ENUMIPINFO (0, 3, 1)
? "The current gateway is $gateway"

Question by:quiet_tree
8 Comments
 
LVL 1

Expert Comment

by:tojo2k
ID: 24797130
SYSTEM does have the right to run netsh, but if you run the script as a logon script, then it is being run under the profile of the currently logged-in user. If you want it to run under the SYSTEM account, then you should change it to a startup script.
 
LVL 5

Accepted Solution

by:
tdukie13 earned 1500 total points
ID: 24797177
What about using group policy?

Setup a bogus proxy server and disable the connections page under Internet Options.

Best,
T
 

Author Comment

by:quiet_tree
ID: 24797178
This script will not work as a startup script. The script needs to know who is logging on in order to do what it has to do.
 
LVL 4

Expert Comment

by:andrewc2189
ID: 24797384
I am monitoring this question and I don't have time to write out a full and proper response at the moment, but just a quick comment. I believe you could get this to work if you gave permission to the group of users in NoInternet to "%SystemRoot%\system32\netsh.exe". By default only SYSTEM and the Administrators group have access to it. I believe you could write a startup script to change this. However, I would bear in mind that they would retain access to the netsh command past login, and it is a very powerful utility. There may be a safer, more secure way to accomplish your goal, like a previous expert has said.
 
LVL 19

Expert Comment

by:deroode
ID: 24797422
You can use the CPAU tool to run the netsh.exe command with different credentials. This is especially useful if your workstations have identical local administrator accounts and passwords.

http://www.joeware.net/freetools/tools/cpau/usage.htm

First, experiment with the settings; when you're comfortable that this works, you can create an encrypted job file so that the admin credentials aren't visible in the kix script.
 
LVL 1

Expert Comment

by:tojo2k
ID: 24797554
Of course, if you give people the rights to use netsh, they can just undo your script.
 
LVL 14

Expert Comment

by:Robin CM
ID: 24824130
If you use ISA to control your internet access then you don't need to use a script at all.

Also, depending on how big your network is, having a broken gateway will do more than just break internet access, it will break all network access.
 

Author Closing Comment

by:quiet_tree
ID: 31600745
I've decided to create an OU to place user accounts that have lost internet privileges, and to link a GPO that sets a bogus proxy server and port to this OU. User accounts can be easily moved in and out of this OU. The one downside to this is that the GPO will only control MS Internet Explorer. I will have to make sure that other browsers cannot be installed.
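The OU-plus-GPO arrangement the asker settled on, scripted with the RSAT ActiveDirectory and GroupPolicy modules instead of the GPMC GUI. This is an added example, not code from the thread or from any poster. The OU name, GPO name and default restore container are placeholders chosen here; the registry paths are the ones Internet Explorer reads for policy-enforced proxy settings and for the "Disable the Connections page" and "Prevent changing proxy settings" policies, and the proxy value is an assumption of this example (127.0.0.1 on the TCP discard port, which fails locally and, unlike the bogus gateway in the original script, does not break the rest of the workstation's network access). Run it once as a domain administrator on a machine with the RSAT modules installed.

```powershell
# Added example: OU + GPO that forces a non-working proxy on users placed in the OU.
# Assumes RSAT ActiveDirectory and GroupPolicy modules and domain-admin rights.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$DomainDN   = (Get-ADDomain).DistinguishedName
$OuName     = 'NoInternet'                         # placeholder OU name
$OuDN       = "OU=$OuName,$DomainDN"
$GpoName    = 'Restrict Internet - Bogus Proxy'    # placeholder GPO name
$BogusProxy = '127.0.0.1:9'                        # assumption: loopback discard port, fails fast

# 1. The OU that user objects are moved into (revoke) and out of (restore).
#    Because the policy is user-side, it follows the user to any workstation.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'" -SearchBase $DomainDN -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $OuName -Path $DomainDN -ProtectedFromAccidentalDeletion $true
}

# 2. The GPO, created only if it does not already exist.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }

# Policy-hive proxy settings for WinINet/Internet Explorer (user configuration).
$ieSettings = 'HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
Set-GPRegistryValue -Name $GpoName -Key $ieSettings -ValueName ProxyEnable -Type DWord  -Value 1           | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $ieSettings -ValueName ProxyServer -Type String -Value $BogusProxy | Out-Null

# Lock the UI so the user cannot undo it: hide the Connections tab and block proxy changes.
$ieControlPanel = 'HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel'
Set-GPRegistryValue -Name $GpoName -Key $ieControlPanel -ValueName ConnectionsTab -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $ieControlPanel -ValueName Proxy          -Type DWord -Value 1 | Out-Null

# 3. Link the GPO to the OU exactly once.
$alreadyLinked = (Get-GPInheritance -Target $OuDN).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
if (-not $alreadyLinked) { New-GPLink -Name $GpoName -Target $OuDN -LinkEnabled Yes | Out-Null }

# 4. Day-to-day toggle: move the user object in or out of the OU.
function Set-InternetPrivilege {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][ValidateSet('Revoke', 'Restore')][string]$Action,
        [string]$RestoreContainer = "CN=Users,$DomainDN"   # placeholder: where restored users go back to
    )
    $user   = Get-ADUser -Identity $SamAccountName
    $target = if ($Action -eq 'Revoke') { $OuDN } else { $RestoreContainer }
    Move-ADObject -Identity $user.DistinguishedName -TargetPath $target
    # The new policy takes effect at the user's next logon (or after gpupdate /force).
}

# Usage: Set-InternetPrivilege -SamAccountName 'jdoe' -Action Revoke
#        Set-InternetPrivilege -SamAccountName 'jdoe' -Action Restore
```

Two practical notes. Set-GPRegistryValue writes the values as registry policy, so they are removed when the user object leaves the OU and the GPO no longer applies; values written to the non-Policies Internet Settings key would instead stick ("tattoo") after the move. And, as the closing comment says, this only governs software that honours the WinINet proxy settings (Internet Explorer and anything that follows the system proxy), so pairing it with a software-restriction or AppLocker policy that blocks other browsers is what makes the restriction hold.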
