#199692 - 2010-08-30 10:31 AM Problem with login script on Windows 7 run as scheduled task
Sam_B Offline
Getting the hang of it

Registered: 2005-10-25
Posts: 68
Loc: Bern, Switzerland
Hello all,

first of all, I don't think that I am the first person on this planet having the issue I'll describe below, I tried to search for solutions in the board, but was not clever enough to find it... Sorry for that.

My problem: we are moving to Windows 7 from XP and, as you all know, the KiX login script on Windows 7 doesn't run with elevated rights, causing problems with our legacy scripts during some file operations that need admin rights on users' workstations. We need to rework the complete login process so that such operations won't be needed in the near future, but as a workaround I'm searching for a solution to run the login script with elevated rights.

I found one: creating a scheduled task that triggers the login script at user logon, with the possibility to run the script with elevated rights, a perfect solution! But it's causing me some headache...

The login script should run under the user account of the user currently logging in. To be able to do this in a generic way, I added an AD group as the user account to run the script under. All my users are members of this group, and local admins on the workstations they log on to. This means that each time any user that is a member of this group logs on to the machine, the login script should run with admin rights.

I tested this and it worked great! Until I rebooted the machine... Then the script wasn't fired anymore at login. I found an error in the task scheduler history: Task Scheduler failed to load task "my Login" at service startup. Additional Data: Error Value 214744189.

When I remove the group and replace it with a dedicated user account and run tests with this configuration, everything seems to work. So the group seems to cause the issue with the task scheduler at startup of the machine.

Now my question: Do you know a way to schedule a login script with task scheduler and trigger it to run under the user account of the current user with elevated rights?

Many thanks for your feedback!
#199694 - 2010-08-30 12:33 PM Re: Problem with login script on Windows 7 run as scheduled task [Re: Sam_B]
Glenn Barnas Administrator Offline
KiX Supporter
*****

Registered: 2003-01-28
Posts: 4396
Loc: New Jersey
How are you creating / running the scheduled task?

Do all users have the correct local policy rights? (Log on as a batch job)

Take a look at tcLib - the Task Control UDF library - which allows you to define the admin task on all workstations right from your admin workstation. There is a trigger action "At logon" that may be useful. If that works, you don't need to do anything in your login script.

UAC may also be getting involved - there are policy settings which will allow admins to perform tasks without being prompted by UAC for approval.

BTW - login scripts don't run with elevated rights even on XP. There is now a significant difference between "the administrator", administrative rights, and local non-admin accounts which is likely your real issue. In the past, if a user was a member of the local administrators group, they had the same rights as the administrator. Not any more...

Glenn
_________________________
Actually I am a Rocket Scientist! \:D

#199695 - 2010-08-30 03:36 PM Re: Problem with login script on Windows 7 run as scheduled task [Re: Glenn Barnas]
Sam_B Offline
Getting the hang of it

Registered: 2005-10-25
Posts: 68
Loc: Bern, Switzerland
Hi Glenn,

many thanks for your post and the correction regarding the different rights. I think I need to learn a lot about this... Will do that and also check the tcLib stuff.

Regards

Samuel

#199698 - 2010-08-30 06:58 PM Re: Problem with login script on Windows 7 run as scheduled task [Re: Sam_B]
Glenn Barnas Administrator Offline
KiX Supporter
*****

Registered: 2003-01-28
Posts: 4396
Loc: New Jersey
Actually, our tsAdm utility would be just the ticket to test & deploy the At Logon task capability. Unfortunately, the user registration on our web site broke during our recent upgrade, and we've been too busy to recode it. If you PM me with your email, I'll send you the link to download it.

You can install the tsAdm utility on your PC - it's a GUI interface for managing scheduled events on computers. It exposes all of the control options - you can create a simple At Logon task and verify that it works. If it does, you can use the same tool to "blast" the task out to many (hundreds, even) remote computers by simply employing a plain text file that defines the names of the target computers where you want the task installed.

Glenn
_________________________
Actually I am a Rocket Scientist! \:D

#199699 - 2010-08-31 01:02 AM Re: Problem with login script on Windows 7 run as scheduled task [Re: Glenn Barnas]
Bryce Offline
KiX Supporter
*****

Registered: 2000-02-29
Posts: 3167
Loc: Houston TX
If I recall, running your logon scripts via a GPO will give you the elevated rights that you need....

Or I think they will....
#199700 - 2010-08-31 12:04 PM Re: Problem with login script on Windows 7 run as scheduled task [Re: Bryce]
Arend_ Moderator Offline
MM club member
*****

Registered: 2005-01-17
Posts: 1894
Loc: Hilversum, The Netherlands
As Bryce pointed out, using GPO can give you elevated rights, just beware of the following:

In the User section of a GPO you can put scripts in the Logon and LogOff sections, the scripts will run using the User account token, so won't have elevated rights.

In the Computer section of the GPO you can put scripts in the Startup and Shutdown sections. The scripts will run using the SYSTEM account token, so they will have elevated rights BUT you can't use Current User settings in the registry, or any user based file operations.
#199701 - 2010-08-31 12:19 PM Re: Problem with login script on Windows 7 run as scheduled task [Re: Arend_]
Arend_ Moderator Offline
MM club member
*****

Registered: 2005-01-17
Posts: 1894
Loc: Hilversum, The Netherlands
Btw, if you are using the logonscript in the classic way, using Netlogon, please set this key prior to running the logonscript:

 Code:
$=WriteValue("HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections","1","REG_DWORD")

#199704 - 2010-08-31 02:36 PM Re: Problem with login script on Windows 7 run as scheduled task [Re: Arend_]
Glenn Barnas Administrator Offline
KiX Supporter
*****

Registered: 2003-01-28
Posts: 4396
Loc: New Jersey
 Originally Posted By: apronk
Btw, if you are using the logonscript in the classic way, using Netlogon, please set this key prior to running the logonscript:

 Code:
$=WriteValue("HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections","1","REG_DWORD")
But not until after you read this article.

I for one don't use this as it changes the local security model. I have no problem mapping drives with a standard Kix logon script on XP, Vista, or Windows 7. This is handy for admins who often use RunAs to obtain an elevated process and need the same drives mapped, but I would not do this for all users.

Just my two drachmas...

Glenn
_________________________
Actually I am a Rocket Scientist! \:D

#199705 - 2010-08-31 02:46 PM Re: Problem with login script on Windows 7 run as scheduled task [Re: Arend_]
Allen Administrator Online
KiX Supporter
*****

Registered: 2003-04-19
Posts: 4545
Loc: USA
Unfortunately, using the EnableLinkedConnections is not supported by MS.

If you are using a GPO Login Script, their suggested method was to use something called launchapp.wsf, which basically creates a scheduled task that runs as the current user. This way you can map drives, printers, access their desktop, registry, etc. in the context of the user, while still having admin privs for other things.

I tried converting launchapp.wsf to kix, but have had little response as to how well it works.

RunAsInteractiveUser() -
http://www.kixtart.org/forums/ubbthreads.php?ubb=showflat&Main=26830&Number=199093#Post199093

#199706 - 2010-08-31 04:16 PM Re: Problem with login script on Windows 7 run as scheduled task [Re: Allen]
Arend_ Moderator Offline
MM club member
*****

Registered: 2005-01-17
Posts: 1894
Loc: Hilversum, The Netherlands
Here is MS's own provided solution link
#199707 - 2010-08-31 04:38 PM Re: Problem with login script on Windows 7 run as scheduled task [Re: Arend_]
Glenn Barnas Administrator Offline
KiX Supporter
*****

Registered: 2003-01-28
Posts: 4396
Loc: New Jersey
Yes, with the same disclaimer:
 Quote:
Important This workaround may make your system unsafe. Microsoft does not support this workaround. Use this workaround at your own risk.
Glenn
_________________________
Actually I am a Rocket Scientist! \:D

#199708 - 2010-08-31 05:08 PM Re: Problem with login script on Windows 7 run as scheduled task [Re: Glenn Barnas]
Arend_ Moderator Offline
MM club member
*****

Registered: 2005-01-17
Posts: 1894
Loc: Hilversum, The Netherlands
Windows = Unsafe :P
#199709 - 2010-08-31 09:42 PM Re: Problem with login script on Windows 7 run as scheduled task [Re: Arend_]
Allen Administrator Online
KiX Supporter
*****

Registered: 2003-04-19
Posts: 4545
Loc: USA
For what it's worth... here is the technet article discussing, amongst other things, the launchapp.wsf...

http://technet.microsoft.com/en-us/library/cc766208%28WS.10%29.aspx
 Quote:
To get around this issue, administrative users should map network drives under the limited user token. This mapping is accomplished by using the launchapp.wsf script shown in Appendix A, which works by scheduling the commands using the task scheduler. The task scheduler launches the script under the administrative full token, thereby allowing Windows Explorer, other limited token processes, and the elevated token process to view the mapped network drives.



Full Context
 Quote:

Consumption of Windows Vista settings
Group Policy Scripts can fail due to User Account Control

The main goal of User Account Control (UAC) is to lessen the exposure and attack surface of the operating system. UAC does this by requiring all users to run in standard user mode. This limit minimizes the ability for users to make changes that could destabilize their computers or unintentionally expose the network to viruses through undetected malicious software (also called malware) that has infected their computer.

With UAC, you can run most applications, components, and processes with a limited privilege, but have "elevation potential" for specific administrative tasks and application functions. Windows accomplishes this by using two access tokens for each user: limited and elevated access tokens. Access tokens identify the user, the user's groups, and the user's privileges. The system uses access tokens to control access to securable objects and to control the ability of the user to perform various system-related operations on the local computer.

An elevated token, for a local administrator, includes and enables all of the administrative privileges. UAC requires local administrators to use their elevated token when attempting to perform a system-only task or administrative task. A limited token, for a local administrator, includes all of the administrative privileges; however, these privileges are disabled. This allows Windows to view the administrative user and a normal user, with the option to elevate their privileges.

By default, all users logging on to Windows Vista use their full token to process Group Policy and logon scripts. However, they use their limited user token to load the desktop and all subsequent processes. Nonadministrative limited and elevated tokens are mostly identical, with regard to privileges and groups. Therefore, a process started with a nonadministrative limited user token can view processes started with a nonadministrative elevated token. Windows allows this because the viewing application does not require any elevation to view the process started with the elevated token.

Windows processes a locally logging on administrator the same way. Group Policy and logon scripts process using the elevated user token, and the desktop and all subsequent processes use the limited token. However, there is a privilege difference between the limited and elevated user token. Therefore, Windows restricts processes started with a limited token from the ability to share information with processes started with the elevated token.

UAC may prevent Group Policy logon scripts from appearing to work properly. For example, a domain environment contains a GPO that includes a logon script to map network drives. A nonadministrative user logs on to the domain from a Windows Vista computer. After Windows Vista loads the desktop, the nonadministrative user starts Windows Explorer. The user sees their mapped drives. Under the same environment, an administrative user logs on to the domain from a Windows Vista computer. After Windows Vista loads the desktop, the administrative user starts Windows Explorer. The user does not see their mapped drives.

When the administrative user logs on, Windows processes the logon scripts using the elevated token. The script actually works and maps the drive. However, Windows blocks the view of the mapped network drives because the desktop uses the limited token while the drives were mapped using the elevated token.

To get around this issue, administrative users should map network drives under the limited user token. This mapping is accomplished by using the launchapp.wsf script shown in Appendix A, which works by scheduling the commands using the task scheduler. The task scheduler launches the script under the administrative full token, thereby allowing Windows Explorer, other limited token processes, and the elevated token process to view the mapped network drives.

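The workaround the article describes, carried out in PowerShell as an added example (not part of the thread and not Microsoft's launchapp.wsf itself): called from a logon script that is already running under the elevated token, it registers a one-off task whose principal is the logged-on user's interactive limited token, runs the drive mapping through it, waits, and deletes the task. The drive letter, UNC path and task name prefix are placeholders; it assumes the Task Scheduler 2.0 COM API of Windows Vista/7 or later.

```powershell
# Added example, not the thread's or Microsoft's code. Mirrors the launchapp.wsf
# idea: run a command under the limited interactive token from an elevated
# logon script, so Explorer (also limited) sees the mapped drive.
param(
    [string]$Letter = 'H:',                  # placeholder drive letter
    [string]$Share  = '\\FILESERVER\home'    # placeholder UNC path (assumed)
)

# Unique name so concurrent logons never collide on the same task object.
$taskName = 'MapDrive-LimitedToken-' + [guid]::NewGuid().ToString('N')

$svc = New-Object -ComObject 'Schedule.Service'
$svc.Connect()
$root = $svc.GetFolder('\')

$def = $svc.NewTask(0)
$def.RegistrationInfo.Description = 'One-off drive mapping under the limited token'
# TASK_LOGON_INTERACTIVE_TOKEN (3): run in the interactive session of the user
# registering the task. TASK_RUNLEVEL_LUA (0): explicitly the limited token,
# not the elevated one, which is the whole point of the workaround.
$def.Principal.LogonType = 3
$def.Principal.RunLevel  = 0
$def.Settings.DisallowStartIfOnBatteries = $false
$def.Settings.StopIfGoingOnBatteries     = $false
$def.Settings.ExecutionTimeLimit         = 'PT2M'   # kill a hung mapping

$action = $def.Actions.Create(0)            # TASK_ACTION_EXEC
$action.Path      = "$env:SystemRoot\System32\net.exe"
$action.Arguments = "use $Letter $Share /persistent:no"

# TASK_CREATE_OR_UPDATE (6); no stored credentials, logon type 3 again.
$task = $root.RegisterTaskDefinition($taskName, $def, 6, $null, $null, 3, $null)
$task.Run($null) | Out-Null

# Wait while the task is queued (2) or running (4), bounded by a deadline.
$deadline = (Get-Date).AddMinutes(2)
do {
    Start-Sleep -Milliseconds 500
} while (($task.State -eq 2 -or $task.State -eq 4) -and (Get-Date) -lt $deadline)

$result = $task.LastTaskResult
# Always remove the task so no definition is left behind for later reuse.
$root.DeleteTask($taskName, 0)
Write-Output "Mapping task '$taskName' exited with code $result"
```

Because the task carries no stored password and is deleted immediately, nothing persistent is left in the Task Scheduler store, which is the property to check for when auditing such logon-time helpers.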
#199710 - 2010-09-01 09:00 AM Re: Problem with login script on Windows 7 run as scheduled task [Re: Allen]
Arend_ Moderator Offline
MM club member
*****

Registered: 2005-01-17
Posts: 1894
Loc: Hilversum, The Netherlands
Thanks Allen, that provides the sufficient information I should have posted when I brought up that Registry Value.

However, I feel that the launchapp.wsf is crap.
I want my Loginscript to work, whether or not the user is also a Local Admin. That registry value solves that issue.
#199737 - 2010-09-02 07:55 PM Re: Problem with login script on Windows 7 run as scheduled task [Re: Arend_]
Lonkero Administrator Offline
KiX Master Guru
*****

Registered: 2001-06-05
Posts: 22346
Loc: OK
amen
_________________________
!

download KiXnet
