running VBS script with GPO question

Hi, I am trying to get this VBS script working. It basically points to a .reg file that edits the registry so that Java will not update. I can run it and it works by just clicking on it, but when I try to add it as a logon script in GPO it won't work. I stored the .vbs script and .reg file in the \\domaincontroller\sysvol folder. I tried adding it as a machine startup script and as a user logon script. What could I be doing wrong? Or does the script need to be edited to be a logon script? Thanks. The scripts added.

Thomas N, Systems Analyst - Windows System Administrator, Asked:

Todd Gerbert, IT Consultant, Commented:
1. Since the registry file is editing keys in HKEY_LOCAL_MACHINE it will need to be a machine startup script (if it runs as a user logon script it will do so with the users' credentials, and probably won't have permissions to edit those keys).

2. You might need to specify the full path to the registry file, e.g. wshShell.Run("c:\windows\RegEdit /s " & "\\dc\sysvol\RemoveJavaUpdate.reg")
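The two points above (run as a machine startup script, use the full path) as an added example that is not part of the original thread: a startup script that builds the full path to the .reg file from its own location, imports it, and writes the result to the Application event log. It assumes the .reg file sits in the same folder as the script, and it swaps in `reg.exe import` for `regedit /s` because `reg import` documents exit code 0 for success and 1 for failure.

```vbscript
' Added example (not from the thread): machine startup script that imports a
' .reg file stored next to the script and records the outcome.
Option Explicit

Const EVT_SUCCESS = 0, EVT_ERROR = 1     ' WshShell.LogEvent entry types
Const REG_FILE = "RemoveJavaUpdate.reg"  ' file name used in the thread

Dim shell, fso, scriptDir, regPath, regExe, cmd, rc
Set shell = CreateObject("WScript.Shell")
Set fso = CreateObject("Scripting.FileSystemObject")

' Startup scripts run as SYSTEM with no guarantee about the working
' directory, so build the full path from the script's own location.
scriptDir = fso.GetParentFolderName(WScript.ScriptFullName)
regPath = fso.BuildPath(scriptDir, REG_FILE)
regExe = shell.ExpandEnvironmentStrings("%SystemRoot%\System32\reg.exe")

If Not fso.FileExists(regPath) Then
    ' Typical causes: network not ready yet at boot, or the computer
    ' account has no read access to the share holding the file.
    shell.LogEvent EVT_ERROR, "Startup script: cannot read " & regPath
    WScript.Quit 2
End If

' Quote both paths; window style 0 = hidden, True = wait and return exit code.
cmd = """" & regExe & """ import """ & regPath & """"
rc = shell.Run(cmd, 0, True)

If rc = 0 Then
    shell.LogEvent EVT_SUCCESS, "Startup script: imported " & regPath
Else
    shell.LogEvent EVT_ERROR, "Startup script: reg import failed (" & rc & ") for " & regPath
End If
WScript.Quit rc
```

After a reboot, the Application log on the target machine (source WSH) shows whether the script ran at all and whether the file was reachable, which separates a GPO problem from a path or permissions problem.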
Matt V Commented:
Did you do a gpupdate /force on the target machine to make sure the GPO took effect?
In light of the current rash of JAVA viruses, I don't believe doing that is a good idea.

Todd Gerbert, IT Consultant, Commented:

I can empathize with a domain environment where users don't have permissions to update Java; it's pretty annoying to have to field a million phone calls along the lines of "I keep getting a messages about coffee" - better to just not have the end-user see the update notifications.
patterned Commented:
Add this file to C:\Windows\Inf
Open up a GPO, browse to Computer config/Administrative templates.
Right click administrative templates, and click add/remove templates.
Browse to the attached file and add it.
Under "Admin Templates" you should now see "Java Updates"
Right click Java Updates and go to View/Filtering.
On the bottom, uncheck the "Only Show policy settings that can be fully managed"
Click ok.
Click back into Java Updates directory, and enable all the settings within that template.
Sorry, EE filtered that file extension.

Download the attached file and change the extension to ".ADM"
I'm with tgerbert on this one, as well.
I got nagging remarks from all my end users until I finally pushed these registry fixes.
Without system file permissions, my users are relatively safe, and any virus/malware that does get in is easily dealt with.

Unless these Java flaws somehow grant access, which would be slightly retarded.  Thanks Oracle for all you have done. /sarcasm
Thomas N, Systems Analyst - Windows System Administrator (Author), Commented:
Thanks. I think I need to try tgerbert's suggestion and point the full path to the reg file. If it does not work I will try patterned's idea.
Thomas N, Systems Analyst - Windows System Administrator (Author), Commented:
Can someone tell me if I put in a startup script for a machine, if I make a change the machine will run the script again on startup... correct? I don't have to do anything else.
Todd Gerbert, IT Consultant, Commented:
Thomas N, Systems Analyst - Windows System Administrator (Author), Commented:
It did not work, but if I go to the actual sysvol folder on the DC that is holding the script and just click on it, it works. For some reason as a startup script it doesn't work.

Patterned: On your ADM file you say I need to add the file to the c:\windows\inf folder. Is this on the DC or somewhere else?
ThinkPaper, IT Consultant, Commented:
Simpler yet, just do a one-time push to all workstations. This way you don't have to depend on the machine rebooting (whenever that occurs). You can use a remote tool such as Microsoft's psexec to push the reg files to all machines in one sweep.

psexec @computer.txt -u domainname\AdminAcctName -p Password regedit /s "\\server\share\RemoveJavaUpdate.reg"

computer.txt is the text file containing the list of workstations or IPs per line.
RemoveJavaUpdate.reg is saved on a SHARE where all machines have access to read/execute.

It should return an error code of 0, assuming it succeeds. Test this out on a few machines to verify it works.
Question has a verified solution.
