Logon script as administrator.

Dears,
I have a very simple logon script to copy and install a small software, the issue is that users are not local admin to their computers due to which the script does not run, however if I login with a user with local admin power it works just fine.
Is there a solution to such a case, where we can run the script with admin privileges?
Regards,
MCP,MCTS(Vista),MCSA(Messaging)

My question to you is: does it have to happen at user logon? Logon scripts always run under the user's credentials, so they can only work with the user's privileges.
A few things you can consider:
1) If you can package it as an MSI, use Group Policy Software Installation.
2) Use a Startup script instead of a logon script.
3) Use a Group Policy Preference Scheduled Task to run the installation at user logon as SYSTEM.
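
Option 2 from the answer above, as an added example that is not part of the original thread: a computer startup script that runs as SYSTEM, skips machines where the agent process is already running, stages the installer in a directory standard users cannot write to, and refuses to run it unless its Authenticode signature is valid and from the expected publisher. The share path, publisher pattern, process name and silent switch are placeholders (assumptions), not values from the thread.

```powershell
# Added example: computer STARTUP script (Computer Configuration > Policies >
# Windows Settings > Scripts > Startup). It runs as NT AUTHORITY\SYSTEM before any
# user logs on and reaches the network as the computer account.
# Every path, share and name below is a placeholder (assumption).

$Source        = '\\example.local\NETLOGON\deploy\AgentSetup.exe'  # share writable by admins only
$StageDir      = Join-Path $env:ProgramFiles 'AgentDeploy'          # not writable by standard users
$ProcessName   = 'agentmon'                                         # process that marks "already installed"
$SignerPattern = 'CN=Example Vendor*'                               # expected publisher (placeholder)
$InstallArgs   = '/s'                                               # silent switch is installer-specific (assumed)
$LogFile       = Join-Path $StageDir 'deploy.log'

function Write-DeployLog {
    param([string]$Message)
    # One line per event: UTC-style timestamp, computer name, message
    $line = '{0:u} {1} {2}' -f (Get-Date), $env:COMPUTERNAME, $Message
    Add-Content -Path $LogFile -Value $line
}

function Test-InstallerTrusted {
    param([string]$Path, [string]$SubjectPattern)
    # Require a valid Authenticode signature AND the expected signer subject
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') { return $false }
    return ($sig.SignerCertificate.Subject -like $SubjectPattern)
}

if (-not (Test-Path $StageDir)) {
    New-Item -Path $StageDir -ItemType Directory -Force | Out-Null
}

# Nothing to do when the agent is already present
if (Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
    Write-DeployLog 'Agent already running; nothing to do.'
    exit 0
}

try {
    $local = Join-Path $StageDir (Split-Path $Source -Leaf)
    Copy-Item -Path $Source -Destination $local -Force -ErrorAction Stop

    # Check the staged copy, which is the file that will actually be executed
    if (-not (Test-InstallerTrusted -Path $local -SubjectPattern $SignerPattern)) {
        Write-DeployLog "Signature check failed for $local; not executing."
        Remove-Item -Path $local -Force
        exit 1
    }

    $p = Start-Process -FilePath $local -ArgumentList $InstallArgs -Wait -PassThru
    Write-DeployLog "Installer exited with code $($p.ExitCode)."
    exit $p.ExitCode
}
catch {
    Write-DeployLog "Deployment failed: $($_.Exception.Message)"
    exit 1
}
```

Because the script runs as SYSTEM, anyone who can write to the source share or the staging directory can run code as SYSTEM on every targeted machine, so keep both writable by administrators only.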

Similar Messages

  • How do I have an exe in a logon script run as a different user (either a domain admin or even the local system account)

    So, I'm having some problems getting a logon script to work.  I need a way to deploy the agent that we use via login/startup scripts and what I have works fine if the user has admin rights, or if UAC is disabled.  I've tried to convert the .exe
    to an .msi to make it easier, but the .msi never works and it's only distributed as an .exe.  We deploy this to different clients, I can't disable UAC in their environment unless they specifically tell us to.  Can anyone think of a way around this? 
    I've been searching for days and I'm just lost.  If we could execute the file as the system account, or connect to shares using a startup script instead of logon, that would be perfect.  Basically what it does is check to see if the process for the
    agent is running (agentmon.exe) so we don't attempt to install it if it is already installed, if it's not, then it calls on a different agent installer depending on the IP address of the system (for clients that have more than one location).  Here's what
    I've got written that works for me in my test environment:
    Const strAgent1 = "\\home.wiginton.local\SysVol\home.wiginton.local\Policies\{CD4ED3BD-0709-4E3D-A303-C9E3B0F5198D}\User\Scripts\Logon\Test-KcsSetup1.exe"
    Const strAgent2 = "\\home.wiginton.local\SysVol\home.wiginton.local\Policies\{CD4ED3BD-0709-4E3D-A303-C9E3B0F5198D}\User\Scripts\Logon\Test-KcsSetup2.exe"
    Const strAgent3 = "\\home.wiginton.local\SysVol\home.wiginton.local\Policies\{CD4ED3BD-0709-4E3D-A303-C9E3B0F5198D}\User\Scripts\Logon\Test-KcsSetup3.exe"
    Const strFolder = "C:\Temp\"
    Const Overwrite = True
    Dim objFSO, objNIC1, arrNIC, strIP, strMask, objShell, objWMIService
    Dim proc, WshNetwork
    'Checks for Kaseya agent process, AgentMon.exe, exits if running
    Set objWMIService = GetObject ("winmgmts:")
    Set proc = objWMIService.ExecQuery("select * from Win32_Process Where Name='agentmon.exe'")
    If proc.count > 0 Then
        WScript.Quit
    End If
    'Instantiate a NIC configuration object
    Set objNIC1 = GetObject("winmgmts:").InstancesOf("Win32_NetworkAdapterConfiguration")
    'Instantiate a shell object
    Set objShell = CreateObject("wscript.shell")
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    'Create Temp Dir if it doesn't exist
    If Not objFSO.FolderExists(strFolder) Then
        objFSO.CreateFolder strFolder
    End If
    For Each arrNIC in objNIC1
        if arrNIC.IPEnabled then
            StrIP = arrNIC.IPAddress(i)
            strMask = arrNIC.IPSubnet(i)
            Set WshNetwork = WScript.CreateObject("WScript.Network")
        end if
    next
    Function NetworkID(Address, Mask)
        Dim AddressOctets, MaskOctets, Result, N
        AddressOctets = Split(Address, ".")
        MaskOctets = Split(Mask, ".")
        ReDim Result(UBound(AddressOctets))
        For N = 0 To UBound(AddressOctets)
            Result(N) = AddressOctets(N) And MaskOctets(N)
        Next
        NetworkID = Join(Result, ".")
    End Function
    Select Case NetworkID(strIP,strMask)
        Case "192.168.0.0"
        ' Kaseya install commands for 192.168.0.0 subnet
        objFSO.CopyFile strAgent1, strFolder, Overwrite
        Wscript.Sleep 1*60*1000
        objShell.run "C:\Temp\Test-KcsSetup1.exe"
        Case "192.168.1.0"
        ' Kaseya install commands for 192.168.1.0 subnet
        objFSO.CopyFile strAgent2, strFolder, Overwrite
        Wscript.Sleep 1*60*1000
        objShell.run "C:\Temp\Test-KcsSetup2.exe"
        Case "192.168.2.0"
        ' Kaseya install commands for 192.168.2.0 subnet
        objFSO.CopyFile strAgent3, strFolder, Overwrite
        Wscript.Sleep 1*60*1000
        objShell.run "C:\Temp\Test-KcsSetup3.exe"
        Case Else
        ' Some sort of error checking. Maybe a BLAT SMTP command to send an email
    End Select
    Set objWMIService = Nothing
    Set objNIC1 = Nothing
    Set objShell = Nothing
    Set WshNetwork = Nothing
    Wscript.quit

    You need to read the documentation carefully:
    The Deploy Agents install package is created using a Configure Automatic Account Creation wizard. The wizard copies agent settings from an existing machine ID or machine ID template and generates an install package called KcsSetup. All settings and pending agent procedures from the machine ID you copy from—except the machine ID, group ID, and organization ID—are applied to every new machine ID created with the package.
    Including Credentials in Agent Install Packages
    If necessary, an agent install package can be created that includes an administrator credential to access a customer network. Credentials are only necessary if users are installing packages on machines and do not have administrator access to their network. The administrator credential is encrypted, never available in clear text form, and bound to the install package.
    ¯\_(ツ)_/¯

  • VBS logon script and AppLocker

    Hello
    I have set up AppLocker with "Automatically Generate Rules" for "Script Rules".
    When I try to execute a VBS logon script from a GPO it fails with the error below.
    Execution of the Windows Script Host failed. (This program is blocked by group policy. For more information, contact your system administrator.)
    I have tried to generate a new rule where I allow \\%logonserver%\sysvol\*, without any luck.
    Does anyone have a solution for this problem?
    Thanks,
    /Jesper

    Hello Again
    OK, I figured it out. I made a new allow rule with the path below.
    \\domain.com\SysVol\domain.com\Policies\*
    Now my domain VBscript is running.
    /Jesper

  • Group Policy Logon Script to create folder based on username, run as admin

    Hello,
    I'm at a loss as to how to make this work.  I wrote the following PowerShell script that will check to see if the currently logged in user has a folder on a share, and if not it will create the folder and set appropriate permissions.  I want to
    run it as a Group Policy Logon Script, however I need to run this script as an administrator because users don't have any write/create access at the folder level of the file share.  The problem with that then becomes $ENV:Username resolves to the admin
    account the script is running under.
    Any ideas?
    Thanks!
    Ryan
    # Declare Variables
    $strName = $env:USERNAME
    $strDomain = $env:USERDOMAIN
    If ($strDomain -eq "domain.org") {
        # Split Username into 2 variables
        $data = $strName.Split("_")
        $fname = $data[0]
        $lname = $data[1]
        #Find first character of last name
        $firstcharacter = $lname[0]
        # Figure out if last name begins with A-M or N-Z
        $A_M=$firstcharacter -match "[a-m]"
        $N_Z=$firstcharacter -match "[n-z]"
        # Checks to see if folder exists
        If ($A_M -eq $true){$FolderExists = Test-Path "\\staff-files\staff\Last Name A-M\$strName"}
        elseif ($N_Z -eq $true){$FolderExists = Test-Path "\\staff-files\staff\Last Name N-Z\$strName"}
        # Creates folder if it doesn't exist
        If (($FolderExists -eq $false) -and ($A_M -eq $true)){
            New-Item "\\staff-files.domain.org\Staff\Last Name A-M\$strName" -type directory
            $DirPath = "\\staff-files.domain.org\Staff\Last Name A-M\$strName"
        }
        elseif (($FolderExists -eq $false) -and ($N_Z -eq $true)){
            New-Item "\\staff-files.domain.org\Staff\Last Name N-Z\$strName" -type directory
            $DirPath = "\\staff-files.domain.org\Staff\Last Name N-Z\$strName"
        }
    }
    ElseIf ($strDomain -eq "students.domain.org") {
        # Pull 2 digit year from username and make 4 digit year
        $4digityear = "20" + $strName.Substring(0,2)
        # Checks to see if folder exists
        $FolderExists = Test-Path "\\files.domain.org\students\$4digityear\$strName"
        # Creates folder if it doesn't exist
        If ($FolderExists -eq $false) {
            New-Item "\\files.domain.org\students\$4digityear\$strName" -type directory
            $DirPath = "\\files.domain.org\students\$4digityear\$strName"
        }
    }
    # Assign Permissions
    If ($FolderExists -eq $false){
        $target = $DirPath
        $acl = Get-Acl $target
        $inherit = [system.security.accesscontrol.InheritanceFlags]"ContainerInherit, ObjectInherit"
        $propagation = [system.security.accesscontrol.PropagationFlags]"None"
        $accessrule = new-object system.security.AccessControl.FileSystemAccessRule ("CREATOR OWNER","Modify",$inherit,$propagation,"Allow")
        $acl.AddAccessRule($accessrule)
        $accessrule = new-object system.security.AccessControl.FileSystemAccessRule ("NT AUTHORITY\SYSTEM","FullControl",$inherit,$propagation,"Allow")
        $acl.AddAccessRule($accessrule)
        $accessrule = new-object system.security.AccessControl.FileSystemAccessRule ("administrators","FullControl",$inherit,$propagation,"Allow")
        $acl.AddAccessRule($accessrule)
        If ($strDomain -eq "students.hempfieldsd.org"){
            $accessrule = new-object system.security.AccessControl.FileSystemAccessRule ("DOMAIN\Domain Users","Modify",$inherit,$propagation,"Allow")
            $acl.AddAccessRule($accessrule)
        } # brace position assumed; the braces were lost from the posted script
        $accessrule = new-object system.security.AccessControl.FileSystemAccessRule ("DOMAIN\Staff_Tech","FullControl",$inherit,$propagation,"Allow")
        $acl.AddAccessRule($accessrule)
        $accessrule = new-object system.security.AccessControl.FileSystemAccessRule ("DOMAIN\Enterprise Admins","FullControl",$inherit,$propagation,"Allow")
        $acl.AddAccessRule($accessrule)
        $accessrule = new-object system.security.AccessControl.FileSystemAccessRule ($strName,"FullControl",$inherit,$propagation,"Allow")
        $acl.AddAccessRule($accessrule)
        # Stop inheriting from the parent and make the user the owner
        $acl.SetAccessRuleProtection($true,$false)
        $acl.SetOwner([System.Security.Principal.NTAccount]$strName)
        Set-Acl -AclObject $acl $target
    }
    Ryan Breneman - Systems Administrator - Hempfield School District

    Thanks jrv.  That is kind of what I thought but wasn't sure.  I think I will attack this a different way and modify the script to run through all the AD accounts and check for folder existence and create if needed.  Perhaps I'll play
    with System Center Orchestrator and run it inside there.
    These folders aren't being used for profile storage, and we already have folder redirection pointing to them, however I don't want a user to login to citrix and not have anywhere to save if they didn't have a folder to redirect to.
    Folders are supposed to be created when the staff member/student AD account is created, but it doesn't always happen.
    Thanks for your help!
    Ryan Breneman - Systems Administrator - Hempfield School District

  • Logon Script with Credential

    Hello everybody.
    Let me explain my problem. 
    I have a PowerShell logon script for a domain user without privileges that has to:
    Run IE as a domain user.
    When the user closes all open IE windows, the script has to run some processes; as soon as they finish, the script runs IE again.
    The user that runs the script doesn't have any kind of access to any drive and doesn't have any access to any app or Windows config setting; he has only access to IE through the PowerShell logon script, no more.
    I gave the user the privilege to act as part of the operating system through GPO.
    Well, let me show you the script before continuing with the explanation:
    Function fCredenciales([String]$FileTXT, [String]$UserIE) {
        # Prompt for the password and store it as an encrypted string in $FileTXT
        $UsIE1    = Get-Credential -Credential $UserIE
        $SecureIE = $UsIE1.Password
        $BytesIE  = ConvertFrom-SecureString $SecureIE
        $BytesIE | Out-File $FileTXT
    }
    #                     SCRIPT
    $Folder = "C:\Cred"
    $FileIE = $Folder + "\IE.txt"
    $UsIE   = "Domain\User"
    If (-Not (Test-Path $Folder)) {
        New-Item $Folder -Type Directory
        fCredenciales $FileIE $UsIE
    }
    If (-Not (Test-Path $FileIE)) {
        fCredenciales $FileIE $UsIE
    }
    $UsIETxt = Get-Content $FileIE | ConvertTo-SecureString
    If ($UsIETxt -eq $Null) {
        fCredenciales $FileIE $UsIE
    }
    $UsuarioIE   = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $UsIE, $UsIETxt
    $MyNetwork   = Get-WMIObject Win32_NetworkAdapterConfiguration -ComputerName LocalHost | Where-Object { $_.IPAddress -ne $null } # | Select-Object IPAddress
    $MyIPAddress = $MyNetwork.IPAddress[0]
    $URL         = "https://www.mywebpage.com/?qwerty=" + $MyIPAddress + " -private"
    $IE          = "C:\Program Files\Internet Explorer\iexplore.exe"
    While ($True) {
        # Start IE under the stored credential and wait for its window to close
        Start-Process $IE -ArgumentList $URL -Credential $UsuarioIE
        $IDProcess = Get-Process -Name iexplore | ?{$_.MainWindowTitle} | %{$_.ID}
        Wait-Process -Id $IDProcess
        # Proccess 1
        # Process2
    }
    I need to execute IE as another user.
    As the logon user doesn't have drive access, he cannot read the credential.
    If the logon script wants to ask for the credential, the credential window is never shown.
    I don't know why, but if the user doesn't have administrative privileges, Start-Process with -Credential doesn't work, exactly as Wait-Process -Id $IDProcess.
    The security department wants:
    User without any access (no drives, no menu, no nothing :)).
    Script has to run IE as a simple domain user.
    If the script needs administrative privileges to run Wait-Window, the script can be run as an administrative user, but not the Start-Process.
    I hope that you can understand me.
    Thanks in advance,
    Angel Biurrun C.

    Sorry but what you seem to be trying to do is not possible.  You cannot make a user an admin by having them do something that only an admin can do.
    If your company says a user cannot have access to any drives then there is no way they can open a file on a drive they have no access to.
    The script you posted is also impossible to read.  Can you try and post it correctly.  Maybe someone can decode what you are trying to do.
    As a quick example this is how we post scripts.
    Function fCredenciales([String]$FileTXT, [String]$UserIE){
        $UsIE1=Get-Credential -Credential $UserIE
        $SecureIE=$UsIE1.Password
        $BytesIE=ConvertFrom-SecureString $SecureIE
        $BytesIE | Out-File $FileTXT
    }
    Notice that it is readable and better indented. The eye can follow the code.  By using the code control the code becomes color keyed which makes it even more readable.
    ¯\_(ツ)_/¯

  • Help with logon script

    Hi
    We have a legacy reporting app (Crystal Distribution 8.5) that relies on DLLs to export data from it to other apps such as Excel.
    In XP/2003 the DLLs are installed and accessed from the WINDOWS & System32 directory but due to changes that MS made in Vista/2008 and higher the DLLS need to be installed in the user's local profile for the app to work properly on Vista/2008+.  Example:
    C:\Users\user.name\WINDOWS\Crystal
    This has been easy to manage for the few users on Win 7 workstations but we are now making the move to Server 2008R2 RDS.  Therefore using a script to put these DLLs in the right place via Group Policy when a user logs on to an RDS server (there will be
    multiple and they will be load balanced) seems the logical answer.
    I am not however an expert on scripting by any means.  I can just about manage a logon script to map a network drive.  Could do with some help on:
    > A logon script that runs once per server per user that I can deploy with a GPO
    > The script needs to create a directory in their local user profile path (as previously mentioned) and copy a list of DLLs to it (or just copy the "Crystal" folder to the WINDOWS folder in their local profile).
    Many thanks

    Hi Flanjman,
    If the servers are deployed on server 2008 R2+, you can try a powershell script, and the script below may be helpful for you, which can create a new directory and copy the local folder to the new created folder:
    $newfolder = "C:\Users\user.name\WINDOWS\Crystal"
    New-Item -Path $newfolder -ItemType directory #create new folder
    copy-item -Path d:\test1 -Destination $newfolder -Force -Recurse #copy all the files in the folder
    Then please save the script above as .ps1 file, and follow this article to deploy in GPO:
    Start Me Up: Scripting a Logon with PowerShell
    Please also note, if the PowerShell execution policy on all the servers hasn't been set to allow running a PowerShell script locally, you also need to deploy the execution policy in a GPO first:
    Go to "Computer Configuration\ Administrative Templates\ Windows Components\ Windows Powershell", configure the "Turn on script execution" setting, and choose "Allow local script and remote signed scripts".
    Best Regards,
    Anna
    TechNet Community Support

  • Problem Windows 8 logon script not working from windows server 2008 R2

    hi there , this is third post regard this problem, here is my problem goes .....
    It is a very simple logon script for mapping drives. Please take note: domain users can access and run this script on Windows XP / Windows Vista / Windows 7, and only for users on "WINDOWS 8.1" it does NOT run at all. I put the script as a logon script in Windows Server 2008 R2 group policy...
    @jrv :- http://social.technet.microsoft.com/profile/jrv/?ws=usercard-mini insisted it is my group policy setup problem, so I post here again...
    Manually running the script on WINDOWS 8.1 is 100% perfect, so it is definitely not my logon script issue. Please share any guidance, OK? Thanks
    Below is my script syntax ;-
    @echo off
    REM Login.bat Version 1.0
    REM Exit if user has logged on to the Server
    IF %COMPUTERNAME%.==SL2011. GOTO END
    REM Delete pre-existing drive mappings
    REM
    REM Map M: to SL2011 on sl2011
    NET USE M: /DELETE >nul
    NET USE M: \\SL2011\sl2011 /YES >nul
    REM
    REM Map Y: to AccScan on rss2
    NET USE Y: /DELETE >nul
    NET USE Y: \\rss2\Public\AccScan /YES >nul
    REM
    :END

    Hi Tee Ee Foong,
    According to your post, the gpresult showed the GPO was applied and the script could run successfully manually on the client. Right? Please follow the steps below to narrow down the issue:
    1. Change the script: add > %SystemDrive%\Users\test.txt to the script.
    2. Log on to a client with a regular user account, run gpupdate /force, and then log on to this client again.
    3. Check if the test.txt file exists in this location: %SystemDrive%\Users.
    If the test.txt file exists, the GPO with the logon script is applied successfully when the user logs on. But whether running the logon script achieves the goal we expected is still not sure.
    Regards,
    Lany Zhang

  • Powershell User logon script not Exiting With "Exit" scripts are set to be visible in GPO

    I am trying to run this script as a user logon script and it is set to visible to the user. There are other parts of the script but it won't ever Exit. It works fine if I run it directly; I only have the trouble when it is in the logon script. I'm thinking
    of trying "Kill -Id $PID" but I'm sure I'll get a bad return code.
    Has anyone else experienced this or have any ideas what I could try?
    If (Test-Path U:){
    Robocopy U:\ $Destination /E /move /XF "*.inf"
    New-Item -Path HKCU:\Software\test\test -Name Test –Force
    Else{
    Exit
    Else{
    New-Item -Path HKCU:\Software\test\1 -Name Test1 –Force
    Exit       #here is where it will not stop!
    Exit

    Sorry, I did mention this was only a subset of the complete script.
    So, what I am trying to accomplish in words.
    1. Check for the existence of a certain folder on the C: drive (that is created as a part of a different process).
    2. Look to see if a registry key exists that tells the script if it should run or not. (So if a certain registry key exists under HKCU then don't run; if not, continue.)
    3. The first time a user logs in and does not find the value that the process is already complete, show the user a message box asking them if they are ready to do (something); if not, write a registry key saying step one has completed and then quit.
    4. When the user logs in again the script looks to see if the process is complete and/or if step one is complete; if step one is complete it allows the user to skip the process 2 more times but on the fourth login forces the user to complete the process and
    writes the final registry key that it is complete.
    Like I say I have this all working correctly if I manually have the user run it. I just don't know why Exit is not being recognized when in the users login script processing of the script. I appreciate your reply and any direction you can point me to.

  • Machine authentication is a little slow causing logon script to fail

    using:
    - Windows Zero with PEAP
    - Machine authentication only (AuthMode is set to 2 in the registry)
    - PCs are loginning it automatically, so it's a fast process
    It appears that machine authentication is a little slow. I can ping the PC's IP after the auto login happens. This causes the logon script to fail.
    If I hold shift to cancel auto-login, and wait for 10-20 seconds, the ping of the PC starts, and then if I login the logon script works.
    Does anyone know a solution to this issue? Maybe a way to introduce a delay for login window (msgina.dll) to appear, so that machine authentication has time to connect

    It's a common issue when authentication takes time.
    You can simply delay the logon scripts.
    This is an example of waiting for network to be up by pinging 10.10.10.10
    Only when network is up, then it will execute the script
    :CHECK
    @echo off
    echo Please wait....
    ping -n 1 -l 1 10.10.10.10
    if errorlevel 1 goto CHECK
    @echo on
    REM Now the actual Logon script:
    net use L: \\fileserver\share
    Note: Modify the script in accordance with the network topology.
    Nicolas
    ===
    Don't forget to rate answers that you find useful

  • Logon script delayed by 5 minutes (300 seconds)

    It appears Windows 8.1 may have a built in delay processing logon scripts of 5 minutes.  Obviously, seems how it is brand new I'm not finding an ounce of information about it anywhere.
    Basically, I have troubleshooted this problem for hours now.  It boils down to the simple fact that I have several brand new Windows 8.1 systems joined to a Server 2003 domain.  Users have a GPO applied to them that assigns a logon script that
    maps network drives and printers.  After logging in, the script does not execute until 5 minutes have passed.
    I have removed all other GPOs, eliminated all non-microsoft services and shut off all startup items.  It makes no difference of admin or limited account, roaming profiles or folder redirection makes no difference.  Looking through the event viewer
    -> Microsoft -> Group Policy I can follow the the process step by step and everything looks great.  The event log shows the policy processing and application is happening within milliseconds.  Then there is exactly a 5 minute delay down to
    the second between:
    Group Policy Winlogon Start Shell handling complete
    and
    Starting Logon script for domain\user
    Task manager confirms that wscript.exe does not run until 5 minutes after logging in.  Once wscript.exe starts the logon script is processed as normal and the drives and printers are mapped as expected.
    I do not have any Windows 8 machines at this location, but I checked another location that has very similar policies and scripting and Windows 8 processes the logon script immediately.  This issue appears isolated to Windows 8.1.
    It appears that part of Microsoft's attempt to optimize the startup and logon process of Windows they may have added a 5 minute delay before processing logon scripts.  What I need to know is why, and where is the registry key to change this.
    Thanks

    Mark Russinovich had a very good session about troubleshooting slow logins this year at Teched.  I highly recommend you try running Procmon during bootup to identify exactly why its taking so long.  In his example it was trying to access a path
    for updates that no longer existed and it waited until it timed out and then continued on.  Another example of this was an environment that was installing McAffee every time during bootup which was causing slow logons.  Its worth a shot to at least
    ensure all your policies have been applied as the event log isn't verbose enough.
    This is not my blog, nor am I affiliated, but it seemed like a good tutorial for doing this.
    http://www.msigeek.com/6231
    Be kind and Mark as Answer if I helped.

  • Error in security provider logon stack: no logon to visual administrator

    Probably i made a mistake in configuring SAP-J2EE-Engine security provider login modules.
    Now i cannot logon to Visual Administrator, it tells me
    "Error while connecting
    com.sap.engine.services.security.exceptions.BaseLoginException: Access Denied."
    Is there a way to reset login module stack from configtool or in some config file?
    Many thanks in advance.
    Simone Zaffalon

    Hi
    you can configure your login stack configuration using config tool. Config tool works locally against the server's database, thus no authentication is required.
    1. Be sure that your server is not running! (shutdown SAP J2EE processes)
    2. Launch config tool ("use default db settings").
    3. switch to configuration editor mode (the most-right icon in the icon toolbar)
    4. navigate to security-->configurations
    Here you find your logon stacks and the login modules contained within them. Click on the "pencil" icon for changing your current configuration.
    See the thread below. It will resolve your issue.
    Unable to access Visual Admin
    Points are welcome if it is helpful
    Koti Reddy

  • How can you add a new connection to SAP GUI using a domain logon script?

    We have two new SAP connections and over 1100 computers to add it to.  The computers are on a domain, and using logon scripts. Can someone help me create a script to add connections to the SAP Logon.

    Hello,
    please make the necessary entries in your own SAPLOGON...
    and then deploy the file SAPLOGON.ini from your client to all other clients
    via the logon script...
    Or, and that is what we (SAP) recommend, you can use the SAP FRONTEND INSTALLATION SERVER.
    Best regards, Sven

  • Denying logon to an administrative account

    I'm trying to find a way for user accounts that are used to elevate privileges cannot be logged on to. Like "Deny local logon"
    but with the added benefit of elevating a command prompt with that account.
    Anything like this exist in GPOs? Or any other kind of solution that can give me the same results?

    Hi,
    To deny logon access at the domain level to service administrators,
    please try the following steps:
    Log on with Domain Admins credentials, and then open Active Directory Users and Computers.
    In the console tree, right-click domain name, and then click Properties.
    On the Group Policy tab, click Default Domain Policy, and then click Edit.
    Expand the policy tree to Computer Configuration\Windows Settings\Security Settings\Local Policies, and then click User Rights Assignment.
    In the details pane, double-click Deny logon locally.
    Click Define these policy settings, and then click Add.
    Add all of the service administrator accounts (Administrators, Schema Admins, Enterprise Admins, Domain Admins, Server Operators, Backup Operators, and Account Operators) to the list.
    Also, follow the procedure as below for restoring logon capability to administrators so that they can log on to administrative workstations.
    Allowing Logon Access to Administrative Workstations
    http://technet.microsoft.com/en-us/library/dd379005(v=ws.10).aspx
    Hope this helps,
    Ada Liu

  • Assign a local logon script using Group Policy

    Is there a way to assign a local logon script using Group Policy? The reason I ask is that I wrote a logon/logoff script that will record the date/time, user, and computer for everyone who logs on to any machine in the domain. Right now it's set on a domain
    GPO, so it works great for domain accounts, but I'd like to extend that functionality to local accounts as well. The only way I know how to do that would be to set my script to run using the local policy. Since I don't want to manually go around to all 400+
    machines in my domain, I would rather find a simpler way of modifying the local policy. Any ideas?

    Martin, thank you for your response. That's exactly the kind of out-of-the-box answer I was looking for, unfortunately, it looks like I can only do that for Logon scripts. I don't see an option for Logoff. (Maybe they took the Logoff functionality out?
    This article says there should be a Logoff item in the GPO, but they're talking about Windows 2000 in that article.)
    Matthias, I started playing around with what you said, and I noticed that the "Scripts" key only seems to show up on my Windows 7 clients. The XP workstations don't have that key. Plus I did some testing, and I think I can do it without having
    to mess with the registry at all.
    So I think I have a workable solution at the moment. I found this article that talks about copying Local Policies from one computer to another. I tried manually setting the Logon/Logoff scripts in the Local policy on a fresh machine. From that reference computer I copied the Scripts folder out of the %SYSTEMROOT%\System32\GroupPolicy\User
    directory. It also created a gpt.ini file in the %SYSTEMROOT%\System32\GroupPolicy directory. The gpt.ini file contained an attribute called gPCUserExtensionNames, and one called Version. The gPCUserExtensionNames attribute specified two GUIDs, which
    I assumed to be the GUIDs that identify the Local Policy. I tried manually creating the Local policy on several different machines, with several different Operating Systems, and those GUIDs always seemed to be the same (not sure why). So I copied the gpt.ini
    file off the reference machine as well. When I placed all of the files I copied from the reference machine on to a new machine, everything seemed to work just fine (no registry modification necessary), with one caveat. It seemed to be running the script twice.
    So I went back into the gpt.ini file and deleted one of the GUIDs listed under gPCUserExtensionNames, and now the script runs just once!
    So I think this solution will work ok for me. We don't have any other Local Policies in place, so demolishing all existing Local Policies is perfectly acceptable in my case. I'm just not sure if I'm doing any damage by copying the gpt.ini file from a reference
    machine (if anyone can expand on how that works, I would appreciate the peace of mind that I'm not making things worse by doing this). So all I need now is to write a Startup script, or an SCCM package to deliver the Logon scripts and associated ini files
    to the appropriate location on all the domain PCs. Easy enough to do on my own. If anyone knows of a reason why this method is a bad idea, please post here. I'll be testing it out on a handful of PCs in the mean time.
    Hi Guys,
    Will this solution work for my case? I have a forcereboot batch script that I need to load on the local policy (logoff script through GPEDIT) however I can only load it manually. I need to do it on multiple machines (approx 5000 computers). I am having
    trouble doing it using powershell. Is there any other options to do it? 
    Will I have to use the same GUID's you mentioned on the gpt.ini file? (gPCUserExtensionNames=[{42B5FAAE-6536-11D2-AE5A-0000F87571E3}{40B66650-4972-11D1-A7CA-0000F87571E3}] since it refers to the local script and how about the version on the gpt.ini file?
    Thanks in advance.
    Dash
    https://social.technet.microsoft.com/Forums/en-US/1f636042-bcff-498d-93c0-e1aa89f80961/how-to-load-a-script-on-the-local-group-policy-on-multiple-computers?forum=mdopagpm

  • Wired 802.1x logon-scripts don't run

    I tested wired 802.1x authentication with an XP client and a Cat 2960 switch. The authentication is configured with PEAP and MS-CHAP V2. The 802.1x authentication works well.
    The problem is that the 802.1x authentication starts after the Windows logon. Due to this problem, the logon script doesn't run.
    How can I force the 802.1x authentication before the Windows login starts?
    Regards
    Pascal

    With the XP-Client, this cannot be forced. You need to enable machine authentication. This way, network access is granted with machine credentials by the time the user logs on, and 802.1X authentication occurs during the user logon event.
    Hope this helps,
