User logon script to run as System?

  • Question

  • I am trying to create a GP User logon script to remove 1 specific registry key on login.  I have tested this using my administrator account, and it works fine, but when I test with a regular user account it will not run because of a GP that disables regedit.

    Is there any way to get this bat file to run as System so the registry editor will work? And if not, is there any way that I can get this to work at all with regedit being blocked by a GPO?

    Monday, January 24, 2011 6:34 PM

All replies

  • Hello,

    run it as a startup script, they run with system permission.


    Best regards, Meinolf Weber. Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
    Monday, January 24, 2011 6:52 PM
  • I'd love to, but that will not work for our situation.  We are running a terminal server environment and a startup script will only run when the server is rebooted...which is only once a month.  We need the bat file to run every time a user logs in, no matter what server they hit.  It is deleting a specific registry key that is prone to corruption, so our theory is that if we delete it on user logon, the user will always be starting with a fresh key.
    Monday, January 24, 2011 7:21 PM
  • Hello,

    which registry key is it? What about setting the GPO to "enabled" with "disable regedit from running silently" to "no"? We use it that way to configure registry keys with logon script on our Terminal servers.


    Best regards, Meinolf Weber. Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
    Monday, January 24, 2011 7:43 PM
  • The key is HKCU\Software\Citrix

    Where is that setting you mentioned and can you explain a little more on how you use it?

    Monday, January 24, 2011 7:49 PM
  • Hello,

    if you configure regedit with GPO under User Configuration, Administrative Templates, System, "Prevent access to registry editing tools", there is also the option, if set to Enabled, to allow silent runs.


    Best regards, Meinolf Weber. Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
    Monday, January 24, 2011 7:55 PM
  • I just checked the GPO that is blocking the registry.  The section you mentioned, "Disable regedit from running silently" is set to NO.  So I'm assuming that means it IS ENABLED to run silently.  But the logon script will still not run.  With a pause in it, you can see that it is showing regedit being blocked.  Do I need a SILENT switch somewhere?
    Monday, January 24, 2011 8:28 PM
  • Hello,

    our script looks like this:

    \\domain.com\SysVol\domain.com\Policies\{GUInumber}\User\Scripts\Logon\regedit /s \\domain.com\SysVol\domain.com\Policies\{GUInumber}\User\Scripts\Logon\key.reg


    Best regards, Meinolf Weber. Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
    Monday, January 24, 2011 8:39 PM
  • Maybe I'm missing something.

    My script is here:  \\domain.com\sysvol\domain.com\policies\GUID\user\scripts\logon

    Contents of script are: 

    @ECHO OFF

    reg delete hkey_current_user\software\citrix /f


    We have a GPO that is set to block registry editing, but allow it for silent installs.


    I'm now noticing in my sys logs, that I'm getting EventID 1058 with an error code of 5

    I am able to map to the share that has the script, but I cannot paste the address into my computer...which is strange.

    Monday, January 24, 2011 9:15 PM
  • Hello,

    reg is different from regedit.

    And as you can see, we have also added regedit.exe into the logon script folder, where the batch file contains the above mentioned command; sorry, I was not that clear about it.

    Make sure that only domain DNS servers are used on the NIC of the machines. 1058 can belong to access problems also.

    I can not follow the "but I cannot paste the address into my computer"; can you elaborate on this in more detail? Where do you paste it in?


    Best regards, Meinolf Weber. Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
    Monday, January 24, 2011 9:30 PM
  • Sorry, I can map to the share, but if I paste the address into the address bar of my computer, it says access to this network resource is disallowed. 

    I know I can get to the share because the manual mapping works fine, so I'm not sure about that error either.


    As far as what you said about adding regedit.exe, I'm still a little unclear.  Where would I need to put regedit.exe and do I need to change my bat file at all?  This is all it reads:

    @ECHO OFF

    reg delete hkey_current_user\software\citrix /f


    Our last option is to turn off the policy that blocks regedit, but I'd rather not do that.

    Monday, January 24, 2011 9:49 PM
  • Hello,

    on a test OU with test machine and test user create another GPO and use the regedit.exe in the folder:

    regedit /d "<registry_key>"

    where registry_key is replaced with the key you wish to delete.

    regedit /d "HKEY_Current_User\software\citrix"

    See also "Deleting Registry Keys and Values" in http://support.microsoft.com/kb/310516


    Best regards, Meinolf Weber. Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
    Monday, January 24, 2011 10:05 PM
  • Thanks. I'm following you except where you say "use regedit.exe in the folder."

    Which folder?

    Do I put a copy of it in the sysvol folder where the logon script is kept?  If so, how does the script know to use that .exe and not the one locally on the terminal server?

    Monday, January 24, 2011 11:12 PM
  • Hello,

    in the field where you add the script in the left down corner is a button show files, this is the folder belonging to the logon script and contains the batch file and other required files, here add the regedit.exe to.


    Best regards, Meinolf Weber. Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
    • Marked as answer by petergriffon Tuesday, January 25, 2011 2:34 PM
    Monday, January 24, 2011 11:24 PM
  • Well I must say thank you....I got it working this morning.  I am not using a bat file anymore, but your tip of putting regedit.exe in the sysvol folder was the key.

    I'm now using regedit.exe to call a reg file I created that removes the key....which is actually cleaner in my opinion. No DOS window popping up from the bat file.....it just deletes the key, nice and easy.

    So how does that work, if you put a program in the sysvol and call to it, does it run with elevated rights?

    Tuesday, January 25, 2011 2:33 PM
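The thread's final question (does a program placed in SYSVOL run with elevated rights?) has a short answer: no. A user logon script runs in the security context of the user who logs on, so the copied regedit.exe only edits that user's HKCU, and it works because the policy option "Disable regedit from running silently" = No sets DisableRegistryTools to 2, which still permits silent runs. The following is an added example, not a script from the thread: a PowerShell logon script that reports how that policy applies to the current user and removes HKCU\Software\Citrix through the registry provider, which that policy does not govern. The log file path is an assumption.

```powershell
# Added example (not from the thread). Runs as the logged-on user; only that user's hive is touched.
$Key     = 'HKCU:\Software\Citrix'
$Policy  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$LogFile = Join-Path $env:TEMP 'citrix-key-cleanup.log'   # assumed log location

function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Out-File -FilePath $LogFile -Append -Encoding utf8
}

# How "Prevent access to registry editing tools" is applied to this user.
# DisableRegistryTools: absent or 0 = not restricted; 1 = regedit blocked entirely;
# 2 = regedit blocked, but silent runs (regedit /s file.reg) are permitted.
$value = (Get-ItemProperty -Path $Policy -Name DisableRegistryTools -ErrorAction SilentlyContinue).DisableRegistryTools
if ($null -eq $value -or $value -eq 0) {
    Write-Log 'Registry editing tools are not restricted by policy for this user'
} elseif ($value -eq 1) {
    Write-Log 'regedit blocked; silent runs NOT allowed (regedit /s and reg.exe will be refused)'
} elseif ($value -eq 2) {
    Write-Log 'regedit blocked; silent runs allowed (regedit /s with a .reg file works)'
} else {
    Write-Log "Unexpected DisableRegistryTools value: $value"
}

# The registry provider is not subject to that policy, so the key can be removed directly.
# -Recurse removes subkeys as well, so the user starts the session with a fresh key.
if (Test-Path $Key) {
    try {
        Remove-Item -Path $Key -Recurse -Force -ErrorAction Stop
        Write-Log "Deleted $Key"
    } catch {
        Write-Log "Failed to delete ${Key}: $($_.Exception.Message)"
    }
} else {
    Write-Log "$Key not present; nothing to do"
}
```

The .reg file approach the last post describes is equivalent: a file whose first line is `Windows Registry Editor Version 5.00` followed by `[-HKEY_CURRENT_USER\Software\Citrix]`, run as `regedit /s key.reg`, deletes the same key silently.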