Kix not running for logon scripts using win7. but work OK for winXp - KiXtart.org - official site

You are not logged in. [Log In] KiXtart.org website » Forums » KiXtart » Basic Scripting » Kix not running for logon scripts using win7. but work OK for winXp

Page 1 of 2

1

Topic Options

#207138 - 2013-04-20 06:19 AM Kix not running for logon scripts using win7. but work OK for winXp
Easter_bunny Easter_bunny Fresh Scripter Registered: 2013-04-11 Posts: 18 Loc: hong kong	We have a fully functioning system using windows Xp clients. Our issue is we need to run something similar to get windows 7 clients to loogon like the winXp clients. We are Using Linux server, based on Ubuntu 10.04 [Karoshi] This server base gives us all the features we need. The part failing is when we logon to a windows 7 workstation, the logon scripts are run in 3 main parts and we find the part not working is where we alter the registry <HKEY_CURRENT_USER\> Here is a small sample of the keys that wont work from within the Logon ; Set Registry Variables $keysys="HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" $keynet="HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Network" $keyexp="HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" $keyapp="HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp" $keyexa ="HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" $keyiec ="HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel" $keyidr ="HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions" $keyisc ="HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache" $keyies ="HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" $keyier ="HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions" $keycon ="HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Network Connections" $keymmc ="HKEY_CURRENT_USER\Software\Policies\Microsoft\MMC" $keycmd ="HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\system" $keyswr ="HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\" ;Disable Command Prompt $ret=writevalue($keycmd,"DisableCMD","2","REG_DWORD") ;Disable MMC Plugins $ret=writevalue($keymmc,"RestrictToPermittedSnapins","1","REG_DWORD") ;Disable Microsoft Management Console $ret=writevalue($keymmc,"RestrictAuthorMode","1","REG_DWORD") ;Disable Lan connection properties $ret=writevalue($keycon,"NC_LanProperties","0","REG_DWORD") ;Disable New Connection Wizard $ret=writevalue($keycon,"NC_NewConnectionWizard","0","REG_DWORD") ;Disable Task Manager using C+A+D $ret=writevalue($keysys,"DisableTaskMgr","1","REG_SZ") ;Disable Locking Workstation Locking using C+A+D $ret=writevalue($keysys,"DisableLockWorkstation","1","REG_SZ") ;Disable Properties Menu selection - Recycle Bin $ret=writevalue($keyexp,"NoPropertiesRecycleBin","1","REG_DWORD") ;Do not move deleted files to the recycle bin $ret=writevalue($keyexp,"NoRecycleFiles","1","REG_DWORD") ;Disable automatic update $ret=writevalue($keyexp,"NoAutoUpdate","1","REG_DWORD") ;Disable DFS Security Tab $ret=writevalue($keyexp,"NoDFSTab","1","REG_DWORD") ;Disable Security Tab $ret=writevalue($keyexp,"NoSecurityTab","1","REG_DWORD") ;Remove Hardware Tab $ret=writevalue($keyexp,"NoHardwareTab","1","REG_DWORD") I also tested these key changes with a local run of the file and everything functioned correctly. It is only when we run the script at logon. We don't want to use Samba4 just yet as it is still mostly experimetal. The main reason we are using Linux servers is the cost of running 6-7 MS Servers is high and we found some very good (for schools) server base [http://www.linuxgfx.co.uk/] If anyone has any ideas I would like to hear them. Regards Bernai Edited by Easter_bunny (2013-04-20 06:22 AM)
Top

#207139 - 2013-04-20 01:26 PM Re: Kix not running for logon scripts using win7. but work OK for winXp [Re: Easter_bunny]
ChristopheM ChristopheM Hey THIS is FUN Registered: 2002-05-13 Posts: 311 Loc: STRASBOURG, France	I see you try to write in many keys that are dedicated to policies. if you test the script with a local admin account, it can work but when executed during login script, this script can't write keys for non admin users because all these keys are read-only. these values should be set by gpo _________________________ Christophe
Top

#207145 - 2013-04-20 10:45 PM Re: Kix not running for logon scripts using win7. but work OK for winXp [Re: ChristopheM]
Lonkero Lonkero KiX Master Guru Registered: 2001-06-05 Posts: 22346 Loc: OK	uhm... my take is that you have UAC on, if your script gives you the expected results after logon, when ran manually. during logon, the security 'token' is different. if your users are local admins, they have admin token, that is separate from the UAC limited one. this unlimited token is where logonscript gets executed. to test it out, just disable UAC on the computer, reboot and login again. _________________________ ! download KiXnet
Top

#207147 - 2013-04-21 04:50 AM Re: Kix not running for logon scripts using win7. but work OK for winXp [Re: Lonkero]
Easter_bunny Easter_bunny Fresh Scripter Registered: 2013-04-11 Posts: 18 Loc: hong kong	These keys are only about 1/4 of what we set. Using Win Xp is fine, it is when we use win7 that we have problems. I have turned the UAC to the lowest setting. the script is normally containing HKEY_CURRENT_USER & HKEY_LOCAL_MACHINE the Local Machine keys are run on startup and the Current user are run from logon If I put all keys into the startup script the keys will load (but as local user) and function, showing they are valid keys. They just wont apply during logon as they dont have rights. I believe we need to elevate the scripts to administrator level. I don't want to use RunAs as this is a security risk. Looking for suggestions. Regards Berni
Top

#207148 - 2013-04-21 06:35 AM Re: Kix not running for logon scripts using win7. but work OK for winXp [Re: Easter_bunny]
Lonkero Lonkero KiX Master Guru Registered: 2001-06-05 Posts: 22346 Loc: OK	lowest setting is not the same as off. UAC on changes how windows works. just humor me and turn UAC off for a pc and see the light. _________________________ ! download KiXnet
Top

#207149 - 2013-04-21 07:42 AM Re: Kix not running for logon scripts using win7. but work OK for winXp [Re: Lonkero]
Easter_bunny Easter_bunny Fresh Scripter Registered: 2013-04-11 Posts: 18 Loc: hong kong	This might sound stupid. I dont see a setting to turn it off? Berni
Top

#207150 - 2013-04-21 08:00 AM Re: Kix not running for logon scripts using win7. but work OK for winXp [Re: Easter_bunny]
Easter_bunny Easter_bunny Fresh Scripter Registered: 2013-04-11 Posts: 18 Loc: hong kong	OK I got the Registry setting and turned off the UAC. I will test later the server is offline for maintenance (upgrading the ram and Hard Drives) I will post the results after I test. Regards Berni
Top

#207151 - 2013-04-21 09:54 AM Re: Kix not running for logon scripts using win7. but work OK for winXp [Re: Easter_bunny]
Easter_bunny Easter_bunny Fresh Scripter Registered: 2013-04-11 Posts: 18 Loc: hong kong	OK with the UAC setting (Registry) turned off. I logon and stall no difference the last script with all the registry keys did not complete the required tasks. Here is the line I used to switch off the UAC in registry C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f berni
Top

#207156 - 2013-04-22 06:21 AM Re: Kix not running for logon scripts using win7. but work OK for winXp [Re: Easter_bunny]
Lonkero Lonkero KiX Master Guru Registered: 2001-06-05 Posts: 22346 Loc: OK	you ran this command manually and then restarted the computer? _________________________ ! download KiXnet
Top

#207157 - 2013-04-22 06:25 AM Re: Kix not running for logon scripts using win7. but work OK for winXp [Re: Lonkero]
Easter_bunny Easter_bunny Fresh Scripter Registered: 2013-04-11 Posts: 18 Loc: hong kong	yes. Then logon as a user on the server. No visible change to the user access. Berni
Top

#207158 - 2013-04-22 06:46 AM Re: Kix not running for logon scripts using win7. but work OK for winXp [Re: Easter_bunny]
Easter_bunny Easter_bunny Fresh Scripter Registered: 2013-04-11 Posts: 18 Loc: hong kong	I just re-run the script. Restart the Pc and seems most of the keys are changed. There are just a couple of items such as Local drives and USB ports. I add these into the script but did nort work. This might be due to location of the scripts, I will re-work them today. Thanks for the tip on the UAC, I always thought the lowering of the bar was turning off the service, however it only switches off the messages. I will update this post after further testing today. Berni
Top

#207159 - 2013-04-22 08:08 AM Re: Kix not running for logon scripts using win7. but work OK for winXp [Re: Easter_bunny]
Lonkero Lonkero KiX Master Guru Registered: 2001-06-05 Posts: 22346 Loc: OK	yea. I've been bit by UAC ever since it was introduced with vista. if you had a real AD, you could leave it on, but now you are rather limited with your options. personally I have never seen the benefit of UAC. I don't remember it never stopping anything that I didn't tell to run but it annoys me 10 times a day, when I run a program. one more huge mistake by MS. _________________________ ! download KiXnet
Top

#207160 - 2013-04-22 08:29 AM Re: Kix not running for logon scripts using win7. but work OK for winXp [Re: Lonkero]
Easter_bunny Easter_bunny Fresh Scripter Registered: 2013-04-11 Posts: 18 Loc: hong kong	we are hoping to roll-out Samba 4 with AD. the people doing Karoshi are working on it now, once out it will solve some of these problems. The one thing I am stuck on is the hiding of the drives for some users when they nlogin. I have seen several pages showing how to set it using local admin, this is not suitable as I don't want to go visit each machine when users move. Ms has made many mistakes over the past couple of years, win 8 is their latest blunder. Not easy to configure and tablet users are not secure. Berni
Top

#207162 - 2013-04-22 03:34 PM Re: Kix not running for logon scripts using win7. but work OK for winXp [Re: Easter_bunny]
Lonkero Lonkero KiX Master Guru Registered: 2001-06-05 Posts: 22346 Loc: OK	you running logon scripts in sync? does the hiding occur if you taskkill explorer.exe and start it up again? _________________________ ! download KiXnet
Top

#207172 - 2013-04-23 08:53 AM Re: Kix not running for logon scripts using win7. but work OK for winXp [Re: Lonkero]
Easter_bunny Easter_bunny Fresh Scripter Registered: 2013-04-11 Posts: 18 Loc: hong kong	sorry i don't understand about running in Sync.... I am running the taskkill explorer. Berni
Top

#207173 - 2013-04-23 09:42 AM Re: Kix not running for logon scripts using win7. but work OK for winXp [Re: Easter_bunny]
Easter_bunny Easter_bunny Fresh Scripter Registered: 2013-04-11 Posts: 18 Loc: hong kong	another new issue is that I can not run the kix file that resides on the server. \\server_name\netlogon\local.kix this is being called from a task schedule. set to run at startup. General run the task as SYSTEM Trigger startup action start a program c:\kix\wkix32.exe \\server_name\netlogon\local.kix The script I am running is Code: ; Set Registry Variables $keyies ="HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" ;Disable Reda Write from USB ports $ubstor = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor" $ret=writevalue($ubstor,"Start","4","REG_DWORD") ; "Start"=dword:00000004 ;Disable add/delete sites from Security Zone $ret=writevalue($keyies,"Security_zones_map_edit","1","REG_DWORD") ;Disable Changing Policies for any Security Zone $ret=writevalue($keyies,"Security_options_edit","1","REG_DWORD") ;Use Only Machine Settings for Security Zone $ret=writevalue($keyies,"Security_HKLM_Only","1","REG_DWORD") ;Reload explorer shell shell "taskkill /f /im explorer.exe & start explorer.exe" RETURN seems it can not access the server netlogon directory if I point to local drive the script works fine. Berni Edited by Mart (2013-04-24 09:22 AM) Edit Reason: Please use code tags when posting code.
Top

#207174 - 2013-04-23 03:11 PM Re: Kix not running for logon scripts using win7. but work OK for winXp [Re: Easter_bunny]
Lonkero Lonkero KiX Master Guru Registered: 2001-06-05 Posts: 22346 Loc: OK	hmm... it might not have rights to access netlogon. computer that is member of the domain is included in domain computers group. _________________________ ! download KiXnet
Top

#207181 - 2013-04-24 04:27 AM Re: Kix not running for logon scripts using win7. but work OK for winXp [Re: Lonkero]
Easter_bunny Easter_bunny Fresh Scripter Registered: 2013-04-11 Posts: 18 Loc: hong kong	in the smb.conf i have the following. I thought this would give access to startup process. [netlogon] path = /var/lib/samba/netlogon create mask = 0664 guest ok = Yes locking = No oplocks = No level2 oplocks = No I set this so that the Kix files could work / access files in netlogon folder. Am I wrong with this.?? I tend to feel my logic is not on track... The full smb.conf is below. # Global parameters [global] workgroup = IMSTH server string = Samba Server %v log level = 1 log file = /var/log/samba/log.%m max log size = 100 deadtime = 15 max smbd processes = 1000 socket options = SO_KEEPALIVE TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 printcap name = cups logon home = "" logon script = logon.bat logon path = \\oceanides\applications\profiles\%G domain logons = Yes os level = 255 preferred master = Yes domain master = Yes dns proxy = No wins support = Yes ldap ssl = no printing = cups acl check permissions = No security = user passdb backend = ldapsam:ldap://localhost/ obey pam restrictions = yes ldap admin dn = cn=admin,dc=karoshi,dc=local ldap suffix = dc=karoshi, dc=local ldap group suffix = ou=Group ldap user suffix = ou=People ldap machine suffix = ou=Hosts ldap idmap suffix = ou=Users ; Do ldap passwd sync ldap passwd sync = Yes passwd program = /usr/sbin/smbldap-passwd %u passwd chat = Newpassword* %n\n Retypenewpassword %n\n allauthenticationtokensupdated* add user script = /usr/sbin/smbldap-useradd -m "%u" ldap delete dn = Yes delete user script = /usr/sbin/smbldap-userdel "%u" #add machine script = /usr/sbin/smbldap-useradd -w "%u" add machine script = /opt/karoshi/"useful scripts"/ldap_add_machine %u add group script = /usr/sbin/smbldap-groupadd -p "%g" delete group script = /usr/sbin/smbldap-groupdel "%g" add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g" delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g" set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u" [homes] comment = Home Directories invalid users = root read only = No create mask = 0600 directory mask = 0700 browseable = No # veto files = /.exe/.msi/.mp3/.wma/.ram/.mov/.mpg/.mpeg/.bat/.lnk/.zip/"Folder Settings"/desktop.ini/ [applications] comment = Data path = /home/applications invalid users = root read only = No create mask = 0664 directory mask = 0775 guest ok = Yes browseable = No fake oplocks = Yes locking = No oplocks = No level2 oplocks = No [ADMIN_files] path = /home/ADMIN_files read only = No force group = staffADM create mask = 0660 directory mask = 0770 browseable = Yes [GENERAL_files] path = /home/GENERAL_files read only = No force group = staff create mask = 0660 directory mask = 0770 writeable = yes browseable = Yes [FACULTY_files] path = /home/FACULTY_files read only = No force group = staff create mask = 0660 directory mask = 0770 browseable = Yes [TH_files] path = /home/TH_files read only = No force group = staffTH create mask = 0660 directory mask = 0770 writeable = yes browseable = Yes [SH_files] path = /home/SH_files read only = No force group = staffSH create mask = 0660 directory mask = 0770 writeable = yes browseable = Yes [ML_files] path = /home/ML_files read only = No force group = staffML create mask = 0660 directory mask = 0770 writeable = yes browseable = Yes [itadmin] path = /home/itadminshare invalid users = root read only = No create mask = 0660 directory mask = 0770 force directory mode =0770 browseable = Yes [staffshare] path = /home/staffshare force group = +staff invalid users = root read only = No create mask = 0660 directory mask = 0770 force directory mode =0770 browseable = Yes [subjects] path = /home/subjects force group = +staff invalid users = root +exams read only = No create mask = 0664 directory mask = 0775 force directory mode =0775 browseable = Yes [temp] path = /home/temp force group = +temparea invalid users = root read only = No create mask = 0660 directory mask = 0770 force directory mode =0770 # veto files = /.exe/.msi/.mp3/.wma/.ram/.mov/.mpg/.mpeg/.bat/.lnk/.pif/.rar/ browseable = No [netlogon] path = /var/lib/samba/netlogon create mask = 0664 guest ok = Yes locking = No oplocks = No level2 oplocks = No [officeshare] path = /home/officeshare force group = +officestaff invalid users = root read only = No create mask = 0660 directory mask = 0770 force directory mode =0770 browseable = Yes [logging] comment = Data path = /var/log/karoshilogs invalid users = root read only = No create mask = 0666 guest ok = No # veto files = /.exe/.msi/.mp3/.wma/.ram/.mov/.mpg/.mpeg/.bat/.lnk/.pif/*.rar/ browseable = No locking = No
Top

#207196 - 2013-04-25 02:04 AM Re: Kix not running for logon scripts using win7. but work OK for winXp [Re: Easter_bunny]
Lonkero Lonkero KiX Master Guru Registered: 2001-06-05 Posts: 22346 Loc: OK	you have wait for network enabled? it's one of those pesky policies that default to off. Under Computer Configuration\Administrative Templates\System\Logon Always wait for the network at computer startup and logon not sure how scheduled task differs from actual startup script though. _________________________ ! download KiXnet
Top

#207214 - 2013-04-27 06:46 AM Re: Kix not running for logon scripts using win7. but work OK for winXp [Re: Lonkero]
Easter_bunny Easter_bunny Fresh Scripter Registered: 2013-04-11 Posts: 18 Loc: hong kong	Tried it with actual startup scripts, still nothing. I can run the scripts manually so I know the scripts are good(maybe) I tried to use the following registry mods. again my scripts don't seem to run. ____________________________________________________ Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Shutdown] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Startup] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Startup\0] "GPO-ID"="LocalGPO" "SOM-ID"="Local" "FileSysPath"="C:\\Windows\\System32\\GroupPolicy\\Machine" "DisplayName"="Local Group Policy" "GPOName"="Local Group Policy" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Shutdown\0] "GPO-ID"="LocalGPO" "SOM-ID"="Local" "FileSysPath"="C:\\Windows\\System32\\GroupPolicy\\Machine" "DisplayName"="Local Group Policy" "GPOName"="Local Group Policy" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Startup\0\0] "Script"="C:\\script1.bat" "Parameters"="" "ExecTime"=hex(b):00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 ________________________________________________________ seems I am missing some little item.
Top

Page 1 of 2

1

Previous Topic

Previous Topic View All Topics

View All Topics

Index Next Topic

Next Topic

Moderator: Jochen, Allen, Radimus, Glenn Barnas, ShaneEP, Ruud van Velsen, Arend_, Mart

Hop to:

Shout Box

Who's Online

0 registered and 2419 anonymous users online.

Newest Members

batdk82, StuTheCoder, M_Moore, BeeEm, min_seow
17885 Registered Users

Generated in 0.09 seconds in which 0.033 seconds were spent on a total of 14 queries. Zlib compression enabled.

click tracking