RE: Default user runonce

2011-09-14 Thread Crawford, Scott
"Talking it out really helped."

Yup, many a time have I tried to explain to someone this ridiculous "behavior 
with no explanation" only to figure it out mid-explanation.

-Original Message-
From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org] 
Sent: Wednesday, September 14, 2011 12:09 PM
To: NT System Admin Issues
Subject: RE: Default user runonce

It fixes the borked Documents Library!!  Sorry, couldn't resist that.  :)

It rewrites HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion 
\ Explorer \ User Shell Folders taking out 'c:\users\CopiedUser\' and putting 
back in %USERPROFILE% on all the values for my documents and so on.

This script is the hard way. I am going to export the corrected key and do a 
runonce reg merge.

Appreciate the help, this has been a mind bender from the beginning trying to 
figure out what he did to the image. I got to the end, the fix, and my mind was 
fried. Talking it out really helped.

-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com]
Sent: Wednesday, September 14, 2011 1:03 PM
To: NT System Admin Issues
Subject: Re: Default user runonce

On Wed, Sep 14, 2011 at 11:46 AM, Kennedy, Jim wrote:
> Most importantly it borks the Documents Library.  Fixable via a Kix 
> script I have.

  What.  Does.  The.  Script.  Do?  :-)

> That script needs to RunOnce as the user logs in the first time...the 
> script hits the Current User hive.

  As Scott Crawford says, it shouldn't need to run elevated for most things 
under HKEY_CURRENT_USER.  Unless it's monkeying about under 
HKCU\Software\Policies, in which case you should be using a GPO, not a logon 
script.

-- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ 
<http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin
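
The rewrite Jim Kennedy describes above (taking the copied profile's hard-coded path out of User Shell Folders and putting %USERPROFILE% back), written in PowerShell as an added example; it is not the Kix script from the thread or any poster's code. The parameter names -BadPrefix and -ReportOnly are hypothetical, and the default prefix is the placeholder path quoted in the thread.

```powershell
# Added example: per-user repair of User Shell Folders.
# Runs as the logged-on user; nothing here needs elevation because it only writes HKCU.
param(
    # Assumption: the hard-coded path left behind by the copied profile.
    [string]$BadPrefix = 'C:\Users\CopiedUser',
    # Hypothetical switch: list what would change without writing anything.
    [switch]$ReportOnly
)

$BadPrefix = $BadPrefix.TrimEnd('\')
$subKey    = 'Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
$noExpand  = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames

# Open the key writable; a standard user has write access to their own hive.
$key = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey($subKey, $true)
if ($null -eq $key) { throw "Key not found: HKCU\$subKey" }

try {
    foreach ($name in $key.GetValueNames()) {
        $kind = $key.GetValueKind($name)
        if ($kind -ne [Microsoft.Win32.RegistryValueKind]::String -and
            $kind -ne [Microsoft.Win32.RegistryValueKind]::ExpandString) { continue }

        # Read the raw data. A default read expands %VARS%, which would hide
        # the difference between a healthy value and a hard-coded one.
        $raw = $key.GetValue($name, $null, $noExpand)
        if ($null -eq $raw) { continue }

        # Match only at a path boundary so 'C:\Users\CopiedUser2' is left alone.
        # -notmatch is case-insensitive, which suits Windows paths.
        if ($raw -notmatch ('^' + [regex]::Escape($BadPrefix) + '(\\|$)')) { continue }

        $fixed = '%USERPROFILE%' + $raw.Substring($BadPrefix.Length)
        Write-Output ("{0}: {1} -> {2}" -f $name, $raw, $fixed)

        if (-not $ReportOnly) {
            # Write as REG_EXPAND_SZ so %USERPROFILE% resolves per user at read time;
            # a plain REG_SZ would store the literal text and break the folder again.
            $key.SetValue($name, $fixed, [Microsoft.Win32.RegistryValueKind]::ExpandString)
        }
    }
}
finally {
    $key.Close()
}
```

Run it with -ReportOnly first on one affected account to see which values still carry the copied path before letting it write.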





RE: Default user runonce

2011-09-14 Thread Kennedy, Jim
It fixes the borked Documents Library!!  Sorry, couldn't resist that.  :)

It rewrites HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion 
\ Explorer \ User Shell Folders taking out 'c:\users\CopiedUser\' and putting 
back in %USERPROFILE% on all the values for my documents and so on.

This script is the hard way. I am going to export the corrected key and do a 
runonce reg merge.

Appreciate the help, this has been a mind bender from the beginning trying to 
figure out what he did to the image. I got to the end, the fix, and my mind was 
fried. Talking it out really helped.

-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com] 
Sent: Wednesday, September 14, 2011 1:03 PM
To: NT System Admin Issues
Subject: Re: Default user runonce

On Wed, Sep 14, 2011 at 11:46 AM, Kennedy, Jim wrote:
> Most importantly it borks the Documents Library.  Fixable via a
> Kix script I have.

  What.  Does.  The.  Script.  Do?  :-)

> That script needs to RunOnce as the user logs in the first
> time...the script hits the Current User hive.

  As Scott Crawford says, it shouldn't need to run elevated for most
things under HKEY_CURRENT_USER.  Unless it's monkeying about under
HKCU\Software\Policies, in which case you should be using a GPO, not a
logon script.

-- Ben




Re: Default user runonce

2011-09-14 Thread Ben Scott
On Wed, Sep 14, 2011 at 11:46 AM, Kennedy, Jim wrote:
> Most importantly it borks the Documents Library.  Fixable via a
> Kix script I have.

  What.  Does.  The.  Script.  Do?  :-)

> That script needs to RunOnce as the user logs in the first
> time...the script hits the Current User hive.

  As Scott Crawford says, it shouldn't need to run elevated for most
things under HKEY_CURRENT_USER.  Unless it's monkeying about under
HKCU\Software\Policies, in which case you should be using a GPO, not a
logon script.

-- Ben




RE: Default user runonce

2011-09-14 Thread Crawford, Scott
There's a myriad of ways to access the registry - regedit, reg.exe, powershell, 
vbscript.  I think I'd allow regedit to run and rely on the perms in the 
registry to prevent the mucking around. Otherwise, you end up hurting yourself 
more than the bad guys.  This issue is a perfect example.

-Original Message-
From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org] 
Sent: Wednesday, September 14, 2011 11:04 AM
To: NT System Admin Issues
Subject: RE: Default user runonce

Wooo, you are of course right. Bet I have a software or gpo restricting 
something else causing this. Regedit for example.


-Original Message-
From: Crawford, Scott [mailto:crawfo...@evangel.edu]
Sent: Wednesday, September 14, 2011 12:02 PM
To: NT System Admin Issues
Subject: RE: Default user runonce

If it's hitting the current user hive, you shouldn't need to run elevated.

-Original Message-
From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Sent: Wednesday, September 14, 2011 10:46 AM
To: NT System Admin Issues
Subject: RE: Default user runonce

We are in a bit of a pickle and digging out. Our Image creator copied a set up
user to the default profile in Windows 7 the way he has always done it without
checking on how bad that is in Win 7. Then he ran around and imaged a ton of
machines without doing any decent testing. I will deal with him later, and it
won't be pretty. There are 15 or 20 borked settings. Most importantly it borks
the Documents Library.  Fixable via a Kix script I have. That script needs to
RunOnce as the user logs in the first time...the script hits the Current User
hive. Actually very cool.

So a runonce in the Default hive and it runs as it loads for the newly logged 
in user.

-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com]
Sent: Wednesday, September 14, 2011 11:25 AM
To: NT System Admin Issues
Subject: Re: Default user runonce

On Wed, Sep 14, 2011 at 10:54 AM, Kennedy, Jim wrote:
> If I put a RunOnce key into the Default user profile (Windows 7) to 
> call a bat file, that bat file will run under the newly logging in 
> user and it will run under their credentials? So if I need to elevate 
> it I need to do a runas?

  More-or-less correct.  What are you trying to accomplish?  You nominally only
need elevated privileges to modify the system configuration, and you normally
only need to modify the system configuration once per machine, so doing it once
per user seems wrong.  There may be better approaches.

-- Ben




RE: Default user runonce

2011-09-14 Thread Kennedy, Jim
Wooo, you are of course right. Bet I have a software or gpo restricting 
something else causing this. Regedit for example.


-Original Message-
From: Crawford, Scott [mailto:crawfo...@evangel.edu] 
Sent: Wednesday, September 14, 2011 12:02 PM
To: NT System Admin Issues
Subject: RE: Default user runonce

If it's hitting the current user hive, you shouldn't need to run elevated.

-Original Message-
From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Sent: Wednesday, September 14, 2011 10:46 AM
To: NT System Admin Issues
Subject: RE: Default user runonce

We are in a bit of a pickle and digging out. Our Image creator copied a set up
user to the default profile in Windows 7 the way he has always done it without
checking on how bad that is in Win 7. Then he ran around and imaged a ton of
machines without doing any decent testing. I will deal with him later, and it
won't be pretty. There are 15 or 20 borked settings. Most importantly it borks
the Documents Library.  Fixable via a Kix script I have. That script needs to
RunOnce as the user logs in the first time...the script hits the Current User
hive. Actually very cool.

So a runonce in the Default hive and it runs as it loads for the newly logged 
in user.

-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com]
Sent: Wednesday, September 14, 2011 11:25 AM
To: NT System Admin Issues
Subject: Re: Default user runonce

On Wed, Sep 14, 2011 at 10:54 AM, Kennedy, Jim wrote:
> If I put a RunOnce key into the Default user profile (Windows 7) to 
> call a bat file, that bat file will run under the newly logging in 
> user and it will run under their credentials? So if I need to elevate 
> it I need to do a runas?

  More-or-less correct.  What are you trying to accomplish?  You nominally only
need elevated privileges to modify the system configuration, and you normally
only need to modify the system configuration once per machine, so doing it once
per user seems wrong.  There may be better approaches.

-- Ben




RE: Default user runonce

2011-09-14 Thread Crawford, Scott
If it's hitting the current user hive, you shouldn't need to run elevated.

-Original Message-
From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org] 
Sent: Wednesday, September 14, 2011 10:46 AM
To: NT System Admin Issues
Subject: RE: Default user runonce

We are in a bit of a pickle and digging out. Our Image creator copied a set up
user to the default profile in Windows 7 the way he has always done it without
checking on how bad that is in Win 7. Then he ran around and imaged a ton of
machines without doing any decent testing. I will deal with him later, and it
won't be pretty. There are 15 or 20 borked settings. Most importantly it borks
the Documents Library.  Fixable via a Kix script I have. That script needs to
RunOnce as the user logs in the first time...the script hits the Current User
hive. Actually very cool.

So a runonce in the Default hive and it runs as it loads for the newly logged 
in user.

-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com]
Sent: Wednesday, September 14, 2011 11:25 AM
To: NT System Admin Issues
Subject: Re: Default user runonce

On Wed, Sep 14, 2011 at 10:54 AM, Kennedy, Jim wrote:
> If I put a RunOnce key into the Default user profile (Windows 7) to 
> call a bat file, that bat file will run under the newly logging in 
> user and it will run under their credentials? So if I need to elevate 
> it I need to do a runas?

  More-or-less correct.  What are you trying to accomplish?  You nominally only
need elevated privileges to modify the system configuration, and you normally
only need to modify the system configuration once per machine, so doing it once
per user seems wrong.  There may be better approaches.

-- Ben




RE: Default user runonce

2011-09-14 Thread Kennedy, Jim
We are in a bit of a pickle and digging out. Our Image creator copied a set up
user to the default profile in Windows 7 the way he has always done it without
checking on how bad that is in Win 7. Then he ran around and imaged a ton of
machines without doing any decent testing. I will deal with him later, and it
won't be pretty. There are 15 or 20 borked settings. Most importantly it borks
the Documents Library.  Fixable via a Kix script I have. That script needs to
RunOnce as the user logs in the first time...the script hits the Current User
hive. Actually very cool.

So a runonce in the Default hive and it runs as it loads for the newly logged 
in user.

-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com] 
Sent: Wednesday, September 14, 2011 11:25 AM
To: NT System Admin Issues
Subject: Re: Default user runonce

On Wed, Sep 14, 2011 at 10:54 AM, Kennedy, Jim wrote:
> If I put a RunOnce key into the Default user profile (Windows 7) to 
> call a bat file, that bat file will run under the newly logging in 
> user and it will run under their credentials? So if I need to elevate 
> it I need to do a runas?

  More-or-less correct.  What are you trying to accomplish?  You nominally only
need elevated privileges to modify the system configuration, and you normally
only need to modify the system configuration once per machine, so doing it once
per user seems wrong.  There may be better approaches.

-- Ben




Re: Default user runonce

2011-09-14 Thread Ben Scott
On Wed, Sep 14, 2011 at 10:54 AM, Kennedy, Jim wrote:
> If I put a RunOnce key into the Default user profile (Windows 7) to call a
> bat file, that bat file will run under the newly logging in user and it will
> run under their credentials? So if I need to elevate it I need to do a
> runas?

  More-or-less correct.  What are you trying to accomplish?  You
nominally only need elevated privileges to modify the system
configuration, and you normally only need to modify the system
configuration once per machine, so doing it once per user seems wrong.
There may be better approaches.

-- Ben
