Re: Logon Script Elevated Privileges



You can embed credentials in a vbscript and encrypt it, but I imagine that a vbe would be pretty easy to crack.
"tsalciccia" <tsalciccia@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:3F050176-8E53-490D-9311-FC06678EC9BF@xxxxxxxxxxxxxxxx
I agree with Rob. You should be able to provide credentials for a logon
script within the GPO if you want, such as selecting from between user
context/other context and providing username & password in the GPO itself for
the other context.

Since the permissions I need to deploy are too complex, and I can't use the
OWNER/CREATOR because I don't want the users to be owners... doesn't work in
our environment. I'm using XCacls.vbs to create the permissions structure.
Even XCacls.vbs has its shortcomings for my needs, but I've been able to
adjust for them using a FOR loop nested in a FOR loop running XCacls.vbs.

I don't know why there is no REALLY good command-line permissions tool.

Unfortunately, I will now have to have an administrator run scripts to
create directories and apply permissions.
"Rob" wrote:

Microsoft said they were trying to make administration with Vista much more
easy. So far this is a major problem. If I can't make a simple script and
deploy it that is not a good deal for my company nor MS. This could mean us
turning to additional non MS solutions in other areas that we have not already
done so.

This should be a simple task, yet my understanding is it must become
complex, just to deploy some what has always been easy, scripts and
information security policies. ...That you don't intend to fix it either.

...That's how I feel about the so-called new ease of administration in Vista.



"Jeremy" wrote:

> The only way to do this would be to wrap the script up in an MSI then deploy
> it with GPO software deployment.
>
> Although it occurs to me that you could give the users enough permissions on
> the root folder to create the folder, then specify the ACTUAL permissions
> you want them to have on the subfolder via a CREATOR/OWNER entry. The
> permissions would be:
>
> Users: List Folder/Read Data, Create Folders/Append Data: This folder only
> CREATOR/OWNER: Read, Execute and Write (AKA Modify minus Delete): Subfolders
> and files only.
>
> This way I think your script would work when run in the user's context.
>
> Then again it might not be suitable for your needs.
>
> Cheers,
> Jeremy.
>
> "tsalciccia" <tsalciccia@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:EB081EC8-46A2-4C69-85F0-A89BDDCC2C72@xxxxxxxxxxxxxxxx
> > I am trying to find out if I can run a logon script for low-level users
> > out of a GPO using elevated privileges. The purpose of the script is to
> > determine if the user has a directory in a local folder hierarchy, create
> > the directory and sub directories for that user if those folders don't
> > exist, and then secure that user's folders/subfolders using xcacls.vbs.
> >
> > At the root of the folder hierarchy the user will only have the ability
> > only to see the first level of subdirectories under the root. In other
> > words, they will only have read permissions, read attributes, traverse
> > folder, read extended attributes, and list folder only on the top level of
> > the folder hierarchy.
> >
> > The point is to run the script with sufficient privileges to create a
> > user's folder and subfolders (%username%, %username%\work,
> > %username%\backup, %username%\personal) and secure those folders. The
> > permissions model is tight - the users don't have delete privileges in the
> > work directory, etc.
> >
> > Is there any way to have that logon script run with local admin privileges
> > (or some other elevated level) without any interaction by the user logging
> > on?
>
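
The root-folder ACL that Jeremy's reply describes, written out as an added example that is not part of the original thread or any poster's script. The path `D:\UserData` is a hypothetical root; the two SIDs are the well-known ones for BUILTIN\Users and CREATOR OWNER, and an administrator runs this once against the root.

```powershell
# Added example: apply the "Users create, CREATOR OWNER inherits" layout to a root folder.
# $Root is a hypothetical path; run elevated, once, by an administrator.
param([string]$Root = 'D:\UserData')

$users        = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545' # BUILTIN\Users
$creatorOwner = New-Object System.Security.Principal.SecurityIdentifier 'S-1-3-0'      # CREATOR OWNER

$acl = Get-Acl -LiteralPath $Root

# Users: List Folder/Read Data + Create Folders/Append Data, this folder only
# (no inheritance flags, so the ACE never reaches other users' subfolders).
$usersRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $users,
    [System.Security.AccessControl.FileSystemRights]'ListDirectory, CreateDirectories',
    [System.Security.AccessControl.InheritanceFlags]::None,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

# CREATOR OWNER: Read, Execute and Write (no Delete), subfolders and files only.
# InheritOnly keeps the ACE off the root itself; on each new child it is
# replaced by an ACE for the account that created that child.
$ownerRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $creatorOwner,
    [System.Security.AccessControl.FileSystemRights]'ReadAndExecute, Write',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::InheritOnly,
    [System.Security.AccessControl.AccessControlType]::Allow)

$acl.AddAccessRule($usersRule)
$acl.AddAccessRule($ownerRule)
Set-Acl -LiteralPath $Root -AclObject $acl

# Check the result: show only the explicit (non-inherited) ACEs now on the root.
(Get-Acl -LiteralPath $Root).Access |
    Where-Object { -not $_.IsInherited } |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags
```

With this layout the user who creates a folder is also its owner, and on Windows an owner can change the folder's permissions, which is the objection raised in the reply above.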
