Logon scripts via Group Policy, who do they run as ?

[Fatboy40]

I've never been 100% certain in regards to under what user a logon script is run as when it is called via a group policy ? (for this example its a Windows Server 2003 network with XP clients).

Does a login script run under the account of the user who is logging in, and therefore come under the effect of the various rights that they have localy on their PC ?. For example if they are just in the local users group and a script calls for files to be copied to the local PC will the copy fail ?.

Thanks

[FAT64]

I think that there are only 2 possible account candidates: the user account of the person logging on or the SYSTEM account. My gut feeling would go with the SYSTEM account. Anyone care to offer an alternative suggestion?

Edit:

After much Google-ing, it seems that Startup and Shutdown scripts certainly use the SYSTEM account, so maybe a Logon script uses the account of the person logging on; hence the name?

Edited November 27, 2007 by FAT64

[Fatboy40]

After more digging around I agree with you FAT64, I need to run a startup script and ensure that the system accoutn has rights to any shares where I need to copy files from

[FAT64]

After yet more Google-ing, I have come to the conclusion that Logon scripts simply use the account of the person logging on. B)

[cluberti]

Computer startup / shutdown scripts run as LOCAL SYSTEM, and user logon / logoff scripts run as that user.

[bennebiest]

For example if they are just in the local users group and a script calls for files to be copied to the local PC will the copy fail ?.

If you configure a loginscript via group policy. This script will be executed if the user is a member of the OU where the GPO w/ the loginscript is linked.

So if the user is just in the local users group (client XP machine), the loginscript will not be executed.

edit: I didn't get your question right :-)

Edited November 29, 2007 by bennebiest

[nmX.Memnoch]

For example if they are just in the local users group and a script calls for files to be copied to the local PC will the copy fail ?

If you're trying to copy the file to a location where regular users don't have write access, yes, it will fail.

We use SMS here at work, but unfortunately I don't have direct access to create/push packages using it (it's a complicated setup...). What we came up with was to use AdminScriptEditor to package scripts to run with alternate privileges. We've been using this to deploy updates to our PCs via the logon script with great success.