[gptalk] Re: Another Script Processing question...

  • From: "Darren Mar-Elia" <darren@xxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Fri, 9 Mar 2007 14:45:23 -0800

#3 is wrong. If the script resides in SYSVOL (in the GPO) and the GPO has
Authenticated Users with read access, that should be all you need to let the
computer account read it. 

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Tom Strader
Sent: Friday, March 09, 2007 12:39 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Another Script Processing question...

 

Ok, I'm good with permissions, but now I feel like a NuBee.

 

Correct me if I am wrong. To make this work:

I have to remove the batch file and

Create one script with all of the commands for:

1.    Importing the information in the TZUpdate and
2.    Run the VBS commands from the second file, THEN
3.    To make it all work, I have to give the "Everyone" group access rights
to every workstation's Admin$ share???

 

 

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Omar Droubi
Sent: Friday, March 09, 2007 3:24 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Another Script Processing question...

 

So to end the confusion: do not have the GPO computer startup script call
other scripts or files. Make the script run all-inclusive in a single .vbs
file, and when you specify the script, paste it right into the default
script location that comes up when you add a script in the GP editor window.
If you browse to the script location then you may have issues with ACLs.

 

Omar

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of MONTGOMERY, RONALD [AG/1000]
Sent: Friday, March 09, 2007 12:11 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Another Script Processing question...

 

Ok, I'm confused.

Wouldn't the local system account need permissions to access a remote share,
not the computer account?

 

I did some googling and found an older discussion on a NT/W2K board:

http://groups.google.com/group/microsoft.public.win2000.general/browse_thread/thread/14b69b0dc8455c96/49eb6968cbf5cb88?lnk=st&q=system+account+access+network+resource&rnum=2&hl=en#49eb6968cbf5cb88

 

"I was part of a discussion in this NG some months back where I learned that
the local SYSTEM account can 
access remote network resources if the Everyone group on that remote machine
had been granted access to that network resource."

 

Do you have a link that details granting permissions to the computer account
to allow the local system account network access?

I'm embarrassed to say that I didn't know this.

 

 

-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Nelson, Jamie R Contr 72 CS/SCBNF
Sent: Friday, March 09, 2007 1:09 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Another Script Processing question...

 

Sure it can. You grant permissions to the computer account just like you
would a user.

 

//signed//
Jamie R Nelson
Systems Engineer
Ingenium Corporation
72 CS/SCBNF
405.739.2811 (DSN 339)

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of MONTGOMERY, RONALD [AG/1000]
Sent: Friday, March 09, 2007 1:01 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Another Script Processing question...

 

I thought the local system account couldn't access network resources? So if
you have a batch file that calls a network resource running under the system
context it'll fail?

 

I found this tool poking around:

http://www.robotronic.de/runasspcEn.html

I wonder if it's any good.

 

 

-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Tom Strader
Sent: Friday, March 09, 2007 12:43 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Another Script Processing question...

 

I have a batch file calling the script.

It's listed under the "Computer Configuration", "Windows Settings",
"Scripts", Startup area.

Thanks, 
Tom Strader 
Server Systems Administrator 
Blumenthal Performing Arts Center 
704.379.1285 

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Nelson, Jamie R Contr 72 CS/SCBNF
Sent: Friday, March 09, 2007 1:27 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Another Script Processing question...

 

A computer startup script. Since they are processed under the SYSTEM account
permissions won't be an issue.

 

//signed//
Jamie R Nelson
Systems Engineer
Ingenium Corporation
72 CS/SCBNF
405.739.2811 (DSN 339)

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Tom Strader
Sent: Friday, March 09, 2007 12:22 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Another Script Processing question...

 

What's the best method to push this out without giving them local admin
rights?

 

Thanks for the help and no problem on the delay.

Thanks, 
Tom Strader 
Server Systems Administrator 
Blumenthal Performing Arts Center 
704.379.1285 

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Darren Mar-Elia
Sent: Friday, March 09, 2007 12:53 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Another Script Processing question...

 

Tom-

I apologize for the delay. I've been out for the past couple of days. So, if
I look at the reg file below, the immediate thing I see is that if this is
running as a logon script, and the user is not an administrator on their
system, the reg file is going to fail because normal users don't have write
access to those reg keys.

 

Darren

 

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Tom Strader
Sent: Wednesday, March 07, 2007 4:59 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Another Script Processing question...

 

The script in the policy calls this batch file:

 

@echo off
c:
cd\
regedit /s \\domain.com\NETLOGON\TZupdate.reg
cscript \\domain.com\NETLOGON\refreshTZinfo.vbs

 

TZUpdate.reg has all of the corrected time zones such as:

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time]
"Display"="(GMT+10:00) Canberra, Melbourne, Sydney"
"Dlt"="AUS Eastern Daylight Time"
"Std"="AUS Eastern Standard Time"
"MapID"="20,21"
"Index"=dword:000000ff
"TZI"=hex:a8,fd,ff,ff,00,00,00,00,c4,ff,ff,ff,00,00,03,00,00,00,05,00,03,00,00,\
  00,00,00,00,00,00,00,0a,00,00,00,05,00,02,00,00,00,00,00,00,00

 

RefreshTZInfo.vbs includes these commands:

 

Set objSh = CreateObject("WScript.Shell")

'Get the StandardName key of the current time zone
szStandardName = objSh.RegRead("HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation\StandardName")

'Enumerate the subkeys in the time zone database
const HKEY_LOCAL_MACHINE = &H80000002
Set objReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
szTzsKeyPath = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones"
objReg.EnumKey HKEY_LOCAL_MACHINE, szTzsKeyPath, arrTzSubKeys

'Step through the time zones to find the matching Standard Name
szTzKey = "<Unknown>"
For Each subkey In arrTzSubKeys
    If (objSh.RegRead("HKLM\" & szTzsKeyPath & "\" & subkey & "\Std") = szStandardName) Then
        'Found matching StandardName, now store this time zone key name
        szTzKey = subkey
    End If
Next

If szTzKey = "<Unknown>" Then
    'Write entry to the Application event log stating that the update has failed to execute
    objSh.LogEvent 1, "DST 2007 Registry Update and Refresh failed to execute on this computer.  Time zones failed to enumerate properly or matching time zone not found."
    Wscript.Quit 0
End If

'Launch control.exe to refresh time zone information using the TZ key name obtained above
objSh.Run "control.exe timedate.cpl,,/Z" & szTzKey

'Get current display name of refreshed time zone
szCurrDispName = objSh.RegRead("HKLM\" & szTzsKeyPath & "\" & szTzKey & "\Display")

'Write entry to the Application event log stating that the update has executed
objSh.LogEvent 4, "DST 2007 Registry Update and Refresh has been executed on this computer." & chr(13) & chr(10) & chr(13) & chr(10) & "Current time zone is: " & szCurrDispName & "."

All of the above were taken from Microsoft's KB article:
http://support.microsoft.com/kb/914387/en-us

Thanks in advance Darren.

Thanks, 
Tom Strader 
Server Systems Administrator 
Blumenthal Performing Arts Center 
704.379.1285 

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Darren Mar-Elia
Sent: Tuesday, March 06, 2007 4:35 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Another Script Processing question...

 

The logon script wouldn't stop GP scripts from running. Can you post your
batch file here? Also note that I've seen several other posts in other
places about problems with delivering this timezone fix via GP scripts, so
you are not alone.

 

Darren

 

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Tom Strader
Sent: Tuesday, March 06, 2007 1:29 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Another Script Processing question...

 

I have a logon batch file that calls a KIXtart script that maps drives
according to the user's group membership. That is the only cmd prompt I see
appearing. Could it be the logon script is causing the GP to fail or not run
at all?

I've rebooted several different W2K machines, same results. 

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Darren Mar-Elia
Sent: Tuesday, March 06, 2007 4:22 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Another Script Processing question...

 

Tom-
Do you see the batch file running at all? In other words, do you get a
visible command shell when it pops up?

 

Darren

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Tom Strader
Sent: Tuesday, March 06, 2007 1:18 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Another Script Processing question...

 

Simple question, probably a simple answer.

 

Other than the Default GPO, I have an OU that has a modified Policy.

 

Under THAT OU I have another OU that has Windows 2000 PCs and the only
change is I added a batch file that calls a VBS to update W2K machines for
DST.

 

It isn't running, what am I doing wrong?

 

Thanks in advance.

This e-mail message may contain privileged and/or confidential information,
and is intended to be received only by persons entitled to receive such
information. If you have received this e-mail in error, please notify the
sender immediately. Please delete it and all attachments from any servers,
hard drives or any other media. Other use of this e-mail by you is strictly
prohibited.

All e-mails and attachments sent and received are subject to monitoring,
reading and archival by Monsanto. The recipient of this e-mail is solely
responsible for checking for the presence of "Viruses" or other "Malware".
Monsanto accepts no liability for any damage caused by any such code
transmitted by or accompanying this e-mail or any attachment.
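
To check Darren's point on a deployed GPO, the following added example (not from the thread) reads the ACL on the startup script in SYSVOL and reports whether Authenticated Users and Everyone can read it, and whether either can also modify it, which matters because a computer startup script runs as SYSTEM. The script path and `{GPO-GUID}` are placeholders, the function name is hypothetical, and Deny entries are not evaluated.

```powershell
# Added example, not from the thread. $ScriptPath is a placeholder: point it
# at the startup script inside the GPO's own folder in SYSVOL.
$ScriptPath = '\\domain.com\SYSVOL\domain.com\Policies\{GPO-GUID}\Machine\Scripts\Startup\refreshTZinfo.vbs'

function Test-StartupScriptAcl {
    # Hypothetical helper name; reports Allow rights for the two broad groups
    # named in the thread. Deny ACEs are not taken into account.
    param([Parameter(Mandatory)][string]$Path)

    $rights = [System.Security.AccessControl.FileSystemRights]
    $read   = [int]$rights::ReadAndExecute
    # Bits that let a principal change or replace the file.
    $write  = [int]$rights::Write -bor [int]$rights::Delete -bor
              [int]$rights::ChangePermissions -bor [int]$rights::TakeOwnership

    # Ask for SIDs rather than names so the check does not depend on locale.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $allow = (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType) |
        Where-Object { $_.AccessControlType -eq 'Allow' }

    $broad = [ordered]@{
        'S-1-5-11' = 'Authenticated Users'
        'S-1-1-0'  = 'Everyone'
    }

    foreach ($sid in $broad.Keys) {
        # Combine every Allow ACE (explicit and inherited) for this principal.
        $mask = 0
        foreach ($rule in $allow) {
            if ($rule.IdentityReference.Value -eq $sid) {
                $mask = $mask -bor [int]$rule.FileSystemRights
            }
        }
        [pscustomobject]@{
            Principal = $broad[$sid]
            CanRead   = ($mask -band $read) -eq $read
            CanWrite  = ($mask -band $write) -ne 0
        }
    }
}

Test-StartupScriptAcl -Path $ScriptPath | Format-Table -AutoSize
```

A computer account is a member of Authenticated Users, so `CanRead` on that row is the condition Darren describes; `CanWrite` on either row means any authenticated principal could change a script that runs as SYSTEM on every machine the GPO applies to.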
