Friday, February 06, 2009

Running Logon Scripts with CPAU

I like scripting.

It helps me manage my client PCs, perform redundant tasks, and push out software updates, among other things.

Most of the users on my network do not have privileges to install software, so this affects how some of my scripts function.

I discovered that setting a GPO to install applications with elevated privileges doesn't mean that logon scripts are also processed the same way. This annoyed me, and I quickly found a solution.

Enter CPAU, from http://www.joeware.net/: a neat little utility that takes the place of RUNAS and is very easy to use.

I use it to launch my domain logon script, as it copies a HOST file and other batch files, run locally by the scheduler service, which ordinary users are not allowed to write.

The following line encodes a file that will run logon.cmd using the credentials provided to it.

\\mydc\netlogon\cpau.exe -u mydomain\UserWithPermissions -p UserWithPermissionsPassword -ex \\mydc\netlogon\logon.cmd -file \\mydc\netlogon\logon.txt -enc

The following line runs this file, which in turn fires logon.cmd with elevated privileges.

\\mydc\netlogon\cpau.exe -hide -file \\mydc\netlogon\logon.txt -dec -lwp

It's important to note that you should use UNC, and if you need local access, use -lwp.

RTFM for more info on his site.
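
Because logon.cmd runs under the privileged account, whoever can modify it, the encoded job file or cpau.exe decides what that account executes. The following PowerShell check is an added example (not from the original post or from joeware) that lists non-trusted principals holding write, delete or ownership rights on those three files; the paths are the post's placeholders and the trusted-principal list is an assumption to adjust.

```powershell
# Added example, not from the original post or from joeware.
# Paths reuse the post's placeholders; $Trusted is an assumed allow-list to adapt.
$Paths = '\\mydc\netlogon\cpau.exe',
         '\\mydc\netlogon\logon.cmd',
         '\\mydc\netlogon\logon.txt'
$Trusted = 'NT AUTHORITY\SYSTEM',
           'BUILTIN\Administrators',
           'MYDOMAIN\Domain Admins'

# File rights that allow changing content, permissions or ownership,
# plus the raw GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits
# that Get-Acl can return unmapped.
$Rights = [System.Security.AccessControl.FileSystemRights]
$WriteMask = [int]($Rights::WriteData -bor $Rights::AppendData -bor
                   $Rights::Delete -bor $Rights::ChangePermissions -bor
                   $Rights::TakeOwnership) -bor 0x50000000

function Get-UntrustedWriter {
    param([string[]]$Path, [string[]]$TrustedPrincipal, [int]$Mask)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) {
            Write-Warning "Not found: $p"
            continue
        }
        $acl = Get-Acl -LiteralPath $p
        # An owner can always rewrite the ACL, so report untrusted owners too.
        if ($TrustedPrincipal -notcontains $acl.Owner) {
            [pscustomobject]@{ Path = $p; Principal = $acl.Owner; Rights = 'Owner' }
        }
        foreach ($ace in $acl.Access) {
            $grantsWrite = ([int]$ace.FileSystemRights -band $Mask) -ne 0
            $who = $ace.IdentityReference.Value
            if ($ace.AccessControlType -eq 'Allow' -and $grantsWrite -and
                $TrustedPrincipal -notcontains $who) {
                [pscustomobject]@{ Path = $p; Principal = $who; Rights = $ace.FileSystemRights }
            }
        }
    }
}

$findings = @(Get-UntrustedWriter -Path $Paths -TrustedPrincipal $Trusted -Mask $WriteMask)
if ($findings.Count) { $findings | Format-Table -AutoSize } else { 'No untrusted write access found.' }
```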

TIP: Place drive and print mapping duties in a script that runs under the user's credentials, i.e., NOT using CPAU. From the site:

Another thing that confused people is security of network drives. When you spawn a process in another security context, you lose access to your current network drives. This is a security function Microsoft has been implementing. It wasn't the case in Windows NT and I know of no way to help you get it re-enabled because you can't. You should use UNC's as much as possible for connecting to remote file shares. See http://support.microsoft.com/kb/180362

PS: He has MANY other great tools available!


3 comments:

Anonymous said...

But this works only on W2k and on XP clients. Try it on Win7 and you will see that there are no super right elevated. Unfortunately! :(

Anonymous said...

Hi guys,

Is CPAU working for Windows 8? I tried it but it seems that it did not work. Or maybe I did something wrong :-/

Ally

Anonymous said...

I was able to encrypt the file, but when I run the command to decrypt it I get Successfully process job file then last line is Error: Caouldn't create the Process: ,2. The system cannot find the file specified.

Thanks
Wade