Group policy startup script needs elevated privileges


Scripts placed in Computer Configuration\Windows Settings\Scripts (Startup/Shutdown) are run as Local System which is usually all that's required for installing programs etc. The same is true of MSIs deployed using Group Policy.

Do you know what privileges your script requires? What is your script doing that requires these privileges?

Grab a copy of Process Monitor from Sysinternals and, using a standard user account, monitor your script to find out what it's doing and what extra privileges it needs to be able to run. You can then use that information to find out why the Local System account isn't able to run it.

EDIT: An option available to you is for you to use your Startup script to run a net shell command:

netsh interface ipv4 set subinterface interface="Local Area Connection" mtu=1400

It's a single liner you need in your script. Any use?

Lewis
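
A startup-script version of the approach in the answer above, as an added example that is not part of the original answer: it logs which account the script runs as, so you can confirm the GPO ran it as Local System, then sets the IPv4 MTU on each physical adapter. It assumes Windows 8 / Server 2012 or later (NetAdapter and NetTCPIP cmdlets); the log path is a placeholder.

```powershell
# Added example: GPO startup script that sets the IPv4 MTU and logs its security context.
# Assumptions: NetAdapter/NetTCPIP modules are present; the log path is a placeholder.
$TargetMtu = 1400
$LogFile   = Join-Path $env:SystemRoot 'Temp\Set-Mtu.log'   # hypothetical location

function Write-Log {
    param([string]$Message)
    $stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
    Add-Content -Path $LogFile -Value "$stamp $Message"
}

# Record who the script runs as. For a Computer Configuration startup script
# this should be NT AUTHORITY\SYSTEM, whose token includes BUILTIN\Administrators.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Log "Running as $($identity.Name) (IsSystem=$($identity.IsSystem), elevated=$isAdmin)"

if (-not $isAdmin) {
    # Same situation as a non-elevated command prompt: the change would be denied.
    Write-Log 'Not elevated: MTU change would be denied, exiting.'
    exit 1
}

# Physical adapters only; loopback and virtual interfaces are skipped.
foreach ($adapter in Get-NetAdapter -Physical) {
    try {
        $ip = Get-NetIPInterface -InterfaceIndex $adapter.ifIndex `
            -AddressFamily IPv4 -ErrorAction Stop
        if ($ip.NlMtu -eq $TargetMtu) {
            Write-Log "$($adapter.Name): MTU already $TargetMtu"
            continue
        }
        Set-NetIPInterface -InterfaceIndex $adapter.ifIndex -AddressFamily IPv4 `
            -NlMtuBytes $TargetMtu -ErrorAction Stop
        Write-Log "$($adapter.Name): MTU $($ip.NlMtu) -> $TargetMtu"
    }
    catch {
        # For example, IPv4 is not bound to this adapter.
        Write-Log "$($adapter.Name): failed - $($_.Exception.Message)"
    }
}
```

If the log file never appears after a reboot, the policy did not run the script at all, which is a different problem from the script lacking privileges.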


Author: Phil

Updated on September 18, 2022

Comments

  • Phil
    Phil almost 2 years

    I have a script that I want to run at startup but that requires elevated privileges. Is there a way of doing this with Group Policy?

    I tried adding it in as a startup script using GPO but it doesn't appear to run. If I run it from a standard cmd prompt then it gives access denied, but if I right-click the command prompt and select "Run as Administrator" then it works fine, so I suspect it is a permission issue.

    The script is setting the MTU on each NIC to be 1400 as follows:

    Dim strDNSDomain
    Dim strComputer
    Dim strID
    Dim strKeyPath
    Dim strValueName
    Dim strDWValue
    Dim strTemp
    Dim dwValue, bHasAccessRight
    Dim colNamedArguments, colAdapters, objAdapter, oReg, objWMIService

    Const HKEY_LOCAL_MACHINE = &H80000002
    Const DEFAULT_MTU_SIZE = 1400
    Const KEY_SET_VALUE = &H0002

    '==== Gets the setting for MTU from the command line in the form of /MTU:1500 ====

    Set colNamedArguments = WScript.Arguments.Named

    ' Use the default MTU unless /MTU:<value> was passed on the command line
    strDWValue = DEFAULT_MTU_SIZE
    If colNamedArguments.Exists("MTU") Then
        strDWValue = CLng(colNamedArguments.Item("MTU"))
    End If

    ' DNS domain filter; an empty string matches every adapter with a non-empty DNS domain
    strTemp = ""

    strComputer = "."
    Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")
    Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")

    Set colAdapters = objWMIService.ExecQuery("SELECT * FROM Win32_NetworkAdapterConfiguration")
    For Each objAdapter In colAdapters
        strDNSDomain = objAdapter.DNSDomain
        If InStr(1, strDNSDomain, strTemp) > 0 Then
            strID = objAdapter.SettingID
            strKeyPath = "SYSTEM\CurrentControlSet\Services\TCPIP\Parameters\Interfaces\" & strID
            strValueName = "MTU"

            ' Check for write access, since the script sets the value
            oReg.CheckAccess HKEY_LOCAL_MACHINE, strKeyPath, KEY_SET_VALUE, bHasAccessRight
            If bHasAccessRight = True Then
                oReg.GetDWORDValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, dwValue
                WScript.Echo strKeyPath & " value " & strValueName & " contains " & dwValue
                oReg.SetDWORDValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, strDWValue
                WScript.Echo strKeyPath & " value " & strValueName & " changing to " & strDWValue
                oReg.GetDWORDValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, dwValue
                WScript.Echo strKeyPath & " value " & strValueName & " changed to " & dwValue
            Else
                WScript.Echo "Cannot set registry value - access denied"
            End If
        End If
    Next
    
    • Greg Askew
      Greg Askew about 13 years
      What is the script doing?
  • Phil
    Phil about 13 years
    It is setting the MTU for each NIC to 1400 - see edit to question for the script
  • Dave M
    Dave M about 13 years
    +1 Startup/shutdown works well for this.