Re: logon/logoff scripts and runas

Well, perhaps the word "Profile" means too many different things depending
on context. Usually, Profile to me means the content of a user's profile
folder, which includes all kinds of stuff including the list of things to
include in the Start Menu, Quick Launch bar, user specific configuration
information for various applications, Temporary Internet files and so on.
These don't get "loaded", but rather read from disk as and when required.
Since there is no second Windows Session and thus no second desktop, most of
this stuff is irrelevant.

The Profile also includes a Registry Hive (the ntuser.dat file in the user's
profile folder). When a user logs on, this registry hive is loaded into the
active (in memory) Registry.

>From experiments, it would appear that the "profile" referred to in the
runas Help really means this registry hive. When /profile (the default) is
used, the registry hive for the user account named in the runas command is
loaded into the in memory registry; the contents are then available to
applications via normal registry access APIs. If /noprofile is used, the
registry hive for the user named in the runas command does not get "loaded"
into the active (in memory) registry and is therefor not avaiable to normal
registry APIs.

The user's registry hive includes such information as the User's Environment
variables (as opposed to the System Environnment variables) and the location
of the "special folders" (e.g. Desktop, Favorites, My Documents etc.).

If the /env option is used, the new "context" uses this information from the
user launching the command as opposed to those used for the user named in
the runas command. You can see this by using the "set" command in a Command
Prompt window launched using runas.

--
Bruce Sanderson MVP

It's perfectly useless to know the right answer to the wrong question.


"Lars Nyman" <larsnyman@xxxxxxxxxxxxx> wrote in message
news:et7Xy22eFHA.3012@xxxxxxxxxxxxxxxxxxxxxxx
> Thanks for your and lee_mre's replies which confirm the behavior I was
> seeing was indeed correct.
>
> I think the runas command does load the user profile unless /noprofile is
> used, correct?
>
> I am no expert in this area, and I think because GPOs do seem to get
> processed and applied by runas and the appearance of events of category
> Logon/Logoff (with logon type 2, meaning interactive logon) in the event
> viewer, I had perhaps expected the logon and logoff scripts specified in a
> GPO to be executed.
>
> Lars
>
> "Bruce Sanderson" <Bruce.Sanderson@xxxxxxxxx> wrote in message
> news:eXwKur1eFHA.2128@xxxxxxxxxxxxxxxxxxxxxxx
>> Logon scripts run as part of the "Windows Session" setup process that,
> among
>> other things, loads the user "profile" and provides the Desktop.
>>
>> Applications that you run, whether using the "Run As" or not, all run in
> the
>> Windows Session. The only way to launch a Windows Session is to logon
>> locally at a computer or via Terminal Services (Remote Desktop). The
> runas
>> command (or the Run As conext menu item) merely specifies a different
>> security context for the application inside the Windows Session.
>>
>> --
>> Bruce Sanderson MVP
>>
>> It's perfectly useless to know the right answer to the wrong question.
>>
>>
>> "Lars Nyman" <larsnyman@xxxxxxxxxxxxx> wrote in message
>> news:uuu2oaFeFHA.3808@xxxxxxxxxxxxxxxxxxxxxxx
>> > Windows Server 2003.
>> > I have a GPO that specifies a logon script in User
>> > Configuration/Windows
>> > Setting/Scripts (Logon/Logoff)/Logon (and similarly a logoff script).
> The
>> > GPO is linked to a OU that contains a user mydomain\userA.
>> >
>> > When logging on as mydomain\userA the logon script is executed and when
>> > logging off the logoff script is executed as expected.
>> >
>> > However, if I am logged on as another user, mydomain\userB and use
> "runas
>> > /user:mydomain\userA cmd.exe"
>> > to start a command prompt as userA then the logon script for userA is
> not
>> > executed (and the logoff script for userA is not executed when the
> command
>> > prompt is exit-ed). Is this the expected behavior? If so, is there
>> > any
>> > documentation and/or helpfile that describes the differences between a
>> > "full" logon from ctrl-alt-del and a "logon" using runas.
>> >
>>
>>
>


.

Relevant Pages

  • Re: users cant change password
    ... user tries to logon it says they have to change their password ... Have a look at the user's profile. ... There is a tick box there that ... the same information by typing this command at a Command ...
    (microsoft.public.win2000.general)
  • Re: logon script not working - need hlep
    ... > I am trying to use the properties in the Profile of an account. ... > script as folows: ... The physical location of your logon script is not important. ... Placing the "exit" command after the "net use" command is not ...
    (microsoft.public.win2000.general)
  • RE: POP3 fail to start on SBS 2003
    ... Outlook issue such as a corrupted profile. ... I suggest that we create a new Outlook profile. ... At the Microsoft Telnet command prompt, ...
    (microsoft.public.windows.server.sbs)
  • Re: Help with a configuration of profiles
    ... I assume that you are talking about the user's TS-specific profile, ... There are many ways to define a logon script for all users on a TS. ... Note that if you start the frontend in the environment tab of the ... MCSE, CCEA, Microsoft MVP - Terminal Server ...
    (microsoft.public.windows.terminal_services)
  • Re: File ownership been changed
    ... These "MachineName\UserName" folders often/usually appear when user profile corruption is encountered. ... When a user tries to logon if the Security Account Manager recognizes the user name and password at logon and if it has no valid reason to refuse the logon, it allows the user to logon with a new profile, it creates a new profile folder from the Default User profile and names it as you see. ... As to how to do a "wholesale" change of all security attributes from "Fred" to "David" the only easy way to do that is with the SubInACL tool. ...
    (microsoft.public.windowsxp.help_and_support)