Scheduled Task (run as, At Logon) from GPO

Hi, I configured a Scheduled Task in a GPO for the user 8D\Test. This user is a non-admin on the PC or domain. This task must run as user 8D\Alex when 8D\Test logs on, but it is not working. What is wrong?

If user 8D\Test manually runs cmd.exe with highest privileges as 8D\Alex and then runs \\SERV-2008R2\script$\classid.cmd, the script applies to the system.

Thank you!



July 5th, 2013 10:51am

If the script needs to run if the user logs on, consider configuring it as a logon script.

Does the scheduled task run if started manually? Does the user have read/execute privileges on cmd.exe? Does the user have 'logon as batch' privileges?

July 5th, 2013 2:42pm

If I try to configure it as a logon script, I can't set "Run as"... that is possible only with a scheduled task. User 8D\Alex has Domain Admins rights.

I think UAC does not allow this task to run, because when 8D\Test manually runs cmd.exe with highest privileges as 8D\Alex, he presses OK in the UAC window...


July 5th, 2013 5:43pm

The scheduled task should have a configuration option for 'run with highest privileges' to avoid UAC blocking the script. I've got no valid testing environment right now, but I think that option is not available for tasks scheduled by GPO.

A startup script will allow running as "system", perhaps this security context has enough privileges?

However, I would strongly advise against running any scheduled task with a user that has domain admin privileges. Consider what could happen if the target script is maliciously replaced!

Also note from this KB:

"This password is stored as part of the GPO in SYSVOL and is discoverable, although obscured. If you choose to store passwords in preference items, you should consider creating dedicated accounts for this purpose, and never store administrative passwords in preference items."

If you tell us what exactly the script does, we might be able to help you to figure out how to apply the script or setting to all needed computers.

July 11th, 2013 4:51pm
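The KB note quoted in the reply above can be checked against your own GPOs. As an added example (not from the thread or from the KB), this PowerShell function lists Group Policy Preference XML items that carry a non-empty `cpassword` attribute, without printing the value; the function name, the simplified sample XML and the temp folder are assumptions constructed for the demo.

```powershell
# Added example: report GPP items under a Policies folder that store a password.
function Find-GppStoredCredential {
    param([Parameter(Mandatory)][string]$PoliciesPath)

    Get-ChildItem -Path $PoliciesPath -Recurse -Filter *.xml -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_.FullName
        try { $xml = [xml](Get-Content -LiteralPath $file -Raw) }
        catch { Write-Warning "Skipping unparsable file: $file"; return }

        # Any element with a non-empty cpassword attribute holds an obscured password.
        foreach ($node in $xml.SelectNodes('//*[@cpassword != ""]')) {
            [pscustomobject]@{
                File      = $file
                Item      = $node.ParentNode.GetAttribute('name')
                RunAs     = $node.GetAttribute('runAs')     # scheduled tasks
                UserName  = $node.GetAttribute('userName')  # other preference types
                HasSecret = $true   # the value itself is deliberately not printed
            }
        }
    }
}

# Constructed sample (simplified, not a real GPO export) so the function runs offline.
$root = Join-Path ([IO.Path]::GetTempPath()) 'gpp-demo'
$demo = Join-Path $root 'Machine\Preferences\ScheduledTasks'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
@'
<ScheduledTasks>
  <Task name="classid">
    <Properties action="U" name="classid" runAs="8D\Alex"
                cpassword="CONSTRUCTED-PLACEHOLDER" appName="\\SERV-2008R2\script$\classid.cmd"/>
  </Task>
  <Task name="no-secret">
    <Properties action="U" name="no-secret" runAs="NT AUTHORITY\SYSTEM" cpassword=""/>
  </Task>
</ScheduledTasks>
'@ | Set-Content -LiteralPath (Join-Path $demo 'ScheduledTasks.xml')

# Only the "classid" task is reported; the task with an empty cpassword is skipped.
Find-GppStoredCredential -PoliciesPath $root | Format-List

# Against a domain, point -PoliciesPath at \\<domain>\SYSVOL\<domain>\Policies (placeholder).
```

Any item it reports should be moved to a dedicated low-privilege account or reworked so that no password is stored, as the KB text advises.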

So, it is a simple script:

ipconfig /setclassid "E*" my_class

This script must be run only when the user logs in, because when other users log on they have a different "my_classid" and change the previous classid.

July 11th, 2013 7:42pm

Hi,

Any update?

Just checking in to see if the suggestions were helpful. Please let us know if you would like further assistance.

Best Regards,

Andy Qi

TechNet Subscriber Support

July 16th, 2013 7:01am

No updates (
If I find it, I'll write here.
July 16th, 2013 9:12am

Hi,

As the classid is not (should not be) a user-specific setting, you can configure the script as a startup script (not a login script). That way it runs in the 'system' security context with appropriate privileges.

Consider that the computer will already have an assigned DHCP IP address when running the login script, so the setting will not be visible to DHCP until the next renewal of the IP.

To be honest, I've not yet encountered a functional requirement that needs the userclass ID to be changed. Most environments use the 'router' option to determine client location and only differentiate upon preconfigured classids of, for example, IP telephony devices. I'm pretty curious about your use for the classid?

http://technet.microsoft.com/en-us/library/cc737299(v=ws.10).aspx

July 17th, 2013 4:24am

This topic is archived. No further replies will be accepted.
