Re: Logon Script Elevated Privileges



The only way to do this would be to wrap the script up in an MSI then deploy it with GPO software deployment.

Although it occurs to me that you could give the users enough permissions on the root folder to create the folder, then specify the ACTUAL permissions you want them to have on the subfolder via a CREATOR/OWNER entry. The permissions would be:

Users: List Folder/Read Data, Create Folders/Append Data: This folder only
CREATOR/OWNER: Read, Execute and Write (AKA Modify minus Delete): Subfolders and files only.

This way I think your script would work when run in the user's context.

Then again it might not be suitable for your needs.

Cheers,
Jeremy.

"tsalciccia" <tsalciccia@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:EB081EC8-46A2-4C69-85F0-A89BDDCC2C72@xxxxxxxxxxxxxxxx
I am trying to find out if I can run a logon script for low-level users out
of a GPO using elevated privileges. The purpose of the script is to determine
if the user has a directory in a local folder hierarchy, create the directory
and sub directories for that user if those folders don't exist, and then
secure that user's folders/subfolders using xcacls.vbs.

At the root of the folder hierarchy the user will only have the ability
to see the first level of subdirectories under the root. In other words, they
will only have read permissions, read attributes, traverse folder, read
extended attributes, and list folder only on the top level of the folder
hierarchy.

The point is to run the script with sufficient privileges to create a user's
folder and subfolders (%username%, %username%\work, %username%\backup,
%username%\personal) and secure those folders. The permissions model is tight
- the users don't have delete privileges in the work directory, etc.

Is there any way to have that logon script run with local admin privileges
(or some other elevated level) without any interaction by the user logging on?
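
The ACL layout from the reply above (Users on the root folder only, CREATOR OWNER on subfolders and files only), as an added PowerShell example that is not part of the original thread. The root path `D:\UserData`, the helper names, the decision to disable inheritance on a freshly created root, and the Administrators/SYSTEM full-control entries are assumptions.

```powershell
# Added example, not from the thread. Run once, elevated, by an administrator.
# Assumption: D:\UserData is a hypothetical root with no explicit ACEs yet.
param([string]$Root = 'D:\UserData')

function Get-WellKnownSid([System.Security.Principal.WellKnownSidType]$Type) {
    # Well-known SIDs avoid localized account names such as "CREATOR OWNER".
    New-Object System.Security.Principal.SecurityIdentifier($Type, $null)
}

function New-AllowRule($Sid,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$Inherit,
        [System.Security.AccessControl.PropagationFlags]$Propagate) {
    New-Object System.Security.AccessControl.FileSystemAccessRule($Sid, $Rights, $Inherit, $Propagate, 'Allow')
}

$users = Get-WellKnownSid BuiltinUsersSid
$rules = @(
    # Assumption: administrators and SYSTEM keep full control of the whole tree.
    (New-AllowRule (Get-WellKnownSid BuiltinAdministratorsSid) FullControl 'ContainerInherit, ObjectInherit' None),
    (New-AllowRule (Get-WellKnownSid LocalSystemSid) FullControl 'ContainerInherit, ObjectInherit' None),
    # Users: List Folder/Read Data + Create Folders/Append Data, this folder only.
    (New-AllowRule $users 'ListDirectory, CreateDirectories' None None),
    # CREATOR OWNER: Read, Execute and Write, subfolders and files only.
    (New-AllowRule (Get-WellKnownSid CreatorOwnerSid) 'ReadAndExecute, Write' 'ContainerInherit, ObjectInherit' InheritOnly)
)

New-Item -ItemType Directory -Path $Root -Force | Out-Null
$acl = Get-Acl -LiteralPath $Root
$acl.SetAccessRuleProtection($true, $false)   # drop ACEs inherited from the drive root
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -LiteralPath $Root -AclObject $acl

# Check a folder a user created under $Root: the Users ACE must not have
# propagated, and the owner should hold the CREATOR OWNER rights.
function Test-UserFolderAcl([string]$Path) {
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $acl   = Get-Acl -LiteralPath $Path
    $aces  = $acl.GetAccessRules($true, $true, $sidType)
    $owner = $acl.GetOwner($sidType)
    [pscustomobject]@{
        Path            = $Path
        Owner           = $owner.Translate([System.Security.Principal.NTAccount]).Value
        UsersAcePresent = [bool]($aces | Where-Object { $_.IdentityReference.Value -eq $users.Value })
        OwnerRights     = ($aces | Where-Object { $_.IdentityReference.Value -eq $owner.Value }).FileSystemRights
    }
}
Get-ChildItem -LiteralPath $Root -Directory | ForEach-Object { Test-UserFolderAcl $_.FullName }
```

With this layout each user stays the owner of the folder they create, and an object's owner can always rewrite its DACL, so the "no delete" restriction holds only as long as ownership is not relied on as a boundary.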