Can I Deploy a batch file with Group Policy to run as administrator?

domain-name-system group-policy batch-file
93,276

Solution 1

Yes, you can deploy batch files via Group Policy that will run under the context of Local System. A very common way of doing so is Computer Startup scripts. (As opposed to User Logon scripts.)

Also, this is probably the worst possible way imaginable of blocking Facebook.

Computer Startup Script

From http://technet.microsoft.com/en-us/library/cc770556.aspx

Startup scripts are run under the Local System account, and they have the full rights that are associated with being able to run under the Local System account.

The Local System account is essentially even more powerful than Administrator.

Solution 2

I know this is an old post, but what the heck. I'm not sure what's up with the naysayers. Pointing the objectionable domain to the local loopback address seems like a perfectly fine way to block access. It'll prevent DNS from returning the real address of the Facebook site, and if the user is not a local administrator, even if they know about the hosts file, which they probabaly don't, they won't have permissions to change it.

The problem I see with your approach is that if you got it running, you'll be appending that same line to your hosts file over and over again indefinitely.

If you're going to do this, you should have a script that looks for that line in the file, and only appends it if it doesn't already exist (and perhaps edits it if it doesn't say what you want it to).

Finally, running as the local SYSTEM account won't work if the script needs network access, unless you grant adequate permissions to the AD "Domain Computers" group and are prepared to do a little debugging.

Solution 3

You might want to change this to:

0.0.0.0 www.facebook.com

If you use the loopback address you'll have to wait for a timeout unless there is a local web server.

Share:
93,276

Related videos on Youtube

pgunston
Author by

pgunston

Web Developer / Desktop Support / System Administrator

Updated on September 18, 2022

Comments

  • pgunston
    pgunston over 1 year

    I have created a batch script which will block Facebook by amending the hosts file in this location C:\windows\system32\drivers\etc\hosts

    This is the contents of the batch file:

    @echo off
echo 127.0.0.1 www.facebook.com >> C:\windows\system32\drivers\etc\hosts
exit

    I have tested this batch file on my local machine and it works however, it will only work when I run it as Administrator.

    Is it possible to deploy this batch file to all computers on my network, running as administrator using Group Policy?

    I am using Windows Server 2012.

  • pgunston
    pgunston over 9 years
    Thanks, The reason I want to use Group Policy to block facebook is because I need granularity. I want to only block it for particular users.
  • 030
    030 over 9 years
    @pgunston this information would clarify the question.
  • pgunston
    pgunston over 9 years
    I achieved my goal by using Symantec Endpoint Protection Management Server rather than using DNS.
  • Jonas Lear
    Jonas Lear over 8 years
    I know I'm a year late, just wanted to iterate a bit on what Ryan said. This is the worst way of blocking Facebook because it relies on a lot and only works on IE. So if someone were to download another browser, that hosts file becomes pointless. However, if your network is locked down, everyone is domain user and downloads of Chrome are disabled, and you have all proxies blocked, then you should be fine, lol.
  • Craig Tullis
    Craig Tullis about 7 years
    Jonas, that completely wrong. The DNS client on every operating system looks at the hosts file before running a query against the configured DNS servers. Every program running on the operating system, certainly all of the web browsers, use the operating system's DNS client to find hosts on the network. This is not just an IE fix, it will affect every program running on the machine that uses DNS normally.
  • Craig Tullis
    Craig Tullis about 7 years
    Are you sure about that? If you ping 127.0.0.1, it will respond immediately UNLESS that mechanism has been subverted somehow on your machine or your network.
  • Dylan Knoll
    Dylan Knoll about 7 years
    You're listening for ping on localhost, but likely not for http traffic. Try again with http-ping or ping an unreachable host.
  • Craig Tullis
    Craig Tullis about 7 years
    That might be a fair point. But if the objective is to block access to an objectionable website, why worry about a timeout? I have a ready answer, of course, which is that you get Facebook assets (tracking scripts, primarily) injected into other web pages all over the web, and a timeout accessing the facebook.com domain would impact the load time of every such page.
  • Dylan Knoll
    Dylan Knoll about 7 years
    Why ask the question if you already know the answer? ;)
  • Craig Tullis
    Craig Tullis about 7 years
    haha, well, one the one hand I don't care if they experience a timeout trying to access something I'm blocking. On the other hand... the law of unintended consequences. ;)
  • Dylan Knoll
    Dylan Knoll about 7 years
    Yes, even this site has Facebook assets. My responses here and elsewhere are based upon experience and research... those two tend to mitigate unintended consequences.
  • Craig Tullis
    Craig Tullis about 7 years
    So... going back to the research issue. You will definitely experience a timeout trying to reach an IP address that doesn't respond immediately. Trying to reach a specific non-existent service on a live host, however, should result in an immediate rejection, as the host will explicitly refuse the connection. Unless the host is just dropping packets, of course, but it's unlikely that an edge device other than a firewall is doing that.
  • Dylan Knoll
    Dylan Knoll about 7 years
    Test it and let me know... the answer may surprise you! :)
  • Craig Tullis
    Craig Tullis about 7 years
    Informally (as tests go), I just tried 127.0.0.1 using a web browser, on my machine which is not currently configured as a development web server, and the ERR_CONNECTION_REFUSED result was immediate. To be fair, I've actually seen and done this in the past using hosts files that were intentionally full of objectionable (porn, gambling, etc.) dns names.
  • Dylan Knoll
    Dylan Knoll about 7 years
    Immediate by your own sight, or 0ms?
  • raja
    raja about 7 years
    Welcome to serverfault. There are a lot of "head scratching" answers here.
  • Craig Tullis
    Craig Tullis about 7 years
    As there are everywhere, I suppose. And thank you for the welcome. ;-)

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Deny running batch files
How can I edit local Group Policy settings using command line?
AD DC - Group Policy Event ID 1055
Install RSClientPrint for Reporting Services 2012 using .bat file and still be able to use 2005
Group Policy for DNS Server Addresses
"Applying user settings" takes a long time for domain users
Run Log-on Script with Admin Rights
Event ID 1030/1058 causing DNS and Group Policy errors
NetLogon and RPC Errors
Group Policy to Specify DNS Servers in DHCP Environment - Good or Bad?