Logon script users have no permissions?

Posted on 2010-01-06
Last Modified: 2012-05-08
The problem I'm facing is that certain commands cannot be run using logon scripts because the user does not have permission to run them.

Without using a startup script, can someone show me a workaround or something?
Question by:snyderkv
    LVL 37

    Assisted Solution

    Kindly give examples of what it is you need to do that you can't.
    LVL 58

    Assisted Solution


    There isn't an easy workaround.

    Logon scripts run in the context of the locally logged on user, whereas startup scripts run in the security context of the computer account.

    If the user logging in doesn't have administrator privileges, certain commands which require those rights will not be available, and the script will fail to apply.

    You would either need to give users the appropriate rights to run the commands (risky), move the command to a startup script or use some sort of "runas" function to run the command in the logon script as an administrator.

    The first and last options are risky. You don't generally want users running around with administrator rights and the runas option would require an administrator password to be stored - and accessible - to the users in plain text. This is a major security hole.

    Why can't you move the command to a startup script?

    LVL 5

    Assisted Solution

    We use the RunAs tool named TqcRunas.

    It's also possible to compile a batch file and scramble the password inside the batch file.

    However, if it is possible, it's best to create a startup script. What do you want to do in your logon script?

    Author Comment

    Local admin based on the currently logged-on user's Active Directory dept field or att extension ... don't know

    Author Comment

    Thanks I will try TQCRunas
    LVL 18

    Assisted Solution

    Any time you need to put domain user credentials in a file, it is high maintenance and also risky. It may also violate your company policy or Active Directory policy when it comes to auditing.
    When a user does not have the appropriate permission to run a command, it usually has to do with configuration or installation that requires admin rights. Usually a startup script, as Matt suggested, can be used as a workaround. Another alternative, if you use it, is SMS, now called SCCM. But knowing exactly what you are trying to do would probably help, as many system configurations can also be done via GPO.
    LVL 5

    Expert Comment

    Another option is to use AD to run installations per user. That means that only users in a specific AD group get the installations. These can be elevated, such that the local SYSTEM account runs them. It requires a fair amount of knowledge to build installations like this, using Windows Installer technology.

    Accepted Solution

    For example,

    net localgroup administrators /add. Users cannot run batch or VBS files that perform functions that require admin privileges.

    Americom, that's not an issue. I will try tqcrunas. Thanks
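The thread's advice is to do privileged work such as "net localgroup administrators /add" from a startup script (computer account / SYSTEM context) rather than a logon script, and never to embed an admin password for a RunAs tool. The following PowerShell script is an added example, not code from the thread or from any of the participants, showing what that looks like for the asker's goal of granting local admin based on a user's AD department field. It first checks that it actually holds administrator rights (the check a logon script run by a standard user fails), then reads the user's "department" attribute over ADSI with the value escaped before it goes into the LDAP filter, and only then runs the net localgroup command. It goes beyond the thread in two ways: it uses an allow-list of departments rather than a single value, and it escapes the LDAP filter. The NetBIOS domain name, the department value and the account names are assumptions supplied as parameters; a startup script runs before anyone logs on, so the account to evaluate must be passed in rather than discovered from the session.

```powershell
<#
  Added example (not from the original thread): department-gated local admin
  grant meant to run where it already has admin rights, i.e. a GPO startup
  script under the computer account (SYSTEM), not a logon script.
  Assumptions: -Domain is the NetBIOS domain name (e.g. CORP), and the
  department allow-list and account names are illustrative placeholders.
#>
param(
    [Parameter(Mandatory = $true)][string]$SamAccountName,   # user to evaluate
    [Parameter(Mandatory = $true)][string]$Domain,           # NetBIOS name, assumption
    [string[]]$AllowedDepartments = @('Desktop Support')     # assumption
)

# 1. Refuse to continue unless the current token holds administrator rights.
#    In a logon script run by a standard user this is the point where
#    'net localgroup Administrators ... /add' would fail with "Access is denied".
function Test-IsElevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}
if (-not (Test-IsElevated)) {
    $who = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    Write-Error "Running as '$who' without administrator rights. Run this as a startup script (computer context), not a logon script."
    exit 1
}

# 2. Escape the account name before placing it in an LDAP filter (RFC 4515),
#    so a crafted name cannot change the query.
function ConvertTo-LdapFilterValue([string]$Value) {
    $sb = New-Object Text.StringBuilder
    foreach ($c in $Value.ToCharArray()) {
        switch ($c) {
            '\'  { [void]$sb.Append('\5c') }
            '*'  { [void]$sb.Append('\2a') }
            '('  { [void]$sb.Append('\28') }
            ')'  { [void]$sb.Append('\29') }
            "`0" { [void]$sb.Append('\00') }
            default { [void]$sb.Append($c) }
        }
    }
    return $sb.ToString()
}

# 3. Read the user's 'department' attribute with plain ADSI (no RSAT module needed).
$rootDse  = [ADSI]'LDAP://RootDSE'
$searcher = New-Object DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
$safeName = ConvertTo-LdapFilterValue $SamAccountName
$searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$safeName))"
[void]$searcher.PropertiesToLoad.Add('department')
$hit = $searcher.FindOne()
if ($null -eq $hit) {
    Write-Error "Account '$Domain\$SamAccountName' not found in AD."
    exit 1
}
$department = ''
if ($hit.Properties['department'].Count -gt 0) {
    $department = [string]$hit.Properties['department'][0]
}

# 4. Grant only when the department is on the allow-list, and only once.
$member = "$Domain\$SamAccountName"
if ($AllowedDepartments -notcontains $department) {
    Write-Output "'$member' is in department '$department'; no change made."
    exit 0
}
$current = net localgroup Administrators
if ($current -match ('^' + [regex]::Escape($member) + '$')) {
    Write-Output "'$member' is already a member of Administrators."
    exit 0
}
$null = net localgroup Administrators $member /add
if ($LASTEXITCODE -ne 0) {
    Write-Error "net localgroup failed with exit code $LASTEXITCODE."
    exit 1
}
Write-Output "Added '$member' to Administrators."
```

Run it from a startup script or any other SYSTEM/administrator context, e.g. `.\Grant-DeptLocalAdmin.ps1 -SamAccountName jdoe -Domain CORP`; launched from a standard user's logon script it stops at step 1 with a clear message instead of failing silently on the net command. The elevation check is what makes the failure mode visible; nothing in the script stores or needs a password, which is the point the thread makes against the RunAs approach.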

