Question from llarava

GPO or logon script - Need elevate admin rights

Hi,

We would like to execute the following script which requires admin rights in order to work. Basically the script checks the user profiles that are created locally in the workstation and deletes the documents that are older than 1 day within the profile.

We would like to use the script as part of the logon script or via gpo and I was wondering if there is any way to elevate the rights so that script runs with admin rights and does its job?

Any help?

Thank you!
On Error Resume Next   ''' Note: this suppresses every error, so a failed deletion goes unreported

''' Set Registry Hive
Const HKEY_LOCAL_MACHINE = &H80000002

'''  This section of code creates the list of user profiles by reading
'''  HKLM\SOFTWARE\...\ProfileList (a machine-wide key, no HKCU access needed)
strComputer = "."
Set objRegistry = GetObject("winmgmts:\\" & _
    strComputer & "\root\default:StdRegProv")

strKeyPath = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"
objRegistry.EnumKey HKEY_LOCAL_MACHINE, strKeyPath, arrSubkeys

''' One FileSystemObject is enough for the whole run
Set objFSO = CreateObject("Scripting.FileSystemObject")

''' Create a loop to cycle through the profiles
'''
For Each objSubkey In arrSubkeys
  strValueName = "ProfileImagePath"
  strSubPath = strKeyPath & "\" & objSubkey
  objRegistry.GetExpandedStringValue _
    HKEY_LOCAL_MACHINE, strSubPath, strValueName, strValue

  strValue = strValue & "\Desktop"

  ''' Delete any file on the desktop that is older than one day.
  ''' Skip the default user desktop (although this may not be necessary).
  ''' Deleting files inside other users' profiles is the step that needs
  ''' admin (or SYSTEM) rights.
  If NOT strValue = "C:\WINDOWS\system32\config\systemprofile\Desktop" Then
    If objFSO.FolderExists(strValue) Then
      Set Folder = objFSO.GetFolder(strValue)
      For Each File In Folder.Files
        If DateDiff("d", File.DateLastModified, Now) > 1 Then _
          objFSO.DeleteFile File
      Next
    End If
  End If
Next

Set objFSO = Nothing
Set objRegistry = Nothing


Adam Brown

Running it as a Startup script in a GPO will run the script in the context of the system, which should have the necessary rights.
llarava (ASKER)

I was going to try what you have indicated. You will have to use a startup script at the computer level so that the script runs in the context of the system. I am not sure if this is going to work but I will give it a try.

I have also thought about using GPO preferences and use scheduled tasks via GPO, then setup the scheduled task to run with admin credentials.

Is there a way to run native GPO/startup scripts at the user level with administrative rights?
There are some third-party tools like ScriptLogic that allow you to elevate the user rights or to pass administrative credentials.

Adam Brown

You can use the Runas utility to elevate privileges in a script, but that requires you to include the username and password in the script, which is a security issue. Alternatively you could utilize PSExec to run the script on all computers without using a GPO to deploy it if it's a one-time thing.
johnb6767

Quick look at the script, looks like it is working under HKLM, and NOT HKCU, so running it as a user shouldn't be needed... Kinda curious to see why you're querying the System Profile though, at "C:\WINDOWS\system32\config\systemprofile\Desktop"

I noticed the system profile too... Why don't you expand the user environment for %userprofile% instead and check the desktop there. As far as elevating you may want to query "runas" from the script and have it monitor when the application is done running and have it close it as well. Just an idea. Scheduling the script may be the most secure as that won't expose your login. Just be sure once again that it closes the application when it's done so you don't have it hanging with an elevated process.
llarava (ASKER)

johnb6767, Russell_Ven…,

I'm not really into scripting. I just used the System Profile, at "C:\WINDOWS\system32\config\systemprofile\Desktop", because I thought it would work.

Can you please modify the code with the %userprofile% as you have specified above? Are there any downsides of querying the Desktop VS %userprofile%?

My goal is for the script to eliminate old data that is being left on some computers that are used by everyone in the company. We are also going to use the same method for a group of generic Virtual Desktops so that user profiles get lighter but are not removed from the system.
llarava (ASKER)

"I noticed the system profile too... Why don't you expand the user environment for %userprofile% instead and check the desktop there."

Is there a downside of querying the Desktop VS %userprofile%?  
johnb6767

"C:\WINDOWS\system32\config\systemprofile\Desktop"

There should NEVER be any data there. Unless you have a service running under SYSTEM perhaps that is designed to retrieve data... There will never be any USER created data there.

The suggestion above to query %userprofile%\Desktop is a good variable to use in a script, as it will query the current user's desktop folder, regardless of their username. The USERPROFILE variable resolves to the following path (for instance, if John logged on)...

C:\Users\John
or, pre-Vista/7,
C:\Documents and Settings\John

Replace JOHN with the user logged on. So you can use that variable in a script, and it applies to all users......
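An added VBScript example (not the question's script and not code from any reply) that puts together the two suggestions made above: deployed as a user logon script it cleans only %USERPROFILE%\Desktop, which needs no elevation because the user owns those files; started from a computer Startup script under SYSTEM with the assumed /all switch it walks HKLM ProfileList like the original script. The /whatif switch, MAX_AGE_DAYS and the S-1-5-21- SID filter are my assumptions, not something from the thread.

```vbscript
Option Explicit
' Added example, not the question's script or any reply's code. Without
' switches it cleans the logged-on user's own Desktop (user logon script, no
' admin rights needed). With /all (assumed switch; needs SYSTEM, i.e. a computer
' Startup script) it cleans the Desktop of every local user profile listed in
' HKLM ProfileList. /whatif (assumed switch) only reports what would be deleted.
Const MAX_AGE_DAYS = 1
Const HKEY_LOCAL_MACHINE = &H80000002
Const PROFILE_LIST = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"
Dim objShell, objFSO, blnWhatIf
Set objShell = CreateObject("WScript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")
blnWhatIf = WScript.Arguments.Named.Exists("whatif")

If WScript.Arguments.Named.Exists("all") Then
    CleanAllProfiles                       ' Startup script context (runs as SYSTEM)
Else
    CleanDesktop objShell.ExpandEnvironmentStrings("%USERPROFILE%") & "\Desktop"
End If

Sub CleanAllProfiles()
    Dim objReg, arrSids, strSid, strPath
    Set objReg = GetObject("winmgmts:\\.\root\default:StdRegProv")
    objReg.EnumKey HKEY_LOCAL_MACHINE, PROFILE_LIST, arrSids
    If IsNull(arrSids) Then Exit Sub
    For Each strSid In arrSids
        ' Only real user accounts have S-1-5-21-... SIDs, so this skips the
        ' LocalSystem, LocalService and NetworkService profiles (S-1-5-18/19/20)
        ' without hard-coding the systemprofile path.
        If Left(strSid, 9) = "S-1-5-21-" Then
            objReg.GetExpandedStringValue HKEY_LOCAL_MACHINE, _
                PROFILE_LIST & "\" & strSid, "ProfileImagePath", strPath
            If Not IsNull(strPath) Then CleanDesktop strPath & "\Desktop"
        End If
    Next
End Sub

Sub CleanDesktop(strFolder)
    Dim objFile, strVerb
    strVerb = "Deleting ": If blnWhatIf Then strVerb = "Would delete "
    If Not objFSO.FolderExists(strFolder) Then Exit Sub
    For Each objFile In objFSO.GetFolder(strFolder).Files
        If DateDiff("d", objFile.DateLastModified, Now) > MAX_AGE_DAYS Then
            WScript.Echo strVerb & objFile.Path
            If Not blnWhatIf Then objFile.Delete True   ' True = also remove read-only files
        End If
    Next
End Sub
```

Run it first with cscript and /whatif to review what it would remove; for the Startup-script deployment put /all in the GPO script parameters field, for the logon-script deployment leave the parameters empty.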
llarava (ASKER)

johnb6767,

I understand. Can you help me out to modify the current code with the change that you have suggested? We are running XP SP3 workstations.

Sorry, I have been busy with important work. I will see what I can do.
ASKER CERTIFIED SOLUTION
Russell_Venable
