|
|
|||||||
I am calling a script from within a logon script. The called script won't run powercfg. It runs fine when I logon as admin, but it says "You do not have permission...." if I logon as a user. In my network only admins are allowed to adjust the power configuration. here is some of the logon script Code: call "\\server\share\power.kix" then power.kix runs but gives me the permission error Code: shell 'powercfg /CREATE Power_Scheme' |
||||||||
|
|
|||||||
ok. That sounds right, what is the problem? |
||||||||
|
|
|||||||
I'm guessing the Question you meant to ask was, "How can I get a script to run with admin priviledges?" http://www.kixtart.org/ubbthreads/showflat.php?Cat=0&Number=81559&an=0&page=4#81559 |
||||||||
|
|
|||||||
The script processes but doesn't change anything. How can I get this script to run as admin when the users are logging on? I thought all logon scripts ran with admin permissions. |
||||||||
|
|
|||||||
nope, all scripts run as the user that logs on... that is how a user gets their network drives. Hoops must be gone through to give a user admin privledges for installing apps and such |
||||||||
|
|
|||||||
There are some examples here on this board that show how to run a script as an admin. One of the least secure is to use runas (provided by MS in Win2K and up). Users can read the username and password this way. There are also topics on how to do it more secure. Do a search on runas (gave me 361 hits) and sanur and you'll get some hits. Tokenizing the script is also an option. But afaik there are no 100% secure ways to run a logon script as an admin when a regular user logs on. Logon scripts always run with the credentials of the user logging on and not as an admin of any kind unless some it is told to do so. Start-up scripts run under the system account and therefore have elevated privileges compared to a regular user but it still is not the same as a domain admin. |
||||||||
|
|
|||||||
If I understand well, you want to change the power scheme of a user. I think there are two easy ways to do this.
|
||||||||
|
|
|||||||
WHen you run under alternate creds, the HKCU is not that of the intended. You need to get fancy and navigate through HKU\SIDofIntendedUser\... |
||||||||
|
|
|||||||
True. But why would I need alternate credentials As far as I know, a normal user can change "HEY_CURRENT_USER\Control Panel\PowerCfg","CurrentPowerPolicy". |
||||||||
|
|
|||||||
No, not true. There has been much said about that and the consensus is that perms need to be opened up on the key. |
||||||||
|
|
|||||||
I think just using runas is they way to go for me. Code:
But when I run this a box flashes on the screen to quick for me to read and the power scheme remains unchanged. The output in the original dosbox is: C:\drive>pwrcfg.kix Enter the password for USERNAME: Attempting to start powercfg /SETACTIVE POWER_SCHEME as user "COMPUTERNAME\USERNAME"... C:\drive> |
||||||||
|
|
|||||||
You are obviously still in denial. |
||||||||
|
|
|||||||
sorry still learnin |
||||||||
|
|
|||||||
This works: Code: RUN "runas /user:USERNAME notepad.exe" But not this: Code: Run "runas /user:USERNAME powercfg /SETACTIVE POWER_SCHEME" |
||||||||
|
|
|||||||
have you read up on RUNAS? make a bat file and RUNAS it. |
||||||||
|
|
|||||||
When you RUNAS another user, you set the powercfg for that OTHER user. This has already been said. |
||||||||
|
|
|||||||
OOHHH!!! I must have missed that one. OK, I'll have to go about this a different way. |
||||||||
|
|
|||||||
You need to set rights on one HKEY_LOCAL_MACHINE key. This should get you on your way: http://blogs.msdn.com/aaron_margosis/archive/2005/02/09/370263.aspx |
||||||||
|
|
|||||||
Thanks everyone and thanks to drillsergeant for the link. Here is how I finally made it work. The login script calls runas.kix Code: RUN "runas /user:Admin cmd" runas.kix calls pwrcfg.bat Code: setacl.exe -on "\\%computername%\HKLM\SOFTWARE\MICROSOFT\Windows\CurrentVersion\Controls Folder\PowerCfg\GlobalPowerPolicy" -ot reg -actn ace -ace "n:%computername%\users;p:full" I just need to have pwrcfg.bat, runas.kix, and SetACL.exe in the same directory. I'm also going to have the script to remove the permissions once the changes have been made. P.S. Before I deploy runas.kix I plan on kixcrypting it so no one can trace it down and view the password. |