Solved

How to use Run as command in a script

Posted on 2012-03-14
540 Views
Last Modified: 2012-03-15
My current environment is Windows 7 workstations and a Windows Server 2003 DC and servers.
All domain users are just users with no Administrator privileges.

I need to create a batch file that adds a reg key to the registry; this batch should run at machine startup through Group Policy.

The problem is that I need this batch to run with admin rights so it can access the registry editor.

How can I use the local administrator account to run this batch?

I am flexible to use any scripting language, just advise on the commands.
Question by:mostabdo
Assisted Solution by oBdA (ID: 37719741)
That's the wrong approach, sorry.
A script that is applied to a computer as startup script will run in the local System security context. It can do to HKLM whatever it feels like, and UAC is not active for the System account.
In other words: if you want to change settings in HKLM, use a startup script applied to the computers in question. I'd recommend using reg.exe instead of regedit.exe (see examples below); regedit is mainly a GUI tool, whereas reg.exe is a command line tool.
Note that if the startup script accesses network shares, the computer objects need the appropriate permissions to access the shares (note, too, that all domain computer objects by default are members of "Authenticated Users" as well as "Domain Computers").

If you want to change settings in HKCU, a startup script won't help anything, because HKCU is the logged on user's registry. You'll need a logon script applied to the user objects in question.
With the exception of the HKCU\...\policies\... keys, a user has write access to his registry.
You can use reg.exe to set user registry keys directly or import a registry file; unlike regedit.exe, reg.exe does not require a UAC confirmation.
In other words: if you want to change settings in HKCU outside of \policies\, use a logon script applied to the users in question, and use reg.exe instead of regedit.exe (or a VB script).
Example for the use of reg.exe to import a reg file:
reg.exe import "S:\ome\file.reg"


Example for the use of reg.exe to set a registry value:
reg.exe add "HKCU\Software\Acme" /v "SomeValue" /t "REG_SZ" /d "Some Data for the value" /f


If you want to write to HKCU\...\policies\..., use a group policy applied to the users with the according policies configured. These keys are not meant to be set manually, and users may not write to them for a good reason, because they contain administrative restrictions. "runas" won't help anything here, either, because HKCU would be the Administrator's HKCU, not the one of the user starting the "runas" command.
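The startup-script approach described in the answer above, as an added example that is not part of oBdA's answer or of the original post: a computer startup script that sets an HKLM value while running as SYSTEM, checks what context it is actually running in, only writes when the value differs, and reads the value back before reporting success. The defaults mirror the reg.exe command used later in this thread; the script name, the log location under ProgramData and the event wording are assumptions.

```powershell
<#
  Set-PolicyValue.ps1 - assigned as a Computer Configuration startup script.
  Added example, not from the original post. Under a startup script this runs
  as NT AUTHORITY\SYSTEM, so HKLM is writable without runas and without UAC.
  Defaults mirror the reg.exe line used in this thread; LogPath is assumed.
#>
[CmdletBinding()]
param(
    [string]$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum',
    [string]$ValueName = '{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}',
    [int]   $Value     = 1,
    [string]$LogPath   = "$env:ProgramData\StartupScripts\policy.log"   # assumed location
)

function Write-Log([string]$Message) {
    $dir = Split-Path -Parent $LogPath
    if (-not (Test-Path -LiteralPath $dir)) {
        New-Item -ItemType Directory -Path $dir -Force | Out-Null
    }
    "$(Get-Date -Format s) $Message" | Add-Content -LiteralPath $LogPath
}

# Record the security context. A startup script reports NT AUTHORITY\SYSTEM;
# if a standard user launches this by hand, the HKLM write below is expected to fail.
$who = [Security.Principal.WindowsIdentity]::GetCurrent().Name
if ($who -ne 'NT AUTHORITY\SYSTEM') {
    Write-Log "WARNING: running as $who, not SYSTEM; HKLM write may be denied"
}

try {
    if (-not (Test-Path -LiteralPath $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
        Write-Log "created key $KeyPath"
    }

    # Idempotent: compare first, write only if the stored value differs.
    $current = (Get-ItemProperty -LiteralPath $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    if ($current -eq $Value) {
        Write-Log "$KeyPath\$ValueName already $Value; nothing to do"
    } else {
        New-ItemProperty -LiteralPath $KeyPath -Name $ValueName -PropertyType DWord -Value $Value -Force | Out-Null
        Write-Log "set $KeyPath\$ValueName = $Value (was '$current')"
    }

    # Read back so the log records what the registry actually holds, not what was intended.
    $after = (Get-ItemProperty -LiteralPath $KeyPath -Name $ValueName).$ValueName
    if ($after -ne $Value) { throw "verification failed: value is '$after'" }
    exit 0
}
catch {
    Write-Log "ERROR: $($_.Exception.Message)"
    exit 1
}
```

Assign it under Computer Configuration, Windows Settings, Scripts (Startup/Shutdown), Startup; the Group Policy editor on Windows 7 / Server 2008 R2 has a PowerShell Scripts tab for this, while older editors such as the one on Windows Server 2003 only take .bat/.cmd, so there you add a one-line batch that runs `powershell.exe -NoProfile -ExecutionPolicy Bypass -File "%~dp0Set-PolicyValue.ps1"`. One caveat worth checking before you deploy: a startup script runs as SYSTEM on every computer the GPO applies to, so anyone who can modify the script file (in the GPO's own SYSVOL folder, or on whatever share you point it at) effectively gets SYSTEM on all of those machines. Keep the script in the GPO's SYSVOL Scripts\Startup folder and confirm that only the administrators who manage the GPO can write there.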
Author Comment by mostabdo (ID: 37721228)
Well... thank you so much for the explanation. I need to add a key to the HKLM; I used the command below in a batch file (AA.bat):

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum /v {F02C1A0D-BE21-4350-88B0-7367FC96EF3C} /t REG_DWORD /d 00000001 /f

So I will add AA.bat to the startup script and the machine should apply it without problems... is that right?
Assisted Solution by oBdA (ID: 37722340)
The above script would work, but as I said, the policies key shouldn't be changed directly.
I'd recommend actually using the "User Configuration/HKCU" key and applying it to any users you want to restrict; setting this under Computer Configuration/HKLM will remove the icon for everybody, including administrators.

The first file below is a traditional adm file. You can use it by opening the GPO you want it in, in the GP editor, right-clicking "Administrative Templates", then "Add/Remove templates" and browsing to the adm file. In your GP editor, you should now have a new entry "Remove Network icon on the desktop" under "Administrative Templates\Custom Desktop" both in Computer and User Configuration.

If you're already managing your policies from W2k8/Win7, you should have a folder C:\Windows\PolicyDefinitions on your DC; in this case, don't use the adm file. Instead, copy the CustomDesktop.admx file below into that folder, and the CustomDesktop.adml file into the subfolder "en-us".
In your GP editor, you should now have a new entry "Remove Network icon on the desktop" under "Administrative Templates\Desktop" both in Computer and User Configuration.
CustomDesktop.adm:
CLASS MACHINE
CATEGORY "Custom Desktop"
  POLICY "Remove Network icon on the desktop"
    KEYNAME "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum"
    EXPLAIN "This setting hides Network from the desktop and from the new Start menu if enabled.\n\nIf you enable this setting, Network is hidden on the desktop, the new Start menu, the Explorer folder tree pane, and the Explorer Web views.\n\nIf you disable this setting, Network is displayed as usual, appearing as normal on the desktop, Start menu, folder tree pane, and Web views, unless restricted by another setting."
    VALUENAME "{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}"
    VALUEON NUMERIC 1
    VALUEOFF NUMERIC 0
  END POLICY
END CATEGORY

CLASS USER
CATEGORY "Custom Desktop"
  POLICY "Remove Network icon on the desktop"
    KEYNAME "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum"
    EXPLAIN "This setting hides Network from the desktop and from the new Start menu if enabled.\n\nIf you enable this setting, Network is hidden on the desktop, the new Start menu, the Explorer folder tree pane, and the Explorer Web views.\n\nIf you disable this setting, Network is displayed as usual, appearing as normal on the desktop, Start menu, folder tree pane, and Web views, unless restricted by another setting."
    VALUENAME "{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}"
    VALUEON NUMERIC 1
    VALUEOFF NUMERIC 0
  END POLICY
END CATEGORY


CustomDesktop.admx:
<?xml version="1.0" encoding="utf-8"?>
<policyDefinitions xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <policyNamespaces>
    <target prefix="custom" namespace="Custom.Policies.WindowsDesktop" />
    <using prefix="windows" namespace="Microsoft.Policies.Windows" />
  </policyNamespaces>
  <resources minRequiredRevision="1.0" />
  <policies>
    <policy name="NoNetworkIconMachine" class="Machine" displayName="$(string.NoNetworkIcon)" explainText="$(string.NoNetworkIcon_Help)" key="Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum" valueName="{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}">
      <parentCategory ref="windows:Desktop" />
      <supportedOn ref="windows:SUPPORTED_WindowsXP" />
      <enabledValue>
        <decimal value="1" />
      </enabledValue>
      <disabledValue>
        <decimal value="0" />
      </disabledValue>
    </policy>
    <policy name="NoNetworkIcon" class="User" displayName="$(string.NoNetworkIcon)" explainText="$(string.NoNetworkIcon_Help)" key="Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum" valueName="{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}">
      <parentCategory ref="windows:Desktop" />
      <supportedOn ref="windows:SUPPORTED_WindowsXP" />
      <enabledValue>
        <decimal value="1" />
      </enabledValue>
      <disabledValue>
        <decimal value="0" />
      </disabledValue>
    </policy>
  </policies>
</policyDefinitions>


en-us\CustomDesktop.adml:
<?xml version="1.0" encoding="utf-8"?>
<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <displayName>enter display name here</displayName>
  <description>enter description here</description>
  <resources>
    <stringTable>
      <string id="NoNetworkIcon">Remove Network icon on the desktop</string>
      <string id="NoNetworkIcon_Help">This setting hides Network from the desktop and from the new Start menu. This setting allows administrators to restrict their users from seeing Network in the shell namespace, allowing them to present their users with a simpler desktop environment.

If you enable this setting, Network is hidden on the desktop, the new Start menu, the Explorer folder tree pane, and the Explorer Web views.

If you disable this setting, Network is displayed as usual, appearing as normal on the desktop, Start menu, folder tree pane, and Web views, unless restricted by another setting.

If you do not configure this setting, the default is to display Network as usual.</string>
    </stringTable>
  </resources>
</policyDefinitionResources>


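A check to run on a custom ADMX/ADML pair like the one above before copying it into PolicyDefinitions, as an added example that is not part of oBdA's answer: it confirms that every $(string.X) reference in the ADMX resolves in the ADML string table, flags any policy whose key sits outside the two policy roots (Software\Policies and Software\Microsoft\Windows\CurrentVersion\Policies, the keys that Group Policy cleans up when the GPO no longer applies, as opposed to settings that "tattoo" the registry), and prints the exact reg.exe write each policy performs when Enabled or Disabled so you can compare it with the reg add line used earlier in this thread. The embedded XML is a trimmed copy of the CustomDesktop.admx/.adml files posted above, labelled as such so the script runs without files; the PolicyDefinitions paths in the commented usage are assumptions.

```powershell
# Test-AdmxPair.ps1 - added example, not part of the original answer.
# Validates an ADMX/ADML pair and shows the registry write behind each policy.

function New-RegCommand([string]$Hive, [string]$Key, [string]$Name, [string]$Data) {
    # The reg.exe equivalent of what the policy writes when applied.
    "reg.exe add `"$Hive\$Key`" /v `"$Name`" /t REG_DWORD /d $Data /f"
}

function Test-AdmxPair {
    param([Parameter(Mandatory=$true)][xml]$Admx, [Parameter(Mandatory=$true)][xml]$Adml)

    # ADML string table: id -> display text
    $strings = @{}
    foreach ($s in $Adml.policyDefinitionResources.resources.stringTable.string) {
        $strings[$s.id] = $s.InnerText
    }
    # Keys outside these roots are not removed when the GPO stops applying (they tattoo).
    $policyRoots = '^Software\\Policies\\', '^Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\'

    foreach ($p in $Admx.policyDefinitions.policies.policy) {
        $problems = @()
        $title = $null
        foreach ($attr in 'displayName', 'explainText') {
            if ($p.$attr -match '^\$\(string\.([^)]+)\)$') {
                if ($strings.ContainsKey($Matches[1])) {
                    if ($attr -eq 'displayName') { $title = $strings[$Matches[1]] }
                } else {
                    $problems += "unresolved $attr $($p.$attr)"
                }
            } else {
                $problems += "$attr is not a `$(string.X) reference"
            }
        }
        if (-not ($policyRoots | Where-Object { $p.key -match $_ })) {
            $problems += "key '$($p.key)' is outside the policy roots (setting will tattoo)"
        }
        $hive = if ($p.class -eq 'Machine') { 'HKLM' } else { 'HKCU' }
        New-Object PSObject -Property @{
            Policy    = $p.name
            Class     = $p.class
            Title     = $title
            OnEnable  = New-RegCommand $hive $p.key $p.valueName $p.enabledValue.decimal.value
            OnDisable = New-RegCommand $hive $p.key $p.valueName $p.disabledValue.decimal.value
            Problems  = ($problems -join '; ')
        } | Select-Object Policy, Class, Title, OnEnable, OnDisable, Problems
    }
}

# Trimmed copies of the CustomDesktop files from this thread (constructed test input).
$admxText = @'
<policyDefinitions revision="1.0" schemaVersion="1.0"
    xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <policyNamespaces>
    <target prefix="custom" namespace="Custom.Policies.WindowsDesktop" />
    <using prefix="windows" namespace="Microsoft.Policies.Windows" />
  </policyNamespaces>
  <resources minRequiredRevision="1.0" />
  <policies>
    <policy name="NoNetworkIconMachine" class="Machine" displayName="$(string.NoNetworkIcon)"
            explainText="$(string.NoNetworkIcon_Help)"
            key="Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum"
            valueName="{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}">
      <parentCategory ref="windows:Desktop" />
      <supportedOn ref="windows:SUPPORTED_WindowsXP" />
      <enabledValue><decimal value="1" /></enabledValue>
      <disabledValue><decimal value="0" /></disabledValue>
    </policy>
    <policy name="NoNetworkIcon" class="User" displayName="$(string.NoNetworkIcon)"
            explainText="$(string.NoNetworkIcon_Help)"
            key="Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum"
            valueName="{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}">
      <parentCategory ref="windows:Desktop" />
      <supportedOn ref="windows:SUPPORTED_WindowsXP" />
      <enabledValue><decimal value="1" /></enabledValue>
      <disabledValue><decimal value="0" /></disabledValue>
    </policy>
  </policies>
</policyDefinitions>
'@
$admlText = @'
<policyDefinitionResources revision="1.0" schemaVersion="1.0"
    xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <displayName>Custom desktop policies</displayName>
  <description>Hides the Network icon</description>
  <resources>
    <stringTable>
      <string id="NoNetworkIcon">Remove Network icon on the desktop</string>
      <string id="NoNetworkIcon_Help">Hides Network from the desktop and the Start menu.</string>
    </stringTable>
  </resources>
</policyDefinitionResources>
'@

Test-AdmxPair -Admx ([xml]$admxText) -Adml ([xml]$admlText) | Format-List

# Against the deployed files (paths assumed):
# Test-AdmxPair -Admx ([xml](Get-Content -Raw "$env:SystemRoot\PolicyDefinitions\CustomDesktop.admx")) `
#               -Adml ([xml](Get-Content -Raw "$env:SystemRoot\PolicyDefinitions\en-US\CustomDesktop.adml"))
```

For the two policies above the OnEnable line comes out as `reg.exe add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum" /v "{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}" /t REG_DWORD /d 1 /f` for the Machine policy and the same under HKCU for the User policy, i.e. exactly the write the author's batch file performs, with Problems empty. Delete a `<string>` from the ADML, or point `key` at a path outside the policy roots, and the Problems column tells you before the template ever reaches a DC; an unresolved string reference is what shows up in the GP editor as a template that fails to load.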
Expert Comment by dstewartjr (ID: 37722357)
"If you're already managing your policies from W2k8/Win7,"

Then you don't need any custom ADM, ADMX or ADML files... You would use GPP.
Accepted Solution by oBdA (ID: 37722517)
That's purely a matter of preference (pun intended). Since there are already three policies removing other icons in the default settings (My Documents, My Computer, Recycle Bin), I'd prefer to find this together with the rest.
Plus, as I said, the /policies/ keys are meant for real policies, not for manual manipulation, and GPP is basically Yet Another Registry Editor.
Expert Comment by dstewartjr (ID: 37722532)
The whole point of GPP is to get rid of registry edits, scripts, and importing templates! I'm sure everyone's "preference" would be to do it the easier way.