#190302 - 2008-10-24 11:01 AM
What is the proper way to get logon script working with Vista?
|
MiGe
Fresh Scripter
Registered: 2005-06-24
Posts: 5
Loc: Denmark
|
Hello.
We are starting to have a look at Windows Vista, which is giving us a problem with the logon script.
Our script is working without any issues on Win2k and WinXP.
Each user in the AD has a "Global.bat" script defined as the "Logon script" in "User profile". The "Global.bat" runs an initial KIX script:
%0\..\Kix32.exe %0\..\AS.kix
The AS.kix then checks which global regional group the user is a member of, and then calls the local logon script for that user:
SELECT
CASE INGROUP ("Region - All Region Users") CALL @LSERVER+"\netlogon\<local DC>\LocalScript.KIX"
...
...
ENDSELECT
As mentioned, this is working fine with Win2k and WinXP. The script will also run on Vista, but I'm getting several "Access is denied" because we are both installing software and copying files to and from the client PC. I guess it's the UAC feature that is causing this, but disabling it is not an option.
I've browsed and searched this forum and Google'ed the topic, but I can't really find anything that says "This is how you do it!". I've come across "Launchapp.wsf", "Elevated permissions" and run it as a GPO.
I don't want to use a GPO to run the logon script - I'd like to keep it like we are running it now.
Regarding "Launchapp.wsf" - I've tried to create the following small script to handle the difference between XP and Vista.
cls
$LogonServer = @LSERVER
;Check for specific Vista folder
IF Exist("C:\Users\") = 1
;Running Vista - run the script the special way
RUN "\\LocalDC\netlogon\LocalDC\Launchapp.wsf \\LocalDC\NETLOGON\LocalDC\GoVista.bat"
ELSE
;Running Win2k or WinXP - run the script normally
CALL @LSERVER+"\netlogon\LocalDC\LocalScript.KIX"
EndIF
Note: I'm aware of the "@PRODUCTTYPE" variable, but we are currently using KIX V4.23 which doesn't known anything about Vista, and our Domain Admin isn't interested in updating to the latest KIX version at the moment!
The "GoVista.bat" file just calls the "LocalScript.kix".
\\LocalDC\netlogon\kix32.exe \\LocalDC\netlogon\LocalDC\LocalScript.KIX
As I understand, the "Launchapp.wsf" is supposed to create a "Scheduled Task" on the Vista client that will run the logon script, but nothing happens - the script is not run.
I've also tried to replace the call for "GoVista.bat" with the call for KIX directly, but then the command is just "echo'ed" instead!?
Am I missing something here, or have I just misunderstood the concept of this?
Thanks in advance.
/Michael
|
|
Top
|
|
|
|
#190307 - 2008-10-24 03:23 PM
Re: What is the proper way to get logon script working with Vista?
[Re: MiGe]
|
Shaun_Hill
Getting the hang of it
Registered: 2004-11-15
Posts: 50
Loc: JHB, South Africa
|
I've used kix scripts with VISTA without issues, but I did not configure it from the user profiles.
Is it possible for you to try launch your scripts from Group Policy? GPO run with system rights so this will get around the VISTA UAC issue you are having...
This worked for me, let us know how you progress.
|
|
Top
|
|
|
|
|
#190322 - 2008-10-27 03:04 PM
Re: What is the proper way to get logon script working with Vista?
[Re: Glenn Barnas]
|
MiGe
Fresh Scripter
Registered: 2005-06-24
Posts: 5
Loc: Denmark
|
Hi all.
Thank you for replying 
Launching the logon script via GPO is currently not an option.
I've now debugged the logon script to see which commands are causing the "Access is denied" errors.
* Copying files to the desktop of the "All users" profile
* Copying files to Windows folder (%systemroot%) and subfolders (e.g. HOSTS and SERVICES file)
* Editing the registry - HKLM - via "reg delete" command
* Setting the password for the local administrator account via "NET USER administrator MyPassword"
* Some software installations simply don't run (the process is not executed if you monitor via the Task Manager). Running the same command manually is working fine
|
|
Top
|
|
|
|
|
#190324 - 2008-10-27 03:16 PM
Re: What is the proper way to get logon script working with Vista?
[Re: MiGe]
|
Glenn Barnas
KiX Supporter
Registered: 2003-01-28
Posts: 4401
Loc: New Jersey
|
So, clearly, this isn't related to mapping drive/printers but customization of the workstation. Vista is much more securely configured than XP, and normal users can't write to C:\, C:\Windows\*, Anywhere in C:\Documents and Settings... By default, the local Administrator account is disabled, and the first user is given "administrator" rights, but - SURPRISE! - it's not the same as "THE administrator" account.
Honestly, the things you're trying to do are admin tasks, not user tasks. I'd find alternate ways to configure your workstations, such as GPO or central admin tasks using remote admin. A single Kix script, run from your workstation under a domain-wide admin account (any account with local admin rights, not necessarily a "Domain Admin" account) should be able to handle this in a few minutes. We had a description of this not too long ago with plenty of example code - the login script simply tests for a condition (all users have read access to most things) and then writes an action file to a central share. A process running detects the new file, performs the actions remotely and deletes the action file. Since the central task runs with admin rights, there's no issue with granting normal users local admin rights, or complicated Run-As processes.
Glenn
_________________________
Actually I am a Rocket Scientist! 
|
|
Top
|
|
|
|
|
#199146 - 2010-07-29 04:56 PM
Re: What is the proper way to get logon script working with Vista?
[Re: Glenn Barnas]
|
dude_d
Just in Town
Registered: 2010-07-29
Posts: 3
Loc: Ireland
|
Sorry for resurrecting an old thread. But this is the same issue I face. We have been using Kixtart for login scripts from Windows 95, 98, 2K, & XP. With Vista we encountered the issues mentioned above, particularly trying to edit the registry of workstations. In the end we switched off UAC as we were under pressure to deploy Vista. Now with more time to look at the exact same issue in Windows 7. I was hoping for some advice here.
Our login scripting worked fine until Vista. You say these are "admin tasks"? Would you have any recommendation on other methods, or links to them, on how best to resolve this?
Thanks!
|
|
Top
|
|
|
|
|
#199153 - 2010-07-29 06:06 PM
Re: What is the proper way to get logon script working with Vista?
[Re: dude_d]
|
Glenn Barnas
KiX Supporter
Registered: 2003-01-28
Posts: 4401
Loc: New Jersey
|
The general idea is that you have a client/server type of setup..
The user (without Admin rights) runs the login script. The script CHECKS if a program is missing, or some setting isn't present. It then writes a REQUEST to a central location - \\server\AdminTasks\@WKSTA.INI (for example) - that lists the things that need to be done.
A kix script runs as a service via SrvAny, with a domain account that has local admin access - not a DOMAIN ADMIN account!! This process monitors the folder every few seconds, finds the new file, and moves it to a Processed subfolder. It then kicks off a child task (run kix32 AdminTask.kix - for example). This child task has the proper rights to access the remote workstation, update its registry, copy files, etc. based on the requests in the config file. For more complex tasks, it can create a scheduled event on the remote PC (see tclib UDF library) and then issue an exec command. The remote task runs instantly with whatever local or domain credentials you want. If all of the remote tasks write logs to a central location, you can even collect that back to the central server.
Basically - you write a small script that says
Read this registry location, if the value is missing or less than X, write a code to the INI file.
The receiving script sees the code(s) in the INI file, knows which computer made the request, and performs the necessary tasks to resolve the issue - updating files or registry settings, or triggering an instllation.
We have a product that forms the framework of this process and it has been used to perform admin tasks on workstations in an environment of about 2500 users - nobody has local admin rights to their PC. Since it's a "framework", it provides the API calls to create and manage the requests, but you still need to write code to do the detection, make the calls, and then respond to the requests. This RunAdmin utility basically handles the request/response processing.
Glenn
_________________________
Actually I am a Rocket Scientist!
|
|
Top
|
|
|
|
Moderator: Jochen, Allen, Radimus, Glenn Barnas, ShaneEP, Ruud van Velsen, Arend_, Mart
|
0 registered
and 820 anonymous users online.
|
|
|
