Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations SkipVought on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Startup Script Permissions

Status
Not open for further replies.
Tama

Tama

MIS
Jun 6, 2001
121
0
0
NZ
I'm currently halfway through a Windows 2000 rollout and have discovered a number of small issues that need to be repaired. Rather than making Desktop Support suffer and sending them out to manually fix each machine (150 PCs) I have written a CMD script that will alter and patch the PCs using KIXtart and regini. The script is implemented through A.D.S. Group Policy.

My understanding is that Startup Scripts (as opposed to Logon Scripts) run under Local Machine SYSTEM privileges. The script alters keys in the LOCAL_MACHINE section of the registry and changes files in "Program Files"

The script runs, but the changes do not happen. The script can be run under Administrator, and then the changes happen...

Is there something about Startup Script Permissions I've missed?
Am I going nuts?
Why did they put Jar-Jar Binks in Star Wars I?

Any ideas?
 
Sort by date Sort by votes
Do the other users have the read and apply group policy permissions? Maybe this is your problem.
 
Upvote 0 Downvote
The startup scripts should be assigned to machines not people and then it should run under the machine system account. Kevin Mattson
MCP
 
Upvote 0 Downvote
Hi guys,

In my opininon, none of the two previous.

If I understand well, you're speaking about startup scripts, not login scripts ...

So your cmd batch file run with curent user permissions.
If you really want your batch to be executed with Local Machine SYSTEM privileges, you'd have to make your batch running as a service.

For that you'll need the ressource kit. (I guess you have one if you're using Kix and Regini ;-*)). Then use that two programs to make your batch running as a service :

SRVANY.EXE
INSTSRV.EXE

If you don't have the ressource kit, you can rerieve those utilities at :


Then, either keep the SYSTEM account, or create a service account with enougth trustees for that newly created service.

Hope that helps, let me know ...
@+
Benj Le Kangooru.
 
Upvote 0 Downvote
Ok sorry guys I had not read the beginning carefully, I thought you were talking about local startup scripts.

That don't make sense for remotely distributed startup scripts

Sorry !

@+

Benj Le Kangooru.
 
Upvote 0 Downvote
greg - All other Group Policy assignments are working as far as I can tell. The Startup script is tied to machines rather than users and a box does appear saying that the Startup script is running on boot.

Kevin - they are - that's what confusing me. In theory everything should be sweet...

Kangooru - You're right I am talking about Startup script - rather than Login scripts. Which are supposed to run with SYSTEM permissions after the machine boots (But before the user logs in.)

The Startup script is delivered via the Group Policy on an OE which the rollout is part of.

The machines boot up and a box flicks up saying "Running Startup Scripts" (or similar) but the functions in the scripts which require SYSTEM or ADMIN security permissions don't run through.

Has anyone got suggestions for trouble shooting Startup Scripts? (Not Login Scripts which run after the user logs in.)

Cheers for the suggestions.
 
Upvote 0 Downvote
Been looking into the problem this morning and getting a "Hitting head against brick wall" feeling.

Can anyone tell me in English what "Run startup scripts asynchronously" means in Group Policy -> Computer Configuration -> System -> Logon

My one Startup script is one CMD file calls kix32, and then it calls regini - would switching this policy have any effect whatsoever?

Or am I just grasping at straws?
 
Upvote 0 Downvote
If you have multiple start up scripts assigned, by default one will exectute and finish or time out before the next one starts. If you choose to run them asynchronously then they will all run at the same time. Kevin Mattson
MCP
 
Upvote 0 Downvote
Thanks for the help. Have got the little buggers running sweetly. This might be a bit clunky but I've made the first line of the CMD file map Y: to the NETLOGON share. It then executes the KIXtart and regini.exe scripting from Y: (also have the KIX script call Robocopy - excellent copying utility.) The last line of the script deletes the NETLOGON drive map.

Still not sure why it wouldn't work before, but it's working now. Cheers for the input
Tama
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

kurio71
  • Locked
  • Question
Clean Install of 2016 - NTFS permissions
Replies
1
Views
46
hairlessupportmonkey
hairlessupportmonkey
gbaughma
  • Locked
  • Question
Shared folder permissions
Replies
0
Views
25
gbaughma
gbaughma
justkool
  • Locked
  • Question
Script to switch primary SMTP proxyaddress
Replies
0
Views
41
justkool
justkool
mezta21
  • Locked
  • Question
My iPXE or gPXE does not read my script file on my iscsi target server (Windows Server 2012 R2)
Replies
0
Views
42
mezta21
mezta21
kurio71
  • Locked
  • Question
Restrict Permissions on Parent Directory
Replies
2
Views
38
kurio71
kurio71

Part and Inventory Search

Sponsor

Back
Top