Logon scripts not running in windows 8 if user is local admin
-
Monday, November 12, 2012 7:21 PM
So this is a very strange problem I've run across while testing the few windows 8 machines we have in the office. We have a small company, and most of us are power users, so we have always created a local admin account using the AD credentials for their user so me, the lone IT guy, wouldn't have to babysit all of their software applications.
I have a really simple .bat (net use) that runs at logon to mount our 2 network drives that everyone needs access to, but if the user has a local administrator account the logon script doesn't run. If it's a local basic account, the script runs fine. This also doesn't happen on any of our Windows 7 machines.
Any help would be greatly appreciated, I'm pulling my hair out over here.
All Replies
-
Monday, November 12, 2012 7:35 PM
Hi,
On 12.11.2012 20:21, tyson.nordgren wrote:
but if the user has a local administrator account logon script doesn't run.
It's because of UAC. Your access token is changed. Your script makes the connections with the elevated token, and after logon your account works with the reduced one. So the credentials used for mapping the drives and the ones of the actual session do not match.
Deploy "EnableLinkedConnections" with Group Policy Preferences
and it will work, if you cannot get rid of the admins.
http://support.microsoft.com/default.aspx?scid=kb;EN-US;937624
Mark
Mark Heitbrink - MVP Windows Server - Group Policy
Homepage: www.gruppenrichtlinien.de - deutsch
GPO Tool: www.reg2xml.com - Registry Export File Converter
NetworkTrayTool www.gruppenrichtlinien.de/tools/Networktraytool.htm
- Marked As Answer by tyson.nordgren Wednesday, November 14, 2012 8:35 PM
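Added example, not code from the thread or from Mark's tools: a PowerShell script that shows the token split Mark describes and deploys the EnableLinkedConnections value from KB937624 directly in the registry (the GPP route does the same thing centrally). The registry path and value name are the documented ones; the drive letters and UNC paths are placeholders standing in for the poster's two shares. Run it once from an elevated prompt and once from a normal prompt of the same admin user: Test-ElevatedToken returns $true and $false respectively, which is exactly the mismatch that makes the elevated net use mappings invisible to Explorer. Be aware that the value deliberately bridges the two tokens' network connections, so a drive mapped by the full-admin half of the session becomes reachable from the filtered half as well; a reboot or new logon session is needed before it takes effect.

```powershell
# Added example (not from the original thread). Assumptions: the policy key
# and value name are those documented in KB937624; the drive mappings are
# placeholders for the poster's two shares.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Test-ElevatedToken {
    # $true when this process holds the elevated (full administrator) token,
    # $false when it holds the filtered token UAC gives an admin's normal shell.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-LinkedConnectionsState {
    # Reads the current EnableLinkedConnections value; 0 when it is not set.
    $item = Get-ItemProperty -Path $PolicyKey -Name EnableLinkedConnections -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.EnableLinkedConnections
}

function Enable-LinkedConnections {
    # Writes the DWORD described in KB937624. Requires an elevated prompt.
    if (-not (Test-ElevatedToken)) {
        throw 'Run from an elevated prompt; the filtered token cannot write HKLM policies.'
    }
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    Set-ItemProperty -Path $PolicyKey -Name EnableLinkedConnections -Value 1 -Type DWord
}

function Connect-CompanyDrives {
    # Same mappings the poster's net use batch file makes. Executed with the
    # elevated token, they are only visible to the filtered token (Explorer)
    # once EnableLinkedConnections is in effect.
    param(
        # Placeholder letters and UNC paths, not the poster's real shares.
        [hashtable]$Drives = @{ 'S:' = '\\fileserver\shared'; 'P:' = '\\fileserver\projects' }
    )
    foreach ($letter in $Drives.Keys) {
        net use $letter $Drives[$letter] /persistent:yes | Out-Null
    }
}

Write-Host ("Running with elevated token : {0}" -f (Test-ElevatedToken))
Write-Host ("EnableLinkedConnections     : {0}" -f (Get-LinkedConnectionsState))
```

Calling Enable-LinkedConnections once on each Windows 8 box, or pushing the same DWORD through a Group Policy Preferences registry item as Mark suggests, lets the existing batch file keep working without touching the user's group membership.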
-
Monday, November 12, 2012 7:47 PM
Thanks, but now a secondary question: Is there a way to give users admin access to their own computers without having a local admin account?
-
Monday, November 12, 2012 8:18 PM
Hello,
Is there a way to give users admin access to their own computers without having a local admin account?
Just add the AD user account to the group "Administrators" on the computer.
MVP Group Policy - Myths, insider information and troubleshooting on the topic of GPOs: Let's go, use GPO!
-
Monday, November 12, 2012 8:20 PM
On 12.11.2012 20:47, tyson.nordgren wrote:
Thanks, but now a secondary question: Is there a way to give users admin access to their own computers without having a local admin account?
Can you go into water without getting wet?
The question is: Why should they have admin access?
- you deploy all the software they need
- you patch all the software they need
- it's their company computer, not their private one
- Software does not run as user? Extend permissions in the specific place in the filesystem or registry, easy with Group Policy
So give me one reason why they need it? Only because they are used to it?
Mark
Mark Heitbrink - MVP Windows Server - Group Policy
Homepage: www.gruppenrichtlinien.de - deutsch
GPO Tool: www.reg2xml.com - Registry Export File Converter
NetworkTrayTool www.gruppenrichtlinien.de/tools/Networktraytool.htm
-
Wednesday, November 14, 2012 7:23 PM
Yeah, it's mostly because they are used to it, and until a few months ago we didn't have a dedicated IT guy. We're a really small company (about 25 in office), we don't use volume licensing for anything, we don't have any sort of software policy about what employees can and cannot install, and since there was no dedicated IT guy until I decided to take up the job, we just let them install/manage everything so our one guy who knew about IT didn't have to go around and do everything. Now that I'm kind of taking control of that side of things, and it's my full-time responsibility, it makes sense to start looking at central management. Most of the employees know their way around a computer enough so as to not screw it up, so at least that's not a huge concern. I'm mostly just looking for ways to integrate this stuff with our existing culture, and go from there.
But speaking again on the issue, I'm only having problems with the scripts running in Windows 8. A Windows 7 computer with a given user as a local admin on that machine has no issues, but in Windows 8 the script does not run. We only use two scripts (drive mapping, and updating software via Ninite). Drive mapping can be done easily enough in the GP prefs, and it seems the Ninite script works running as a startup script, except for programs like Chrome, which install to the user directory.
-
Wednesday, November 28, 2012 10:46 PM
Thanks, but now a secondary question: Is there a way to give users admin access to their own computers without having a local admin account?
Yes. Two ways.
1. Add the local hidden "interactive" group name to the local "administrators" group via Computer Management. Just type in the word "interactive" as the name to add. Be sure to select name from the local machine and not the domain as it will try to do by default.
2. Using group policy, add "interactive" via (Computer Configuration\Windows Settings\Security Settings\Restricted Groups\Administrators).
In either case, a username of "NT Authority\Interactive (S-1-5-4)" will appear in the local administrator group. At that point, any user or domain user that logs on physically to a machine (and only logs on physically) is automatically granted admin privileges on the machine. Permissions do not traverse the network. As an example, this prevents them from mapping network drives to other machine's hard drives via the C$ admin share.
-John
- Edited by Tech Patriot Wednesday, November 28, 2012 10:49 PM Fix formatting
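Added example, not part of John's reply: a PowerShell script that performs his first option on a single machine, checks whether NT AUTHORITY\INTERACTIVE (S-1-5-4) is already in the local Administrators group, and shows why the grant does not travel across the network. It uses net.exe rather than Add-LocalGroupMember because that cmdlet is not available on Windows 8, and it resolves the well-known SID locally so the name lookup cannot hit the domain by mistake (the trap John warns about in Computer Management). Test-CurrentLogonIsInteractive inspects the current token's group list: a console logon carries S-1-5-4, a network logon (someone connecting to this box over \\host\C$) does not, so the admin rights never apply to that session. One caveat worth knowing: a Remote Desktop session also receives S-1-5-4, so "physical" in practice means "console or RDP", not strictly at-the-keyboard. For fleet-wide deployment, John's second option (Restricted Groups) is the right tool; this script covers the one-off case.

```powershell
# Added example (not from the original thread). Assumptions: run from an
# elevated PowerShell on the target machine; net.exe is used because
# Add-LocalGroupMember does not exist on Windows 8.

$InteractiveSid = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-4')

function Get-InteractiveAccountName {
    # Resolves the well-known SID locally to NT AUTHORITY\INTERACTIVE, so no
    # domain lookup is involved (the default behaviour in Computer Management).
    return $InteractiveSid.Translate([System.Security.Principal.NTAccount]).Value
}

function Test-InteractiveAdminMember {
    # net localgroup lists well-known members by their NT AUTHORITY\ name.
    $members = net localgroup Administrators
    return [bool]($members | Where-Object { $_ -match '^NT AUTHORITY\\INTERACTIVE\s*$' })
}

function Add-InteractiveToAdministrators {
    # Option 1 from the reply: every console logon becomes a local admin.
    if (Test-InteractiveAdminMember) {
        Write-Host 'INTERACTIVE is already a member of Administrators.'
        return
    }
    net localgroup Administrators (Get-InteractiveAccountName) /add | Out-Null
    if (-not (Test-InteractiveAdminMember)) {
        throw 'Adding INTERACTIVE to Administrators failed; are you elevated?'
    }
}

function Test-CurrentLogonIsInteractive {
    # S-1-5-4 is in the token's group list for console (and RDP) logons only.
    # A network logon to \\host\C$ lacks it, which is why the admin grant
    # "does not traverse the network".
    $groups = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups
    return [bool]($groups | Where-Object { $_.Value -eq 'S-1-5-4' })
}

function Test-CurrentTokenIsAdmin {
    # Whether this process currently holds the full administrator token.
    # For an INTERACTIVE-granted admin this is still subject to UAC filtering,
    # so the drive-mapping issue from the first reply applies unchanged.
    $principal = New-Object System.Security.Principal.WindowsPrincipal(
        [System.Security.Principal.WindowsIdentity]::GetCurrent())
    return $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

Write-Host ("Interactive account name      : {0}" -f (Get-InteractiveAccountName))
Write-Host ("INTERACTIVE in Administrators : {0}" -f (Test-InteractiveAdminMember))
Write-Host ("Current logon is interactive  : {0}" -f (Test-CurrentLogonIsInteractive))
Write-Host ("Current token is admin        : {0}" -f (Test-CurrentTokenIsAdmin))
```

Note that users promoted this way are still subject to UAC token filtering, so the original logon-script problem does not go away with this change; it only replaces the separate local admin accounts with the users' own domain accounts.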

