How do I run scripts from a network share


When the UAC / open file security warning is always prompting, yes or no. Is there a way to turn that off via a batch file, which will be run from a share so I can complete my post configs after an imaging session? What do you guys do to get around this annoyance?


You can't dismiss a UAC dialog from a script (for one, it's not shown in the same session as the script that's running). You could disable UAC (and reboot) from a script, and then re-enable it afterwards (that might work). See this.


How are you running your post install scripts?

I run mine from a network share via the runonceex registry keys after an autoadmin login and the UAC never prompts me.

I am running them from a shared drive via a Novell Login script and the UAC always asks for confirmation.


It is possible without reboot. I'm using a script on startup that:

- Shares network drive

- disables UAC

- Lowers IE security settings to avoid warnings

- updates system policy using the gpupdate /force command

After this, all other scripts are executed without warnings.

The first script as explained above is on the local drive, executed as part of firstlogon command.

This way there are no problems with UAC.

After finishing the scripts/installs there is another script to reset the security settings to default values.

If interested, I can post the contents of the .cmd file.

Cheers!


Please post them, but we are not using policies in our environment. That will happen next year when we move to active directory and away from Novell.


There are also registry keys used by Internet Explorer that can open prompts when running apps from a network share. Here is an example script I have used before on XP, so some keys might be different for 7.

reg add "HKCU\Software\Microsoft\Internet Explorer\Download" /v "CheckExeSignatures" /t REG_SZ /d "no" /f
reg add "HKCU\Software\Microsoft\Internet Explorer\Download" /v "RunInvalidSignatures" /t REG_DWORD /d "00000001" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;" /f
reg Delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v Shell /f

Then run scripts here

and when finished, this script reverts to default settings:

reg Delete "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download" /v CheckExeSignatures /f
reg add "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download" /v CheckExeSignatures /t REG_SZ /d yes /f
reg Delete "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download" /v RunInvalidSignatures /f
reg Delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations /v LowRiskFileTypes /f


Please post them, but we are not using policies in our environment. That will happen next year when we move to active directory and away from Novell.

Hi Clivebuckwheat,

You don't have to use active directory. It is possible to use these settings locally. I believe it is called Local Group Policy. Here is my script, it isn't all that different from the script Tripredacus just posted.

@echo off
REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d "0" /f
REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\techcomp" /V file /T REG_DWORD /D 00000001 /F
REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\server" /V file /T REG_DWORD /D 00000001 /F
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" /V "Security_HKLM_only" /T REG_DWORD /D "1" /F
REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" /V "AutoDetect" /T REG_DWORD /D "0" /F
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" /V "AutoDetect" /T REG_DWORD /D "0" /F
REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /V "ModRiskFileTypes" /t REG_SZ /d ".exe;.cmd;.bat;.com;.inf;.txt;.doc;.reg;.rar;.7z;.zip;.msi" /f
REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" /V "SaveZoneInformation" /t REG_DWORD /d 1 /f
REG ADD "HKLM\Software\Microsoft\Internet Explorer\Download" /V "CheckExeSignatures" /t REG_SZ /d "no" /f
REG ADD "HKLM\Software\Microsoft\Internet Explorer\Download" /V "RunInvalidSignatures" /t REG_DWORD /d 1 /f
gpupdate /force
TASKKILL /IM EXPLORER.EXE /F
ECHO Restarting Explorer shell, please wait...
START EXPLORER.EXE

I use this script for any Windows from XP Home up until 2008R2, that's why it uses several methods.

First it disables UAC

Then it adds the tech comp and the server to the domain list

Next it forces that all security settings are managed by the HKLM part of the registry instead of HKCU.

Next turns off autodetect intranet

LowRiskFileTypes is overkill, mine uses ModRiskFileTypes to add some extensions.

Next enable saveZoneInformation so that files are NOT marked with zone info (confusing, it has to be "1")

Next it disables signature checking

Next it allows running invalid signatures

To make this effective without having to reboot I added these lines:

gpupdate /force to do a forced update of Group Policy settings

Restarting Explorer Shell is needed because of the latest IE8 security settings. If not, we have to reboot.

This is only my n00bish attempt to automate app installs after OS install. It might be that I'm doing something wrong, if so please correct me.

@Tripredacus: What does this line mean?

reg Delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v Shell /f

Cheers!

Edited by Escorpiom
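
The thread mentions a second script that resets the settings after the installs, but only the IE part of one is posted. As an added example (not any poster's script), this PowerShell check reports which of the values written by the two scripts above are still in their relaxed state; `Test-Relaxation` is a hypothetical helper name, and "relaxed" here means only "still holds the data those scripts wrote".

```powershell
# Added example (not from the thread). A row is flagged when the value still
# holds the data the thread's scripts wrote; Relaxed = '*' flags mere presence.
$checks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'EnableLUA'; Relaxed = '0' },
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments'; Name = 'SaveZoneInformation'; Relaxed = '1' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'; Name = 'Security_HKLM_only'; Relaxed = '1' },
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\techcomp'; Name = 'file'; Relaxed = '1' },
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\server'; Name = 'file'; Relaxed = '1' }
)

# One script writes the IE download and file-association values under HKCU,
# the other under HKLM, so both hives are checked. HKCU is the current user's
# hive: run this as the account that ran the install scripts.
foreach ($hive in 'HKLM:', 'HKCU:') {
    $ie    = "$hive\Software\Microsoft\Internet Explorer\Download"
    $assoc = "$hive\Software\Microsoft\Windows\CurrentVersion\Policies\Associations"
    $checks += @{ Path = $ie;    Name = 'CheckExeSignatures';   Relaxed = 'no' }
    $checks += @{ Path = $ie;    Name = 'RunInvalidSignatures'; Relaxed = '1' }
    $checks += @{ Path = $assoc; Name = 'LowRiskFileTypes';     Relaxed = '*' }
    $checks += @{ Path = $assoc; Name = 'ModRiskFileTypes';     Relaxed = '*' }
}

function Test-Relaxation($Check) {
    $current = $null
    $state   = 'ok (not set)'
    # A missing key or missing value returns nothing instead of throwing.
    $item = Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction SilentlyContinue
    if ($item) {
        $current = $item.($Check.Name)
        if ($Check.Relaxed -eq '*' -or "$current" -eq $Check.Relaxed) { $state = 'STILL RELAXED' }
        else { $state = 'ok' }
    }
    New-Object PSObject -Property @{
        State = $state; Name = $Check.Name; Current = $current; Path = $Check.Path
    }
}

$report = $checks | ForEach-Object { Test-Relaxation $_ } |
    Select-Object State, Name, Current, Path
$report | Format-Table -AutoSize

# A non-zero exit code lets a deployment task sequence stop on a failed revert.
$open = @($report | Where-Object { $_.State -eq 'STILL RELAXED' }).Count
if ($open -gt 0) { Write-Warning "$open relaxed setting(s) still in place"; exit 1 }
```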

I have never used policies before. I am just learning them.

They are located in gpedit.msc right?

Don't the policies have to be configured on a server such as a w2k3 or w2k8 Windows server to make this happen, and then pushed to the clients via gpupdate /force?

I sincerely apologize for my ignorance in this matter, but I am learning.

Edited by clivebuckwheat

Sure, if your network uses active directory and you log on to a domain, that is the way group policy works, but they also work locally. No problem just test it.

Note that gpupdate /force is used to update the policies, not to push policies out to clients.

They even work on XP Home, although it hasn't got the UI but the registry entries work all the same.

Don't worry about asking, I'm learning every day and will be more than happy to pass on what I've learned here.

Cheers.

EDIT: Put a note to explain gpupdate /force.

Edited by Escorpiom

@Tripredacus: What does this line mean?

reg Delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v Shell /f

Cheers!

I don't really remember. I had needed to do it on a system, but it may be specific to something else that system does, rather than let you run apps. If you can do this without deleting this key, then skip it.
