Solved

How to use Run as command in a script

Posted on 2012-03-14
Last Modified: 2012-03-15
My current environment is Windows 7 workstations and Windows Server 2003 DC and servers.
All domain users are just users with no Administrators privilege.

I need to create a batch file that adds a reg key to the registry; this batch should run at machine startup through group policy.

The problem is that I need this batch with Admin rights so it can access the registry editor.

How can I use the local administrator account to run this batch ???

I am flexible to use any language of scripting, just advise with the commands
0
Question by:mostabdo
8 Comments
 
LVL 5

Expert Comment

by:sujithmd
ID: 37719603
0
 
LVL 84

Assisted Solution

by:oBdA
oBdA earned 500 total points
ID: 37719741
That's the wrong approach, sorry.
A script that is applied to a computer as startup script will run in the local System security context. It can do to HKLM whatever it feels like, and UAC is not active for the System account.
In other words: if you want to change settings in HKLM, use a startup script applied to the computers in question. I'd recommend to use reg.exe instead of regedit.exe (see examples below); regedit is mainly a GUI tool, whereas reg.exe is a command line tool.
Note that if the startup script accesses network shares, the computer objects need the appropriate permissions to access the shares (note, too, that all domain computer objects by default are members of "Authenticated Users" as well as "Domain Computers").

If you want to change settings in HKCU, a startup script won't help anything, because HKCU is the logged on user's registry. You'll need a logon script applied to the user objects in question.
With the exception of the HKCU\...\policies\... keys, a user has write access to his registry.
You can use reg.exe to set user registry keys directly or import a registry file; unlike regedit.exe, reg.exe does not require a UAC confirmation.
In other words: if you want to change settings in HKCU outside of \policies\, use a logon script applied to the users in question, and use reg.exe instead of regedit.exe (or a VB script).
Example for the use of reg.exe to import a reg file:
reg.exe import "S:\ome\file.reg"


Example for the use of reg.exe to set a registry value:
reg.exe add "HKCU\Software\Acme" /v "SomeValue" /t "REG_SZ" /d "Some Data for the value" /f


If you want to write to HKCU\...\policies\..., use a group policy applied to the users with the according policies configured. These keys are not meant to be set manually, and users may not write to them for a good reason, because they contain administrative restrictions. "runas" won't help anything here, either, because HKCU would be the Administrator's HKCU, not the one of the user starting the "runas" command.
0
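
The startup-script approach described in the answer above, as an added example that is not part of the original thread: a computer startup script that confirms it is running as Local System (well-known SID S-1-5-18), writes an HKLM value with reg.exe, and reads it back. The key `HKLM\Software\Acme`, the value name and the log path are constructed placeholders mirroring the thread's `HKCU\Software\Acme` sample.

```batch
@echo off
rem Added example: assign as a computer startup script in a GPO linked to the computers.
rem KEY, VALUE, DATA and LOG are constructed placeholders, not values from the thread.
setlocal EnableExtensions

set "KEY=HKLM\Software\Acme"
set "VALUE=SomeValue"
set "DATA=1"
set "LOG=%SystemRoot%\Temp\acme-startup.log"

rem Record the security context. A startup script runs as Local System,
rem whose SID is S-1-5-18 regardless of the Windows display language.
>>"%LOG%" echo %DATE% %TIME% startup script context:
whoami /user >>"%LOG%" 2>&1
whoami /user | find "S-1-5-18" >nul
if errorlevel 1 (
    >>"%LOG%" echo Not running as Local System, refusing to write %KEY%
    exit /b 1
)

rem /f overwrites without prompting, so the script can run on every boot.
reg.exe add "%KEY%" /v "%VALUE%" /t REG_DWORD /d %DATA% /f >>"%LOG%" 2>&1
if errorlevel 1 (
    >>"%LOG%" echo reg add failed for %KEY%
    exit /b 2
)

rem Read the value back; reg query prints a line like "    SomeValue    REG_DWORD    0x1".
set "ACTUAL="
for /f "tokens=3" %%A in ('reg.exe query "%KEY%" /v "%VALUE%" 2^>nul ^| find /i "REG_DWORD"') do set "ACTUAL=%%A"
>>"%LOG%" echo %KEY%\%VALUE% is now %ACTUAL%
if /i not "%ACTUAL%"=="0x1" exit /b 3
exit /b 0
```

Run by hand from a standard user's prompt, the script exits with code 1 and writes nothing, which makes the difference between the startup (System) and logon (user) contexts visible in the log.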
 

Author Comment

by:mostabdo
ID: 37721228
Well... thank you so much for the explanation... I need to add a key to the HKLM; I used the below command in a batch file (AA.bat)

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum /v {F02C1A0D-BE21-4350-88B0-7367FC96EF3C} /t REG_DWORD /d 00000001 /f

So I will add AA.bat to the startup script and the machine should apply it without problems... is that right??
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 37721658
0
 
LVL 84

Assisted Solution

by:oBdA
oBdA earned 500 total points
ID: 37722340
The above script would work, but as I said, the policies key shouldn't be changed directly.
I'd recommend to actually use the "User Configuration/HKCU" key and apply it to any users you want to restrict; setting this under Computer Configuration/HKLM will remove the icon for everybody, including administrators.

The first file below is a traditional adm file. You can use it by opening the GPO you want it in in the GP editor, right-clicking "Administrative Templates", then "Add/Remove templates" and browsing to the adm file. In your GP editor, you should now have a new entry "Remove Network icon on the desktop" under "Administrative Templates\Custom Desktop" both in Computer and User Configuration.

If you're already managing your policies from W2k8/Win7, you should have a folder C:\Windows\PolicyDefinitions on your DC; in this case, don't use the adm file. Instead, copy the CustomDesktop.admx file below into that folder, and the CustomDesktop.adml file into the subfolder "en-us".
In your GP editor, you should now have a new entry "Remove Network icon on the desktop" under "Administrative Templates\Desktop" both in Computer and User Configuration.
CustomDesktop.adm:
CLASS MACHINE
CATEGORY "Custom Desktop"
  POLICY "Remove Network icon on the desktop"
    KEYNAME "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum"
    EXPLAIN "This setting hides Network from the desktop and from the new Start menu if enabled.\n\nIf you enable this setting, Network is hidden on the desktop, the new Start menu, the Explorer folder tree pane, and the Explorer Web views.\n\nIf you disable this setting, Network is displayed as usual, appearing as normal on the desktop, Start menu, folder tree pane, and Web views, unless restricted by another setting."
    VALUENAME "{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}"
    VALUEON NUMERIC 1
    VALUEOFF NUMERIC 0
  END POLICY
END CATEGORY

CLASS USER
CATEGORY "Custom Desktop"
  POLICY "Remove Network icon on the desktop"
    KEYNAME "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum"
    EXPLAIN "This setting hides Network from the desktop and from the new Start menu if enabled.\n\nIf you enable this setting, Network is hidden on the desktop, the new Start menu, the Explorer folder tree pane, and the Explorer Web views.\n\nIf you disable this setting, Network is displayed as usual, appearing as normal on the desktop, Start menu, folder tree pane, and Web views, unless restricted by another setting."
    VALUENAME "{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}"
    VALUEON NUMERIC 1
    VALUEOFF NUMERIC 0
  END POLICY
END CATEGORY


CustomDesktop.admx:
<?xml version="1.0" encoding="utf-8"?>
<policyDefinitions xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <policyNamespaces>
    <target prefix="custom" namespace="Custom.Policies.WindowsDesktop" />
    <using prefix="windows" namespace="Microsoft.Policies.Windows" />
  </policyNamespaces>
  <resources minRequiredRevision="1.0" />
  <policies>
    <policy name="NoNetworkIconMachine" class="Machine" displayName="$(string.NoNetworkIcon)" explainText="$(string.NoNetworkIcon_Help)" key="Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum" valueName="{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}">
      <parentCategory ref="windows:Desktop" />
      <supportedOn ref="windows:SUPPORTED_WindowsXP" />
      <enabledValue>
        <decimal value="1" />
      </enabledValue>
      <disabledValue>
        <decimal value="0" />
      </disabledValue>
    </policy>
    <policy name="NoNetworkIcon" class="User" displayName="$(string.NoNetworkIcon)" explainText="$(string.NoNetworkIcon_Help)" key="Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum" valueName="{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}">
      <parentCategory ref="windows:Desktop" />
      <supportedOn ref="windows:SUPPORTED_WindowsXP" />
      <enabledValue>
        <decimal value="1" />
      </enabledValue>
      <disabledValue>
        <decimal value="0" />
      </disabledValue>
    </policy>
  </policies>
</policyDefinitions>


en-us\CustomDesktop.adml:
<?xml version="1.0" encoding="utf-8"?>
<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <displayName>enter display name here</displayName>
  <description>enter description here</description>
  <resources>
    <stringTable>
      <string id="NoNetworkIcon">Remove Network icon on the desktop</string>
      <string id="NoNetworkIcon_Help">This setting hides Network from the desktop and from the new Start menu. This setting allows administrators to restrict their users from seeing Network in the shell namespace, allowing them to present their users with a simpler desktop environment.

If you enable this setting, Network is hidden on the desktop, the new Start menu, the Explorer folder tree pane, and the Explorer Web views.

If you disable this setting, Network is displayed as usual, appearing as normal on the desktop, Start menu, folder tree pane, and Web views, unless restricted by another setting.

If you do not configure this setting, the default is to display Network as usual.</string>
    </stringTable>
  </resources>
</policyDefinitionResources>


0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 37722357
"If you're already managing your policies from W2k8/Win7,"


Then you don't need any custom ADM, ADMX or ADML files... You would use GPP
0
 
LVL 84

Accepted Solution

by:oBdA
oBdA earned 500 total points
ID: 37722517
That's purely a matter of preference (pun intended). Since there are already three policies removing other icons in the default settings (My Documents, My Computer, Recycle Bin), I'd prefer to find this together with the rest.
Plus, as I said, the /policies/ keys are meant for real policies, not for manual manipulation, and GPP is basically Yet Another Registry Editor.
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 37722532
The whole point of GPP is to get rid of registry edits, scripts, and importing templates! I'm sure everyone's "Preference" would be to do it the easier way.
0
