clivebuckwheat Posted August 6, 2010 Share Posted August 6, 2010 When the UAC /open file security warning is always prompting, yes or no. Is there a way to turn that off via a batch file, which will be run from a share so I can cam complete my post configs after an imaging session?. What do you guys do to get around this annoyance? Link to comment Share on other sites More sharing options...
cluberti Posted August 6, 2010 Share Posted August 6, 2010 You can't dismiss a UAC dialog from a script (for one, it's not shown in the same session as the script that's running). You could disable UAC (and reboot) from a script, and then re-enable it afterwards (that might work). See this. Link to comment Share on other sites More sharing options...
IcemanND Posted August 7, 2010 Share Posted August 7, 2010 How are you runing your post instal scripts? I run mine from a network share via the runonceex registry keys after an autoadmin login and the UAC never prompts me. Link to comment Share on other sites More sharing options...
clivebuckwheat Posted August 7, 2010 Author Share Posted August 7, 2010 How are you runing your post instal scripts? I run mine from a network share via the runonceex registry keys after an autoadmin login and the UAC never prompts me.I am running them from a shared drive via a Novell Login script and the UAC always asks for confirmation. Link to comment Share on other sites More sharing options...
Escorpiom Posted August 8, 2010 Share Posted August 8, 2010 It is possible without reboot. I´m using a script on startup that:- Shares network drive- disables UAC- Lowers IE security settings to avoid warnings- updates system policy using the gpupdate /force commandAfter this, all other scripts are executed without warnings.The first script as explained above is on the local drive, executed as part of firstlogon command. This way there are no problems with UAC. After finishing the scripts/installs there is another script to reset the security settings to default values.If interested, I can post the contents of the .cmd file.Cheers! Link to comment Share on other sites More sharing options...
clivebuckwheat Posted August 9, 2010 Author Share Posted August 9, 2010 Please post them, but we are not using policies in our environment. That will happen next year when we move to active directory and away from Novell. It is possible without reboot. I´m using a script on startup that:- Shares network drive- disables UAC- Lowers IE security settings to avoid warnings- updates system policy using the gpupdate /force commandAfter this, all other scripts are executed without warnings.The first script as explained above is on the local drive, executed as part of firstlogon command. This way there are no problems with UAC. After finishing the scripts/installs there is another script to reset the security settings to default values.If interested, I can post the contents of the .cmd file.Cheers! Link to comment Share on other sites More sharing options...
Tripredacus Posted August 9, 2010 Share Posted August 9, 2010 There are also registry keys used by Internet Explorer that can open prompts when running apps from a network share. Here is an example script I have used before on XP, so some keys might be different for 7.reg add "HKCU\Software\Microsoft\Internet Explorer\Download" /v "CheckExeSignature" /t REG_SZ /d "no" /freg add "HKCU\Software\Microsoft\Internet Explorer\Download" /v "RunInvalidSignature" /t REG_DWORD /d "00000001" /freg add "HKCU\Software\Microsoft\Windows\CUrrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;" /freg Delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v Shell /fThen run scripts hereand when finished, this script reverts to default settings:reg Delete "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download" /v CheckExeSignatures /freg add "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download" /v CheckExeSignatures /t REG_SZ /d yes /freg Delete "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download" /v RunInvalidSignatures /freg Delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations /v LowRiskFileTypes /f Link to comment Share on other sites More sharing options...
Escorpiom Posted August 10, 2010 Share Posted August 10, 2010 (edited) Please post them, but we are not using policies in our environment. That will happen next year when we move to active directory and away from Novell. Hi Clivebuckwheat,You don't have to use active directory. It is posible to use these settings locally. I believe it is called Local Group Policy. Here is my script, it isn't all that different from the script Tripredacus just posted.@echo offREG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d "0" /fREG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\techcomp" /V file /T REG_DWORD /D 00000001 /FREG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\server" /V file /T REG_DWORD /D 00000001 /FREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" /V "Security_HKLM_only" /T REG_DWORD /D "1" /FREG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" /V "AutoDetect" /T REG_DWORD /D "0" /FREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" /V "AutoDetect" /T REG_DWORD /D "0" /FREG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /V "ModRiskFileTypes" /t REG_SZ /d ".exe;.cmd;.bat;.com;.inf;.txt;.doc;.reg;.rar;.7z;.zip;.msi" /fREG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" /V "SaveZoneInformation" /t REG_DWORD /d 1 /fREG ADD "HKLM\Software\Microsoft\Internet Explorer\Download" /V "CheckExeSignatures" /t REG_SZ /d "no" /fREG ADD "HKLM\Software\Microsoft\Internet Explorer\Download" /V "RunInvalidSignatures" /t REG_DWORD /d 1 /fgpupdate /forceTASKKILL /IM EXPLORER.EXE /FECHO Restarting Explorer shell, please wait...START EXPLORER.EXEI use this script for any Windows from XP Home up til 2008R2, that's why it uses several methods. First it disables UACThen it adds the tech comp and the server to the domain listNext it forces that all security settings are managed by the HKLM part of the registry instead of HKCU.Next turns off autodetect intranetLowRiskFileTypes is overkill, mine uses ModRiskFileTypes to add some extensions.Next enable saveZoneInformation so that files are NOT marked with zone info (confusing, it has to be "1")Next it disables signature checking Next it allows running invalid signaturesTo make this effective without having to reboot I added these lines:Gpupdate / force to do a force update of Group Policy SettingsRestarting Explorer Shell is needed because of the latest IE8 security settings. If not, we have to reboot.This is only my n00bish attempt to automate app installs after OS install. It might be that I'm doing something wrong, if so please correct me.@Tripredacus: What does this line mean?reg Delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v Shell /fCheers! Edited August 10, 2010 by Escorpiom Link to comment Share on other sites More sharing options...
clivebuckwheat Posted August 10, 2010 Author Share Posted August 10, 2010 (edited) I have never used policies before. I am just learning them.They are located in gpedit.msc right?Don't the policies have to be configured on a server such as a w2k3, or w2k8 windows server to make this happen?, and then pushed to the clients via gpupdate /force ?.I sincerely apologize for my ignorance in this matter, but I am learning.Please post them, but we are not using policies in our environment. That will happen next year when we move to active directory and away from Novell. Hi Clivebuckwheat,You don't have to use active directory. It is posible to use these settings locally. I believe it is called Local Group Policy. Here is my script, it isn't all that different from the script Tripredacus just posted.@echo offREG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d "0" /fREG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\techcomp" /V file /T REG_DWORD /D 00000001 /FREG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\server" /V file /T REG_DWORD /D 00000001 /FREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" /V "Security_HKLM_only" /T REG_DWORD /D "1" /FREG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" /V "AutoDetect" /T REG_DWORD /D "0" /FREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" /V "AutoDetect" /T REG_DWORD /D "0" /FREG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /V "ModRiskFileTypes" /t REG_SZ /d ".exe;.cmd;.bat;.com;.inf;.txt;.doc;.reg;.rar;.7z;.zip;.msi" /fREG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" /V "SaveZoneInformation" /t REG_DWORD /d 1 /fREG ADD "HKLM\Software\Microsoft\Internet Explorer\Download" /V "CheckExeSignatures" /t REG_SZ /d "no" /fREG ADD "HKLM\Software\Microsoft\Internet Explorer\Download" /V "RunInvalidSignatures" /t REG_DWORD /d 1 /fgpupdate /forceTASKKILL /IM EXPLORER.EXE /FECHO Restarting Explorer shell, please wait...START EXPLORER.EXEI use this script for any Windows from XP Home up til 2008R2, that's why it uses several methods. First it disables UACThen it adds the tech comp and the server to the domain listNext it forces that all security settings are managed by the HKLM part of the registry instead of HKCU.Next turns off autodetect intranetLowRiskFileTypes is overkill, mine uses ModRiskFileTypes to add some extensions.Next enable saveZoneInformation so that files are NOT marked with zone info (confusing, it has to be "1")Next it disables signature checking Next it allows running invalid signaturesTo make this effective without having to reboot I added these lines:Gpupdate / force to do a force update of Group Policy SettingsRestarting Explorer Shell is needed because of the latest IE8 security settings. If not, we have to reboot.This is only my n00bish attempt to automate app installs after OS install. It might be that I'm doing something wrong, if so please correct me.@Tripredacus: What does this line mean?reg Delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v Shell /fCheers! Edited August 10, 2010 by clivebuckwheat Link to comment Share on other sites More sharing options...
Escorpiom Posted August 10, 2010 Share Posted August 10, 2010 (edited) I have never used policies before. I am just learning them.They are located in gpedit.msc right?Don't the policies have to be configured on a server such as a w2k3, or w2k8 windows server to make this happen?, and then pushed to the clients via gpupdate /force ?.I sincerely apologize for my ignorance in this matter, but I am learning.Sure, if your network uses active directory and you log on to a domain, that is the way group policy works, but they also work locally. No problem just test it.Note that gpupdate /force is used to update the policies, not to push policies out to clients. They even work on XP Home, although it hasn't got the UI but the registry entries work all the same.Don't worry about asking, I'm learning every day and will be more than happy to pass on what I've learned here.Cheers.EDIT: Put a note to explain gpupdate /force. Edited August 11, 2010 by Escorpiom Link to comment Share on other sites More sharing options...
Tripredacus Posted August 10, 2010 Share Posted August 10, 2010 @Tripredacus: What does this line mean?reg Delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v Shell /fCheers!I don't really remember. I had needed to do it on a system, but it may be specific to something else that system does, rather than let you run apps. If you can do this without deleting this key, then skip it. Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now