
I have this code (.bat file) that I want to run by going to each computer that is logged in and executing it. However, not all users have admin rights. Is there anything I can do without logging off to change the IPs from static to DHCP?

```bat
netsh interface ip set address name="Local Area Connection" source=dhcp
netsh interface ip set dns name="Local Area Connection" source=dhcp
```

Markaway

1 Answer


You really want to do this with Group Policy. You can set this as a computer startup script and it will run as the local SYSTEM account, which has permission to change these settings.

Otherwise, you can use psexec to run it remotely on a machine as a privileged user.

MDMarra
  • I tried it as a startup script but running gpresult seems to have it filtered out for some reason. – Markaway Dec 05 '12 at 16:27
  • You should try and track down why and fix it. Not being able to use Group Policy is crippling. – MDMarra Dec 05 '12 at 16:45
  • I added Auth Users, the name of the computer, and the user that logs in. None of it seems to make a difference. Is it safe to put the GPO directly under the domain name rather than in the OU? – Markaway Dec 05 '12 at 16:51
  • Why are you adding those? The default security filters for a GPO are fine in this case. What you *do* need to do is link a startup script to an OU where **computer** accounts are, since it's a computer policy and doesn't have anything to do with users. You also want to put the script somewhere that `Domain Computers` have read access to. If you're putting it in sysvol, it already has this permission. Also, it only runs at startup so reboot. If you link it at the domain level, it's going to apply to **every computer in the domain** including your servers. I doubt you actually want to do this. – MDMarra Dec 05 '12 at 16:54
  • I have my domain name listed, then below that I have: Domain Controllers, Employees, Servers, Group Policy Objects, WMIFilters, StarterGPOs. The computers are under the Computer OU, but it does not appear in the GPO Editor. Why doesn't it? – Markaway Dec 05 '12 at 16:57
  • The default `Computers` container is a special object. The top-level `Users` container is also the same way, if you notice. Neither of them are, technically, OUs (even though they look like it), they're default containers and cannot have a Group Policy directly linked to them. You should make an OU (or OU tree) for your computer objects and put your computers in there so that you can apply Group Policy Objects to them. – MDMarra Dec 05 '12 at 16:59
  • So I can create an OU called 'Workstations' and move the computers to that? Do I put it under Computers or under the domain? – Markaway Dec 05 '12 at 17:02
  • You *can't* put it under Computers, since Computers isn't an OU. You can put it wherever makes sense for you. If that's at the top level, directly underneath your domain, then put it there. That's a pretty common place for it. – MDMarra Dec 05 '12 at 17:03
  • Ok, is moving the computer out of Computers and into Workstations going to cause any issues with AD? Or can I ignore the default warning message? – Markaway Dec 05 '12 at 17:05
  • That warning message is because different GPOs may apply (which is actually what you want). It's not going to break authentication or anything. Generally, you can move objects freely between OUs with no ill effects other than the applied GPOs changing. Test it with one machine, do `gpupdate /force` on it to get the new policy immediately after moving it, then reboot and make sure you're good. If you are, move the rest. – MDMarra Dec 05 '12 at 17:08
  • I'm no longer getting it did not apply. However, it says it has not executed yet. I rebooted the computer twice and logged in both times. Any ideas? – Markaway Dec 05 '12 at 17:08
  • Have the relevant settings changed? If not, is the script in a location that's readable by the `Domain Computers` group? – MDMarra Dec 05 '12 at 17:10
  • Does the folder it's in need to be shared? The security privs are allow Administrator, System, and Authenticated Users – Markaway Dec 05 '12 at 17:12
  • The `Domain Computers` group is not part of Authenticated users, and of course it needs to be shared. How else would the computers have access to the script if it isn't shared? A standard place to put this is the sysvol share for the domain. It sounds like you might need to read through some TechNet articles about Group Policy design and implementation before you go any farther. Group Policy is *very* powerful and you should have a much better understanding of how it works before you go any farther. It's a very dangerous thing if you don't know what you're doing. – MDMarra Dec 05 '12 at 17:22
  • I added Domain Computer to the share/security - gave it read permissions. Still doesn't execute. Do .bat files not execute during startup? – Markaway Dec 05 '12 at 17:25
  • Of course they do. Are you presenting the path to the file in the GPO as a UNC path? – MDMarra Dec 05 '12 at 17:26
  • `\\domain\DFSNAMESPACENAME\DFSFOLDER\Startup Scripts\StaticToDHCP.bat` – Markaway Dec 05 '12 at 17:36
  • I can read it after I logged in, but it still has yet to execute on its own. – Markaway Dec 05 '12 at 17:38
  • You may have to wrap it in quotes, since you have a space in it. Assuming you have the correct permissions on the namespace and the shares, you should be able to do this. The event log should give you more details. At this point, you're probably on your own for troubleshooting your environment. That said, you can absolutely execute a batch file in a startup script from a DFS share using the UNC as long as everything is configured correctly. – MDMarra Dec 05 '12 at 17:38
  • Wrapping in quotes didn't help. I'll do 'Everyone' permission for now to see if it's a permission error. – Markaway Dec 05 '12 at 17:44
  • Well it executed with Everyone. However, it didn't seem to change the DNS properties. – Markaway Dec 05 '12 at 17:48
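
A computer startup script runs as the local SYSTEM account, as the answer notes, so any principal able to modify the script file controls what runs with those rights on every machine the GPO applies to. The PowerShell check below is an added example, not part of the original thread: it lists non-administrative principals holding write-type NTFS rights on the script. The UNC path is a placeholder and the list of trusted SIDs is an assumption to adjust for your domain.

```powershell
# Added example (not from the thread): list principals other than built-in
# administrators that hold write-type NTFS rights on a GPO startup script.
param(
    # Placeholder path (assumption): use the UNC path configured in the GPO.
    [string]$ScriptPath = '\\example.test\SYSVOL\example.test\scripts\StaticToDHCP.bat'
)

# Rights that allow changing the file, its ACL or its owner, plus the raw
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) values that
# Get-Acl can return unmapped.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership' -bor 0x50000000

# Assumed trusted set: SYSTEM, BUILTIN\Administrators, Domain Admins (-512)
# and Enterprise Admins (-519).
$trusted = '^(S-1-5-18|S-1-5-32-544|S-1-5-21-[\d-]+-(512|519))$'

$findings = foreach ($ace in (Get-Acl -LiteralPath $ScriptPath).Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }

    # Compare by SID so that renamed or localized group names still match.
    $sid = $ace.IdentityReference.Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
    if ($sid -match $trusted) { continue }

    [pscustomobject]@{
        Identity  = $ace.IdentityReference.Value
        Sid       = $sid
        Rights    = $ace.FileSystemRights
        Inherited = $ace.IsInherited
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
    Write-Warning "Non-admin principals can modify $ScriptPath, which runs as SYSTEM at startup."
    exit 1
}
"Only trusted principals can modify $ScriptPath."
```

This inspects NTFS permissions only. Effective access over the network is the more restrictive of the share and NTFS permissions, so the share's own permissions on the file server need the same review.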