I have a script that I want to run at startup but that requires elevated privileges. Is there a way of doing this with Group Policy?
I tried adding it in as a startup script using GPO but it doesn't appear to run. If I run it from a standard cmd prompt then it gives access denied, but if I right-click the command prompt and select "Run as Administrator" then it works fine, so I suspect it is a permission issue.
The script is setting the MTU on each NIC to be 1400 as follows:
Dim strDNSDomain
Dim strComputer
Dim strID
Dim strKeyPath
Dim strValueName
Dim strDWValue
Dim strTemp ' DNS domain filter text; empty unless assigned
Const HKEY_LOCAL_MACHINE = &H80000002
Const DEFAULT_MTU_SIZE = 1400
Const KEY_SET_VALUE = &H0002
'==== Gets the Setting for MTU from the command line in the form of /MTU:1500 ====
Set colNamedArguments = WScript.Arguments.Named
strComputer = "."
' StdRegProv gives registry access through WMI; root\cimv2 lists the adapters
Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
strDWValue = DEFAULT_MTU_SIZE
If colNamedArguments.Exists("MTU") Then strDWValue = CLng(colNamedArguments.Item("MTU"))
Set colAdapters = objWMIService.ExecQuery("SELECT * FROM Win32_NetworkAdapterConfiguration")
For Each objAdapter In colAdapters
    strDNSDomain = objAdapter.DNSDomain
    If InStr(1, strDNSDomain, strTemp) > 0 Then
        ' Each adapter has its own key under Tcpip\Parameters\Interfaces, named by SettingID
        strID = objAdapter.SettingID
        strKeyPath = "SYSTEM\CurrentControlSet\Services\TCPIP\Parameters\Interfaces\" & strID
        strValueName = "MTU"
        ' Write access is needed for SetDWORDValue below
        oReg.CheckAccess HKEY_LOCAL_MACHINE, strKeyPath, KEY_SET_VALUE, bHasAccessRight
        If bHasAccessRight = True Then
            oReg.GetDWORDValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, dwValue
            WScript.Echo strKeyPath & " value " & strValueName & " contains " & dwValue
            oReg.SetDWORDValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, strDWValue
            WScript.Echo strKeyPath & " value " & strValueName & " changing to " & strDWValue
            ' Read the value back to confirm the write
            oReg.GetDWORDValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, dwValue
            WScript.Echo strKeyPath & " value " & strValueName & " changed to " & dwValue
        Else
            WScript.Echo "Cannot set registry value - access denied"
        End If
    End If
Next
Scripts placed in Computer Configuration\Windows Settings\Scripts (Startup/Shutdown) are run as Local System which is usually all that's required for installing programs etc. The same is true of MSIs deployed using Group Policy.
Do you know what privileges your script requires? What is your script doing that requires these privileges?
Grab a copy of Process Monitor from Sysinternals and, using a standard user account, monitor your script to find out what it's doing and what extra privileges it needs to be able to run. You can then use that information to find out why the Local System account isn't able to run it.
EDIT: An option available to you is for you to use your Startup script to run a net shell command
It's a single liner you need in your script. Any use?
Lewis
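An added example, not part of the original question or answers: a read-only PowerShell check that records which account the script runs under and whether that account can open each Tcpip interface key for writing, so a run from a standard prompt can be compared with a run as a GPO startup script. The log file name and the function names are assumptions.

```powershell
# Added diagnostic (not from the original thread). It changes nothing:
# it only opens keys and writes a log. Log name is an assumed value.
# $env:TEMP resolves per account, so each run logs to its own profile's temp folder.
$log  = Join-Path $env:TEMP 'mtu-startup-check.log'
$base = 'SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'

function Get-RunContext {
    # Identity and elevation state of the token this script runs with
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    [pscustomobject]@{
        User       = $id.Name
        IsSystem   = $id.IsSystem
        IsElevated = $principal.IsInRole(
            [Security.Principal.WindowsBuiltInRole]::Administrator)
    }
}

function Test-KeyWritable {
    param([string]$SubKey)
    try {
        # writable = $true requests write access; the call throws if the token lacks it
        $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SubKey, $true)
        if ($null -eq $key) { return $false }   # key does not exist
        $key.Close()
        return $true
    } catch {
        return $false
    }
}

$ctx   = Get-RunContext
$lines = @("{0:s} user={1} system={2} elevated={3}" -f
           (Get-Date), $ctx.User, $ctx.IsSystem, $ctx.IsElevated)

$root = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($base)   # read-only
foreach ($name in $root.GetSubKeyNames()) {
    $sub = $root.OpenSubKey($name)
    $mtu = $sub.GetValue('MTU')                 # $null when no MTU value is set
    $sub.Close()
    $lines += "{0} MTU={1} writable={2}" -f $name, $mtu, (Test-KeyWritable "$base\$name")
}
$root.Close()
Add-Content -Path $log -Value $lines
```

A run from a non-elevated prompt and a run as a startup script should differ on the `system`, `elevated` and `writable` fields if the access-denied error comes from the token rather than from the key's permissions.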
You can accomplish the registry updates via Group Policy Preferences. There is a nice subset of the GPP options for registry changes as outlined in this TechNet doc - http://technet.microsoft.com/en-us/library/cc753092.aspx