We have a logon script that sets up default shortcuts on users' desktops, deployed via Group Policy. This script was used in our previous Windows XP environment. The problem is, the person who set this up copied the shortcuts to %ALLUSERSPROFILE%\Desktop. Now that we're in Windows 7, I'm trying to move the shortcuts to %USERPROFILE%\Desktop and I'm getting permission denied when I try to delete the shortcuts via VBScript. I can delete the shortcuts manually; the UAC prompt comes up, but it works.

Three questions come out of this:

1) In what user context does the script run when run from GPO?

2) In what user context does the script run when I run it from the command line and have run the command prompt as administrator?

3) Is there a way to delete these via VBScript in my situation?

Thanks in advance for any help.


I tried using the following script deployed through GP as a startup script to no avail.

'Startup Script

' Force explicit variable declaration.
Option Explicit

On Error Resume Next

Const sPhoneLnk = "Phone_List.lnk"
Const sDesktop = "\Desktop\"

Dim g_oShell, g_oFSO, sAllUsrPrf, sPhoneLink

Set g_oShell = CreateObject("Wscript.Shell")
Set g_oFSO = CreateObject("Scripting.FileSystemObject")

sAllUsrPrf = g_oShell.ExpandEnvironmentStrings("%ALLUSERSPROFILE%")
sPhoneLink = sAllUsrPrf & sDesktop & sPhoneLnk

If g_oFSO.FileExists (sPhoneLink) Then
'   wscript.echo sPhoneLnk & " Found."
    g_oFSO.DeleteFile (sPhoneLink)
'   wscript.echo sPhoneLnk & " Deleted."
Else
'   wscript.echo sPhoneLnk & " Not found."
End if

I also tried running the above script from a command prompt as Administrator with UAC turned off and received Access denied.

Shog9

2 Answers

0

1) In what user context does the script run when run from GPO?

The logon script activates with the security of the user logging on.

2) In what user context does the script run when I run it from the command line and have run the command prompt as administrator?

The script runs as administrator on the local machine.

3) Is there a way to delete these via vbscript in my situation?

Yes. But you should consider how long you need this script to be installed: is it temporary or permanent? If it's temporary, you should write a simple computer startup script which removes the shortcut links under the All Users directory on boot. That way it is not tied to the user accounts.

If you absolutely want to bypass security for all user accounts and perform actions on user logon no matter what, you can use a domain-logon-based VBScript:

' ======================================================================
'| name  :  DSMoveAs.vbs
'| author:  Remco Simons [nl] 2007
'|
'| ( http://www.petri.co.il/forums/showthread.php?t=18003 )
' ======================================================================
'
' this script accepts Credentials from command-line
' Usage with GPO:
' Scripts / LogonScript / scriptName       -> scriptname.vbs
' Scripts / LogonScript / ScriptParameters -> /u:"domain\user" /p:"password"
'(this user does not necessarily have to be a member of the Domain Admins group; you can just delegate control over the OUs to it.)
'
' this script can move computer objects in active directory
' you have to copy 'dsmove.exe' to a central share


Set objSysInfo = CreateObject("ADSystemInfo")
 strComputerDN  = objSysInfo.ComputerName
 strComputerRDN = split(strComputerDN,",")(0)
 strCurrentOU   = Replace(strComputerDN, strComputerRDN & ",","")
 strCurrentSite = UCase(objSysInfo.SiteName)

'tool
pathDSMOVE = "\\domain.local\sysvol\domain.local\scripts\Dsmove.exe"

'Alternate Credentials
Set Named = WScript.Arguments.Named  'Read script parameters
   strUser = Empty
   strSecret = Empty
 If Named.Exists("u") Then
   strUser = Named.Item("u")
 If Named.Exists("p") Then _
   strSecret = Named.Item("p")
 End If
altCredentials = " -u """ & strUser & """ -p """ & strSecret & """" 

'variables
strSiteName1 = UCase("New-York")
strSiteName2 = UCase("washington")

'conditional run
If (strCurrentSite = strSiteName1) Then
  strNewOU = "CN=computers,DC=domain,dc=Local"
  If Not UCase(strCurrentOU) = Ucase(strNewOU) Then
    call MoveObject(pathDSMOVE, strComputerDN, strNewOU, altCredentials)
  End If
ElseIf (strCurrentSite = strSiteName2) Then
  strNewOU = "ou=workstations,DC=domain,dc=Local"
  If Not UCase(strCurrentOU) = Ucase(strNewOU) Then
    call MoveObject(pathDSMOVE, strComputerDN, strNewOU, altCredentials)
  End If
End If


Sub MoveObject(pathDsmove, strComputerDN, targetOU, credentials)
 With Wscript.CreateObject("WScript.Shell")
   strCommand = pathDsmove & " """ & strComputerDN & """ " _ 
                & "-newparent """ & targetOU & """ " _
                & credentials
   .Run "%comspec% /c @call " & strCommand,0,True
 End With
End Sub
Rich
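
An added check, not part of the answer above or of DSMoveAs.vbs: script parameters entered in a GPO are saved in that policy's scripts.ini under SYSVOL, which domain accounts can read by default, so a /p:"password" parameter is stored there in clear text. This VBScript lists the parameter lines that carry a password-style switch without echoing their values; the switch pattern and the UTF-16-then-ANSI read are assumptions.

```vbscript
' Added example: flag GPO script parameters in SYSVOL that carry a
' password-style switch such as /p:"...". Run with cscript.exe.
Option Explicit
Const ForReading = 1, AsUnicode = -1, AsAnsi = 0

Dim fso, re, root, gpo, side, ini, path, m, hits
Set fso = CreateObject("Scripting.FileSystemObject")
Set re = New RegExp
re.IgnoreCase = True : re.Global = True : re.Multiline = True
' Group 1 is the key (e.g. 0Parameters); the value is never echoed.
' The list of switches is an assumption; extend it for local conventions.
re.Pattern = "^(\d+Parameters)=.*[/-]p(wd|ass(word)?)?[:=\s]"

With CreateObject("ADSystemInfo")   ' requires a domain-joined machine
    root = "\\" & .DomainDNSName & "\SYSVOL\" & .DomainDNSName & "\Policies"
End With

hits = 0
For Each gpo In fso.GetFolder(root).SubFolders
    For Each side In Array("User", "Machine")
        For Each ini In Array("scripts.ini", "psscripts.ini")
            path = gpo.Path & "\" & side & "\Scripts\" & ini
            If fso.FileExists(path) Then
                For Each m In re.Execute(ReadIni(path))
                    hits = hits + 1
                    WScript.Echo gpo.Name & "\" & side & "\Scripts\" & ini & _
                        ": " & m.SubMatches(0) & " contains a password-style switch"
                Next
            End If
        Next
    Next
Next
WScript.Echo hits & " parameter line(s) flagged under " & root

' Assumption: the Group Policy editor writes these files as UTF-16; if the
' decoded text has no "=" the file is re-read as ANSI.
Function ReadIni(p)
    Dim text
    On Error Resume Next            ' empty or unreadable files yield no text
    text = fso.OpenTextFile(p, ForReading, False, AsUnicode).ReadAll
    If InStr(text, "=") = 0 Then
        text = fso.OpenTextFile(p, ForReading, False, AsAnsi).ReadAll
    End If
    On Error GoTo 0
    ReadIni = text
End Function
```

Any account flagged by this check should have its password changed and the credential moved out of the script parameters.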
0

I'd recommend using Group Policy Preferences for modifying desktop shortcuts. Logon scripts are always running in the context of the user logging in. That user may or may not have sufficient privileges for deleting shortcuts from the All Users desktop.

Ansgar Wiechers
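
Both answers note that a logon script runs as the user logging on, and the first suggests a computer startup script instead. An added example of such a script (not code from the question or the answers): it asks the shell for the shared desktop rather than building the path from %ALLUSERSPROFILE%, and writes the account and error code to the Application event log instead of suppressing them. Only the file name Phone_List.lnk comes from the page.

```vbscript
' Added example: computer startup script (Computer Configuration /
' Windows Settings / Scripts / Startup) that removes one shortcut from
' the shared desktop and records the outcome.
Option Explicit
Const EVT_ERROR = 1, EVT_INFO = 4
Const LINK_NAME = "Phone_List.lnk"      ' file name from the question

Dim shell, fso, who, target, msg
Set shell = CreateObject("WScript.Shell")
Set fso = CreateObject("Scripting.FileSystemObject")

' Record which account the script really runs under.
who = shell.ExpandEnvironmentStrings("%USERDOMAIN%\%USERNAME%")

' Ask the shell for the common desktop instead of assuming its location
' (on Windows 7, %ALLUSERSPROFILE% expands to C:\ProgramData).
target = fso.BuildPath(shell.SpecialFolders("AllUsersDesktop"), LINK_NAME)

If Not fso.FileExists(target) Then
    shell.LogEvent EVT_INFO, "Shortcut cleanup: " & target & _
        " not present (running as " & who & ")"
    WScript.Quit 0
End If

On Error Resume Next            ' trap only the delete, then inspect Err
fso.DeleteFile target, True     ' True = also delete read-only files
If Err.Number <> 0 Then
    ' Build the message before On Error GoTo 0 clears Err.
    msg = "Shortcut cleanup FAILED for " & target & " as " & who & _
          ": 0x" & Hex(Err.Number) & " " & Err.Description
    On Error GoTo 0
    shell.LogEvent EVT_ERROR, msg
    WScript.Quit 1
End If
On Error GoTo 0

shell.LogEvent EVT_INFO, "Shortcut cleanup: deleted " & target & " as " & who
```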