Run with user privileges but write to restricted folder

  • General discussion

  • In Windows Server 2008 R2 (and in an Active Directory domain), the login and logoff scripts are run with user privileges.

    Suppose that I run script1.ps1 when user1 logs in; I need script1.ps1 to be associated with user1, because it will write some information about that user: it modifies a log file in a folder. Anyway, script1.ps1 will be run with user1 privileges.

    I obviously made that file and that folder accessible (readable/writable) to user1: but I actually don't want the user to modify that log file. I would like that only the script could do it.

    Is there a way to work around this problem? Maybe should I run script1.ps1 in a different way?


    Wednesday, March 11, 2015 8:56 PM

All replies

  • The logon script will run as the user, so the user must have permission to modify the file.

    One possible workaround is to use a startup script instead, which will run as system.

    What is it you're trying to accomplish?


    -- Bill Stewart [Bill_Stewart]

    Wednesday, March 11, 2015 9:37 PM
    Moderator
  • The logon script will run as the user, so the user must have permission to modify the file.

    One possible workaround is to use a startup script instead, which will run as system.

    What is it you're trying to accomplish?


    -- Bill Stewart [Bill_Stewart]

    The purpose is creating a log about user1 (login, logoff time and other information): so, it would not make sense if the user could modify that log.

    If I run a startup script, it will be run by the system (that is, Windows Server 2008) but I should bind its execution to user1 and every user that connects to Active Directory.

    Is it possible?

    • Edited by Henry_8198 Thursday, March 12, 2015 11:26 AM
    Thursday, March 12, 2015 11:25 AM
  • Henry. You can add a subscription to a server that subscribes to event log entries on user computers. Subscribe to the logon/logoff events. Now you have a central repository of logon and logoff events.

    There is no way to accomplish what you are asking to do. Any file that can be written to in a logon script or during a user session can be changed by the user.

    Bill is suggesting a "startup" script that runs when the user logs on and not when the computer starts. A user startup script runs as the user and not system.

    Another method is to schedule a script that runs at logon. This can run as system and write to a file that the user cannot change.


    ¯\_(ツ)_/¯

    Thursday, March 12, 2015 1:27 PM
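    As an added example (not code from the thread or from any of its posters), this is the scheduled-task approach described in the reply above: a task that fires at any user's logon but runs as SYSTEM, appending to a log folder whose ACL gives ordinary users read-only access. The folder path, task name and script file name are assumptions chosen for the example, and the logging script is written for the interactive console session (Win32_ComputerSystem.UserName is empty for RDP sessions).

    ```powershell
    # ---- Write-LogonRecord.ps1 (hypothetical name, saved in C:\LogonLogs) ----
    # Runs as SYSTEM from the scheduled task, so the logged-on user cannot tamper with
    # the log it appends to. Do NOT leave this script user-writable: anything a user
    # can edit that later runs as SYSTEM hands that user SYSTEM privileges.
    $LogDir  = 'C:\LogonLogs'                     # assumption: folder chosen for this example
    $LogFile = Join-Path $LogDir 'logons.log'

    # Under the task, $env:USERNAME is the SYSTEM account, not the person who logged on.
    # Ask WMI for the interactive console user instead (may be empty for RDP sessions).
    $User = (Get-WmiObject -Class Win32_ComputerSystem).UserName
    if (-not $User) { $User = '<no console user>' }

    $Line = '{0}|{1}|{2}|logon' -f (Get-Date -Format 'yyyy-MM-dd HH:mm:ss'), $env:COMPUTERNAME, $User
    Add-Content -Path $LogFile -Value $Line

    # ---- One-time setup, run once from an elevated PowerShell prompt ----
    New-Item -ItemType Directory -Path 'C:\LogonLogs' -Force | Out-Null

    # Break inheritance, then grant SYSTEM and Administrators full control and
    # Users read-only, so a logged-on user can see the log but not alter it.
    # (English built-in names; on localized systems use SIDs such as *S-1-5-18.)
    icacls.exe 'C:\LogonLogs' /inheritance:r /grant `
        'SYSTEM:(OI)(CI)F' 'BUILTIN\Administrators:(OI)(CI)F' 'BUILTIN\Users:(OI)(CI)R'

    # /SC ONLOGON with /RU SYSTEM triggers at every user's logon but runs as SYSTEM,
    # which is exactly what a GPO logon script (always run as the user) cannot do.
    schtasks.exe /Create /F /TN 'LogonAudit' /SC ONLOGON /RU 'SYSTEM' /RL HIGHEST `
        /TR 'powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\LogonLogs\Write-LogonRecord.ps1'
    ```

    Check the result with `icacls C:\LogonLogs` (no entry should grant Users W or M) and `schtasks /Query /TN LogonAudit /V` after a test logon.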
  • Henry. You can add a subscription to a server that subscribes to event log entries on user computers. Subscribe to the logon/logoff events. Now you have a central repository of logon and logoff events.

    [...]

    Another method is to schedule a script that runs at logon. This can run as system and write to a file that the user cannot change.


    ¯\_(ツ)_/¯

    Thank you. By "add a subscription" you mean something like this?

    The script schedule can be a useful alternative.

    Monday, March 16, 2015 2:42 PM
  • That is a subscription.  Just build it and you have a log of all logins that users cannot change.

    ¯\_(ツ)_/¯

    Monday, March 16, 2015 3:57 PM