
Logon script that writes to registry



Hi, I have a logon script that changes the default location of the Outlook Express store from the local system to the user's home folder on a network share.

Now obviously doing this manually on 100 systems is not an exciting prospect, so I thought I would configure this as a logon script for all the users.

The only problem is the logon scripts run in the context of the currently logged-on user(s) who only have domain user rights and thus cannot modify the registry.

I cannot run this in a registry ADM because the OE identifier for each user is different on each system.

I have been googling for this for some time now without any luck so any help is greatly appreciated.

Link to comment
Share on other sites


Stupid question, maybe it's just early for me and I cannot think straight. But is this "<domain>\administrator" referring to the domain name being whatever your domain is? Or will it work as "Domain\Administrator"? I only know what I have used, I have no proper training with Domains and Servers -- so I apologize if this is an extremely simple question, I just don't know if it is simply referring to the Domain Administrators group...?

Ex: My Domain is "Stuff.local" -- So I would use runas "Stuff\Administrator" correct?

Edited by Brennen
Link to comment
Share on other sites

I always create a group policy in AD that has a batch file in the start up section of the GPO. That batch file has the information to delete reg keys add reg keys etc.. And it runs before any user logs in.. It runs while the CTRL ALT DELETE screen is loading.

I think that's what you want to do..

Link to comment
Share on other sites

Stupid question, maybe it's just early for me and I cannot think straight. But is this "<domain>\administrator" referring to the domain name being whatever your domain is? Or will it work as "Domain\Administrator"? I only know what I have used, I have no proper training with Domains and Servers -- so I apologize if this is an extremely simple question, I just don't know if it is simply referring to the Domain Administrators group...?

Ex: My Domain is "Stuff.local" -- So I would use runas "Stuff\Administrator" correct?

That is correct; this would launch regedit under the context of the Admin account.

Link to comment
Share on other sites

Thank you, fizban.

And I know I am not the topic starter, but for me dub is right -- and I was going to start going about that route. I'm a Server 2003 novice, and I help the main admin -- but he is usually too busy with the rest of the network so I am trying to make up for that.

Thanks a lot!

Link to comment
Share on other sites

Hi, thank you all for the replies.

Fizban: cannot use runas because then the application being run would run in the context of the administrator, having a different "HKCU" hive, whereas I need to be able to run the regedit app as the user or by any other means, but the key being modified should be under the user's registry hive and not the administrator's.

dubsdj: startup items, ha, sounds very promising and yes indeed that is what I intend to do. You know, prior to reading this I was going to run another computer login script which would give all domain users write permissions on the regedit application using setacl or cacls and then run my Outlook Express script. Thanks for the suggestion.

Link to comment
Share on other sites

Hi, thank you all for the replies.

Fizban: cannot use runas because then the application being run would run in the context of the administrator, having a different "HKCU" hive, whereas I need to be able to run the regedit app as the user or by any other means, but the key being modified should be under the user's registry hive and not the administrator's.

dubsdj: startup items, ha, sounds very promising and yes indeed that is what I intend to do. You know, prior to reading this I was going to run another computer login script which would give all domain users write permissions on the regedit application using setacl or cacls and then run my Outlook Express script. Thanks for the suggestion.

Just for clarification, how do you plan to access HKCU when no one is logged in? --and I quote: "And it runs before any user logs in.. It runs while the CTRL ALT DELETE screen is loading."

Edited by techtype
Link to comment
Share on other sites

Users have access to edit their own registry settings. All user customizations (changing the theme, desktop wallpaper, etc.) are stored in HKCU. My suggestion, and people have seen me do this before... use KiXtart. It was originally designed to be a logon script processor and has a TON of registry features.

http://www.kixtart.org/

Here's an example line that would change the desktop wallpaper:

$X = WriteValue("HKCU\Control Panel\Desktop","Wallpaper","<new wallpaper bitmap>","REG_SZ")

Look simple enough? :)

Link to comment
Share on other sites

Techtype: hi, you got me there, I was so excited at the prospect of it all working that I hadn't given it much thought.

nmxmemnoch: Hi, I haven't used KiXtart before but I guess I could always learn. But is this any different from the other scripting languages (e.g. VB or batch) in the sense of writing to the registry when the users only have read-only rights? Because I don't really care which language is used; all I want to get done is basically have the registry modified while the users are logged in or logging in without giving them too many rights. Is that possible with KiXtart??

Link to comment
Share on other sites

Kixtart should work fine for that purpose. I use Kixtart to map the user network drives based off groups they are part of. I have also used it for some registry entries, but I moved that to a simple catch file since I do not have read/write problems with our users.

I think if you follow the link posted by nmX.Memnoch, and some basic directions for use that you can get from the manual -- along with the sample value nmX.Memnoch set, you should be in good shape in no time.

I think it would look something like this:

$X = WriteValue("HKEY_CURRENT_USER\Identities\{idnum}\Software\Microsoft\Outlook Express\5.0","Store Root","\\network\data\outlook data store\","REG_EXPAND_SZ")

Take that (with the store path changed obviously -- and the idnum??), move it to your netlogon folder and save as "Outlook.kix". Download kixtart and place the executable in the netlogon folder, then create a batch file like "logon.bat" and make it something like this:

@echo off

%0\..\kix32.exe %0\..\outlook.kix

-- Someone go ahead and correct me if I am wrong but I think this should work fine --

Edited by Brennen
Link to comment
Share on other sites

I want to get done is basically have the registry modified while the users are logged in or logging in without giving them too many rights. Is that possible with KiXtart??

You shouldn't have problems writing to anywhere under HKCU as a regular User, except for the Group Policy keys. This is regardless of the language you use.

My primary logon script is over 1200 lines long, and there are two supplemental scripts that sometimes get called. The supplemental scripts are several hundred lines each. I do everything from checking the version of our antivirus program (emails me if it's the wrong version), checking virus definition dates (emails me if they're too old), setting Office user information (for the Track Changes and Author options) to simply mapping network drives and printers. And it all runs in the context of a regular user.

Link to comment
Share on other sites

memnoch: well, I tested the script on a user who had local admin rights and the script worked with no problems, but the same failed on a regular user. So I presumed the user couldn't write to the registry, but if as you say even regular users can modify the HKCU reg entries then I guess I have to have a relook at the domain policy. Maybe there is a conflicting setting somewhere, I hope. :)

Brennen: Hi, thanks for the KiXtart snippet. The OE ID, well, is a bit tricky but I got that covered in the VBScript. If what memnoch says is right then I guess it shouldn't matter what language the script is written in. So let me have a look again and then I shall post the results tomorrow.

Link to comment
Share on other sites

@echo off

%0\..\kix32.exe Outlook.kix

-- Someone go ahead and correct me if I am wrong but I think this should work fine --

I would probably make that like this just for the sake of sanity when trying to figure out why it's not working :)

@ECHO OFF

%0\..\kix32.exe %0\..\outlook.kix

memnoch: well, I tested the script on a user who had local admin rights and the script worked with no problems, but the same failed on a regular user. So I presumed the user couldn't write to the registry, but if as you say even regular users can modify the HKCU reg entries then I guess I have to have a relook at the domain policy. Maybe there is a conflicting setting somewhere, I hope. :)

I just checked and the profile owner (i.e. the user) does have full access to write to the area you're trying to write to. The only way they wouldn't is if you already have a GPO that locks down that access for whatever reason.

Link to comment
Share on other sites
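
An added example, not from any poster in this thread, written in PowerShell rather than the KiXtart or VBScript discussed above: run as the logged-on user, it finds each Outlook Express identity key under HKCU\Identities, writes Store Root, and on failure prints the key's ACL so a GPO or permission lock-down can be spotted. The share path is a placeholder, and the GUID pattern used to recognise identity keys is an assumption.

```powershell
# Added example. Runs in the logged-on user's own context, so HKCU: is that
# user's hive; no runas or administrator rights are involved.

# Placeholder UNC path (assumption); replace with the real home share.
$storeRoot  = "\\fileserver\home\$env:USERNAME\OE Store\"
$identities = 'HKCU:\Identities'

if (-not (Test-Path $identities)) {
    Write-Output 'No Outlook Express identities exist in this profile yet.'
    return
}

# Each identity is a subkey whose name is a per-user GUID in braces
# (assumed pattern), which is why a static ADM/.reg file cannot target it.
Get-ChildItem -Path $identities |
    Where-Object { $_.PSChildName -match '^\{[0-9A-Fa-f-]{36}\}$' } |
    ForEach-Object {
        $oeKey = "$identities\$($_.PSChildName)\Software\Microsoft\Outlook Express\5.0"
        if (-not (Test-Path $oeKey)) { return }   # identity without OE 5.0 data

        try {
            # REG_EXPAND_SZ, matching the value type used in the thread.
            New-ItemProperty -Path $oeKey -Name 'Store Root' -Value $storeRoot `
                -PropertyType ExpandString -Force -ErrorAction Stop | Out-Null
            Write-Output "Updated Store Root under $oeKey"
        }
        catch {
            # A normal profile owner has Full Control here. If the write
            # fails, show who actually holds rights on the key.
            Write-Output "Write failed on ${oeKey}: $($_.Exception.Message)"
            (Get-Acl -Path $oeKey).Access |
                Select-Object IdentityReference, RegistryRights, AccessControlType |
                Format-Table -AutoSize | Out-String | Write-Output
        }
    }
```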
