Deploying script - User rights
Hi, I need to perform maintenance on an application. The requirement is to update a profile by doing the following:
a) copy profiles to the client's c:\program files\xxxxxx
b) execute a command in the application folder to restart the service: c: \program files\qctray /start
I have tried to use a third-party runas (cpau.exe) to copy the specific files from netlogon to the client's PC (using domain admin credentials) using a domain logon script and execute the command, no problem. However, I can't use a domain user account to accomplish this - the files cannot be copied due to NTFS permissions. What is the better approach to solve this? Can I create a service account and disable some user rights? Or can I runas a specific domain/local account with higher credentials? It is definitely not wise to use domain admin to deploy a script, right? Currently the local admin account password is not standardized. Need advice. Thanks.
February 25th, 2009 7:13pm

Hi,
Running the script using Group Policy will elevate the rights when running the script. The script can be run as a startup script or as a login script depending on the situation.
Jens Ole Kragh MCITP, MCTS, MCT http://jensolekragh.spaces.live.com/
February 25th, 2009 9:42pm

Hi,
If the files being copied are from the same machine itself (you are copying files locally), then a startup script should suffice (a login script runs under the user's context so you may have to incorporate a runas routine in your login script). Here's a link describing how to assign startup scripts using GPOs:
http://technet.microsoft.com/en-us/library/cc779329.aspx
For the service part, you can use either SC.EXE (with the config command) or SubInACL.exe to assign users to be able to stop/start the service concerned.
SC.EXE Description and Examples
http://technet.microsoft.com/en-us/library/bb490995.aspx
SUBINACL Download and Description
http://www.microsoft.com/downloads/details.aspx?FamilyID=E8BA3E56-D8FE-4A91-93CF-ED6985E3927B&displaylang=en
Regards,
Salvador Manaois III
MCITP | Enterprise & Server Admin
MCSE MCSA MCTS CIWA C|EH
Bytes & Badz: http://badzmanaois.blogspot.com
February 26th, 2009 6:54am

Hi,
You can use a GPO to configure the permissions of every client's c:\program files\xxxxxx folder to give users the necessary rights to copy profiles.
Open the GPO and navigate to:
Computer Configuration/Windows Settings/Security Settings/File System
Right-click in the right panel, choose Add File, find the c:\program files\xxxxxx folder, and click OK. Give proper rights to User Groups.
You can configure more specific rights on files in this folder to avoid accidental deletion.
Thanks.
This posting is provided "AS IS" with no warranties, and confers no rights.
February 26th, 2009 11:25am

Hi,
Thanks for the reply. I need to add the service account domain users to a local computer security group (Power Users/Local Administrators). However, if I use the GPO restricted group to do it, it will replace instead of adding the account. Is there a better way to do this?
Thanks.
March 5th, 2009 12:19pm

Hi,
You can add the following script to the Computer Startup scripts to add a Domain User to local groups.

    ' Target computer whose local group is modified
    strComputer = "COMPUTERNAME"
    ' Bind to the local Administrators group and the domain account
    Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators")
    Set objUser = GetObject("WinNT://DOMAINNAME/SERVICEACCOUNT")
    ' Add the domain account to the local group
    objGroup.Add(objUser.ADsPath)

Note: Please replace COMPUTERNAME, DOMAINNAME and SERVICEACCOUNT based on your Domain information.
For more information, please refer to the following articles.
How Can I Add a Domain User to a Local Administrators Group?
http://www.microsoft.com/technet/scriptcenter/resources/qanda/oct04/hey1008.mspx
How Can I Add a Domain Group to the Local Administrators Group?
http://www.microsoft.com/technet/scriptcenter/resources/qanda/sept05/hey0923.mspx
Thanks.
This posting is provided "AS IS" with no warranties, and confers no rights.
March 6th, 2009 8:41am
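
A variant of the startup script in the reply above, added here as an example and not code from the thread: it resolves the local computer name at run time and checks membership first, because a startup script runs at every boot and Add raises an error once the account is already a member. DOMAINNAME and SERVICEACCOUNT are the same placeholders the reply uses; the group constant and the event-log messages are assumptions made for this example.

```vbscript
' Added example: idempotent computer startup script (runs as SYSTEM at boot).
' DOMAINNAME and SERVICEACCOUNT are placeholders; replace them as in the post above.
Option Explicit

Const GROUP_NAME = "Administrators"    ' local group to modify (assumption: same as the post)
Const DOMAIN_NAME = "DOMAINNAME"
Const ACCOUNT_NAME = "SERVICEACCOUNT"
Const EVENT_SUCCESS = 0                ' WshShell.LogEvent type: success
Const EVENT_ERROR = 1                  ' WshShell.LogEvent type: error

Dim objNetwork, objShell, objGroup, objUser, strComputer, blnMember

Set objNetwork = CreateObject("WScript.Network")
Set objShell = CreateObject("WScript.Shell")
strComputer = objNetwork.ComputerName  ' local machine name, nothing hard-coded per client

On Error Resume Next

' Bind to the local group and the domain account; the ",group" / ",user"
' hints stop the WinNT provider from guessing the object class.
Set objGroup = GetObject("WinNT://" & strComputer & "/" & GROUP_NAME & ",group")
Set objUser = GetObject("WinNT://" & DOMAIN_NAME & "/" & ACCOUNT_NAME & ",user")
If Err.Number <> 0 Then
    objShell.LogEvent EVENT_ERROR, "Local group script: lookup failed, error 0x" & Hex(Err.Number)
    WScript.Quit 1
End If

' Read membership into a variable first: with On Error Resume Next, a
' failing call inside an If condition would fall through into the branch.
blnMember = objGroup.IsMember(objUser.ADsPath)
If Err.Number <> 0 Then
    objShell.LogEvent EVENT_ERROR, "Local group script: membership check failed, error 0x" & Hex(Err.Number)
    WScript.Quit 1
End If
If blnMember Then WScript.Quit 0       ' already a member, nothing to change

' Add only this one account; existing members of the group are left alone.
objGroup.Add objUser.ADsPath
If Err.Number <> 0 Then
    objShell.LogEvent EVENT_ERROR, "Local group script: add failed, error 0x" & Hex(Err.Number)
    WScript.Quit 1
End If
objShell.LogEvent EVENT_SUCCESS, "Local group script: added " & DOMAIN_NAME & "\" & ACCOUNT_NAME & " to " & GROUP_NAME
```

The events are written to the Application log of each client, so a failed lookup or add shows up there instead of passing silently at boot.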

This topic is archived. No further replies will be accepted.
