Solved

Administrative Rights to Single Logon Script

Posted on 2012-03-11
Last Modified: 2012-04-07
Greetings, Experts!

A few months ago a few experts helped me develop a script to delete user profiles that were in backup status (found here).  I have that script set to execute upon user login.  That script works great, but only if logged in by an administrator.  I have group policies set to prevent student access to registry editing, so each time a user logs in, the script is denied access to the registry.

[Image: Output when running script]

I have played around with a few workarounds, but so far have not been successful in making it work in my managed environment.

For example, I have found that if, while logged in as a student, I right-click on the file while holding the Shift key, the option to run as a different user appears.  When the proper credentials are entered, it executes just fine.  I just can't figure out how to make it work through Group Policy.

My clients are all running Windows 7 Professional and DCs are 2008 R2.

This wouldn't be an issue if the user profiles wouldn't end up in backup status...if I could prevent it from happening in the first place then that would be ideal.  This is just a band-aid solution.

Any ideas?
0
Question by:Evan Hines
11 Comments
 
LVL 43

Expert Comment

by:Davis McCarn
ID: 37709430
I'll try to help with the backup status first....

First, fix one of the users and log in to that account.
cmd<ENTER>
Run "WHOAMI /USER" to determine the user's SID.
Either log in as an admin or invoke REGEDIT with admin credentials.
Check the ProfileImagePath value under the following registry key and note it:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\<SID-from-WHOAMI>
Search the ProfileList key for that value and delete any other SIDs that point to the same ProfileImagePath.

The problem is caused by multiple creations and deletions of the same username. It seems that the ProfilePath remains in the registry, even after the user has been deleted.

If that is too tedious or doesn't solve the problem, you can run your script as a scheduled task with local admin credentials which will then work.
0
 
LVL 42

Accepted Solution

by:
kevinhsieh earned 500 total points
ID: 37709928
Run the script as a startup or shutdown script. Those run under the SYSTEM account, which has administrative access. A scheduled task would work as well.
0
 
LVL 1

Author Comment

by:Evan Hines
ID: 37710411
Running the script as a scheduled task with a local account occurred to me late last night.  I am currently testing it.  

We currently have a group policy in place that automatically removes policies that are more than 15 days old.  Could that be contributing to the cause of the .bak profiles?
0

 
LVL 43

Expert Comment

by:Davis McCarn
ID: 37710487
Not from what I found.  It was the deletion and recreation of the UserProfile which seems to cause it.
0
 
LVL 42

Expert Comment

by:kevinhsieh
ID: 37710917
How are you determining that a profile is 15 days old? How are you using GPO to delete it?
0
 
LVL 1

Author Comment

by:Evan Hines
ID: 37711294
The GPO setting is
Computer Configuration > Policies > Administrative Templates > System > Delete user profiles older than a specified number of days on system restart : Enabled : Delete user profiles older than (days) : 15

We do that for basic system cleanliness and to speed up our summer computer data cleaning.  It's really not necessary.
0
 
LVL 43

Expert Comment

by:Davis McCarn
ID: 37711709
That will cause your issue if the user does not login to the PC for 15 days.
0
 
LVL 15

Expert Comment

by:markdmac
ID: 37715056
I agree with the advice given above to run the script as a startup script.  Then you just have to remotely reboot the computers to initiate a cleanup.
0
 
LVL 1

Author Comment

by:Evan Hines
ID: 37717080
Previously during the year as part of our routine maintenance we would go through and remove the User folders of the users that are no longer going to use the computers.  Our decision to do this was because it was quicker than using the GUI to remove them one at a time (and it was before we ran across the DelProf2 program).  That resulted in us having registry entries without corresponding user folders.  And from what has been said so far here, that is probably what is causing our issue.

We are currently taking a lab of computers and manually synchronizing the registry keys with the Users folders.  We will monitor it for a few days to see if they manually stay in check and if we continue to have any issues with those computers.

As for the original issue of getting the batch script to run while a non-admin user is logged in, the scheduled task is working perfectly.  I'll update with results of our test in a few days.
0
 
LVL 1

Author Closing Comment

by:Evan Hines
ID: 37819638
In addition to the answer to the question, the other information about having non-synced user profiles & their respective registry keys was also causing issues.  By synchronizing the user profiles and scheduling a task to delete the backup profiles regularly, nearly all of my profile-related issues have been resolved.
0
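
The three conditions discussed in this thread (ProfileList keys left in .bak status, several SIDs pointing at the same ProfileImagePath, and registry entries with no matching Users folder) can be checked in one pass. This is an added example, not code from the thread or from the original cleanup script; the function names are hypothetical, it only reads and reports, and it assumes it runs with rights to read HKLM (for instance as a startup script or a scheduled task, as suggested above).

```powershell
# Added example: read-only audit of the ProfileList key. Reports only, never deletes.
$ProfileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Get-ProfileListEntry {
    # One object per SID subkey: the path it claims and whether that folder exists.
    Get-ChildItem -Path $ProfileList | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        if (-not $props.ProfileImagePath) { return }   # skip keys without a path value
        $path = [Environment]::ExpandEnvironmentVariables($props.ProfileImagePath)
        New-Object PSObject -Property @{
            KeyName      = $_.PSChildName
            Sid          = $_.PSChildName -replace '\.bak$', ''
            IsBackup     = $_.PSChildName -like '*.bak'
            ProfilePath  = $path
            FolderExists = Test-Path -LiteralPath $path
        }
    }
}

function New-Issue($Issue, $Entry) {
    # Hypothetical helper: one report row per finding.
    New-Object PSObject -Property @{
        Issue = $Issue; KeyName = $Entry.KeyName; ProfilePath = $Entry.ProfilePath
    }
}

function Find-ProfileListIssue {
    param([object[]]$Entry)
    foreach ($e in $Entry) {
        if ($e.IsBackup)          { New-Issue 'BackupStatus'    $e }  # SID.bak key
        if (-not $e.FolderExists) { New-Issue 'NoProfileFolder' $e }  # folder removed by hand
    }
    # Different SIDs claiming one folder (a SID and its own .bak count as one SID).
    $Entry | Group-Object -Property { $_.ProfilePath.ToLower() } | ForEach-Object {
        $sids = @($_.Group | Select-Object -ExpandProperty Sid -Unique)
        if ($sids.Count -gt 1) {
            $_.Group | ForEach-Object { New-Issue 'SharedProfilePath' $_ }
        }
    }
}

$entries = @(Get-ProfileListEntry)
Find-ProfileListIssue -Entry $entries |
    Sort-Object ProfilePath, KeyName |
    Format-Table Issue, KeyName, ProfilePath -AutoSize
```

Reviewing this report before any cleanup shows which keys a deletion script would touch and why.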


Question has a verified solution.
