Logon script users have no permissions?

Posted on 2010-01-06
Medium Priority
Last Modified: 2012-05-08
The problem I'm facing is that certain commands cannot be run from logon scripts because the user does not have permission to run them.

Without using a startup script, can someone show me a workaround or something?
Question by:snyderkv
LVL 37

Assisted Solution

by:Neil Russell
Neil Russell earned 300 total points
ID: 26189014
Kindly give examples of what it is you need to do that you can't.
LVL 58

Assisted Solution

tigermatt earned 300 total points
ID: 26189029

There isn't an easy workaround.

Logon scripts run in the context of the locally logged on user, whereas startup scripts run in the security context of the computer account.

If the user logging in doesn't have administrator privileges, certain commands which require those rights will not be available, and the script will fail to apply.

You would either need to give users the appropriate rights to run the commands (risky), move the command to a startup script or use some sort of "runas" function to run the command in the logon script as an administrator.

The first and last options are risky. You don't generally want users running around with administrator rights and the runas option would require an administrator password to be stored - and accessible - to the users in plain text. This is a major security hole.

Why can't you move the command to a startup script?


Assisted Solution

Netcraft earned 1100 total points
ID: 26189183
We use the RunAs tool named TqcRunas.

It's also possible to compile a batch file and scramble the password inside the batch file.

However, if it is possible, it's best to create a startup script. What do you want to do in your logon script?


Author Comment

ID: 26189288
Local admin based on the currently logged-on user's Active Directory dept field or att extension ... don't know

Author Comment

ID: 26189292
Thanks I will try TQCRunas
LVL 18

Assisted Solution

Americom earned 300 total points
ID: 26190721
Any time you need to put a domain user credential in any file, it is high maintenance and also risky. It may also violate your company policy or Active Directory policy when it comes to auditing.
When a user does not have the appropriate permission to run a command, it usually has to do with configuration or installation that requires admin rights to run. Usually a startup script, as Matt suggested, can be used as a workaround. Another alternative is SMS (now called SCCM), if you use it. But knowing exactly what you are trying to do would probably help, as many system configurations can also be done via GPO.

Expert Comment

ID: 26195474
Another option is to use AD to run installations per user. That means that only users in a specific AD group get the installations. These can be elevated, such that the local SYSTEM account runs them. It requires a fair amount of knowledge to build installations like this, using Windows Installer technology.

Accepted Solution

snyderkv earned 0 total points
ID: 26196877
For example,

net localgroup administrators /add. Users cannot run batch or VBS files that perform functions that require admin privileges.

Americom, that's not an issue. I will try TqcRunas. Thanks
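Added example, not part of the original thread or any poster's code: a computer startup script that does the "net localgroup administrators /add" from the accepted solution in the context tigermatt describes (the computer account, NT AUTHORITY\SYSTEM), so no administrator password is stored anywhere. Because a startup script runs before any user logs on, it cannot read the logged-on user's department; instead it assumes a department value on the computer object and a per-department domain group named "LocalAdmins-<Department>", with membership managed in AD. Both the attribute choice and the group-naming convention, as well as the NetBIOS domain name, the log path and the function names, are assumptions for illustration, not something the thread specifies.

```powershell
# Startup script (runs as SYSTEM via GPO Computer Configuration > Scripts > Startup).
# Hypothetical settings; adjust to your directory.
$DomainNetBIOS = 'CORP'                                # assumed NetBIOS domain name
$LogPath       = 'C:\Windows\Temp\localadmin-startup.log'
$ErrorActionPreference = 'Stop'

function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Out-File -FilePath $LogPath -Append -Encoding ascii
}

# Refuse to run outside the computer account's context. A logon script launched as a
# standard user lands here and exits with a clear message instead of failing half-way.
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
if ($id.User.Value -ne 'S-1-5-18') {                   # well-known SID of NT AUTHORITY\SYSTEM
    Write-Log "Not running as SYSTEM (current: $($id.Name)); run this as a startup script."
    exit 1
}

# Look up this computer's own AD object with ADSI (no RSAT module needed) and read the
# assumed 'department' attribute that selects the group to grant.
$rootDse  = [ADSI]'LDAP://RootDSE'
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
$searcher.Filter     = "(&(objectCategory=computer)(sAMAccountName=$env:COMPUTERNAME`$))"
$null = $searcher.PropertiesToLoad.Add('department')
$me = $searcher.FindOne()
if (-not $me -or $me.Properties['department'].Count -eq 0) {
    Write-Log 'No department attribute on this computer object; nothing to do.'
    exit 0
}
$dept  = $me.Properties['department'][0]
$group = "$DomainNetBIOS\LocalAdmins-$dept"            # assumed naming convention

# Idempotent: only call /add when the group is not already a member.
$members = & net localgroup Administrators 2>&1
if ($members -match [regex]::Escape($group)) {
    Write-Log "$group is already a member of Administrators."
    exit 0
}
& net localgroup Administrators $group /add | Out-Null
if ($LASTEXITCODE -ne 0) {
    Write-Log "net localgroup failed with exit code $LASTEXITCODE for $group."
    exit $LASTEXITCODE
}
Write-Log "Added $group to the local Administrators group."
```

Granting a domain group rather than individual users keeps the privileged decision in AD, where group membership is auditable, and avoids both of the risky options tigermatt lists: no user gets standing administrator rights from the script itself, and no credential is embedded in it. The SID check at the top is the practical test of his point about security context: the same file run as a logon script under a standard user exits at that line.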


