Re: Logon Script Elevated Privileges
- From: tsalciccia <tsalciccia@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 30 May 2007 16:34:01 -0700
I agree with Rob. You should be able to provide credentials for a logon
script within the GPO if you want, such as selecting from between user
context/other context and providing username & password in the GPO itself for
the other context.
Since the permissions I need to deploy are too complex, and I can't use
CREATOR OWNER because I don't want the users to be owners... it doesn't work in
our environment. I'm using XCacls.vbs to create the permissions structure.
Even XCacls.vbs has its shortcomings for my needs, but I've been able to
adjust for them using a FOR loop nested in a FOR loop running XCacls.vbs.
I don't know why there is no REALLY good command-line permissions tool.
Unfortunately, I will now have to have an administrator run scripts to
create directories and apply permissions.
"Rob" wrote:
Microsoft said they were trying to make administration with Vista much more
easy. So far this is a major problem. If I can't make a simple script and
deploy it, that is not a good deal for my company nor MS. This could mean us
turning to additional non-MS solutions in other areas where we have not already
done so.
This should be a simple task, yet my understanding is it must become
complex, just to deploy what has always been easy: scripts and
information security policies. ...That you don't intend to fix it either.
...That's how I feel about the so-called new ease of administration in Vista.
"Jeremy" wrote:
The only way to do this would be to wrap the script up in an MSI then deploy
it with GPO software deployment.
Although it occurs to me that you could give the users enough permissions on
the root folder to create the folder, then specify the ACTUAL permissions
you want them to have on the subfolder via a CREATOR/OWNER entry. The
permissions would be:
Users: List Folder/Read Data, Create Folders/Append Data: This folder only
CREATOR OWNER: Read, Execute and Write (AKA Modify minus Delete): Subfolders and files only.
This way I think your script would work when run in the user's context.
Then again it might not be suitable for your needs.
Cheers,
Jeremy.
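The root-folder ACL Jeremy describes, written out as an added PowerShell example (not code from the thread or from xcacls.vbs). It uses the .NET ACL classes instead of xcacls.vbs; the root path is made up, and it assumes the users are members of BUILTIN\Users. Run once from an elevated prompt; everything after that happens in the user's own logon context, which is the point of the answer.

```powershell
# Added example: apply Jeremy's two-entry model to the root of the hierarchy.
# Assumed: $Root (path is invented) and that the users are in BUILTIN\Users.
param([string]$Root = 'D:\UserData')

$AC = 'System.Security.AccessControl'

function New-Sid([System.Security.Principal.WellKnownSidType]$Type) {
    New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $Type, $null
}

# Build one Allow ACE; $Rights/$Inherit/$Propagate are the enum names as strings.
function New-Ace($Sid, [string]$Rights, [string]$Inherit, [string]$Propagate) {
    $argList = @(
        $Sid,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$Inherit,
        [System.Security.AccessControl.PropagationFlags]$Propagate,
        [System.Security.AccessControl.AccessControlType]::Allow
    )
    New-Object "$AC.FileSystemAccessRule" -ArgumentList $argList
}

$users        = New-Sid BuiltinUsersSid
$creatorOwner = New-Sid CreatorOwnerSid
$admins       = New-Sid BuiltinAdministratorsSid
$system       = New-Sid LocalSystemSid

$acl = Get-Acl -Path $Root
$acl.SetAccessRuleProtection($true, $false)   # break inheritance, drop inherited ACEs

# Users: List Folder/Read Data + Create Folders/Append Data, this folder only.
$acl.AddAccessRule((New-Ace $users 'ListDirectory, CreateDirectories' 'None' 'None'))

# CREATOR OWNER: Read & Execute + Write (= Modify minus Delete), subfolders and files only.
# InheritOnly keeps it from applying to the root itself.
$acl.AddAccessRule((New-Ace $creatorOwner 'ReadAndExecute, Write' 'ContainerInherit, ObjectInherit' 'InheritOnly'))

# Keep Administrators and SYSTEM in full control of the whole tree so it stays manageable.
foreach ($p in $admins, $system) {
    $acl.AddAccessRule((New-Ace $p 'FullControl' 'ContainerInherit, ObjectInherit' 'None'))
}
Set-Acl -Path $Root -AclObject $acl

# Check: once a standard user has created <Root>\<username> in their own context,
# the inherited entries on that folder should show the user's own account with
# ReadAndExecute, Write (no Delete) plus the still-inherit-only CREATOR OWNER entry.
function Show-InheritedAces([string]$Path) {
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IsInherited } |
        Select-Object IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags
}
# Example (user context, after the ACL above is in place):
#   New-Item -ItemType Directory -Path (Join-Path 'D:\UserData' $env:USERNAME)
#   Show-InheritedAces (Join-Path 'D:\UserData' $env:USERNAME)
```

The caveat is the one tsalciccia raises further up the thread: the CREATOR OWNER entry is resolved at creation time to whoever created the folder, so the user owns it, and an owner can always rewrite the DACL of an object it owns. "No Delete" therefore holds only until the user edits the permissions. On Vista and later the OWNER RIGHTS well-known SID (S-1-3-4) can be given an ACE that caps what the owner may do, if that matters in your environment.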
"tsalciccia" <tsalciccia@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:EB081EC8-46A2-4C69-85F0-A89BDDCC2C72@xxxxxxxxxxxxxxxx
I am trying to find out if I can run a logon script for low-level users out
of a GPO using elevated privileges. The purpose of the script is to determine
if the user has a directory in a local folder hierarchy, create the directory
and sub directories for that user if those folders don't exist, and then
secure that user's folders/subfolders using xcacls.vbs.
At the root of the folder hierarchy the user will only have the ability
to see the first level of subdirectories under the root. In other words, they
will only have read permissions, read attributes, traverse folder, read
extended attributes, and list folder only on the top level of the folder
hierarchy.
The point is to run the script with sufficient privileges to create a user's
folder and subfolders (%username%, %username%\work, %username%\backup,
%username%\personal) and secure those folders. The permissions model is tight
- the users don't have delete privileges in the work directory, etc.
Is there any way to have that logon script run with local admin privileges
(or some other elevated level) without any interaction by the user logging
on?
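An elevated-context version of the script described in the question, as an added PowerShell example that is not code from the thread. It replaces xcacls.vbs with the .NET ACL classes, creates the four folders only if they are missing, and keeps BUILTIN\Administrators as owner so the user cannot rewrite the DACL. The root path, the account name and the exact rights on backup and personal are assumptions; the post only says that work must not allow Delete.

```powershell
# Added example: create <Root>\<user>\{work,backup,personal} and secure them.
# Must run in an administrative context (it changes owners and protected ACLs).
# Assumed: $Root and $Account values, and the rights on backup/personal.
function New-UserFolderTree {
    param(
        [Parameter(Mandatory = $true)][string]$Root,     # e.g. 'D:\UserData' (assumed)
        [Parameter(Mandatory = $true)][string]$Account   # e.g. 'CONTOSO\jdoe' (assumed)
    )
    $R       = [System.Security.AccessControl.FileSystemRights]
    $subtree = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $here    = [System.Security.AccessControl.InheritanceFlags]::None
    $none    = [System.Security.AccessControl.PropagationFlags]::None
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow

    $user   = New-Object System.Security.Principal.NTAccount -ArgumentList $Account
    $admins = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList `
                  ([System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid), $null
    $system = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList `
                  ([System.Security.Principal.WellKnownSidType]::LocalSystemSid), $null

    # Rights per subfolder. 'work' is the delete-protected one from the post;
    # Modify on backup and personal is an assumption.
    $model = @{
        work     = $R::ReadAndExecute -bor $R::Write   # Modify minus Delete
        backup   = $R::Modify
        personal = $R::Modify
    }

    # Create the folder if missing, then give it an explicit (non-inheriting) ACL:
    # Administrators + SYSTEM full control, owner = Administrators, plus $Rules.
    function Protect-Folder([string]$Path, $Rules) {
        if (-not (Test-Path -LiteralPath $Path)) {
            New-Item -ItemType Directory -Path $Path | Out-Null
        }
        $acl = Get-Acl -LiteralPath $Path
        $acl.SetAccessRuleProtection($true, $false)   # explicit ACL only
        $acl.SetOwner($admins)                        # the user is deliberately not the owner
        foreach ($p in $admins, $system) {
            $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule `
                -ArgumentList $p, ($R::FullControl), $subtree, $none, $allow))
        }
        foreach ($rule in $Rules) { $acl.AddAccessRule($rule) }
        Set-Acl -LiteralPath $Path -AclObject $acl
        $Path
    }

    $userName = $Account.Split('\')[-1]
    $top      = Join-Path $Root $userName
    $created  = @()

    # Top-level %username% folder: read/list/traverse on this folder only, so the
    # user can reach the subfolders without getting rights on them from here.
    $topRule = New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $user, ($R::ReadAndExecute), $here, $none, $allow
    $created += Protect-Folder $top @($topRule)

    foreach ($name in $model.Keys) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
            -ArgumentList $user, $model[$name], $subtree, $none, $allow
        $created += Protect-Folder (Join-Path $top $name) @($rule)
    }
    $created   # the paths that now exist and are secured
}

# Usage (elevated):
#   New-UserFolderTree -Root 'D:\UserData' -Account 'CONTOSO\jdoe'
```

A GPO logon script runs as the logging-on user, which is why the question has no direct answer; this function belongs in a context that already holds the rights, such as a computer startup script (which runs as LocalSystem) or a scheduled task run by an administrator, which is where tsalciccia ends up in the reply at the top of the page. Because the user is not the owner and has no Delete or Change Permissions right on work, the user cannot loosen that folder's ACL afterwards.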