Windows Vista Forums


Vista - Security issues when running login script.

#1, 02-09-2009
Marten

Security issues when running login script.

Does anyone have any suggestions on how I can get around this problem?

We run AutoCAD in our operations. We have a set of custom files
(palettes, plot styles, etc) that we want to ensure all the CAD
workstations have. I'm currently using a call to Robocopy in my login
script to ensure the workstation files are kept current with the
master set.

This works fine as long as we've added "Domain User" to the local
admin group. If it is not there then the copy continues to work fine
for the first person who uses the workstation, but if someone else
signs in, the copy does not have permissions to overwrite the files
in the destination folder as it is owned by the first user.

So far not a big issue, but we would like to not have to give the user
local admin rights. Some of the stuff they want to install includes
headaches. How can I give Robocopy enough privileges to
synchronize these folders and their contents without giving the
privileges to the user?

Martin

#2, 02-09-2009
Al Dunbar

Re: Security issues when running login script.


"Marten" <absolute88@xxxxxx> wrote in message
news:98s0p49jbu720fvll42rqgm6vb64dc2ang@xxxxxx
> Does anyone have any suggestions on how I can get around this problem?
>
> We run AutoCAD in our operations. We have a set of custom files
> (palettes, plot styles, etc) that we want to ensure all the CAD
> workstations have. I'm currently using a call to Robocopy in my login
> script to ensure the workstation files are kept current with the
> master set.
>
> This works fine as long as we've added "Domain User" to the local
> admin group.
Yes, that is the easiest way to remove all restrictions from your
workstations. And the easiest way to lose control of them...
> If it is not there then the copy continues to work fine
> for the first person who uses the workstation, but if someone else
> signs in, the copy does not have permissions to overwrite the files
> in the destination folder as it is owned by the first user.
I suspect that your script may be copying to "shared documents", which is,
by default, a folder within the "all users" profile set up with permissions
that allow users to create and edit their own content, but where they have
read-only access to material created by others.
> So far not a big issue, but we would like to not have to give the user
> local admin rights.
IMHO, that is already a big issue.
> Some of the stuff they want to install includes
> headaches.
True enough, but even if your users do not purposefully try to do things
like that, having excessive privileges will eventually cause problems.
> How can I give Robocopy enough privileges to
> synchronize these folders and their contents without giving the
> privileges to the user?
You cannot permit things to an executable. I would suggest that you create a
folder elsewhere on the workstation where you can fully control the
permissions ("C:\AutoCAD Custom files\"), give all your users change access,
then configure AutoCAD to look there for the info.

Robocopy should work now for all users, but you would want to configure it
to ensure that files there are deleted when they no longer exist in "the
master set".

/Al


#3, 02-11-2009
neo [mvp outlook]

Re: Security issues when running login script.

To add (or complete) Al's comments, just adjust the NTFS permissions on the
local folder so "Users" have modify rights. Heck, if you are running in an
Active Directory environment, you can use a GPO to enforce the NTFS rights
on said folder w/out having to give the users local administrator rights.

#4, 02-11-2009
Marten

Re: Security issues when running login script.

To answer Al's comments, I forgot to mention that I am actually
doing as he suggested: I am writing to a specific folder off the
root and not the shared directory.

As Robocopy will create the folder if it is not there, the user who is
signing in gets the creation ownership and other users will then
only have read-only access to it. To clarify myself, it would be nice if I could
have a few lines in the script with the ability to create the folder
if needed and then set the appropriate privileges. But without local
admin rights, the active user wouldn't be able to do that for the script.

We are in an AD environment so the GPO option sounds promising as a
solution. Any recommendations on where I can research how to set that
up?

Martin

On Wed, 11 Feb 2009 04:58:31 -0800, "neo [mvp outlook]"
<neo@xxxxxx> wrote:
>To add (or complete) Al's comments, just adjust the NTFS permissions on the
>local folder so "Users" have modify rights. Heck, if you are running in an
>Active Directory environment, you can use a GPO to enforce the NTFS rights
>on said folder w/out having to give the users local administrator rights.
#5, 02-12-2009
Al Dunbar

Re: Security issues when running login script.


"Marten" <absolute88@xxxxxx> wrote in message
news:mrn6p4llb5qi2v1aogj82tjlbg0hlur6u6@xxxxxx
> To answer Al's comments, I forgot to mention that I am actually
> doing as he suggested: I am writing to a specific folder off the
> root and not the shared directory.
What, precisely, are the permissions you have assigned there?
> As Robocopy will create the folder if it is not there, the user who is
> signing in gets the creation ownership and other users will then
> only have read-only access to it.
This makes it seem that you are using a permission scheme much like that in
the shared documents folder, in which the creator/owner will, by default, be
the only one able to modify files.

Try permitting the root folder Change to authenticated users.
> To clarify myself, it would be nice if I could
> have a few lines in the script with the ability to create the folder
> if needed and then set the appropriate privileges. But without local
> admin rights, the active user wouldn't be able to do that for the script.
>
> We are in an AD environment so the GPO option sounds promising as a
> solution. Any recommendations on where I can research how to set that
> up?
Really, it shouldn't be this complicated.

/Al

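The approach neo and Al converge on (grant ordinary users Modify/Change on a dedicated local folder so the login script never needs the user to be a local administrator) splits naturally into an elevated one-time provisioning step and an unprivileged per-user sync step. The script below is an added example written for this thread, not code posted by any of the participants. It assumes the folder name Al suggested, a placeholder master share `\\fileserver\CADMaster`, and a log file under `%TEMP%`; the provisioning function is the part you would run once per workstation, for example as a Group Policy computer startup script (which runs as SYSTEM), or replace with the equivalent ACL entry under Computer Configuration, Windows Settings, Security Settings, File System in a GPO, which is the setting neo refers to.

```powershell
# Added example, not code from the thread. Assumed placeholder names:
# \\fileserver\CADMaster (the master set) and the log path; the local folder
# name is the one Al suggested.
$CadFolder   = 'C:\AutoCAD Custom files'
$MasterShare = '\\fileserver\CADMaster'
$LogFile     = Join-Path $env:TEMP 'cad-sync.log'

# Step 1: run once per workstation, elevated, e.g. as a GPO computer startup
# script (runs as SYSTEM, so no user ever needs to be a local administrator).
function Initialize-CadCustomFolder {
    param([string]$Path = $CadFolder)

    if (-not (Test-Path -Path $Path)) {
        New-Item -ItemType Directory -Path $Path | Out-Null
    }

    # BUILTIN\Users get Modify, inherited by every subfolder (ContainerInherit)
    # and file (ObjectInherit) created later, whoever creates it. Modify
    # includes Delete, which robocopy needs to remove stale local copies.
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList 'BUILTIN\Users', 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow'

    $acl = Get-Acl -Path $Path
    $acl.SetAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Shared check: is there an inheritable Allow/Modify ACE for Users on the folder?
function Test-CadFolderAcl {
    param([string]$Path = $CadFolder)

    if (-not (Test-Path -Path $Path)) { return $false }
    $modify = [System.Security.AccessControl.FileSystemRights]::Modify
    $match = (Get-Acl -Path $Path).Access | Where-Object {
        $_.IdentityReference.Value -eq 'BUILTIN\Users' -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $modify) -eq $modify) -and
        $_.InheritanceFlags -eq 'ContainerInherit, ObjectInherit'
    }
    return [bool]$match
}

# Step 2: the per-user login script. It runs under the user's own token and
# succeeds because the folder's ACL grants the access, not group membership.
function Sync-CadCustomFiles {
    param(
        [string]$Source      = $MasterShare,
        [string]$Destination = $CadFolder
    )

    if (-not (Test-CadFolderAcl -Path $Destination)) {
        Write-Warning "$Destination is not provisioned for shared write access; skipping sync."
        return $false
    }

    # /MIR mirrors the master set and deletes local extras (what Al asked for).
    # The flip side: anyone who can write to $Source pushes files onto every
    # workstation, so keep the master share read-only for ordinary users.
    & robocopy.exe $Source $Destination /MIR /R:1 /W:1 /NP /NJH "/LOG+:$LogFile" | Out-Null

    # robocopy exit codes are bit flags: 0..7 are success variants (1 copied,
    # 2 extras removed, 4 mismatches); 8 or more means something failed.
    if ($LASTEXITCODE -ge 8) {
        Write-Warning "robocopy reported failures (exit code $LASTEXITCODE); see $LogFile"
        return $false
    }
    return $true
}

# Usage: Initialize-CadCustomFolder once (elevated), then call
# Sync-CadCustomFiles from the login script.
```

Two points worth keeping in mind when adapting this. The check in `Test-CadFolderAcl` is what turns Marten's symptom ("the second user gets read-only") into an explicit, loggable failure instead of a silent robocopy error. And because `/MIR` makes every workstation a faithful copy of the master share, the write permissions on that share are now the thing to protect: a user who can modify the master set can change palettes and plot styles on every CAD machine at the next logon, so only the people responsible for the CAD configuration should have write access there.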