Solved

elevated privileges not working in VB logon script

Posted on 2015-01-02
Last Modified: 2015-01-04
I found myself unable to modify the registry or perform any other function that requires elevated privileges via a VB logon script at a client's network; however, I can use the logon script to map network drives and perform other functions that can be executed by local users and do not require elevated privileges.

For example, when I map the attached code as a logon script, I get the error message "The operation failed.0" at logon.
When I execute the same script manually after the logon, I get the message that it worked and it does create the key.

I got the same results after removing the Symantec Anti-Virus Client. Is there any software restriction policy in Windows 7 that would explain this behavior?

(The account I am using has local admin privileges.)

Const HKEY_LOCAL_MACHINE = &H80000002
strComputer = "."

' Connect to the WMI registry provider on the local computer
Set objRegistry = _
    GetObject("winmgmts:{impersonationLevel=impersonate}!\\" _
    & strComputer & "\root\default:StdRegProv")

strPath = "SOFTWARE\ScriptLogic\Device Agent\Global Settings\TEST"

' CreateKey reports success or failure through its return value (0 = success)
Return = objRegistry.CreateKey(HKEY_LOCAL_MACHINE, strPath)

If Return <> 0 Then
    ' Err.Number is only set by a runtime error, so it prints 0 here
    WScript.Echo "The operation failed." & Err.Number
    WScript.Quit
Else
    WScript.Echo "New registry key created" & vbCrLf _
        & "HKLM\" & strPath
End If

Question by: David
6 Comments
 
LVL 42

Accepted Solution

by:
kevinhsieh earned 250 total points
ID: 40528745
The login script will run under the context of the user, but the login script isn't elevated. From your script it looks like you are trying to modify part of HKLM of the registry, in which case I recommend that you run it as a startup script instead. Startup scripts run in the context of the LocalSystem account and will be able to modify that part of the registry.
0
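A diagnostic variant of the registry write, added here as an example and not part of the original thread: it reports the account the script runs under, asks StdRegProv whether that context may create subkeys under HKLM\SOFTWARE, and prints the provider's return code instead of Err.Number. The key name ContextCheckTest is a hypothetical placeholder; the script removes it again after a successful test.

```vbscript
Option Explicit

Const HKEY_LOCAL_MACHINE = &H80000002
Const KEY_CREATE_SUB_KEY = &H0004   ' access right that CreateKey needs on the parent key

Dim objNetwork, objRegistry, strParent, strTestKey, blnGranted, lngRc

' Show which security context the script is running in
' (the logged-on user for a logon script, the computer's system account for a startup script).
Set objNetwork = CreateObject("WScript.Network")
WScript.Echo "Running as: " & objNetwork.UserDomain & "\" & objNetwork.UserName

Set objRegistry = GetObject( _
    "winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")

strParent = "SOFTWARE"
strTestKey = strParent & "\ContextCheckTest"   ' hypothetical test key, not from the thread

' Ask the provider whether the current token may create subkeys under HKLM\SOFTWARE.
lngRc = objRegistry.CheckAccess(HKEY_LOCAL_MACHINE, strParent, _
                                KEY_CREATE_SUB_KEY, blnGranted)
If lngRc <> 0 Then
    WScript.Echo "CheckAccess failed, return code " & lngRc
    WScript.Quit 2
End If

If Not blnGranted Then
    WScript.Echo "This context cannot create keys under HKLM\" & strParent & _
                 "; assign the script as a computer startup script instead."
    WScript.Quit 1
End If

' The right is present, so attempt the write and report the real return code.
lngRc = objRegistry.CreateKey(HKEY_LOCAL_MACHINE, strTestKey)
If lngRc <> 0 Then
    WScript.Echo "CreateKey failed, return code " & lngRc
    WScript.Quit 2
End If
WScript.Echo "Created HKLM\" & strTestKey

' Remove the test key so the check leaves nothing behind.
lngRc = objRegistry.DeleteKey(HKEY_LOCAL_MACHINE, strTestKey)
If lngRc <> 0 Then WScript.Echo "Cleanup failed, return code " & lngRc
```

Run it once as a logon script and once as a startup script, with cscript.exe and the output redirected to a file, to compare the two contexts side by side.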
 
LVL 42

Expert Comment

by:kevinhsieh
ID: 40528746
I do not recommend that you turn off UAC.
0
 
LVL 32

Assisted Solution

by:Robberbaron (robr)
Robberbaron (robr) earned 250 total points
ID: 40528894
Kevin is correct.
But also, for a startup script, all files that are referenced in that script need to be available to an 'unauthenticated' user. So store them under the NETLOGON share on the login server (and be aware they are unsecured!).
0

 
LVL 42

Expert Comment

by:kevinhsieh
ID: 40529287
None of my startup scripts are under netlogon. They are in the normal location with the group policy files, which by default can be read by at least every computer and user.
0
 
LVL 32

Expert Comment

by:Robberbaron (robr)
ID: 40529597
Clarification... what I meant is any files other than the script itself.

One of my scripts copies and installs a DLL into each PC: the source location of the DLL has to be accessible by all.

Another logs its actions to a network file: the log file is in NetLogon.
0
 
LVL 42

Expert Comment

by:kevinhsieh
ID: 40530938
The other files placed alongside the startup script are accessible to the script. I do it all the time. I have startup scripts that copy DLL, EXE, etc. without issue. That area isn't generally WRITEABLE, however. Writing to NETLOGON might be less than ideal if you have more than one domain controller as your logs will end up on multiple servers.
0
