2

I'm using a logon batch script to copy some dll files into the c:\windows\system32 folder and register them with the regsvr32 command.

However, both actions fail.

I'm applying the script here: user configuration\policies\scripts (logon/logoff)/logon

The script itself does get executed. However, it just doesn't perform anything that requires admin credentials.

How can I fix this?

Force Flow

2 Answers

5

Using a User Logon Script policy will always run the script as the user. There's no getting around that. As an alternative, you could consider using a Computer Startup Script. These are executed as the Local System account, which will have privs roughly equivalent to a local administrator account.

MDMarra
  • ok, I added it as a computer startup script, rebooted the workstation, but the script didn't appear to run at all. The script creates a text file on the desktop when it runs (so that I know when it actually runs) – Force Flow Jun 08 '12 at 18:57
  • Did you wait for the group policy refresh interval to pass or run `gpupdate /force`? Also, is the script in a place where `Domain Computers` has read access? – MDMarra Jun 08 '12 at 19:31
  • Yes, I ran `gpupdate /force`. Yes, the script is freely accessible by domain computers in `mydomain.local\netlogon`. – Force Flow Jun 08 '12 at 19:37
  • What does `gpresult /H` tell you? Is the policy being applied? If so, is there anything useful in the event log? – MDMarra Jun 08 '12 at 19:54
  • All the policies for the user configuration summary appear. However, nothing appears under the computer configuration summary. In the workstation's event logs, there are no errors or warnings. – Force Flow Jun 08 '12 at 20:56
  • Seeing as this was originally a user based Logon script, under which user account/profile does it create the desktop file? I'm assuming it was set to create it under the context of the user account that was logging on and would be created on that user's desktop. Since it's now a computer based Startup script you'll probably need to create the file in the All Users or Public desktop. – joeqwerty Jun 08 '12 at 21:55
  • I hard-coded the path as `echo test >> C:\users\testuser\desktop\test.txt`, since you brought up a good point with this, I went ahead and changed it to `echo test >> c:\test.txt`. After running `gpupdate /force` there was no text file, and the application that needs the dll files still threw error messages looking for them. I also viewed in task manager's processes tab for all users and I didn't see the cmd process execute. – Force Flow Jun 08 '12 at 22:30
  • Keep in mind that this GPO is assigned to an active directory user group, not a computer, computer group, or OU. I was under the assumption that anything under the `computer configuration` didn't function when the GPO was assigned to users or user groups. – Force Flow Jun 08 '12 at 22:32
  • What do you mean? You don't assign GPOs to users or groups. You assign them to OUs – MDMarra Jun 08 '12 at 22:33
  • I was using the `security filtering` on the GPO. – Force Flow Jun 08 '12 at 23:22
  • A couple of things: 1. Logon and Startup scripts don't run due to a `gpupdate /force`, they only run at startup or logon. 2. Startup scripts are Computer settings and thus need to be in a GPO linked to the Domain or OU where the computer object exists. 3. Group Policy isn't applied to groups (despite the name), GPO is applied to objects in the SCOM of the GPO and can be filtered (to apply or not apply) based on group membership as well as several other methods. – joeqwerty Jun 08 '12 at 23:41
  • 1) I rebooted after applying gpupdate /force. 2) GPOs are linked to the domain, but in certain GPOs (like this one I posted about), in the `security filtering` section, I took out `authenticated users` and just list the groups or users I wish to target. So, I suppose I'm actually filtering, rather than assigning. – Force Flow Jun 09 '12 at 00:31
  • Right, but again, Startup scripts are Computer settings not user settings. By filtering on a user group you're essentially nullifying the Startup script because it's a computer setting... you can't filter a Computer setting based on a user or user group. You could filter it based on a computer object or computer group though. – joeqwerty Jun 09 '12 at 01:41
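
As an added example (not code posted by anyone in this thread), here is a Computer Startup script for the approach described in the answer and comments above: it logs which account it runs as, stops if it lacks an elevated token, then copies and registers the DLLs. The `dlls` subfolder under the share, the DLL file names and the log path are placeholders assumed for illustration.

```batch
@echo off
rem Added example: Computer Startup script, expected to run as Local System.
rem Assumptions (placeholders): SRC subfolder, DLL names, LOG path.
rem Because this runs as SYSTEM, SRC must be writable by administrators only
rem and readable by Domain Computers.
setlocal enableextensions
set "SRC=\\mydomain.local\netlogon\dlls"
set "DST=%SystemRoot%\System32"
set "LOG=%SystemRoot%\Temp\dll-deploy.log"
set "FAILED=0"

rem Log the security context so the file shows whether the script ran at all
rem and under which account (a per-user desktop path is the wrong place).
>>"%LOG%" echo [%date% %time%] startup script begin
whoami >>"%LOG%" 2>&1

rem S-1-16-12288 = High integrity, S-1-16-16384 = System integrity.
rem A plain user logon script has neither, which is why the copy fails there.
whoami /groups | findstr /c:"S-1-16-12288" /c:"S-1-16-16384" >nul
if errorlevel 1 (
    >>"%LOG%" echo no elevated token, nothing done
    exit /b 1
)

for %%F in (example1.dll example2.dll) do (
    copy /y "%SRC%\%%F" "%DST%\%%F" >>"%LOG%" 2>&1
    if errorlevel 1 (
        >>"%LOG%" echo copy failed: %%F
        set "FAILED=1"
    ) else (
        rem /s suppresses dialogs; nobody is logged on to dismiss them.
        regsvr32 /s "%DST%\%%F"
        if errorlevel 1 (
            >>"%LOG%" echo regsvr32 failed: %%F
            set "FAILED=1"
        ) else (
            >>"%LOG%" echo registered: %%F
        )
    )
)

>>"%LOG%" echo [%date% %time%] done, failed=%FAILED%
exit /b %FAILED%
```

If the log file never appears after a reboot, the GPO is not reaching the computer object, which matches the empty computer configuration summary reported in the comments.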
1

Whenever I need to run a script at logon with a specific account or security context, I create it as a scheduled task that is triggered at logon.

asdf