Run batch file elevated through group policies

I have a batch file that I wrote to upgrade a software package on my systems. This batch files makes a registry change so needs to run with admin privileges. I can run it manually from and elevated command prompt with no problem. When I place the script in my Domain Group policy to run at startup it twill not run.
Jerry AtkinsIT TechAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Shaun VermaakTechnical SpecialistCommented:
When I place the script in my Domain Group policy to run at startup it twill not run.
This issue is not admin rights. Startup scripts start with that. Can you post script?
Jerry AtkinsIT TechAuthor Commented:
Here is the batch file. renamed it to a text file for upload purposes
Firerms.txt
DonNetwork AdministratorCommented:
On the folder that the script needs access to, do you have Read & Execute permissions  granted to the Domain Computers group ?
Big Business Goals? Which KPIs Will Help You

The most successful MSPs rely on metrics – known as key performance indicators (KPIs) – for making informed decisions that help their businesses thrive, rather than just survive. This eBook provides an overview of the most important KPIs used by top MSPs.

Jerry AtkinsIT TechAuthor Commented:
Authenticated users have permissions to the share and security to the folder to read and execute, I can add domain computers as well
DonNetwork AdministratorCommented:
Found this

http://skatterbrainz.blogspot.ie/2009/04/login-scripts-vs-start-up-scripts.html

With start-up scripts, the processing occurs after the Windows kernel is loaded and initialized, but prior to the CTRL-ALT-DEL prompt. It runs under the local "SYSTEM" account context, so it has local administrative rights. However, by default, it does not have any rights outside of the computer. Whereas a user account typically is domain-based, it has rights to at least some remote resources (shares, folders, files) over the network. The SYSTEM account does not. There is another local account which is intended for such uses, named "Network" or "Network Service" (depending upon which Windows version you're using).

 

From the perspective of an Active Directory or NetBIOS (workgroup) environment, when a task runs as SYSTEM and tries to reach out to remote resources, it is seen as COMPUTER$ (where COMPUTER is the NetBIOS name of the computer). This account exists in Active Directory for the purposes of establishing and maintaining trusts and delegation rights to enable the computer to participate within the domain. Computer accounts are only added to the "Domain Computers" group, which in turn is NOT added to any other groups - by default. Therefore, it has no inherent (explicit or implicit) rights to anything over the network. This is the single-most often troublesome issue for people wanting to use start-up scripts. They forget to grant permissions to remote shares/folders for either the explicit COMPUTER$ account, or the "Domain Computers" group. Once that's done, things usually work well.
Jerry AtkinsIT TechAuthor Commented:
I have given Domain Computers group access to the shared folder, but it still is not running
Shaun VermaakTechnical SpecialistCommented:
Just a question, why use script?

Do this with GPO Registry Preferences and item level filter
REM // Set Registry Key for SQL Server
IF !OS_64!==1 (
	reg add HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\ODBC\ODBC.INI\RMS5SQL_DSN   /v Server /t REG_SZ /d XXXX  /f 
	) ELSE (
	reg add HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\ODBC.INI\RMS5SQL_DSN   /v Server /t REG_SZ /d XXXX  /f 
	)

Open in new window


Deploy this as a software package
		>>!rms_updatelog! ECHO Installing new version...
		>>!rms_updatelog! ECHO Log: !rms_setuplog!
		>>!rms_updatelog! msiexec.exe /X {524EE37E-4E8E-42F1-A92E-0C1E8398F747} /qn /L* !rms_setuplog!
		>>!rms_updatelog! msiexec /i "c:\temp\FireRMS\FireRMS.msi" ALLUSERS=2" /L* !rms_setuplog!
		>>!rms_updatelog! ECHO Errorlevel: %ERRORLEVEL%

Open in new window


Do this with GPO Environmental variables and item level filter
	FOR /F %%F IN (' ipconfig/all ^| find /i /c "Default Gateway . . . . . . . . . : 10.139.30" ') DO (
		IF %%F GEQ 1 (
			SET ServerLocation="\\XXXX\IT\Deploy\FireRMS"
		)
	)

Open in new window

Jerry AtkinsIT TechAuthor Commented:
I am using script because this is what I am familiar with, and was able to modify the script  from one an associate had written in the past.
McKnifeCommented:
https://www.experts-exchange.com/articles/25279/Overcoming-software-deployment-pitfalls-on-modern-Windows.html describes issues with fast startup. Those include your problem. Read it thoroughly.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Jerry AtkinsIT TechAuthor Commented:
Thanks I have read this, I need to go but I will try it tomorrow.
Jerry AtkinsIT TechAuthor Commented:
I was out at a remote site this morning I tried setting the HiberbootEnabled to 0 in the registry on a windows 10 computer with no luck, It also does not run on windows 7 computers either
McKnifeCommented:
This is a very basic thing and cannot go wrong. Either what Don says is true and your permission entries are not allowing the system account (=the group domain computers) access to the script or resources that script calls or I don't know what.
To test, download psexec from Microsoft, and on an elevated command shell which runs as system account, launch
psexec -s -i cmd
On the new shell which will appear after that command, launch your start script so that you can see it running interactively as system account and will get aware of errors.
McKnifeCommented:
You found a solution? Please share it, so other scan benefit.
Jerry AtkinsIT TechAuthor Commented:
The solution for Windows 10 was the registry change as mentioned above to disable the fast startup when shutdown. The Windows 7 machine I was using for testing had not been online for a while for some reason it was not syncing properly with the network. I tried a different windows 7 machine and it worked right away. So the second computer I forced some updates and got it active, after that the script ran properly.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Software

From novice to tech pro — start learning today.