none
Windows 7 Logon Script

    Question

  • I am running Windows 7 client in the Domain Windows 2003 environment.  And we have some files needed to copy to C:\program files and C:\Windows folder in Windows 7.

    The user only have the Power User right in Windows 7.  And when we copy the files through logon script, it will have "Access denied"

    Does anyone has idea on how to run logon script for this case or through group policy?  Please advise.

    Thursday, May 12, 2011 1:25 PM

All replies

  • Hello,

    if your script require admin privileges then you will need UAC. Power users group no longer have elevated permissions so your user will not able to run the script using an elevated prompt.

    For more information:

    Permissions and rights have been removed from the Power Users group in Windows Vista

    Have you tried running script as a logon script via group policies?



    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Microsoft Student Partner
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator: Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration

    Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration

    Thursday, May 12, 2011 1:42 PM
  • So how to run the logon script for the Power User who don't have elevated permission.

    Any advice? Through group policy can help?

     

    Thursday, May 12, 2011 2:46 PM
  • Using Power Users group, I don't see a way as they can not use elevated prompts.

    For logon scripts: http://technet.microsoft.com/fr-fr/library/cc722569.aspx

     


    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Microsoft Student Partner
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator: Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration

    Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration

    Thursday, May 12, 2011 3:13 PM
  • Just use the Group Policy Preferences File Extention to copy the file to the computer http://technet.microsoft.com/en-us/library/cc771102.aspx . Make sure you apply the setting to the computer object under the computer section so that it will copy it as the local system account.... however you will also need to add "Domain Computers" to have read access to the files on the network.... and yes Group Policy Preferences will work in a Windows 2003 Domain...

    Hope it helps

     


    Alan Burchill (MVP)
    http://www.grouppolicy.biz
    Follow me on twitter @alanburchill
    Friday, May 13, 2011 4:08 AM
  • So you mean through the Group Policy Prefernce File Extention to copy the file and no need to use Logon Script even the Windows 7 user is only Power User.

    And the file to copy is into "C:\Program files" and "C:\Windows" folder in Windows 7 at which Power user don't have any access right at all.

    And do you have any detail procedure for the Group Policy Prreference?

     

    Friday, May 13, 2011 1:45 PM
  • have a look at Alan's website to learn more about GPP, what you need to make it work, and example/tutorials for it!
    http://www.grouppolicy.biz/2010/12/group-policy-preferences-prerequisites/
    Don
    • Proposed as answer by iw7347438959 Thursday, January 24, 2013 11:13 AM
    Saturday, May 14, 2011 8:26 AM
  • After reviewing the above link, I cannot find an answer on it.

    My question is that Winwos 2003 or 2008 Group Policy Preference File extension can copy files in the C:\Windows and C:\Program Files in Windows 7 even the logon user is Power user which don't have access right on those two folders.

    Please advise.

     

    Saturday, May 14, 2011 12:53 PM
  • yes it can, as long as you configure the script or policy as a 'machine' or 'computer' setting (this means it will operate in the context of the computer account and not the user account)

    it needs to operate in the context of the computer account, if the user account does not have the necessary permissions.
    the computer account needs to have permission to the source file also, you can give 'Domain Computers' permissions to read the source file/folder.

    the computer account will already have permission to c:\


    Don
    Sunday, May 15, 2011 12:50 AM
  • Can you advise how to set "Domain Computer" permission to read the source file?

    Is it under the Trageting under the Common tab in the Computer Configuration Files Tab?

    Sunday, May 15, 2011 9:48 AM
  • the easiest way is with Windows Explorer (not GPO).
    you are just setting the security permissions of the file that everybody needs to have copied to their c:
    in this case, "everybody" means "Domain Computers" - you are granting "Read" permission, so the computers can copy the file to their c: when the GPP CSE runs.


    Don
    Sunday, May 15, 2011 10:18 AM
  • Do you mean adding everyone group to C:\windows and C:\program files folder.

    But when I add everyone into those folder, it will have access denied.  Do I need to take ownership to those two folder first before changing the permission.

    Please advise.

     

    Sunday, May 15, 2011 12:13 PM
  • Just use the Group Policy Preferences File Extention to copy the file to the computer http://technet.microsoft.com/en-us/library/cc771102.aspx . Make sure you apply the setting to the computer object under the computer section so that it will copy it as the local system account.... however you will also need to add "Domain Computers" to have read access to the files on the network.... and yes Group Policy Preferences will work in a Windows 2003 Domain...

    Hope it helps


    Alan Burchill (MVP)
    http://www.grouppolicy.biz
    Follow me on twitter @alanburchill


    Hi,

     

    Please check the link Alan provided on how to use the Group Policy Preferences File Extension to copy file. Use the following policy setting:

     

    Computer Configuration > Preferences > Windows Settings > Files

     

    I assume that you want to copy files from a network share (Source) to C:\Program files and C:\Windows (Destination) on Windows 7 clients, find the share folder, on its Security tab, add "Domain Computers" group, make sure the "Domain Computers" group has read access to the share folder.

     

    Another method, you can deploy the script via startup script via group policy, in this way, the script also runs with local system account. Refer to:

     

    Computer Configuration, Windows Settings, Scripts(Startup/Shutdown)

     

    If any trouble is encountered, please let us know.

     

    Thanks.

    Nina


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Monday, May 16, 2011 9:28 AM
  • For the startup script, is it it just put under Computer Configuration, Windows Setting, Scripts (Startup/Shutdown), if can copy files from the network share to C:\Program Files and C:\Windows even the user is Power User who do not have acccess right on those two folders?

    How to set the startup scrip running with local system account?  And this setting is different from Logon script which has access denied before?

    Monday, May 16, 2011 2:01 PM
  • Hi,

     

    By default, Startup scripts run as Local System, and they have the full rights that are associated with being able to run as Local System. Logon script scripts run on the User account and not on the Administrator account. For more information, please check the following links:

     

    http://support.microsoft.com/kb/198642   

    http://technet.microsoft.com/en-us/library/cc779329(WS.10).aspx  

     

    Thanks.

    Nina


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Tuesday, May 17, 2011 3:04 AM
  • Hi

    I have tried startup script, it is still got "Access denied" when copying into C:\program files and C:\Windows folder in Windows 7.

    Any idea on this?

    Tuesday, May 17, 2011 1:48 PM
  • Hi,

     

    Please first verify whether the script can be run manually on one Windows 7 client.

     

    Thanks.

    Nina


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Wednesday, May 18, 2011 10:05 AM
  • The script run manually in the Power user account and it is "Acccess denied".

    And for your advice, it should be ok for running under startup script, but it is not.  Any advice?

    Wednesday, May 18, 2011 1:54 PM
  • are you getting access denied to read the source files, or access denied to save the target files?

    before you try this, did you confirm Read permissions were granted to "Domain Computers" as per Nina's advice?
    (NB: Domain Computers is *not* the Everyone group)
    you must grant both Share and File permissions on the source folder

    if you perform a test whilst logged in as LocalSystem (not a normal user) then you can diagnose the cause.


    Don
    Wednesday, May 18, 2011 9:33 PM
  • Hi,

     

    Please provide us more information on the "access denied" error as Don mentioned. Can you run the script manually as an administrator? If you want to copy files from a network share, have you verified the share and NTFS permissions?

     

    Thanks.

    Nina


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Thursday, May 19, 2011 2:01 AM
  • I tried to add everyone to the C:\Program files and C:\Windwos as advised for the granting right to "Domain Computers".

    But when I run the startup script, it will be access denied.

    And if I run manually, it will have access denied only for Power Users.

    Any idea?

    Thursday, May 19, 2011 2:05 PM
  • Hi,

     

    Please help collect the NTFS permissions on source folders (network share) and the destination folders (C:\Program files and C:\Windows on the Windows 7 client).

     

    Run “icacls <Directory> >>C:\permission.txt” and press Enter

     

    Please open permission.txt on C: drive, paste the contents here for research.

     

    For more information on how to use icacls, please refer to: http://technet.microsoft.com/en-us/library/cc753525(WS.10).aspx   

     

    By the way, did you check the results via remote desktop connection?

     

    Thanks.

    Nina


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Friday, May 20, 2011 3:47 AM
  • Hi, all,

    I am having pretty similar problem. I am using Win 2008 R2 as domain and Win7 x64 SP1 as clients.

    I have assigned logon script for specific user with local admin rights (Profile tab from Properties of user). And when my user logs on, he can see "Access denied" error. I tried to use VBS and cmd scripts.

    Script is just to copy files from share source folder to %public%\desktop location. I've check if my user can run scripts with no errors, if I use "run as admin" option script works as expected.

    Please advise.

     


    Friday, July 01, 2011 10:19 PM