run (gpo) setup (.exe) files @ startup/logon

  • run (gpo) setup (.exe) files @ startup/logon

    I'd like to run the next script @ logon/startup:
    Code:
    @ECHO OFF
    SETLOCAL ENABLEEXTENSIONS
    
    IF NOT EXIST "%systemroot%\LOGS\LKSVDD\Tim\IrfanView-436_Deploy.txt" (GOTO IrfanView_Setup) ELSE GOTO:EOF
    
    :IrfanView_Setup
    
    if defined ProgramFiles(x86) (SET "PrgFiles=%ProgramFiles(x86)%") ELSE (SET "PrgFiles=%ProgramFiles%")
    REM SET "PrgFiles="
    IF "%PrgFiles%"=="" (GOTO ERROR)
    
    rem *import* SetUp elevation...
    Reg.exe IMPORT "\\dc01.lksvdd.local\netlogon\Fix\Irfanview\irfanview_elevation.reg" > NUL 2>&1
    
    
    rem *SetUp* IrfanView...
    Start "SetUp IrfanView" /D"\\lksvdd\netlogon\Fix\Irfanview\" /MIN /WAIT /B "iview436_setup.exe" /silent /folder="%PrgFiles%\irfanview" /desktop=1 /thumbs=0 /group=1 /allusers=1 /assoc=1 /assocallusers /ini="%PrgFiles%\irfanview"
    
    rem *SetUp* IrfanView Plugins...
    Start "SetUp IrfanView Plugins" /D"\\lksvdd\netlogon\Fix\Irfanview\" /MIN /WAIT /B "irfanview_plugins_436_setup.exe" /silent
    
    rem *Copy* IrfanView Dutch Language .ini settings...
    Start "Copy_Custom-NL-Language files" /D"%WinDir%\system32\" /MIN /B xcopy.exe "\\lksvdd\netlogon\Fix\Irfanview\Languages\*.*" "%PrgFiles%\irfanview\Languages\" /s /e /c /Q /h /r /y > NUL 2>&1
    Start "Copy_Custom-NL-Language  .ini" /D"%WinDir%\system32\" /MIN /B xcopy.exe "\\lksvdd\netlogon\Fix\Irfanview\i_view32.ini" "%PrgFiles%\irfanview\" /c /Q /h /r /y >nul 2>&1
    
    
    REM echo.
    ECHO %DATE% %TIME%: FiNiSHED IrfanView 4.36 install +Plugins +Dutch_Language... >> "%systemroot%\LOGS\LKSVDD\Tim\IrfanView-436_Deploy.txt" 2>&1
    REM echo.
    GOTO EXIT
    
    
    :EXIT
    REM echo.
    rem ECHO.script date: 09-07-2013
    REM echo.
    rem PAUSE
    GOTO:EOF
    
    
    :ERROR
    CLS
    echo.
    echo.
    ECHO ERROR:
    ECHO No "Program Files (x86)" and/or No "Program Files" path found?
    echo.
    ECHO "PrgFiles"=="%PrgFiles%"
    echo.
    ECHO variables should be: %ProgramFiles(x86)% or %ProgramFiles%
    echo.
    echo.
    PAUSE
    GOTO:EOF
    But my problem is that when the workstations log on and this script runs, I get a security warning asking if I want to run "iview436_setup.exe" and "irfanview_plugins_436_setup.exe", and that's something I really don't want to happen.

    I start/run this script with GPO: comp.conf.->policies->admin.templ.->system->logon->run these programs at user logon
    Can I elevate these setup files or whatever? I probably need an exception for these 2 files some way or another, I'm kinda stuck...

    With kind regards, Tim

  • #2
    Re: run (gpo) setup (.exe) files @ startup/logon

    Originally posted by APOC View Post
    I get a security warning asking if I want to run "iview436_setup.exe" and "irfanview_plugins_436_setup.exe"
    Hi Tim,

    Of course the user must be a member of the local administrators group to be able to install software! A logon script option will not work for regular users.

    Is it an "Open File – Security Warning" prompt?
    Are the exe files on a server in the domain?

    Basically - for the user,
    1) Add the FQDN of the local domain to the list of sites at the "Local Intranet zone" in Internet Explorer - (only if you would configure this manually via IE options you don't need to logoff-on)
    If a user still gets the security warnings you can,
    2) Configure for the user the setting "Launching Applications and Unsafe Files" at the "Local Intranet zone" to -> "Permit"
    further,
    3) Sometimes you have to configure what should be included in the Local intranet zone (and disable AutoDetect).


    The registry keys are (can use an adm file or gpp to configure it),
    Code:
    Windows Registry Editor Version 5.00
    
    ; requires the user log-off and on  for the changes to take effect,
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\nameofdomain.local]
    "file"=dword:00000001
    
    ; if needed,
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
    "1806"=dword:00000000
    
    ; only if you should,
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
    "AutoDetect"=dword:00000000
    "IntranetName"=dword:00000001
    "ProxyBypass"=dword:00000001
    "UNCAsIntranet"=dword:00000001
    Or, it can be done with a logon script:
    Code:
    rem  requires the user log-off and on  for the changes to take effect,
    Reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\nameofdomain.local" /v "file" /t REG_DWORD /d 1 /f
    
    rem  if needed,
    Reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1" /v "1806" /t REG_DWORD /d 0 /f
    
    rem  only if you should,
    Reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" /v "AutoDetect" /t REG_DWORD /d 0 /f
    Reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" /v "IntranetName" /t REG_DWORD /d 1 /f
    Reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" /v "ProxyBypass" /t REG_DWORD /d 1 /f
    Reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" /v "UNCAsIntranet" /t REG_DWORD /d 1 /f

    Note: the default HKLM settings for the Local Intranet zone (1) on a client computer are: 'Launching Applications and Unsafe Files' (1806) is already set to 'Permit' (0) and 'AutoDetect' is enabled by default. So with a Startup script you probably wouldn't get the File Open Security Warnings from the beginning.


    /Rems
    Last edited by Rems; 10th July 2013, 18:17.

    This posting is provided "AS IS" with no warranties, and confers no rights.

    __________________

    ** Remember to give credit where credit's due **
    and leave Reputation Points for meaningful posts



    • #3
      Re: run (gpo) setup (.exe) files @ startup/logon

      YES: Is it an "Open File – Security Warning" prompt?
      YES: Are the exe files on a server in the domain?

      (users do have admin rights, is needed for specific software so in this case it's a plus )

      Additional info: I don't have such problems with .msi files though.
      Last edited by APOC; 9th July 2013, 19:20. Reason: added msi



      • #4
        Re: run (gpo) setup (.exe) files @ startup/logon

        Originally posted by APOC View Post
        YES: Is it an "Open File Security Warning" prompt?
        YES: Are the exe files on a server in the domain?

        (users do have admin rights, is needed for specific software so in this case it's a plus )

        Additional info: I don't have such problems with .msi files though.
        This is usually caused by the data streams on the exe file.

        Download this Streams and run it in the folder where your .exe files are with the command streams -s -d

        It should remove the file streams for you.



        • #5
          Re: run (gpo) setup (.exe) files @ startup/logon

          No files with streams found. (for your information)

          I'll be testing Rems advice right now...



          • #6
            Re: run (gpo) setup (.exe) files @ startup/logon

            Rems' .reg tweak doesn't seem to help me out (?)

            And I found out that these .reg settings do get reset after reboot (or logoff/logon).
            When I apply them manually they do get in the register, when I logoff & logon again then the settings are gone??? I can't find any rule in my GPO's which probably overwrite or reset default or whatever, so I'm a little confused why this happens OR is this normal?

            Only these settings do get reset by the way:
            [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
            "AutoDetect"=dword:00000000
            "IntranetName"=dword:00000001
            "ProxyBypass"=dword:00000001
            "UNCAsIntranet"=dword:00000001


            These settings also seem to get reset when I start/run IE or Firefox ???

            This does seem to give a workaround:
            Code:
            REG ADD "HKCU\Environment" /V SEE_MASK_NOZONECHECKS /T REG_SZ /D 1 /F
            REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /V SEE_MASK_NOZONECHECKS /T REG_SZ /D 1 /F
            Not sure if it's the best/safe way to do it? Perhaps someone can give his insight on this?
            Last edited by APOC; 10th July 2013, 13:10. Reason: workaround?

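Written to `HKCU\Environment` or to the Session Manager key, the workaround in the post above becomes a persistent environment variable, so it applies to every process of that user or of the whole machine, not only to the two installers. The following PowerShell is an added example, not code from the thread: it reports where the settings discussed here are present and, with its own hypothetical `-Remove` switch, deletes only the persistent `SEE_MASK_NOZONECHECKS` values. Registry paths and value names are the ones quoted in the thread.

```powershell
# Added example (not from the thread): report the zone-check settings discussed
# above and, with -Remove, delete the persistent SEE_MASK_NOZONECHECKS values.
param([switch]$Remove)   # -Remove is this example's own switch

$inet = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$targets = @(
    @{ Path = 'HKCU:\Environment'; Name = 'SEE_MASK_NOZONECHECKS'
       Scope = 'every process started by this user' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
       Name = 'SEE_MASK_NOZONECHECKS'; Scope = 'every process of every user' }
    @{ Path = "HKCU:\$inet\Zones\1"; Name = '1806'; Scope = 'Local intranet zone, this user' }
    @{ Path = "HKLM:\$inet\Zones\1"; Name = '1806'; Scope = 'Local intranet zone, machine default' }
)

# Meaning of the 1806 ("Launching applications and unsafe files") values.
$action1806 = @{ 0 = 'Permit'; 1 = 'Prompt'; 3 = 'Disable' }

foreach ($t in $targets) {
    $prop = Get-ItemProperty -LiteralPath $t.Path -Name $t.Name -ErrorAction SilentlyContinue
    if ($null -eq $prop) { continue }             # value not present: nothing to report

    $value = $prop.($t.Name)
    $note  = if ($t.Name -eq '1806') { $action1806[[int]$value] }
             else { 'zone check suppressed when set to 1' }
    $state = 'present'

    if ($Remove -and $t.Name -eq 'SEE_MASK_NOZONECHECKS') {
        # The HKLM value can only be removed from an elevated session.
        try {
            Remove-ItemProperty -LiteralPath $t.Path -Name $t.Name -ErrorAction Stop
            $state = 'removed (running processes keep their copy)'
        } catch {
            $state = "not removed: $($_.Exception.Message)"
        }
    }

    [pscustomobject]@{
        Key = $t.Path; Value = "$($t.Name)=$value"; Meaning = $note
        Scope = $t.Scope; State = $state
    }
}
```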


            • #7
              Re: run (gpo) setup (.exe) files @ startup/logon

              Originally posted by APOC View Post
              This does seem to give a workaround:
              Code:
              REG ADD "HKCU\Environment" /V SEE_MASK_NOZONECHECKS /T REG_SZ /D 1 /F
              REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /V SEE_MASK_NOZONECHECKS /T REG_SZ /D 1 /F
              Not sure if it's the best/safe way to do it? Perhaps someone can give his insight on this?
              If this workaround works then I am almost sure that the exe files do have ntfs streams (type Zone.Identifier) on them.
              When you right click on the exe files do you see on the general tab a button to Unblock the file? (for some directories you need elevation to edit a file).


              What is the OS and IE version on the user machines?

              What is the irfanview_elevation.reg for? Are you sure it is suitable for both 32-bit and 64-bit operating systems?


              The reg tweak I showed works for the user, so when the executable is launched by logon script.
              After the FQDN has been added for the local intranet zone programmatically, and that was after the user shell (desktop) was already loaded, then the user has to log-off and -on once for the change to take effect. (Log-off and -on is not required when you add the local domain (file://*.domain.local) to the list of sites manually via IE Options / security / local intranet, or when the entry was added to the registry before the user desktop was loaded.)


              I will post a test script that will write an error log while running, maybe you can test it and post the error log??

              /Rems
              Last edited by Rems; 10th July 2013, 18:34.



              • #8
                Re: run (gpo) setup (.exe) files @ startup/logon

                When you right click on the exe files do you see on the general tab a button to Unblock the file? (for some directories you need elevation to edit a file).
                => YES
                I see this "unblock" option on a (user) workstation with "Win7PRO x64" and when I do this on the virtual server itself (Win2k8R2 x64) where the .exe files are located...
                When I unblock these files on the virtual server itself it does seem to work now... I'll test it a few times... (tried this earlier from a user workstation with admin rights but without any result, perhaps there was the problem?)

                BUT running "streams -s -d" at this same location of these .exe files then I get the result "No files with streams found." as stated earlier. (FYI) Weird? Not?

                OS user workstations are mostly Win7PROx64 and IE10
                Virtual Server hosting the .exe files Win2k8R2x64 (IE10)

                (irfanview_elevation.reg isn't used anymore)

                Your reg.tweak does get undone somehow by IE itself, not sure why, and I've got smartscreen already disabled for testing purposes. As soon as IE gets started your reg.tweaks in ZoneMap get undone immediately (maybe it's the protection feature? "secure modus in the ie settings" I'll test this)
                Last edited by APOC; 11th July 2013, 08:28. Reason: added: tried this earlier from a user workstation...



                • #9
                  Re: run (gpo) setup (.exe) files @ startup/logon

                  Originally posted by APOC View Post
                  BUT running "streams -s -d" at this same location of these .exe files then I get the result "No files with streams found." as stated earlier. (FYI) Weird? Not?
                  You can't enter just a folder name or directory on the command line! Both local paths and UNC paths are accepted - but it should be pointing to a file, or to multiple files by using wildcards (*).

                  sample: The -s switch means search not only in the provided folder but also in all subfolders. The -d switch means delete ntfs streams if found. The wildcard here stands for ALL FILES of all types.
                  Code:
                  streams.exe -s -d "c:\temp\*"
                  tip: If you download a compressed container (i.e. a zip file) always remove the Zone.Identifier before unpacking/expanding the file. It can save you a lot of time on unblocking individual files.



                  btw, you can handle NTFS streams very well with PowerShell cmdlets,
                  http://technet.microsoft.com/en-us/l.../hh849924.aspx
                  http://blogs.technet.com/b/askcore/a...s-in-ntfs.aspx



                  /Rems
                  Last edited by Rems; 11th July 2013, 19:12.

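`streams.exe -s -d` deletes every alternate stream on every matching file. A narrower approach with the PowerShell stream cmdlets mentioned above is sketched below as an added example, not code from the thread: it reports each file carrying a `Zone.Identifier` stream and unblocks only files whose SHA-256 is on an approved list. The folder path, the approved-hash table and the `-Unblock` switch are assumptions of this example; it is meant to be run on the machine that hosts the files.

```powershell
# Added example (not from the thread): report Zone.Identifier streams under a
# folder and unblock only files whose SHA-256 is on an approved list.
param(
    [string]$Folder      = 'D:\Deploy\Installers',   # placeholder path (assumption)
    [hashtable]$Approved = @{},                      # file name -> expected SHA-256 (assumption)
    [switch]$Unblock                                 # without this switch the script only reports
)

# Standard URL security zone numbers; zone 1 is the "Local intranet" zone from the thread.
$zoneNames = @{
    '0' = 'Local machine'; '1' = 'Local intranet'; '2' = 'Trusted sites'
    '3' = 'Internet';      '4' = 'Restricted sites'
}

Get-ChildItem -LiteralPath $Folder -Recurse -File | ForEach-Object {
    $path = $_.FullName

    # A missing stream raises an error; treat that as "file is not marked".
    $ads = Get-Item -LiteralPath $path -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    if (-not $ads) { return }

    # The stream is a small INI-style text: [ZoneTransfer] followed by ZoneId=<n>.
    $text   = Get-Content -LiteralPath $path -Stream 'Zone.Identifier' -Raw
    $zoneId = if ($text -match '(?m)^ZoneId=(\d+)') { $Matches[1] } else { '?' }

    $hash     = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    $sigState = (Get-AuthenticodeSignature -LiteralPath $path).Status
    $hashOk   = $Approved.ContainsKey($_.Name) -and ($Approved[$_.Name] -eq $hash)

    $action = 'reported only'
    if ($Unblock -and $hashOk) {
        Unblock-File -LiteralPath $path          # removes only the Zone.Identifier stream
        $action = 'unblocked'
    } elseif ($Unblock) {
        $action = 'left blocked (hash not approved)'
    }

    [pscustomobject]@{
        File = $path; Zone = "$zoneId ($($zoneNames[$zoneId]))"
        Signature = $sigState; SHA256 = $hash; Action = $action
    }
}
```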


                  • #10
                    Re: run (gpo) setup (.exe) files @ startup/logon

                    Originally posted by APOC View Post
                    I unblock these files on the virtual server [...] (tried this earlier from a user workstation with admin right but without any result perhaps there was the problem?)
                    Most likely UAC didn't allow the administrator to edit the file.

                    /Rems



                    • #11
                      Re: run (gpo) setup (.exe) files @ startup/logon

                      Originally posted by APOC View Post
                      Your reg.tweak does get undone somehow by IE itself, not sure why, and I've got smartscreen already disabled for testing purposes. As soon as IE gets started your reg.tweaks in ZoneMap get undone immediately (maybe it's the protection feature? "secure modus in the ie settings" I'll test this)
                      I have not tested it here but I wouldn't be surprised if it is a behavior of IE10.
                      I manage IE10 settings with GPO and some special ones with a logon script, so the settings are applied at least every time the user logs on.
                      I noticed IE10 is different from previous versions in that when installed on a domain client it turns on some restrictions by itself. And you have to use a GPO to change these settings.

                      /Rems



                      • #12
                        Re: run (gpo) setup (.exe) files @ startup/logon

                        thank you very much guys, it's still working...
                        so it must have been a stream like both of you stated
                        (and I learned some nice additional tricks on the side, great)
