Logon Script Requires Local Admin

Posted on 2013-10-16
Medium Priority
Last Modified: 2013-10-17
I am trying to run a logon script that maps LPT1 to the user logging on to the Server 2008 R2 server. The command in the logon script field of the Active Directory user object is:

net use lpt1 \\clientcomputer\printer /persistent:yes

The only way the logon script succeeds is if the user logging into the server is a local administrator.

Disabling the UAC does not work.

How can I allow the user to not be an administrator and still have the lpt1 created?
Is there a registry setting I need to modify permissions on?
Question by:kwoznica732

Author Comment

ID: 39576774
This doesn't seem to work with LPT1. Maybe with normal printers it works but our application requires LPT1.
Group policy printer deployment isn't possible either because a UNC path isn't possible.

Why does net use lpt1 \\clientsystem\printer require administrator permissions?
LVL 25

Expert Comment

by:Ron Malmstead
ID: 39578641
LVL 25

Expert Comment

by:Ron Malmstead
ID: 39578643
Do they have permissions on the client machine/printer share?

LVL 38

Expert Comment

by:Jim P.
ID: 39578683
Have you tried making them Printer Operators?
LVL 25

Expert Comment

ID: 39578689
Take a look at an article that I wrote explaining this.
It illustrates how to deploy a shared printer, but you can select Local Printer instead and get the results.
Hope it helps
This also eliminates the need for scripts and will overcome the UAC issue.

LVL 65

Accepted Solution

RobSampson earned 2000 total points
ID: 39578708
The only blocker that I know of (stemming from an old Windows XP issue) with non-admins not being able to map LPT1, is that the LPT1 port needed to be "disabled" from the "Device Manager" on the computer.  Once the port was disabled, the net use worked for non-admins.


LVL 78

Expert Comment

by:Rob Williams
ID: 39578717
Net use Lpt1 is limited to admin users, and has been for many years.  There is a workaround using Devcon that used to work with 2000 and XP, and I suspect may still:
LVL 65

Expert Comment

ID: 39578731

LVL 44

Expert Comment

by:Davis McCarn
ID: 39579400
You need to run it as a STARTUP script one time, which will then use the system account and work.

Author Closing Comment

ID: 39579470
Yes, right on the money with your solution RobSampson.

I can confirm this is also true for Server 2008 R2 now. I actually went into the device manager and uninstalled it. Logged onto the server via RDP as a non admin and was able to add the lpt1 port via the logon script and print to the client system successfully.
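
The check described in the accepted solution, written as a logon script (an added example, not code posted by anyone in this thread): it records whether the session is elevated, looks for an enabled physical LPT1 device, and then runs the same `net use` command from the question. The share name is the placeholder from the question, and the log path is an assumption.

```powershell
# Added example (not from the thread): diagnose and map LPT1 at logon
# without making the user a local administrator.
$share   = '\\clientcomputer\printer'            # placeholder share from the question
$logFile = Join-Path $env:TEMP 'lpt1-logon.log'  # assumed log location

function Write-Log([string]$Message) {
    "{0}  {1}" -f (Get-Date -Format s), $Message | Add-Content -Path $logFile
}

# Is this session running with an elevated local Administrators token?
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Log ("User {0}, elevated admin: {1}" -f $identity.Name, $isAdmin)

# Device Manager shows the physical port with "(LPT1)" in its name.
# ConfigManagerErrorCode 0 = enabled and working, 22 = disabled.
# An uninstalled device returns no object at all.
$ports = @(Get-WmiObject -Class Win32_PnPEntity |
    Where-Object { $_.Name -like '*(LPT1)*' })

foreach ($p in $ports) {
    Write-Log ("Found '{0}', ConfigManagerErrorCode {1}" -f $p.Name, $p.ConfigManagerErrorCode)
}
$enabled = @($ports | Where-Object { $_.ConfigManagerErrorCode -eq 0 })

if ($enabled.Count -gt 0 -and -not $isAdmin) {
    # This is the condition the accepted solution describes as the blocker.
    Write-Log 'Physical LPT1 is enabled; disable it in Device Manager instead of granting local admin.'
}

# Same command as in the question; capture its output for the log.
$output = & net.exe use lpt1 $share /persistent:yes 2>&1
Write-Log ("net use exit code {0}: {1}" -f $LASTEXITCODE, ($output -join ' '))
exit $LASTEXITCODE
```

The log lets you confirm on each server whether the port state, rather than group membership, is what makes the mapping fail.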
