Announcement

Collapse
No announcement yet.

Frustration

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Frustration

    Ok so I was handed a batch file by my boss. The file checks to see if a testing program is installed, if it is not installed it installs the program then launches the program, thus launching the test.

    This can only be applied to a user account that we created, and it is required to work on any ol' random machine that the teachers decide are the testing computers of the day (out of about 2500 systems).

    I need this to load, without making the students a local admin on the computers (pointedly the student testing account) without asking for credentials which for obvious reasons the students will not have.

    Things I have tried:
    1) Assigned the batch file as a logon script on the "Profile" tab of Active Directory - fail, does nothing.
    2) Converted the batch file to an exe and assigned as a logon script on the "Profile" tab of Active Directory - fail, does nothing
    3) In the properties of the .exe set the "Run As Administrator" to checked for all users, then set as a logon script in the "Profile" tab of AD - Also fail, does nothing (WTF?)
    4) Created a GPO applied it to the user account. Set the exe to be run as administrator and applied that to the logon script of the GPO. - Runs, but asks for credentials*.
    5) Applied the .bat file to the gpo - Also runs but asks for credentials (as expected).
    6) Created a shortcut to the .bat file. Set the shortcut to run as admin. Applied the shortcut to the GPO. - Fail, it bypasses the shortcut and just copies the batch file as if the shortcut wasn't there into the Sysvol.

    *The problem with #4 is that for some reason, when the exe is copied from one DC to another, the run as admin setting is removed. So short of creating 12 exes, then logging into all of our DCs and setting them individually to be run as admin (if that will even work) is there a better way to do this?

    There has to be. This is completely asanine.

    Thanks for the help!
    Two things:
    1) If I wrote something wrong please please please let me know. I want to know ESPECIALLY if I am wrong.
    2) I have a tendency to write things that are misconstrued as being agressive or not so pleasant. That is not my intent.

  • #2
    Re: Frustration

    Well, if the computer is receiving the Group Policy and failing to apply it, it should issue an error in the event logs. The first thing we need to know in those cases where it did nothing would be to know if the problem is with the computer receiving the GP or with the GP itself.

    Is there no way you can get a list of computernames for those on which they wish to test? This would be a hell of a lot simpler if you could assign it as a startup script.

    Comment


    • #3
      Re: Frustration

      You are correct in the computer applications, however unfortunately that is not an option.

      The failures to apply were not via GPO they were in the logon script in AD (on the Profile tab), which I have never seen fail before, but it just does not run anything I put in there now (Win 7X64 Enterprise coming from a Server 2012 domain) and there is nothing in the event logs at all.

      The GPOs work but require admin permissions. I think I am going to have to just go through and manually set all of them to run as admin, which is going to take the better part of a day, but it has to be done so off we go!

      Thanks for the help!
      Two things:
      1) If I wrote something wrong please please please let me know. I want to know ESPECIALLY if I am wrong.
      2) I have a tendency to write things that are misconstrued as being agressive or not so pleasant. That is not my intent.

      Comment


      • #4
        Re: Frustration

        Is the application profile-specific? If not, you could always create a temporary Domain Admin account, assign the batch file as a logon script to it via GPO and log on to these computers using that account. You'd still have to hit every computer, but it's better than elevating each local user account for only as long as it takes to install the software.

        Comment


        • #5
          Re: Frustration

          I have actually pondered that, however it would mean a level of organization that does not actually exist in our school district (i.e. someone would have to make a decision about which computers we are going to use so we can preload) and the key words there are "make a decision". Nobody does that here.

          Thanks though!
          Two things:
          1) If I wrote something wrong please please please let me know. I want to know ESPECIALLY if I am wrong.
          2) I have a tendency to write things that are misconstrued as being agressive or not so pleasant. That is not my intent.

          Comment


          • #6
            Re: Frustration

            No problem. I spent 12 years in the IT department of a public school district. Glad I'm not there anymore.

            Comment

            Working...
            X