robklubs
asked on
Group Policy (GPO) Scripts run from 2012 domain run as admin/elevated
Hello all!
We are using a Powershell script that maps a drive. Running the script locally (non-elevated) works perfectly. Running the script using group policy does not work as expected.
I've put the script in User Configuration | Policies | Windows Settings | Scripts | Logon
When running the script from the GPO, the script completes but does not map drives in an accessible manner. No errors come up. Looking in Windows Explorer the mapped drive is not there. However, if I run "net use" from an elevated command prompt I see the drive. For some reason that I can't put my finger on, the script is running with an admin token when running from GPO. It maps the drive, but elevated, so I can't access it without elevating everything.
The script is just a batch file that runs this command:
powershell.exe -NoProfile -ExecutionPolicy bypass -command ScriptName.ps1
The Powershell script runs a net use command (among other things) to map the drive. Again, if it is run locally (without any elevation) the drive maps with no issue, accessible from Windows Explorer, etc.
The script is running on a Win8.1 x64 machine on a Windows 2012 AD domain.
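The following diagnostic is an added example for the token-context problem described in the post above; it is not code from the original thread. It can be called from ScriptName.ps1 or run as its own GPO logon script, and records which token the GPO launched it with and which mapped drive letters that token can see. The log path is an assumed placeholder.

```powershell
# Added diagnostic, not from the original thread. Assumption: $LogPath is a
# placeholder; pick a location the logged-on user can write to.
$LogPath = Join-Path $env:LOCALAPPDATA 'gpo-logon-token.log'

function Get-LogonTokenContext {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    # With UAC on, the filtered (non-elevated) token carries Administrators as
    # deny-only, so IsInRole is $false there and $true only on the elevated token.
    $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    # whoami reports the integrity label the token actually carries
    # (e.g. 'Mandatory Label\High Mandatory Level' for an elevated process).
    $label = (whoami /groups /fo csv | ConvertFrom-Csv |
              Where-Object { $_.'Group Name' -like '*Mandatory Level' }).'Group Name'
    # Drive letters mapped in *this* token context; elevated and filtered
    # tokens keep separate drive-letter tables, which is why Explorer saw nothing.
    $drives = (net use 2>$null |
               Select-String '^\s*(OK|Disconnected|Unavailable)\s+([A-Z]:)' |
               ForEach-Object { $_.Matches[0].Groups[2].Value }) -join ','
    [pscustomobject]@{
        Time      = Get-Date -Format o
        User      = $identity.Name
        Elevated  = $elevated
        Integrity = $label
        Session   = (Get-Process -Id $PID).SessionId
        Drives    = if ($drives) { $drives } else { '(none visible)' }
    }
}

$ctx = Get-LogonTokenContext
"$($ctx.Time) user=$($ctx.User) elevated=$($ctx.Elevated) integrity='$($ctx.Integrity)' session=$($ctx.Session) drives=$($ctx.Drives)" |
    Add-Content -Path $LogPath
# An 'elevated=True' / 'High Mandatory Level' line while Explorer shows no drive
# confirms the GPO ran the script on the elevated token, as observed above.
```

Comparing a line logged by the GPO-launched run with one logged from a non-elevated interactive run makes the token difference visible without guessing.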
UAC strikes again. Don't use logon scripts. Use group policy preferences instead. It's designed for such things.
ASKER
Thanks for the comment. Can you point me in the right direction with group policy preferences? I'm not sure what you mean.
Technet has blogs on the subject. They've been around since Vista. They are easy to figure out.
ASKER
I think you're referring to User Configuration | Preferences | Windows Settings | Drive Maps
If so, I don't think that would work as the Powershell script we run enumerates the path based on information for which the script prompts. It also generates a user specific location with other variables as well for Office365.
ASKER
Just to be clear, the method provided will not work. It's for predetermined network shares.
Really my question boils down to this - how does one run a script at login via GPO that does not run with an admin token?
ASKER CERTIFIED SOLUTION
ASKER
No expert solutions were given that were reasonable, found this workaround on my own. Gave plenty of time for experts to chime in - questions do not receive all that much attention.