Re: Multiple Questions


From: Torgeir Bakken (MVP) (Torgeir.Bakken-spam_at_hydro.com)
Date: 07/24/04


Date: Sat, 24 Jul 2004 21:18:10 +0200

Adrian Marsh wrote:

> [snip]
> 2) Admin of local Clients - I've a Domain "Lab", under that I've the
> standard Container for Builtin, and a labadmin user defined. Then there's
> a test OU, with its own test\testlaptop1,2,3 computers and test\testuser
> user.
>
> I want the testuser user to be local Administrator of the testlaptops
> themselves, but not of the Domain or test OU itself. If I make
> test\testuser part of the Lab\Builtin\Administrator group then won't
> they be "admins" of the whole Domain?? How can I do what I want here ? I
> think the answer is something to do with Restricted groups, but haven't
> quite got the concept..

We add "NT Authority\Interactive" in the local Administrators group
to let all domain users automatically be local admins when they log
on to a computer interactively.

This is more secure than adding "Authenticated Domain users",
"Domain Users" or "NT AUTHORITY\Authenticated Users" because you
avoid the issue with cross network admin rights (remote access)
that these groups introduce.

> 3) Login scripts - I've a bunch of various apps I need installed on
> each testlaptop, everything from Office 2k to mcafee to DrTcpIp. I've
> written some .bat login scripts that will do the job of installing,
> logging and uninstalling/running the setup.exe, etc. But I'm wondering
> if it's worth my while trying to put these into .zap scripts. I don't
> have any 95/98/NT4 clients, 2000 and XP only. Opinions??
> BTW: When do .msi/.zap installations run - at login only ??

Paul described the msi part. Note that .zap installations are much
more limited; they can only be published to users (the user needs to
go to Add/Remove Program and select the program for installation).

231747 How to Publish Non-MSI Programs with .Zap Files
http://support.microsoft.com/?id=231747

> 4) Start vs CMD - My initial script will be "hidden" so that I can
> guarantee the sub-scripts run. My Logon scripts execute Start "with
> params" to install the above apps, actually running another .bat script
> first. This leaves the CMD window open at a prompt (because Start calls
> CMD with a /K option). If I put an "exit" at the end of the Start'ed
> .bat script then the window closes in error (I hear a beep when Login
> finishes). I want my master login script to kick off "about to
> install..." messages windows before kicking off the actual setup.exe
> runs - what's the best method? I can live with the beeps, but I must be
> missing something...

Use a VBScript based logon script. From this vbscript, you can launch
batch files so they are "invisible":

' Window style 0 hides the window; True waits for the batch file to finish
Set oShell = CreateObject("WScript.Shell")
oShell.Run "some.bat", 0, True

WSH 5.6 documentation (local help file) can be downloaded from here
if you haven't got it already:
http://msdn.microsoft.com/downloads/list/webdev.asp

> 5) Protected Windows - When the above .bat scripts are running, I see
> that they can actually be "closed" by the user, prior to completion. Any
> way of disabling the "close window" buttons during Logon ?

See my response to 4)

> [snip]

-- 
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scriptcenter/default.mspx
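The reply above distinguishes interactive-only membership from groups that also carry admin rights across the network. The following audit of the local Administrators group along that line is an added example, not part of the original post. It assumes Windows PowerShell 5.1 or later (for `Get-LocalGroupMember`), and the function name `Get-AdminMemberRisk` and the three risk labels are hypothetical.

```powershell
# Added example: classify each member of the local Administrators group by
# whether the membership applies only to interactive logons or also to
# network (remote) logons. SIDs below are Windows well-known SIDs.
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'NT AUTHORITY\Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}
$interactiveSid = 'S-1-5-4'    # NT AUTHORITY\INTERACTIVE

function Get-AdminMemberRisk {
    param([Parameter(Mandatory)][string]$Sid)

    if ($Sid -eq $interactiveSid) {
        # Present in the token only for interactive logons
        return 'InteractiveOnly'
    }
    # RID 513 under a domain SID (S-1-5-21-x-y-z) is "Domain Users"
    if ($broadSids.ContainsKey($Sid) -or $Sid -match '^S-1-5-21-(\d+-){3}513$') {
        # Every domain account would also be admin over the network
        return 'BroadNetworkAdmin'
    }
    return 'Specific'
}

# S-1-5-32-544 is BUILTIN\Administrators regardless of OS display language.
Get-LocalGroupMember -SID 'S-1-5-32-544' | ForEach-Object {
    [pscustomobject]@{
        Member = $_.Name
        Sid    = $_.SID.Value
        Class  = $_.ObjectClass
        Risk   = Get-AdminMemberRisk -Sid $_.SID.Value
    }
} | Sort-Object Risk | Format-Table -AutoSize
```

Run it in an elevated session on each client; rows marked `BroadNetworkAdmin` are the memberships the reply advises against.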
