GPO or logon script - Need elevate admin rights

llarava
Hi,

We would like to execute the following script which requires admin rights in order to work. Basically the script checks the user profiles that are created locally in the workstation and deletes the documents that are older than 1 day within the profile.

We would like to use the script as part of the logon script or via gpo and I was wondering if there is any way to elevate the rights so that script runs with admin rights and does its job?

Any help?

Thank you!
' Set Registry Hive
Const HKEY_LOCAL_MACHINE = &H80000002

Dim strComputer, objRegistry, objFSO, strKeyPath, arrSubkeys
Dim objSubkey, strSubPath, strValueName, strValue, Folder, File

On Error Resume Next   ' keep going if one profile folder cannot be read

' This section of code creates the list of user profiles
strComputer = "."
Set objRegistry = GetObject("winmgmts:\\" & _
    strComputer & "\root\default:StdRegProv")
Set objFSO = CreateObject("Scripting.FileSystemObject")

strKeyPath = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"
objRegistry.EnumKey HKEY_LOCAL_MACHINE, strKeyPath, arrSubkeys

' Loop through the profiles
For Each objSubkey In arrSubkeys
  strValueName = "ProfileImagePath"
  strSubPath = strKeyPath & "\" & objSubkey
  objRegistry.GetExpandedStringValue _
    HKEY_LOCAL_MACHINE, strSubPath, strValueName, strValue

  strValue = strValue & "\Desktop"

  ' Delete any file on the desktop that is older than one day
  ' Skip the system profile's desktop (it never holds user data)
  If Not strValue = "C:\WINDOWS\system32\config\systemprofile\Desktop" Then
    If objFSO.FolderExists(strValue) Then
      Set Folder = objFSO.GetFolder(strValue)
      For Each File In Folder.Files
        If DateDiff("d", File.DateLastModified, Now) > 1 Then
          objFSO.DeleteFile File.Path
        End If
      Next
    End If
  End If
Next

Set objFSO = Nothing
Set objRegistry = Nothing

Adam BrownSenior Systems Admin
Top Expert 2010

Commented:
Running it as a Startup script in a GPO will run the script in the context of the system, which should have the necessary rights.
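An added example, not code from the question or from any of the replies: the asker's cleanup rewritten as a GPO computer Startup script along the lines suggested above (it runs as SYSTEM, so no credentials are embedded). It skips the LocalSystem, LocalService and NetworkService profiles by SID instead of by one hard-coded desktop path, and it writes one Application event per profile so the effect can be reviewed before DRY_RUN is switched off. DRY_RUN, MAX_AGE_DAYS, IsServiceSid, CleanDesktop and the event message text are assumptions.

```vbscript
Option Explicit
' Added example, not from the thread: intended to run as a GPO computer Startup
' script (SYSTEM context). DRY_RUN, MAX_AGE_DAYS and the function names are assumptions.
Const HKEY_LOCAL_MACHINE = &H80000002
Const DRY_RUN = True        ' set to False once the logged results look right
Const MAX_AGE_DAYS = 1      ' same threshold as the original script

Dim objReg, objFSO, objShell, arrSubkeys, strSid, strPath, strKeyPath
Set objReg   = GetObject("winmgmts:\\.\root\default:StdRegProv")
Set objFSO   = CreateObject("Scripting.FileSystemObject")
Set objShell = CreateObject("WScript.Shell")

' LocalSystem, LocalService and NetworkService profiles never hold user data,
' so they are skipped by SID instead of by one hard-coded desktop path.
Function IsServiceSid(sid)
  IsServiceSid = (sid = "S-1-5-18" Or sid = "S-1-5-19" Or sid = "S-1-5-20")
End Function

' Deletes (or, in dry-run mode, only counts) files in strDesktop that were last
' modified more than MAX_AGE_DAYS ago; returns the number affected.
Function CleanDesktop(strDesktop)
  Dim objFile, nCount
  nCount = 0
  If objFSO.FolderExists(strDesktop) Then
    For Each objFile In objFSO.GetFolder(strDesktop).Files
      If DateDiff("d", objFile.DateLastModified, Now) > MAX_AGE_DAYS Then
        If Not DRY_RUN Then objFSO.DeleteFile objFile.Path, True
        nCount = nCount + 1
      End If
    Next
  End If
  CleanDesktop = nCount
End Function

strKeyPath = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"
objReg.EnumKey HKEY_LOCAL_MACHINE, strKeyPath, arrSubkeys
For Each strSid In arrSubkeys
  If Not IsServiceSid(strSid) Then
    objReg.GetExpandedStringValue HKEY_LOCAL_MACHINE, strKeyPath & "\" & strSid, _
      "ProfileImagePath", strPath
    If Not IsNull(strPath) Then
      ' One Information event per profile so the effect of the script can be
      ' reviewed centrally before DRY_RUN is switched off.
      objShell.LogEvent 4, "Profile cleanup (dry run=" & DRY_RUN & "): " & _
        CleanDesktop(strPath & "\Desktop") & " file(s) older than " & _
        MAX_AGE_DAYS & " day(s) in " & strPath & "\Desktop"
    End If
  End If
Next
```

Assign it under Computer Configuration > Windows Settings > Scripts (Startup) in the GPO; the events it writes appear in the Application log under source WSH.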

Author

Commented:
I was going to try what you have indicated. You will have to use a startup script at the computer level so that the script runs in the context of the system. I am not sure if this is going to work but I will give it a try.

I have also thought about using GPO preferences and scheduled tasks via GPO, then setting up the scheduled task to run with admin credentials.

Is there a way to run native GPO/startup scripts at the user level with administrative rights?
There are some third-party tools like ScriptLogic that allow you to elevate the user rights or to pass administrative credentials.

Adam BrownSenior Systems Admin
Top Expert 2010

Commented:
You can use the Runas utility to elevate privileges in a script, but that requires you to include the username and password in the script, which is a security issue. Alternatively you could utilize PSExec to run the script on all computers without using a GPO to deploy it if it's a one time thing.

Most Valuable Expert 2011
Top Expert 2011

Commented:
Quick look at the script: it looks like it is working under HKLM, and NOT HKCU, so running it as a user shouldn't be needed... Kinda curious to see why you're querying the System Profile though, at "C:\WINDOWS\system32\config\systemprofile\Desktop"

I noticed the system profile too... Why don't you expand the user environment for %userprofile% instead and check the desktop there? As far as elevating, you may want to query "runas" from the script and have it monitor when the application is done running and have it close it as well. Just an idea. Scheduling the script may be the most secure, as that won't expose your login. Just be sure once again that it closes the application when it's done so you don't have it hanging with an elevated process.

Author

Commented:
johnb6767,Russell_Ven…,

I'm not really into scripting; I just used the System Profile, at "C:\WINDOWS\system32\config\systemprofile\Desktop", because I thought it would work.

Can you please modify the code with the %userprofile% as you have specified above? Are there any downsides of querying the Desktop vs. %userprofile%?

My goal is for the script to eliminate old data that is being left on some computers that are used by everyone in the company. We are also going to use the same method for a group of generic Virtual Desktops so that user profiles get lighter but are not removed from the system.

Author

Commented:
"I noticed the system profile too... Why don't you expand the user environment for %userprofile% instead and check the desktop there."

Is there a downside of querying the Desktop vs. %userprofile%?
Most Valuable Expert 2011
Top Expert 2011

Commented:
"C:\WINDOWS\system32\config\systemprofile\Desktop"

There should NEVER be any data there. Unless you have a service running under SYSTEM perhaps that is designed to retrieve data... There will never be any USER created data there.

The suggestion above to query %userprofile%\Desktop is a good variable to use in a script, as it will query the current user's desktop folder, regardless of their username. The USERPROFILE variable resolves to the following path (for instance, if John logged on)...

C:\Users\John
or pre vista/7
c:\Documents and Settings\John

Replace JOHN with the user logged on. So you can use that variable in a script, and it applies to all users......

Author

Commented:
johnb6767,

I understand. Can you help me out to modify the current code with the change that you have suggested? We are running XP SP3 workstations.

Sorry, I have been busy with important work. I will see what I can do.
Here is what I came up with.

'-----------------------------------Cut here-----------------------------------------------
On Error Resume Next

Dim wshShell, objFSO, Folder, File, UserProfile
Set wshShell = CreateObject("WScript.Shell")

' Resolve the logged-on user's profile (the script runs as that user,
' so no elevation is needed to clean the user's own Desktop)
UserProfile = wshShell.ExpandEnvironmentStrings("%USERPROFILE%")
If Len(UserProfile) > 0 Then
  UserProfile = UserProfile & "\Desktop"
  Set objFSO = CreateObject("Scripting.FileSystemObject")
  If objFSO.FolderExists(UserProfile) Then
    Set Folder = objFSO.GetFolder(UserProfile)
    For Each File In Folder.Files
      ' Delete files last modified more than one day ago
      If DateDiff("d", File.DateLastModified, Now) > 1 Then
        objFSO.DeleteFile File.Path
      End If
    Next
  End If
End If

Set objFSO   = Nothing
Set wshShell = Nothing
