Solved

How to use Run as command in a script

Posted on 2012-03-14
Last Modified: 2012-03-15
My current environment is Windows 7 workstations and Windows Server 2003 DC and servers.
All domain users are just users with no Administrator privileges.

I need to create a batch file that adds a reg key to the registry; this batch should run at machine startup through group policy.

The problem is that I need this batch with Admin rights so it can access the registry editor.

How can I use the local administrator account to run this batch?

I am flexible to use any scripting language; just advise with the commands.
0
Question by:mostabdo
8 Comments
 
LVL 85

Assisted Solution

by:oBdA
oBdA earned 2000 total points
ID: 37719741
That's the wrong approach, sorry.
A script that is applied to a computer as startup script will run in the local System security context. It can do to HKLM whatever it feels like, and UAC is not active for the System account.
In other words: if you want to change settings in HKLM, use a startup script applied to the computers in question. I'd recommend using reg.exe instead of regedit.exe (see examples below); regedit is mainly a GUI tool, whereas reg.exe is a command line tool.
Note that if the startup script accesses network shares, the computer objects need the appropriate permissions to access the shares (note, too, that all domain computer objects by default are members of "Authenticated Users" as well as "Domain Computers").

If you want to change settings in HKCU, a startup script won't help anything, because HKCU is the logged on user's registry. You'll need a logon script applied to the user objects in question.
With the exception of the HKCU\...\policies\... keys, a user has write access to his registry.
You can use reg.exe to set user registry keys directly or import a registry file; unlike regedit.exe, reg.exe does not require a UAC confirmation.
In other words: if you want to change settings in HKCU outside of \policies\, use a logon script applied to the users in question, and use reg.exe instead of regedit.exe (or a VB script).
Example for the use of reg.exe to import a reg file:
reg.exe import "S:\ome\file.reg"

Example for the use of reg.exe to set a registry value:
reg.exe add "HKCU\Software\Acme" /v "SomeValue" /t "REG_SZ" /d "Some Data for the value" /f

If you want to write to HKCU\...\policies\..., use a group policy applied to the users with the according policies configured. These keys are not meant to be set manually, and users may not write to them for a good reason, because they contain administrative restrictions. "runas" won't help anything here, either, because HKCU would be the Administrator's HKCU, not the one of the user starting the "runas" command.
0
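The answer above turns on which security context can write to which key. The following added example (not part of the original thread; the function name Test-RegistryWriteAccess is hypothetical) reports the identity the script runs under and whether that identity can open each key for writing. It only opens handles and changes nothing.

```powershell
# Added example, not from the thread. Read-only: opens keys, writes no values.
function Test-RegistryWriteAccess {
    param(
        [Parameter(Mandatory = $true)][Microsoft.Win32.RegistryKey]$Hive,
        [Parameter(Mandatory = $true)][string]$SubKey
    )
    try {
        # $true requests a writable handle; the key's ACL is checked at open time.
        $key = $Hive.OpenSubKey($SubKey, $true)
        if ($null -eq $key) { return 'missing' }
        $key.Close()
        return 'writable'
    }
    catch {
        # PowerShell wraps .NET exceptions; unwrap to find the real cause.
        $inner = $_.Exception
        while ($inner.InnerException) { $inner = $inner.InnerException }
        if ($inner -is [System.Security.SecurityException] -or
            $inner -is [System.UnauthorizedAccessException]) { return 'denied' }
        throw
    }
}

# Who is this script actually running as?
$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
'Running as {0} (SID {1}, System={2})' -f $id.Name, $id.User.Value, $id.IsSystem

$policies = 'Software\Microsoft\Windows\CurrentVersion\Policies'
$hkcu = [Microsoft.Win32.Registry]::CurrentUser
$hklm = [Microsoft.Win32.Registry]::LocalMachine
$checks = @(
    @{ Name = 'HKCU\Software';  Hive = $hkcu; SubKey = 'Software' },
    @{ Name = "HKCU\$policies"; Hive = $hkcu; SubKey = $policies },
    @{ Name = "HKLM\$policies"; Hive = $hklm; SubKey = $policies }
)
foreach ($c in $checks) {
    '{0,-62} {1}' -f $c.Name, (Test-RegistryWriteAccess -Hive $c.Hive -SubKey $c.SubKey)
}
```

Run it once from a logon script (user context) and once from a computer startup script (System context) and compare the two outputs. Under System, HKCU is the System account's own hive, not that of any user who logs on later.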
 

Author Comment

by:mostabdo
ID: 37721228
Well... thank you so much for the explanation... I need to add a key to the HKLM. I used the below command in a batch file (AA.bat)

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum /v {F02C1A0D-BE21-4350-88B0-7367FC96EF3C} /t REG_DWORD /d 00000001 /f

So I will add the AA.bat to the startup script and the machine should apply it without problems... is that right?
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 37721658
0
 
LVL 85

Assisted Solution

by:oBdA
oBdA earned 2000 total points
ID: 37722340
The above script would work, but as I said, the policies key shouldn't be changed directly.
I'd actually recommend using the "User Configuration/HKCU" key and applying it to any users you want to restrict; setting this under Computer Configuration/HKLM will remove the icon for everybody, including administrators.

The first file below is a traditional adm file. You can use it by opening the GPO you want it in in the GP editor, right-clicking "Administrative Templates", then "Add/Remove templates" and browsing to the adm file. In your GP editor, you should now have a new entry "Remove Network icon on the desktop" under "Administrative Templates\Custom Desktop" both in Computer and User Configuration.

If you're already managing your policies from W2k8/Win7, you should have a folder C:\Windows\PolicyDefinitions on your DC; in this case, don't use the adm file. Instead, copy the CustomDesktop.admx file below into that folder, and the CustomDesktop.adml file into the subfolder "en-us".
In your GP editor, you should now have a new entry "Remove Network icon on the desktop" under "Administrative Templates\Desktop" both in Computer and User Configuration.
CustomDesktop.adm:
CLASS MACHINE
CATEGORY "Custom Desktop"
  POLICY "Remove Network icon on the desktop"
    KEYNAME "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum"
    EXPLAIN "This setting hides Network from the desktop and from the new Start menu if enabled.\n\nIf you enable this setting, Network is hidden on the desktop, the new Start menu, the Explorer folder tree pane, and the Explorer Web views.\n\nIf you disable this setting, Network is displayed as usual, appearing as normal on the desktop, Start menu, folder tree pane, and Web views, unless restricted by another setting."
    VALUENAME "{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}"
    VALUEON NUMERIC 1
    VALUEOFF NUMERIC 0
  END POLICY
END CATEGORY

CLASS USER
CATEGORY "Custom Desktop"
  POLICY "Remove Network icon on the desktop"
    KEYNAME "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum"
    EXPLAIN "This setting hides Network from the desktop and from the new Start menu if enabled.\n\nIf you enable this setting, Network is hidden on the desktop, the new Start menu, the Explorer folder tree pane, and the Explorer Web views.\n\nIf you disable this setting, Network is displayed as usual, appearing as normal on the desktop, Start menu, folder tree pane, and Web views, unless restricted by another setting."
    VALUENAME "{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}"
    VALUEON NUMERIC 1
    VALUEOFF NUMERIC 0
  END POLICY
END CATEGORY

CustomDesktop.admx:
<?xml version="1.0" encoding="utf-8"?>
<policyDefinitions xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <policyNamespaces>
    <target prefix="custom" namespace="Custom.Policies.WindowsDesktop" />
    <using prefix="windows" namespace="Microsoft.Policies.Windows" />
  </policyNamespaces>
  <resources minRequiredRevision="1.0" />
  <policies>
    <policy name="NoNetworkIconMachine" class="Machine" displayName="$(string.NoNetworkIcon)" explainText="$(string.NoNetworkIcon_Help)" key="Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum" valueName="{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}">
      <parentCategory ref="windows:Desktop" />
      <supportedOn ref="windows:SUPPORTED_WindowsXP" />
      <enabledValue>
        <decimal value="1" />
      </enabledValue>
      <disabledValue>
        <decimal value="0" />
      </disabledValue>
    </policy>
    <policy name="NoNetworkIcon" class="User" displayName="$(string.NoNetworkIcon)" explainText="$(string.NoNetworkIcon_Help)" key="Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum" valueName="{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}">
      <parentCategory ref="windows:Desktop" />
      <supportedOn ref="windows:SUPPORTED_WindowsXP" />
      <enabledValue>
        <decimal value="1" />
      </enabledValue>
      <disabledValue>
        <decimal value="0" />
      </disabledValue>
    </policy>
  </policies>
</policyDefinitions>

en-us\CustomDesktop.adml:
<?xml version="1.0" encoding="utf-8"?>
<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <displayName>enter display name here</displayName>
  <description>enter description here</description>
  <resources>
    <stringTable>
      <string id="NoNetworkIcon">Remove Network icon on the desktop</string>
      <string id="NoNetworkIcon_Help">This setting hides Network from the desktop and from the new Start menu. This setting allows administrators to restrict their users from seeing Network in the shell namespace, allowing them to present their users with a simpler desktop environment.

If you enable this setting, Network is hidden on the desktop, the new Start menu, the Explorer folder tree pane, and the Explorer Web views.

If you disable this setting, Network is displayed as usual, appearing as normal on the desktop, Start menu, folder tree pane, and Web views, unless restricted by another setting.

If you do not configure this setting, the default is to display Network as usual.</string>
    </stringTable>
  </resources>
</policyDefinitionResources>

0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 37722357
"If you're already managing your policies from W2k8/Win7,"

Then you don't need any custom ADM, ADMX or ADML files... You would use GPP
0
 
LVL 85

Accepted Solution

by:
oBdA earned 2000 total points
ID: 37722517
That's purely a matter of preference (pun intended). Since there are already three policies removing other icons in the default settings (My Documents, My Computer, Recycle Bin), I'd prefer to find this together with the rest.
Plus, as I said, the /policies/ keys are meant for real policies, not for manual manipulation, and GPP is basically Yet Another Registry Editor.
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 37722532
The whole point of GPP is to get rid of registry edits, scripts, and importing templates! I'm sure everyone's "Preference" would be to do it the easier way.
0
