local admin rights and logon scripts....


downloadkid (IS-IT--Management), Dec 12, 2004
Afternoon people...
I am the network manager at a large school. I have 1000+ users. Last year I rolled out a whole school network, replaced the servers, updated the network etc.
I have in place 4 Dell PowerEdge servers running Windows 2003 Standard Edition and all XP clients.
When originally creating the client images for deployment, all users were made members of the Administrators group of the local machine. The reason for this was primarily to ensure that the login KiX script ran correctly. The KiX script is called by a logon.bat file.
The script creates a series of reg pokes, maps drives etc.
All had been working well until the end of last term, when some students discovered that if they remove the network cable after logging on they gain full access to the local machine, bypassing the desktop restrictions, through the default profile.
In the students' GPO I selected the policies to delete the roaming cached profile and to log users off when the network profile is not available or corrupt.
Unfortunately this didn't work. The reason is that for members of the local admin group, by default, if no profile is available they are assigned the default administrator profile.

In order to get this to work I had to remove the students from the local admin group; the consequence of this, however, is that now the scripts don't run at all.

I understand that scripts that run during logon are run under the rights assigned to the user, which in a student's case is not much. As adding a printer is restricted via GPO, not even the printer script will work.

Is there a way of running the logon script with elevated privileges? Or is there another workaround?

Many thanks
 
You can try this setting to prevent users from logging on when the network cable is unplugged.

As for scripts, I use VB logon scripts to add printers at logon and all of my users are ordinary domain users. Allow adding printers for local users by removing the GPO and then ban the Add Printer wizard. This should allow your KiX scripts to run too, but I would recommend VBScript for managing XP clients; you can manage a huge amount of features this way.
 
Hello mate, thanks for the reply. I have set this value to 0 already. The problem is that as local admins the default profile is applied, bypassing the GPO applied during logon.

The printer script I use is in VB and is applied through the GPO logon scripts option.

The KiX script is the one that performs the reg pokes and maps drives.

It seems to be a permissions issue, but I can't seem to find a workaround. Little darlings, if there's a hole they'll find it!!!!!
 
The scripts should work as restricted users; all of my users are restricted, as I say, and they can add drives and printers at logon. There must be a policy preventing them from adding printers.

I would recommend not putting them back as local admins; they will be able to install anything they like, especially toolbars like that damn Smiley Central. Also, it's possible to get around any group policy if they have admin rights.
 
Take a look at my FAQ for the VBScript code you need. This will run via GPO and handle the mappings for you etc., and users do not need to be admins.

faq329-5798

I hope you find this post helpful.

Regards,

Mark
 
Porkchopexpress, thanks.
I will experiment on Monday when I'm in work, but I'm not sure the script will work as restricted users. Yes, there is a policy in the GPO to stop users adding printers, because if you don't, all sorts of pooh gets printed out in the head's office.......
markdmac, thanks. I voted and of course gave you 10. VBS is a subject I am getting 'into' as a matter of course. However, it's not a script issue so much as a permission issue. I have all sorts of reg pokes going on etc. but they just aren't being applied under the restricted user GPOs.
I have learnt my lesson and don't want to expose the network to the kind of abuse kids can dish out......
You are obviously good at scripting, a trait I admire, but is there a way of elevating privileges during logon to run the script?
Cheers
 
Well, when they bring up the print box to print, there is a Find Printers tab that allows them to search for other network printers....
 
Sounds like you are getting one issue confused regarding printers. Any user should be able to connect to a printer. What takes elevated rights is getting the drivers installed.

Roll out your drivers first and the users won't need those rights. Take a look at this KB for how you can accomplish this goal.
Also, do some digging in your GPO; there is a setting to always run with elevated rights.



I hope you find this post helpful.

Regards,

Mark
 
Thanks markdmac.
The elevated privileges setting in the GPO is a blanket policy that affects all apps that are using the Windows Installer, so that won't work.
I was hoping that there was a way to perhaps add the login credentials on the script for it to run.
The printer script looks interesting and is in fact similar to the one I use.
Cheers
 
I think I will try and add them to the Power Users group on the local machine to see if that will allow the script to run.
Ultimately I need the students' script to run locally whilst at the same time kicking them back to the logon screen if they pull the plug.
I've searched all over and there are quite a few people suffering the 'permissions' issue.
As a local admin it works, as a local user it doesn't; bit of a catch 22.
I'll report back tomorrow to let you know the outcome.
Thanks for the guidance.
 
Hide the printers in Active Directory and then ban Network Neighborhood; they will not be able to see printers in the Add Printers box then. I have set up several colleges this way and they cannot add printers or browse for them.
 
What's the problem with them adding printers anyway? GPOs only really adjust registry settings; they are not a replacement for good security.

NTFS permissions on the printers will stop unauthorised use of printers; that should be the primary defence.

GPOs just make it a hell of a lot harder to get access to the UI tools to do things, but they can be overcome.

Lock down access to the Add New Printers wizard, hide Network Places and the Printers folder (if they don't need it) and make sure that the printers are not published in AD.

Logon scripts are designed for adding new printers and drives. However, as part of the Windows sandbox security model (which is crap and only partly works...), any application run will by default run under the user's account and therefore with their permissions, other than system services. This includes logon scripts: if you deny access to a printer or folder using NTFS then, regardless of their script, they will no longer be able to access the printer.

GPOs are really just GUI lockdown tools; real security is from NTFS.

Bit of advice: don't give them local admin. For students I wouldn't even give Power User access. Adding printers is not a security privilege; any user can do it by default as there is no security risk involved (as NTFS locks it down).

Ta,

Steve.

"They have the internet on computers now!" - Homer Simpson
 
Hello chaps,
Resolved the issue.
The KiX script called by the login bat required that kixform.dll be registered on the local machine; with local admin rights removed it couldn't do it. I created a staff account and made it a member of the admin group, logged on to the machines affected to install/register the DLL, then logged on as a student and the script now works.
As far as the printer script was concerned, again a permissions issue. I removed the script from the GPO and used the netlogon bat to call the script instead. Again it worked, so problem resolved.
As far as NTFS permissions/ACLs are concerned, I use them extensively. The GPO is used as a combination of 'added' security and to set the user environment.
Most other things are done via script to 'poke' the registry.
Like I said at the beginning, it was a permissions issue; I needed a solution that would leave everything intact as designed whilst removing the issue of local admin rights.
As it stands now all users on the local machine are just that, 'users'.
Thanks all for your input.
Regards
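Steve's point that a logon script runs with the logged-on user's own token, and the thread's resolution that the KiX script only needed a DLL registered once by an administrator, both come down to the same shape of script. The following is an added example, not code from the thread or from Mark's FAQ: it does the thread's jobs (reg pokes, drive mapping, printer connection) using only rights a standard user has, and reports a missing machine-level dependency instead of trying to fix it. The share path, printer path, registry key and ProgID are placeholders.

```vbscript
' Added example (not from the thread). Logon script that stays inside a
' standard user's rights: HKCU only, drive and printer connections, and a
' check for a machine-wide COM dependency that an admin must pre-register.
' All paths and the ProgID below are placeholders, not the poster's values.
Option Explicit
Const HOME_SHARE   = "\\FILESERVER\students$"       ' placeholder UNC share
Const PRINTER_PATH = "\\PRINTSERVER\Library-Laser"   ' placeholder shared printer
Const REQUIRED_COM = "Vendor.Component"              ' placeholder ProgID the script depends on

Dim shell, net, fso, logFile, dep
Set shell = CreateObject("WScript.Shell")
Set net   = CreateObject("WScript.Network")
Set fso   = CreateObject("Scripting.FileSystemObject")
' Log under the user's own profile; a standard user can always write there.
Set logFile = fso.OpenTextFile(shell.ExpandEnvironmentStrings("%TEMP%\logon.log"), 8, True)

Sub Report(msg)
    logFile.WriteLine Now & " " & net.UserName & " " & msg
End Sub

On Error Resume Next

' 1. A COM server (like the thread's kixform.dll) lives under HKLM and must be
'    registered by an administrator during imaging. A user-context script can
'    only detect that it is missing and say so clearly.
Set dep = CreateObject(REQUIRED_COM)
If Err.Number <> 0 Then Report "dependency " & REQUIRED_COM & " not registered: " & Err.Description: Err.Clear

' 2. Registry "pokes" belong under HKCU. The same write to HKLM is denied for a
'    standard user, which is exactly what the thread observed after removing admin.
shell.RegWrite "HKCU\Software\School\Logon\LastRun", CStr(Now), "REG_SZ"
If Err.Number <> 0 Then Report "HKCU write failed: " & Err.Description: Err.Clear
shell.RegWrite "HKLM\Software\School\Logon\LastRun", CStr(Now), "REG_SZ"
If Err.Number <> 0 Then Report "HKLM write denied, as expected for a standard user": Err.Clear

' 3. Mapping a drive needs only share and NTFS permissions on the target.
net.MapNetworkDrive "H:", HOME_SHARE, False
If Err.Number <> 0 Then Report "map H: failed: " & Err.Description: Err.Clear

' 4. Connecting to a shared printer whose driver is already installed (or pushed
'    from the print server) is a user-level operation; only driver installation
'    needs elevated rights, as markdmac noted.
net.AddWindowsPrinterConnection PRINTER_PATH
If Err.Number <> 0 Then Report "printer connect failed: " & Err.Description: Err.Clear

On Error GoTo 0
Report "logon script finished"
logFile.Close
```

Run it from logon.bat as the standard user; the %TEMP%\logon.log entries show which step, if any, still needs a one-time admin action on the image rather than admin rights for every student.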
 