[gptalk] Re: Another Script Processing question...

  • From: "Tom Strader" <tstrader@xxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Fri, 9 Mar 2007 18:54:47 -0500

Thanks, I'll try that

Thanks, 
Tom Strader 
Server Systems Administrator 
Blumenthal Performing Arts Center 
704.379.1285 

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Darren Mar-Elia
Sent: Friday, March 09, 2007 5:45 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Another Script Processing question...

 

#3 is wrong. If the script resides in SYSVOL (in the GPO) and the GPO
has Authenticated Users with read access, that should be all you need to
let the computer account read it. 

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Tom Strader
Sent: Friday, March 09, 2007 12:39 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Another Script Processing question...

 

Ok, I'm good with permissions, but now I feel like a NuBee.

 

Correct me if I am wrong...; To make this work:

 

I have to remove the batch file and...

 

Create one script with all of the commands for:

 

1.      Importing the information in the TZUpdate and

2.      Run the VBS commands from the second file, THEN

3.      To make it all work, I have to give the "Everyone" group access
rights to every workstations Admin$ share???

 

 

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Omar Droubi
Sent: Friday, March 09, 2007 3:24 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Another Script Processing question...

 

So to end the confusion- do not have the GPO computer startup script
call other scripts or files- make the script run all inclusive in a
single .vbs file  and when you specify the script- paste it right into
the default script location that comes up when you add a script in the
GP editor window. If you browse to the script location then you may have
issues with ACL's.

 

Omar

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of MONTGOMERY, RONALD [AG/1000]
Sent: Friday, March 09, 2007 12:11 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Another Script Processing question...

 

Ok, I'm confused.

Wouldn't the local system account need permissions to access a remote
share, not the computer account?

 

I did some googling and found an older discussion on a NT/W2K board:

http://groups.google.com/group/microsoft.public.win2000.general/browse_t
hread/thread/14b69b0dc8455c96/49eb6968cbf5cb88?lnk=st&q=system+account+a
ccess+network+resource&rnum=2&hl=en#49eb6968cbf5cb88

 

"I was part of a discussion in this NG some months back where I learned
that the local SYSTEM account can 
access remote network resources if the Everyone group on that remote
machine had been granted access to that network resource."

 

Do you have a link that details granting permissions to the computer
account to allow the local system account network access?

I'm embarrassed to say that I didn't know this.

 

 

-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Nelson, Jamie R Contr 72 CS/SCBNF
Sent: Friday, March 09, 2007 1:09 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Another Script Processing question...

 

Sure it can. You grant permissions to the computer account just like you
would a user.

 

//signed//
Jamie R Nelson
Systems Engineer
Ingenium Corporation
72 CS/SCBNF
405.739.2811 (DSN 339)

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of MONTGOMERY, RONALD [AG/1000]
Sent: Friday, March 09, 2007 1:01 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Another Script Processing question...

 

I thought the local system account couldn't access network resources? So
if you have a batch file that calls a network resource running under the
system context it'll fail?

 

I found this tool poking around:

http://www.robotronic.de/runasspcEn.html

I wonder if it's any good...

 

 

-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Tom Strader
Sent: Friday, March 09, 2007 12:43 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Another Script Processing question...

 

I have a batch file calling the script.

Its listed under the "Computer Configuration", "Windows Settings",
"Scripts", Startup area.

Thanks, 
Tom Strader 
Server Systems Administrator 
Blumenthal Performing Arts Center 
704.379.1285 

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Nelson, Jamie R Contr 72 CS/SCBNF
Sent: Friday, March 09, 2007 1:27 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Another Script Processing question...

 

A computer startup script. Since they are processed under the SYSTEM
account permissions won't be an issue.

 

//signed//
Jamie R Nelson
Systems Engineer
Ingenium Corporation
72 CS/SCBNF
405.739.2811 (DSN 339)

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Tom Strader
Sent: Friday, March 09, 2007 12:22 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Another Script Processing question...

 

What's the best method to push this out without giving them local admin
rights?

 

Thanks for the help and no problem on the delay.

Thanks, 
Tom Strader 
Server Systems Administrator 
Blumenthal Performing Arts Center 
704.379.1285 

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Darren Mar-Elia
Sent: Friday, March 09, 2007 12:53 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Another Script Processing question...

 

Tom-

I apologize for the delay. I've been out for the past couple of days.
So, if I look at the reg file below, the immediate thing I see is that
if this is running as a logon script, and the user is not an
administrator on their system, the reg file is going to fail because
normal users don't have write access to those reg keys.

 

Darren

 

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Tom Strader
Sent: Wednesday, March 07, 2007 4:59 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Another Script Processing question...

 

The script in the policy calls this batch file:

 

@echo off

c:

cd\

regedit /s \\domain.com\NETLOGON\TZupdate.reg

cscript \\domain.com\NETLOGON\refreshTZinfo.vbs
<file:///\\domain.com\NETLOGON\refreshTZinfo.vbs> 

 

TZUpdate.reg has all of the corrected time zones such as:

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time
Zones\AUS Eastern Standard Time]

"Display"="(GMT+10:00) Canberra, Melbourne, Sydney"

"Dlt"="AUS Eastern Daylight Time"

"Std"="AUS Eastern Standard Time"

"MapID"="20,21"

"Index"=dword:000000ff

"TZI"=hex:a8,fd,ff,ff,00,00,00,00,c4,ff,ff,ff,00,00,03,00,00,00,05,00,03
,00,00,\

  00,00,00,00,00,00,00,0a,00,00,00,05,00,02,00,00,00,00,00,00,00

 

RefreshTZInfo.vbs includes these commands:

 

Set objSh = CreateObject("WScript.Shell")

 

'Get the StandardName key of the current time zone

szStandardName =
objSh.RegRead("HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation
\StandardName")

 

'Enumerate the subkeys in the time zone database

const HKEY_LOCAL_MACHINE = &H80000002

Set
objReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\def
ault:StdRegProv")

szTzsKeyPath = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones"

objReg.EnumKey HKEY_LOCAL_MACHINE, szTzsKeyPath, arrTzSubKeys

 

'Step through the time zones to find the matching Standard Name

szTzKey = "<Unknown>"

For Each subkey In arrTzSubKeys

    If (objSh.RegRead("HKLM\" & szTzsKeyPath & "\" & subkey & "\Std") =
szStandardName) Then

        'Found matching StandardName, now store this time zone key name

        szTzKey = subkey

    End If

Next 

 

If szTzKey = "<Unknown>" Then

       'Write entry to the Application event log stating that the update
has failed to execute

       objSh.LogEvent 1, "DST 2007 Registry Update and Refresh failed to
execute on this computer.  Time zones failed to enumerate properly or
matching time zone not found."

       Wscript.Quit 0

End If

 

'Launch control.exe to refresh time zone information using the TZ key
name obtained above 

objSh.Run "control.exe timedate.cpl,,/Z" & szTzKey

 

'Get current display name of refreshed time zone

szCurrDispName = objSh.RegRead("HKLM\" & szTzsKeyPath & "\" & szTzKey &
"\Display")

 

'Write entry to the Application event log stating that the update has
executed

objSh.LogEvent 4, "DST 2007 Registry Update and Refresh has been
executed on this computer." & chr(13) & chr(10) & chr(13) & chr(10) &
"Current time zone is: " & szCurrDispName & "."

All of the above were taken from Microsofts KB article:
http://support.microsoft.com/kb/914387/en-us

Thanks in advance Darren.

Thanks, 
Tom Strader 
Server Systems Administrator 
Blumenthal Performing Arts Center 
704.379.1285 

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Darren Mar-Elia
Sent: Tuesday, March 06, 2007 4:35 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Another Script Processing question...

 

The logon script wouldn't stop GP scripts from running. Can you post
your batch file here? Also note that I've seen several other posts in
other places about problems with delivering this timezone fix via GP
scripts, so you are not alone.

 

Darren

 

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Tom Strader
Sent: Tuesday, March 06, 2007 1:29 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Another Script Processing question...

 

I have a logon batch file that calls a KIXtart script that maps drives
according to the users group membership. That is the only cmd prompt I
see appearing. Could it be the logon script is causing the GP to fail or
not run at all?

I've rebooted several different W2K machines, same results. 

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Darren Mar-Elia
Sent: Tuesday, March 06, 2007 4:22 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Another Script Processing question...

 

Tom-
Do you see the batch file running at all? In other words, do you get a
visible command shell when it pops up?

 

Darren

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Tom Strader
Sent: Tuesday, March 06, 2007 1:18 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Another Script Processing question...

 

Simple question, probably a simple answer.

 

Other than the Default GPO, I have an OU that has a modified Policy.

 

Under THAT OU I have another OU than has Windows 2000 PC's and the only
change is I added a batch file that calls a VBS to update W2K machines
for DST.

 

It isn't running, what am I doing wrong?

 

Thanks in advance.

This e-mail message may contain privileged and/or confidential
information, and is intended to be received only by persons entitled to
receive such information. If you have received this e-mail in error,
please notify the sender immediately. Please delete it and all
attachments from any servers, hard drives or any other media. Other use
of this e-mail by you is strictly prohibited.

All e-mails and attachments sent and received are subject to monitoring,
reading and archival by Monsanto. The recipient of this e-mail is solely
responsible for checking for the presence of "Viruses" or other
"Malware". Monsanto accepts no liability for any damage caused by any
such code transmitted by or accompanying this e-mail or any attachment.

This e-mail message may contain privileged and/or confidential
information, and is intended to be received only by persons entitled to
receive such information. If you have received this e-mail in error,
please notify the sender immediately. Please delete it and all
attachments from any servers, hard drives or any other media. Other use
of this e-mail by you is strictly prohibited.

All e-mails and attachments sent and received are subject to monitoring,
reading and archival by Monsanto. The recipient of this e-mail is solely
responsible for checking for the presence of "Viruses" or other
"Malware". Monsanto accepts no liability for any damage caused by any
such code transmitted by or accompanying this e-mail or any attachment.

Other related posts: