Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Using Runas VB Script under Logon section in Group Policy 1

Status
Not open for further replies.

GCFG

Technical User
Dec 4, 2007
13
GB
I have created a VBS Script that Removes accounts from the Local Admin Group of a users machine, but runs the script as a Domain User. I have tested the script and can run it from the SYSvol folder fine on the machines I need to apply this to. However when I apply this script to the logon policy for the user under GPO the Script will not run. I have ran a gpresult and the Policy is not showing in here as getting applied, what have I done wrong, what do i need to change?

Many Thanks
 
Thanks for the reply, i have applied it to a couple of users for testing at the moment. If i logon to the machine as one of the users and run the script from the server it works fine, it runs the VB Script as a Domain Admin and removes users from with the Local Admin Group. The Policy is located under Group Policy Objects folder.
 
Can you get any other scripts to run at logon or is this the only one failing?

Could you not run this as a startup script this way it will be run under local system at bootup.
 
Thanks for your replies. Porkchopexpress, I have tried the startup script and this also fails, however i dont want it to run under the machine policy, i need it to run under the user policy. GrimR I have already got the script and it works fine, Here is the Script file:-

'Start of Script
Option explicit

Dim oShell

set oShell= Wscript.CreateObject("WScript.Shell")

'Replace the path with the program you wish to run c:\program files...

oShell.Run "runas /noprofile /user:domain\user ""cscript.exe \""\\granet\SysVol\GRANET.COM\Policies\{40A5B14C-6E3F-417F-90F4-6BE11FEB1014}\User\Scripts\Logon\Replace LocalAdmin Group.vbs\"

WScript.Sleep 100

'Replace the string --> yourpassword~ with the

'password used on your system. Include the tilde "~"

oShell.Sendkeys "password~"

Wscript.Quit
 
Why are you even trying to deploy this script via GPO?

Use and execute a script remotely against all of the target computers at one time.

Here is a simple sample that removes the user bsmith from the local admins group on the workstation "xpworkstation12".

Code:
On Error Resume Next
strComputer = "xpworkstation12"
Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators,group")
Set objUser = GetObject("WinNT://SpidersParlor/bsmith")
objGroup.Remove(objUser.ADsPath)


Take a look at my FAQ faq329-4871 for ways to put a wrapper around this to execute against all of the target machines.




I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at
Work SMARTER not HARDER. The Spider's Parlor's Admin Script Pack is a collection of Administrative scripts designed to make IT Administration easier! Save time, get more work done, get the Admin Script Pack.
 
Thanks for the reply markdmac but as stated in my previous comments i need this to run against a user NOT a machine hence why i am using GPO.
 
You said you need to remove a user from the local admin group. That does not require a user to be logged on. You either are not explaining your need sufficiently or could be working towards a goal you don't need to.

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at
Work SMARTER not HARDER. The Spider's Parlor's Admin Script Pack is a collection of Administrative scripts designed to make IT Administration easier! Save time, get more work done, get the Admin Script Pack.
 
The solution i want to achieve is to remove the ability for users to install software onto a machine. No matter what machine the user logs onto they will not have the ability to install software. The solution i have come up with is create a script to remove users from the Local Admin Group on the machine they have logged into, but retain the local admin group and a couple of Domain Admin groups. I need this to be applied once the user logs onto the machine. The script works fine and does what i want it to do. The problem i am having is getting it to work under the logon policy section under GPO. I need for it to apply for the user as many users use many machines, if i applied it to machine it may effect a user who we may wish to install software. Hope this makes it clearer
 
It really does not make it any clearer GCFG.

it was suggested to you earlier to use Restrictive Groups. Maybe you just are not aware of what those are and how they could help you, so I would recommend you do a little reading up on that topic.

You should have a list of who is authorized to install software on machines, all you need to do is set up a GPO with restrictive groups and it will put all the users and domain admins you WANT to be able to local admins into the local administrators group. When implemented, restrictive groups remove all other members of the local admins group. So you could very easily clean up every PC in your domain and not have to mess with the stuff you are trying to accomplish now.





I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at
Work SMARTER not HARDER. The Spider's Parlor's Admin Script Pack is a collection of Administrative scripts designed to make IT Administration easier! Save time, get more work done, get the Admin Script Pack.
 
Thanks markdmac I HAVE read about the Restrictive Groups and I could not apply to the machines. Back to the same summary "I NEED IT FOR USERS NOT MACHINES". We have over 3000 users of which we may need to allow for 300 users to be able to apply software. Hence why I came up with the script. The process is simple and I cannot see what it is you cannot understand. Script runs and removes all users apart from local admin user, domain admin user and another admin user. This will be applied to specific users who we DO NOT want to install software. Those who we want to have software will NOT have this applied to them. I would like to use GPO to roll out the script when the user's log onto the machine.
 
We seem to have a fundamental difference of opinion on how to apply this.

You should get ALL users IDs out of the local admin groups. Add ALL 2700 allowed to install software to a group and make that group part of what you push down from Restrictive Groups.

When you setup a new user you decide then if they get to be part of that group or not and you don't need to mess with local workstation permissions.

The way you are managing this now is more work for you, especially in an environment as large as your is.

I am a huge proponent of scripted solutions but this is just not a good circumstance to use one.

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at
Work SMARTER not HARDER. The Spider's Parlor's Admin Script Pack is a collection of Administrative scripts designed to make IT Administration easier! Save time, get more work done, get the Admin Script Pack.
 
So from what I have read, the user logging on has enough permission to install software but not enough permission to run the script, and they are roaming users?
 
This is from a script I use to run explorer on my machine, maybe you can modify it to suite what your try to accomplish.

Code:
Dim oShell
Set oShell = CreateObject("WScript.Shell")
strAdminUser = "administrator"
strAdminPass = "password"

ReturnCode = oShell.Run ("net use \\" & Machine & "\c$ " & strAdminPass & " /user:" & strAdminUser,0,True)

I'm sure mark will have a better solution, being so good at scripting
 
I've already given my suggestion GrimR. Scripting should not be a part of this solution in my opinion.

Best practice states you should only make groups members of the local administrators groups. That way you don't have to deal with this very issue. The cleanup on this can and should be easy.

I'd be happy to assist with the creation of a script that would add all users EXCEPT the ones not allowed to install software into a Global Group for deployment with Restrictive Groups. All that would be needed is a text file with the login names for the no installation people.

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at
Work SMARTER not HARDER. The Spider's Parlor's Admin Script Pack is a collection of Administrative scripts designed to make IT Administration easier! Save time, get more work done, get the Admin Script Pack.
 
Thanks for the reply GrimR but like i said the script works fine. It's GPO that is not deploying the script during logon. Mark, I agree with your priciples but this is what i am adding during the script, the Domain Admin Group and another Admin Group. The only user account that will remain in the Local admin group will be either the local administrator account and the local user account(of the user who we want to have access to install software).

Just tried Restrictive Groups again and it still does not apply to the user, ran gpresult and my Group Policy is not getting applied.
 
AGHHHHHHHHH.

Just tried Restrictive Groups again and it still does not apply to the user, ran gpresult and my Group Policy is not getting applied.

Apply it to the computer! Forget about the user.

Restrictive groups will remove EVERYONE from the local admin group and allow you to add in the Domain Admin Group, The other Admin Group and INSTEAD OF ADDING A PARTICULAR USER ADD A GROUP THAT THAT USER BELONGS TO.

I don't understand where I am failing to get this point across but I have reached the end of my frustration level.

If you do manage to resolve this issue in the backwards manner you are determined to do it in, you will not have corrected the problem, only the symptom.

By creating a domain group for users allowed to install software and making that group a member of the local admins group on the local PCs you will be able to restrict those users int he future if need be by removing them from the group. If they had logged on to 10 machines it would not matter because their user ID is not in the local group, only the Global Group is and if they are no longer a member of that group, then their access has been restricted locally.

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at
Work SMARTER not HARDER. The Spider's Parlor's Admin Script Pack is a collection of Administrative scripts designed to make IT Administration easier! Save time, get more work done, get the Admin Script Pack.
 
Mark, sorry but i dont see why you are getting so het up. I have tried the Restrictive Groups like you have mentioned but still it does not work. I have added 2 ADMIN GROUPS (not users) to the restrictive group which I have called Administrators. Can you please explain why it would not work now using your solution?????
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top