Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

running VBS script with GPO question

Posted on 2010-11-12
12
Medium Priority
?
532 Views
Last Modified: 2012-05-10
Hi I am trying to get this VBS script working. It basically points to a .reg file that edits the registry so that Java will not update. I can run it and it works by just clicking on it but when I try to add it as a logon script in GPO it wont work. I stored the .vbs script and .reg file in the \\domaincontroller\sysvol folder. I tried adding it as a machine startup script and as a user logon script. What could I be doing wrong? Or does the script need to be edited to be a logon script? Thanks. The scripts added.

 RemoveJavaUpdate.reg
RemoveJavaUpdate.vbs
0
Comment
Question by:Thomas N
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
  • 3
  • +3
12 Comments
 
LVL 22

Expert Comment

by:Matt V
ID: 34122204
Did you do a gpupdate /force on teh target machine to make sure the GPO took effect?
0
 
LVL 17

Expert Comment

by:pjam
ID: 34122225
IMHO
In light of the current rash of JAVA viruses, i don't believe doing that is a good idea.
0
 
LVL 33

Accepted Solution

by:
Todd Gerbert earned 668 total points
ID: 34122256
1. Since the registry file is editing keys in HKEY_LOCAL_MACHINE it will need to be a machine startup script (if it runs as a user logon script it will do so with the users' credentials, and probably won't have permissions to edit those keys).

2. You might need to specify the full path to the registry file, e.g. wshShell.Run("c:\windows\RegEdit /s " & "\\dc\sysvol\RemoveJavaUpdate.reg")
0
Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

 
LVL 33

Expert Comment

by:Todd Gerbert
ID: 34122283
@pjam

I can empathize with the asker...in a domain environment where users don't have permissions to update Java, it's pretty annoying to have a field a million phone calls along the lines of "I keep getting a messages about coffee" - better to just not have the end-user see the update notifications.
0
 
LVL 4

Assisted Solution

by:patterned
patterned earned 664 total points
ID: 34122312
Add this file to C:\Windows\Inf
Open up a GPO, browse to Computer config/Administrative templates.
Right click administrative templates, and click add/remove templates.
Browse to the attached file and add it.
Under "Admin Templates" you should now see "Java Updates"
Right click Java Updates and go to View/Filtering.
On the bottom, uncheck the "Only Show policy settings that can be fully managed"
Click ok.
Click back into Java Updates directory, and enable all the settings within that template.
0
 
LVL 4

Expert Comment

by:patterned
ID: 34122328
Sorry, EE filtered that file extension.

Download the attached file and change the extension to ".ADM"
Disable-Java-Updates.txt
0
 
LVL 4

Expert Comment

by:patterned
ID: 34122383
I'm with tgerbert on this one, as well.
I got nagging remarks from all my end users until I finally pushed these registry fixes.
Without system file permissions, my users are relatively safe, and any virus/malware that does get in is easily dealt with.

Unless these Java flaws somehow grant access, which would be slightly retarded.  Thanks Oracle for all you have done. /sarcasm
0
 

Author Comment

by:Thomas N
ID: 34122940
Thanks. I think I need to try tgerberts suggestion and point the full path to the reg file. If it does not work I will try patterned's idea.
0
 

Author Comment

by:Thomas N
ID: 34123290
Can someone tell me if I put in a startup script for a machine, if I make a change the machine will run the script again on startup..correct? I dont have to do anything else.
0
 
LVL 33

Expert Comment

by:Todd Gerbert
ID: 34123296
Correct.
0
 

Author Comment

by:Thomas N
ID: 34123367
It did not work but if I go to the actual sysvol folder on the DC that is holding the script and just click on it...it works. For some reason as a startup script it doesnt work.

Patterned: On your ADM file you say I need to add the file to the  c:\windows\inf folder. Is this on the DC or somewhere else?
0
 
LVL 16

Assisted Solution

by:ThinkPaper
ThinkPaper earned 668 total points
ID: 34123665
Simpler yet, just do a 1 time push to all workstations. This way you don't have to depend on the machine rebooting (whenever that occurs). You can use a remote tool such as Microsoft' psexec to push the reg files to all machines in one sweep.

psexec @computer.txt -u domainname\AdminAcctName -p Password regedit /s "\\server\share\RemoveJavaUpdate.reg"

conditions:
computer.txt is the text file containing the list of workstations or IPs per line.
RemoveJavaUpdate.reg is saved on a SHARE where all machines have access to read/execute.

It should return an error code of 0, assuming it succeeds. Test this out on a few machine to verify it works.

http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx
0

Featured Post

Ransomware: The New Cyber Threat & How to Stop It

This infographic explains ransomware, type of malware that blocks access to your files or your systems and holds them hostage until a ransom is paid. It also examines the different types of ransomware and explains what you can do to thwart this sinister online threat.  

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Group policies can be applied selectively to specific devices with the help of groups. Utilising this, it is possible to phase-in group policies, over a period of time, by randomly adding non-members user or computers at a set interval, to a group f…
In the absence of a fully-fledged GPO Management product like AGPM, the script in this article will provide you with a simple way to watch the domain (or a select OU) for GPOs changes and automatically take backups when policies are added, removed o…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.
Suggested Courses

670 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question