Logon script users have no permissions?

The problem I'm facing is that certain commands cannot be run using logon scripts because the user does not have permissions to run the commands.

Without using a startup script, can someone show me a workaround or something?
Asked by: snyderkv
 
snyderkv (Author) commented:
For example,

net localgroup administrators /add. Users cannot run batch or vbs files that perform functions that require admin privileges.

Americom, that's not an issue. I will try tqcrunas. Thanks




 
Neil Russell (Technical Development Lead) commented:
Kindly give examples of what it is you need to do that you can't.
 
tigermatt commented:

There isn't an easy workaround.

Logon scripts run in the context of the locally logged on user, whereas startup scripts run in the security context of the computer account.

If the user logging in doesn't have administrator privileges, certain commands which require those rights will not be available, and the script will fail to apply.

You would either need to give users the appropriate rights to run the commands (risky), move the command to a startup script or use some sort of "runas" function to run the command in the logon script as an administrator.

The first and last options are risky. You don't generally want users running around with administrator rights and the runas option would require an administrator password to be stored - and accessible - to the users in plain text. This is a major security hole.

Why can't you move the command to a startup script?

-Matt
 
Netcraft commented:
We use the RunAs tool named TqcRunas.

It's also possible to compile a batchfile and scramble the password inside the batchfile.
http://www.robvanderwoude.com/scriptcompilers.php

However, if it is possible, it's best to create a startup-script. What do you want to do in your logonscript?
 
snyderkv (Author) commented:
Local admin based on currently logged on user's Active Directory dept field or att extension ... don't know
 
snyderkv (Author) commented:
Thanks, I will try TQCRunas
 
Americom commented:
Any time you need to put a domain user credential in any file, it would be high maintenance and also risky. It may also violate your company policy or Active Directory policy when it comes to auditing.
When a user does not have the appropriate permission to run a command, it usually has to do with configuration or installation which requires admin rights to run. Usually a startup script, as Matt suggested, can be used as a workaround. Another alternative is if you use SMS, now called SCCM. But knowing exactly what you are trying to do would probably help, as many system configurations can also be done via GPO.
 
Netcraft commented:
Another option is to use AD to run installations per-user. That means that only users in a specific AD-group get the installations. These can be elevated, such that the local system-account runs these. It requires a fair amount of knowledge to build installations like this, using Windows Installer technology.
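
Several replies above warn that a "runas"-style workaround leaves an administrator credential in a script or wrapper that every user can read. The following PowerShell is an added example, not part of the original thread, showing one way to audit existing logon scripts for lines that embed or cache credentials; the rule set, account name, server name, `$ScriptDir` and the sample script text are constructed for illustration.

```powershell
# Added example (not from the thread): flag logon-script lines that embed or
# cache credentials. Rule names, account, server and sample text are constructed.
$CredentialRules = [ordered]@{
    'psexec with -u and -p'         = '(?i)\bpsexec(\.exe)?\b.*\s-u\s+\S+.*\s-p\s+\S+'
    'net use with inline password'  = '(?i)\bnet\s+use\b.*\\\\\S+\s+(?!\*)[^/\s]\S*\s+/user:'
    'runas /savecred'               = '(?i)\brunas(\.exe)?\b.*\s/savecred\b'
    'schtasks with /rp password'    = '(?i)\bschtasks(\.exe)?\b.*\s/rp\s+(?!\*)\S+'
    'password assigned to variable' = '(?i)^\s*set\s+"?\w*(pass|pwd)\w*\s*=\s*\S+'
}

function Find-EmbeddedCredential {
    param([string]$Name, [string[]]$Lines)
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        # Comment lines are scanned too: a commented-out password is still readable.
        foreach ($rule in $CredentialRules.GetEnumerator()) {
            if ($Lines[$i] -match $rule.Value) {
                # Report location and rule only, so the finding does not repeat the secret.
                [pscustomobject]@{ Script = $Name; Line = $i + 1; Rule = $rule.Key }
            }
        }
    }
}

# Constructed sample logon script (not taken from any real environment).
$sample = @'
@echo off
net use H: \\fs01\home\%USERNAME%
net use S: \\fs01\software Example-Pass1 /user:CORP\svc_install
rem psexec -u CORP\svc_install -p Example-Pass1 cmd /c setup.cmd
runas /savecred /user:CORP\svc_install setup.cmd
set ADMINPWD=Example-Pass1
'@ -split "`r?`n"

Find-EmbeddedCredential -Name 'logon.cmd (constructed)' -Lines $sample |
    Format-Table -AutoSize

# To scan real scripts, pass each file's lines, e.g. for a hypothetical $ScriptDir:
# Get-ChildItem $ScriptDir -Recurse -File | ForEach-Object {
#     Find-EmbeddedCredential -Name $_.FullName -Lines @(Get-Content -LiteralPath $_.FullName) }
```

A compiled or "scrambled" batch file will not match these text patterns, but its secret still has to be recoverable by a process running as the user, so treat such wrappers as carrying a plaintext credential and inventory them separately.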