XP and netlogon script privilages

Hi All,

My original setup for logon, was to make Domain Users a member of
Restricted Group (Administrators), so that each user was an admin of
their own machine.

The side effect of this is that any user is an admin of *any* machine -
not so desirable.

I'm trying to migrate users away from this and stop adding new users by
default.

So I'm thinking to add all current users to a new Sec Group, and make
that part of the Administrators instead.

Then as new users come in, I'll add them locally as admins on their own PCs.

I'll have to have two GPO policies I think, one with the Restricted
Group in it, and one without, and figure out a filter to split the
Computers, otherwise the GPO will kick out any local-administrators setup.

Heres my questions though:
- This seems a crappy way of giving users local admin rights. So there
must be a better way ?
- Most of my deployment applications work via Netlogon scripts. If I
take admin rights away, the scripts break. I've seen references to
escalating privilages for GPO software installs. Can this be done for
logon scripts too ?

Then I get onto Windows 7 and Vista compatibility.

Advice appreciated.

Thanks

Adrian

 

"Adrian Marsh" <adrian.marsh@removemeubiquisys.com> wrote in message
news:eI%23qiqWUKHA.3404@TK2MSFTNGP04.phx.gbl...<!--coloro:blue--><span style="color:blue <!--/coloro-->
> Hi All,
>
> My original setup for logon, was to make Domain Users a member of
> Restricted Group (Administrators), so that each user was an admin of their
> own machine.
>
> The side effect of this is that any user is an admin of *any* machine -
> not so desirable.
>
> I'm trying to migrate users away from this and stop adding new users by
> default.
>
> So I'm thinking to add all current users to a new Sec Group, and make that
> part of the Administrators instead.
>
> Then as new users come in, I'll add them locally as admins on their own
> PCs.
>
> I'll have to have two GPO policies I think, one with the Restricted Group
> in it, and one without, and figure out a filter to split the Computers,
> otherwise the GPO will kick out any local-administrators setup.
>
> Heres my questions though:
> - This seems a crappy way of giving users local admin rights. So there
> must be a better way ?
> - Most of my deployment applications work via Netlogon scripts. If I take
> admin rights away, the scripts break. I've seen references to escalating
> privilages for GPO software installs. Can this be done for logon scripts
> too ?
>
> Then I get onto Windows 7 and Vista compatibility.
>
> Advice appreciated.
>
> Thanks
>
> Adrian<!--colorc--><!--/colorc-->


I don't really agree with giving all of your users local admin rights. I
know you are trying to get your scripts to run in context of the user
accounts, but this scenario also leads to the possibilities that spyware,
malware and viruses can all install under the user account when they visit a
web page and unexpectedly and unknowingly, get something installed that will
cause problems.

To get a script to run with admin rights on a machine when a user doesn't
have local rights, would need an account credential specified in the batch
file that can install it. The credentials, however, can be viewed by anyone
in the domain, since the Netlogon share has Read on it for all users, which
allows all users when logging on to be able to access the share in order to
run logon scripts.

Using a GPO for software installation, such as for computer-based software
installations (Assigning rather than publishing), which runs it in the
context of the machine and not the user, would be your better bet. This will
allow you to get away from providing users with local admin rights. And if
any applications need write access to a folder or reg setting that a
non-local admin user can't change, logon as administrator, or remotely
connect to the drive or registry, and change the permissions so Auth Users
has Modify or Change on it. I've done this successfully with all of my
customers, none of which are local admin rights on their machines, even the
boss. No viruses, malware, nothing...

Related links that may help.

Group Policy Software Deployment Background: Group PolicyMar 28, 2003 ... To
deploy software using Group Policy, you must have an Active Directory–based
domain and Windows 2000 or Windows Server 2003 domain ...


Use Group Policy Software Installation to deploy the 2007 Office ...Mar 9,
2007 ... Group Policy-based software deployment also enables administrators
to publish software for users only. When this method is used, ...



Also, Vista adds complications with the UAC...
================================================
Using a GPO Software Installation for Vista and the UAC

It's the UAC causing it to not run. Running a bat file on a Vista machine
may need to have it run with elevated privledges. You would have to use the
runas command in the batch, but the problem with that is it exposes the
credentials. Maybe an MSI file would be better off?

See if this helps:

Use a VBScript to launch the .BAT file elevated. Example:


Deploying Group Policy Using Windows Vista (search for 'elevated')


Deploying Group Policy Using Windows Vista: (Look for the Launchapp.wsf code
to launch .BAT files as logon script.)

================================================


I hope that helps!


--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA
2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer

For urgent issues, please contact Microsoft PSS directly. Please check
for regional support phone numbers.

 

Hi Ace,

Thanks very much for the reply.
Would completely agree with the philosophy, however the day-to-day jobs
of the engineers here require that they be able to change the layout of
their own PCs with regards to things like Networking and Software
packages. I looked into Power Users, but even on some of the basic
packages we use, they complained about Admin rights then failed to install.

I intend to split the users into groups, those that do need Admin
rights, and then Finance/HR etc, who really dont. But until the package
deployments sorted then I'm kind of stuck.

GPO would be my preferred choice. However if the package isn't an MSI,
then theres very little support for it. ZAP files go so far but don't
help with upgrades, logs of installations etc.

Hence I've stuck with the logon scripts which I can control to the n'th
degree.

So there isnt an escalate-privileged setting for netlogon outside of a
"runas" type setup /?
I was thinking that maybe I could wrap the starting .bat into a .exe
with bat2exec type-tools if need be. But hoped GPO would have something
better.

Again - thanks for the reply

Adrian


On 20/10/2009 17:14, Ace Fekay [MCT] wrote:<!--coloro:blue--><span style="color:blue <!--/coloro-->
> "Adrian Marsh"<adrian.marsh@removemeubiquisys.com> wrote in message
> news:eI%23qiqWUKHA.3404@TK2MSFTNGP04.phx.gbl...<!--coloro:green--><span style="color:green <!--/coloro-->
>> Hi All,
>>
>> My original setup for logon, was to make Domain Users a member of
>> Restricted Group (Administrators), so that each user was an admin of their
>> own machine.
>>
>> The side effect of this is that any user is an admin of *any* machine -
>> not so desirable.
>>
>> I'm trying to migrate users away from this and stop adding new users by
>> default.
>>
>> So I'm thinking to add all current users to a new Sec Group, and make that
>> part of the Administrators instead.
>>
>> Then as new users come in, I'll add them locally as admins on their own
>> PCs.
>>
>> I'll have to have two GPO policies I think, one with the Restricted Group
>> in it, and one without, and figure out a filter to split the Computers,
>> otherwise the GPO will kick out any local-administrators setup.
>>
>> Heres my questions though:
>> - This seems a crappy way of giving users local admin rights. So there
>> must be a better way ?
>> - Most of my deployment applications work via Netlogon scripts. If I take
>> admin rights away, the scripts break. I've seen references to escalating
>> privilages for GPO software installs. Can this be done for logon scripts
>> too ?
>>
>> Then I get onto Windows 7 and Vista compatibility.
>>
>> Advice appreciated.
>>
>> Thanks
>>
>> Adrian<!--colorc--><!--/colorc-->
>
>
> I don't really agree with giving all of your users local admin rights. I
> know you are trying to get your scripts to run in context of the user
> accounts, but this scenario also leads to the possibilities that spyware,
> malware and viruses can all install under the user account when they visit a
> web page and unexpectedly and unknowingly, get something installed that will
> cause problems.
>
> To get a script to run with admin rights on a machine when a user doesn't
> have local rights, would need an account credential specified in the batch
> file that can install it. The credentials, however, can be viewed by anyone
> in the domain, since the Netlogon share has Read on it for all users, which
> allows all users when logging on to be able to access the share in order to
> run logon scripts.
>
> Using a GPO for software installation, such as for computer-based software
> installations (Assigning rather than publishing), which runs it in the
> context of the machine and not the user, would be your better bet. This will
> allow you to get away from providing users with local admin rights. And if
> any applications need write access to a folder or reg setting that a
> non-local admin user can't change, logon as administrator, or remotely
> connect to the drive or registry, and change the permissions so Auth Users
> has Modify or Change on it. I've done this successfully with all of my
> customers, none of which are local admin rights on their machines, even the
> boss. No viruses, malware, nothing...
>
> Related links that may help.
>
> Group Policy Software Deployment Background: Group PolicyMar 28, 2003 ... To
> deploy software using Group Policy, you must have an Active Directory–based
> domain and Windows 2000 or Windows Server 2003 domain ...
>
>
> Use Group Policy Software Installation to deploy the 2007 Office ...Mar 9,
> 2007 ... Group Policy-based software deployment also enables administrators
> to publish software for users only. When this method is used, ...
>
>
>
> Also, Vista adds complications with the UAC...
> ================================================
> Using a GPO Software Installation for Vista and the UAC
>
> It's the UAC causing it to not run. Running a bat file on a Vista machine
> may need to have it run with elevated privledges. You would have to use the
> runas command in the batch, but the problem with that is it exposes the
> credentials. Maybe an MSI file would be better off?
>
> See if this helps:
>
> Use a VBScript to launch the .BAT file elevated. Example:
>
>
> Deploying Group Policy Using Windows Vista (search for 'elevated')
>
>
> Deploying Group Policy Using Windows Vista: (Look for the Launchapp.wsf code
> to launch .BAT files as logon script.)
>
> ================================================
>
>
> I hope that helps!
>
><!--colorc--><!--/colorc-->

 

"Adrian Marsh" <adrian.marsh@removemeubiquisys.com> wrote in message
news:OkM1FgaUKHA.844@TK2MSFTNGP05.phx.gbl...<!--coloro:blue--><span style="color:blue <!--/coloro-->
> Hi Ace,
>
> Thanks very much for the reply.
> Would completely agree with the philosophy, however the day-to-day jobs of
> the engineers here require that they be able to change the layout of their
> own PCs with regards to things like Networking and Software packages. I
> looked into Power Users, but even on some of the basic packages we use,
> they complained about Admin rights then failed to install.
>
> I intend to split the users into groups, those that do need Admin rights,
> and then Finance/HR etc, who really dont. But until the package
> deployments sorted then I'm kind of stuck.
>
> GPO would be my preferred choice. However if the package isn't an MSI,
> then theres very little support for it. ZAP files go so far but don't help
> with upgrades, logs of installations etc.
>
> Hence I've stuck with the logon scripts which I can control to the n'th
> degree.
>
> So there isnt an escalate-privileged setting for netlogon outside of a
> "runas" type setup /?
> I was thinking that maybe I could wrap the starting .bat into a .exe with
> bat2exec type-tools if need be. But hoped GPO would have something better.
>
> Again - thanks for the reply
>
> Adrian
>
><!--colorc--><!--/colorc-->


You are welcome, Adrian.

The only other thing that comes to mind is SMS or SCOM. You can create your
own packages wtih the built-in tools. You can possibly (been awhile since
I've done this), use the SMS Installer (from SMS 2003) to create a self
installing packager, too. I believe you can provide credentials within the
package prior to compiling it. Like I said, it's been quite a few years, but
it rings a bell.

Check it out...

Installing and Starting SMS InstallerSMS Installer is only available by
download and is not included with the SMS 2003 product. To download SMS
Installer, see the Microsoft SMS Web site at ...


Systems Management Server 2.0 Tools and UtilitiesOn this page you'll find
downloadable tools and utilities for SMS 2.0 and its ... Download the SMS
Installer with Installer Step-up Utility (ISU), ...


Ace

 

Adrian,

Microsoft does have an official Windows 7 Support Forum located here . It is supported by product specialists as well as engineers and support teams. You may want to also check the threads available there for additional assistance and feedback.

Jessica
Microsoft Windows Client Team

 

On Tue, 20 Oct 2009 18:08:59 +0100, Adrian Marsh
<adrian.marsh@removemeubiquisys.com> wrote:
<!--coloro:blue--><span style="color:blue <!--/coloro-->
>Hi Ace,
>
>Thanks very much for the reply.
>Would completely agree with the philosophy, however the day-to-day jobs
>of the engineers here require that they be able to change the layout of
>their own PCs with regards to things like Networking and Software
>packages. I looked into Power Users, but even on some of the basic
>packages we use, they complained about Admin rights then failed to install.
>
>I intend to split the users into groups, those that do need Admin
>rights, and then Finance/HR etc, who really dont. But until the package
>deployments sorted then I'm kind of stuck.
>
>GPO would be my preferred choice. However if the package isn't an MSI,
>then theres very little support for it. ZAP files go so far but don't
>help with upgrades, logs of installations etc.
>
>Hence I've stuck with the logon scripts which I can control to the n'th
>degree.
>
>So there isnt an escalate-privileged setting for netlogon outside of a
>"runas" type setup /?
>I was thinking that maybe I could wrap the starting .bat into a .exe
>with bat2exec type-tools if need be. But hoped GPO would have something
>better.<!--colorc--><!--/colorc-->
AutoIt may help
It can be compiled to an EXE.
<!--coloro:blue--><span style="color:blue <!--/coloro-->
><!--colorc--><!--/colorc-->
<!--coloro:blue--><span style="color:blue <!--/coloro-->
>Again - thanks for the reply
>
>Adrian
>
>
>On 20/10/2009 17:14, Ace Fekay [MCT] wrote:<!--coloro:green--><span style="color:green <!--/coloro-->
>> "Adrian Marsh"<adrian.marsh@removemeubiquisys.com> wrote in message
>> news:eI%23qiqWUKHA.3404@TK2MSFTNGP04.phx.gbl...<!--coloro:darkred--><span style="color:darkred <!--/coloro-->
>>> Hi All,
>>>
>>> My original setup for logon, was to make Domain Users a member of
>>> Restricted Group (Administrators), so that each user was an admin of their
>>> own machine.
>>>
>>> The side effect of this is that any user is an admin of *any* machine -
>>> not so desirable.
>>>
>>> I'm trying to migrate users away from this and stop adding new users by
>>> default.
>>>
>>> So I'm thinking to add all current users to a new Sec Group, and make that
>>> part of the Administrators instead.
>>>
>>> Then as new users come in, I'll add them locally as admins on their own
>>> PCs.
>>>
>>> I'll have to have two GPO policies I think, one with the Restricted Group
>>> in it, and one without, and figure out a filter to split the Computers,
>>> otherwise the GPO will kick out any local-administrators setup.
>>>
>>> Heres my questions though:
>>> - This seems a crappy way of giving users local admin rights. So there
>>> must be a better way ?
>>> - Most of my deployment applications work via Netlogon scripts. If I take
>>> admin rights away, the scripts break. I've seen references to escalating
>>> privilages for GPO software installs. Can this be done for logon scripts
>>> too ?
>>>
>>> Then I get onto Windows 7 and Vista compatibility.
>>>
>>> Advice appreciated.
>>>
>>> Thanks
>>>
>>> Adrian<!--colorc--><!--/colorc-->
>>
>>
>> I don't really agree with giving all of your users local admin rights. I
>> know you are trying to get your scripts to run in context of the user
>> accounts, but this scenario also leads to the possibilities that spyware,
>> malware and viruses can all install under the user account when they visit a
>> web page and unexpectedly and unknowingly, get something installed that will
>> cause problems.
>>
>> To get a script to run with admin rights on a machine when a user doesn't
>> have local rights, would need an account credential specified in the batch
>> file that can install it. The credentials, however, can be viewed by anyone
>> in the domain, since the Netlogon share has Read on it for all users, which
>> allows all users when logging on to be able to access the share in order to
>> run logon scripts.
>>
>> Using a GPO for software installation, such as for computer-based software
>> installations (Assigning rather than publishing), which runs it in the
>> context of the machine and not the user, would be your better bet. This will
>> allow you to get away from providing users with local admin rights. And if
>> any applications need write access to a folder or reg setting that a
>> non-local admin user can't change, logon as administrator, or remotely
>> connect to the drive or registry, and change the permissions so Auth Users
>> has Modify or Change on it. I've done this successfully with all of my
>> customers, none of which are local admin rights on their machines, even the
>> boss. No viruses, malware, nothing...
>>
>> Related links that may help.
>>
>> Group Policy Software Deployment Background: Group PolicyMar 28, 2003 ... To
>> deploy software using Group Policy, you must have an Active Directory–based
>> domain and Windows 2000 or Windows Server 2003 domain ...
>>
>>
>> Use Group Policy Software Installation to deploy the 2007 Office ...Mar 9,
>> 2007 ... Group Policy-based software deployment also enables administrators
>> to publish software for users only. When this method is used, ...
>>
>>
>>
>> Also, Vista adds complications with the UAC...
>> ================================================
>> Using a GPO Software Installation for Vista and the UAC
>>
>> It's the UAC causing it to not run. Running a bat file on a Vista machine
>> may need to have it run with elevated privledges. You would have to use the
>> runas command in the batch, but the problem with that is it exposes the
>> credentials. Maybe an MSI file would be better off?
>>
>> See if this helps:
>>
>> Use a VBScript to launch the .BAT file elevated. Example:
>>
>>
>> Deploying Group Policy Using Windows Vista (search for 'elevated')
>>
>>
>> Deploying Group Policy Using Windows Vista: (Look for the Launchapp.wsf code
>> to launch .BAT files as logon script.)
>>
>> ================================================
>>
>>
>> I hope that helps!
>>
>><!--colorc--><!--/colorc--><!--colorc--><!--/colorc-->
--
Dave Mills
There are 10 types of people, those that understand binary and those that don't.