Making a .bat run silently via GPO?

  • Question

  • Here's my batch file, in its entirety:

    @echo off

    NET USER Administrator newpasswordhere


    I've been on the search engines and seen suggested adding "/B" before the command I'm executing (didn't work) and "/Silent" after the command I'm executing (also didn't work). What sort of switch or extra line can I add to the code to make it run silently?

    It is part of the group policy that starts when a user logs onto the network. But they're still getting prompted with, "This publisher could not be verified. Are you sure you want to run this software?" It should be something that no user sees.
    • Edited by Haml337 Monday, February 8, 2010 6:08 PM Forum tag corrections
    • Moved by Bill_Stewart Monday, October 17, 2016 5:47 PM This is horribly insecure. They should definitely not be doing this...
    Monday, February 8, 2010 6:08 PM

All replies

  • Hi,

    You can use a VB script that runs a bat file in a hidden window.
    Use the following script as the main script given to the GPO, and your bat file as the parameter.

    You can use this method for any program that you want to run in a hidden window (via GPO).

    ' Run the program named by the first script argument in a hidden window
    ' (window style 0) and wait for it to finish (True) before the script exits.
    Dim objShell
    Set objShell = WScript.CreateObject("WScript.Shell")
    objShell.Run WScript.Arguments(0), 0, True
    Set objShell = Nothing

    Good luck.

    Assaf Miron http://Assaf.Miron.googlepages.com
    • Proposed as answer by AssafM Monday, February 8, 2010 7:47 PM
    Monday, February 8, 2010 7:43 PM
  • There is no parameter field. The location for that is "Computer Configuration > Windows Settings > Scripts (Startup/Shutdown) > Startup."

    I've been instructed (by my boss) that I should use "Computer Configuration > Administrative Templates > System > Logon > Run these programs at user logon" and this does not have a parameters option.

    Is it possible to do something using this? Or do I have to use the Windows Settings and parameters instead of the Administrative Templates in order to make this work?

    I'm sorry I didn't make this clear in my first post. Thank you for the reply, though!

    Monday, February 8, 2010 8:26 PM
  • From what I understand you are trying to change the password of the account.  If this is correct you need to go to your GPO, "Computer Configuration/Windows Settings/Scripts/Startup".  Go to Properties on Startup, click Add, then Browse.  Copy and paste your bat file in the window.  Select it, then select Open and OK.  You should see it listed under Name in the window.  There is a Script Parameters blank if you click on Edit for adding parameters.  I believe that you will want to run this under Startup so that it doesn't require the user's credentials to be administrative in case of a limited user account signing on.

    Hope this helps.

    Joshua

    • Marked as answer by Haml337 Thursday, February 18, 2010 5:53 PM
    Monday, February 8, 2010 9:26 PM
  • I saved "newpassword.bat" to a network location. It contained the following lines of script:

    @echo off

    NET USER Administrator %1

    I went to "Computer Configuration > Windows Settings > Scripts (Startup/Shutdown)" and chose newpassword.bat as the startup script. I selected "newpassword" for my script parameter there. I ran a "gpupdate /force" to the target workstation I'm using to test the script with.

    Once I received the login box, I chose to log in as "Administrator" and used the password I defined, making sure to log into the local computer and not the domain. The password did not change, but I did not see any dialogue asking me to run the script, either.

    What is still wrong?

    Monday, February 8, 2010 10:29 PM
  • Try it using the original script without trying to pass parameters.  I think that your original issue wasn't the script, but how you were trying to run it.

    Joshua
    Monday, February 8, 2010 11:34 PM
  • It did not work. I removed the parameter and changed the %1 back to "newpasswordhere." The computers I have put on this GPO to test still have the old administrator passwords on them, and the new one does not work.

    Other suggestions, please?

    Tuesday, February 9, 2010 8:19 PM
  • There is another simpler option if you have a newer domain (server 2008).  Client Side Extensions Preferences under "Group Policy" now allows local accounts (Predefined) to be renamed, disabled and assigned a standard password.

    I've used it quite effectively.  The only catch is you need to have the patch already applied for the O/S to recognize the preferences.

    Sean
    The Energized Tech
    Powershell. It's so Easy and it's FREE! Dive in and use it now, It'll take no time. :) http://www.energizedtech.com
    Tuesday, February 9, 2010 8:55 PM
  • We are still an 03 environment. I'll keep that in mind when we do move to an 08 server, though.
    Tuesday, February 9, 2010 9:01 PM
  • Have you tried running this under an administrator account manually to see if it works that way?

    Joshua
    Tuesday, February 9, 2010 10:56 PM
  • I have. My boss originally instructed me to put it as part of "Policy > Computer Configuration > Administrative Templates > System > Logon > Run These Programs at User Logon."

    When I did that, and logged in as myself (an admin account), I was prompted to run the batch file (or the vbs, I've used both extensions), which was successful. It also works if the policy is NOT in place and I just run the script from wherever I have it saved to the network drive.

    Making it run without the user noticing (via GPO) has not been successful, though.
    Wednesday, February 10, 2010 3:37 PM
  • A second thought... In the location I listed just above (run these programs at user logon), my boss usually puts .reg files there. You can make those silent where it prompts for the file by typing "regedit /c/s \\folder\file.reg" in the field.

    Is it possible to turn this into a .reg file? I've never written a script to do that, ever. So it's way out of my league... But if someone has a suggestion (or some code already made for the purpose), I'd be really appreciative if we could go that route, too.
    Wednesday, February 10, 2010 4:21 PM
  • As far as I know there is no registry change that can be made for passwords.  However, the issue that you are describing currently with the GPO running the batch at startup in the computer account sounds a lot like a permissions issue.  I know that probably sounds weird to say about group policy, but follow me for a second.

    In the GPO go to "Computer Configuration/Windows Settings/Scripts/Startup" and click Edit, then Browse.  Right click on the batch file, then go to Properties and click on the Security tab.  Check the script's permissions and make certain that the "Authenticated Users" group is listed with "Read" and "Read & Execute" control at the very least (you may need to give it all the way up to Modify control, but I'm fairly certain that Read and Read & Execute will work).  Also, if you go to the Delegation tab on the GPO itself, click on the Advanced button at the bottom right of the screen and be certain that the "Authenticated Users" group is added.  For the GPO itself this group will need "Read" and "Apply Group Policy" checked.

    If you are wondering why this may resolve the issue: since you are running the script using a GPO as a machine, the machine needs permission to it.  You can give machines permission to things in Windows, just as you can user accounts and any other AD object.  Now since it is with group policy you will more than likely want to do this for more than one machine and user.  Therefore, Microsoft has the "Authenticated Users" group.  This is the group of which all objects (machines and computers) in your domain are a part.  Therefore, when you give this group permissions to your GPO and script, then it should run without any issues.  Also remember this in case you ever decide to call an exe to install on a machine from a startup script.  You will then have to add permissions to the exe.  I've had the same issue before and it sounds exactly like what you're saying.    - experience is the best teacher

    Joshua

    Wednesday, February 10, 2010 8:46 PM
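    A check worth running before deploying a fix like the one above (added here as an editor's example; it is not code from any poster in this thread): granting Authenticated Users read access to a startup script means every domain user and computer can also read the literal password written into it, which is what the moderator note on the question is pointing at. The script below audits a GPO's Machine\Scripts\Startup folder for NET USER lines that carry a clear-text password and lists which principals can read each file, without echoing the password itself. The $ScriptDir default with its GUID placeholder and the file-type list are assumptions; adjust them to your own GPO.

```powershell
# Added example (not from the thread): audit one GPO's startup-script folder
# for scripts that set an account password in clear text, and report who can
# read each such file. Save as Audit-StartupScripts.ps1 and run as an admin.
param(
    # Placeholder path: replace the domain name and the GPO GUID with your own.
    [string]$ScriptDir = "\\example.local\SYSVOL\example.local\Policies\{GPO-GUID-PLACEHOLDER}\Machine\Scripts\Startup"
)

# NET USER <account> <password> where the password is a literal: not "*"
# (which prompts) and not a batch variable such as %1 (passed as a parameter).
# The pattern is constructed for this example.
$PlaintextPattern = '(?i)^\s*net\s+user\s+\S+\s+(?![*%])\S+'

Get-ChildItem -Path $ScriptDir -Include *.bat,*.cmd,*.vbs,*.ps1 -Recurse -File |
    ForEach-Object {
        $script = $_
        $hits = Select-String -Path $script.FullName -Pattern $PlaintextPattern
        if (-not $hits) { return }

        # Every principal with ReadData on the file can recover the password.
        $readers = (Get-Acl -Path $script.FullName).Access |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData)
            } |
            Select-Object -ExpandProperty IdentityReference -Unique

        # Report line numbers only; never print the matched line itself.
        [pscustomobject]@{
            Script     = $script.FullName
            Lines      = ($hits | ForEach-Object { $_.LineNumber }) -join ','
            ReadableBy = ($readers -join '; ')
        }
    } | Format-Table -AutoSize
```

    Any script the report lists should be replaced by a mechanism that does not store the password where domain members can read it, and the password it contains treated as exposed.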
  • It did not work. I've added "Authenticated Users" to both the file and to the GPO. I have attempted it with and without a parameter. It's just not taking.

    I have it saved to a different server on a shared network drive - so it's in a place where everyone has permission to access and run the script - do I need to save it somewhere particular? The GPM console keeps showing me this default folder...
    Friday, February 12, 2010 5:25 PM
  • So...you want to save the script in the default folder that the GPM gives you when you click Edit/Browse or Add/Browse.  That is where GP naturally pulls it from.  It is possible to use a different network path, as long as you specify the path and the script in the "Script Name" blank.  However, I don't recommend using a different network path since it just leaves more for you to troubleshoot later.  Now onto other issues.

    I believe that there may also be a little misunderstanding about when a "startup" script runs.  Now, if you're like me, then it would make sense for a startup script to run during...well, startup.  However, if you're like Microsoft, then that doesn't make any sense because of their view of security.  What actually happens is that the startup script runs after a user authenticates to the machine, not before a user authenticates.  If this isn't what is occurring, then let me know and I'll look further into this.  However, I believe that you're most likely restarting the machine, expecting the script to change the password, then attempting to logon with the changed password.  If this is correct, then the order you need to work in is to: 1) restart the machine, 2) logon with an account, 3) logoff, 4) logon to the local account with the changed password.

    Now, you may be thinking about the implications of this on a network-wide level if you have to do this password change to all machines and believe that it is the dumbest thing ever.  However, it really isn't that bad.  You simply apply the group policy in Startup to the machines that you want to make the change on, and then wait a day to let users logon to the systems.  As the users logon to the systems the change is made and then you won't have any manual work.  Now you may run across one or two that won't get changed because they aren't used very much.  So it's not perfect, but it's not awful either.

    Hope this helps.  Let me know if this works or if I'm misunderstanding something.

    Joshua
    • Marked as answer by Haml337 Thursday, February 18, 2010 5:53 PM
    Wednesday, February 17, 2010 12:27 AM
  • Placing it in the default folder seemed to resolve the issue. After a gpupdate /force, I'm now able to log into the two computers on my GPO with the password set in the batch file.

    In order to apply this to ALL the computers in my domain, all I have to do is make sure "Authenticated Users" is the only group in the GPO under the "Security Filtering" window, correct? That seems to be the last step.

    Wednesday, February 17, 2010 4:55 PM
  • If you will compare the Active Directory Computers and Users (ADU&C) interface to the Group Policy Management Console (GPMC), then you will notice that they correspond to each other.  Basically, a Group Policy Object (GPO) is applied to the objects in an Organizational Unit (OU - a folder in ADU&C that contains AD objects or other OUs) in ADU&C that corresponds to wherever you placed the GPO in the GPMC.

    This is true except for the default groups in AD.  You will know the difference because the icon beside the default group name will simply be a blank folder, while the non-default groups will be a folder with what appears to be a book or something similar on the front of it.  Default groups are things like Computers, Users, ForeignSecurityPrincipals, Builtin...  You won't see these groups in the GPMC.

    So if you want the script to run for all the machines on your network, then you will need to go to the GPMC, choose the domain that you need, right click on the OU that contains all of the machines in your domain\network, choose to link an existing GPO, then choose the GPO that you need to apply.  You could also apply the GPO to the root of the domain instead of a specific OU.  If there is a machine that doesn't get the policy applied to it, then you will have to start troubleshooting how the GPO is applied to the machine.

    As far as permissions, do you mean the Delegation tab and Advanced?  If so, then you will want to be sure that "Authenticated Users" have the "Read" and "Apply Group Policy" boxes checked under the "Allow" column.  Also, it's OK (and I would recommend this) to have other groups or users with permissions to the GPO.  For example, it's good to have Domain Admins, Enterprise Admins, and System with access to read, write, create all child objects, and delete all child objects.  Also, give Enterprise Domain Controllers the ability to read so that they can access and apply the GPO to the machines, since they will be the ones who do this.  Probably, the script in the default folder will need similar permissions.  If you're uncertain about the default permissions for a GPO then you can check on the other GPOs or create a new one, check the permissions, then delete the new one.

    I know these posts have been long-winded, but I'm trying to be really clear with them.  Hope this helps.

    Joshua

    Wednesday, February 17, 2010 9:48 PM
  • I've made sure all our computers are in non-default OUs. My GPO is also linked to the domain - the same place our login and domain policy GPOs are linked - instead of directly to the OUs.

    I do not mean the delegation tab. I mean under the "Scope" tab. The "Security Filtering" takes up the bottom half of that tab. Under the "Delegation" tab, I have added Domain Admins, Enterprise Admins, et al, to the list with appropriate permissions.

    You've been very clear. I just have a need to double- and triple-check that I'm correct in understanding what you said. The policy seems to be pushing down to computers I had not listed in the "Scope > Security Filtering" tab of the GPO now. I'm going to test it on a few other machines, and once I verify those, I will mark this thread as solved.

    Thank you so very much!
    Wednesday, February 17, 2010 10:22 PM
  • Tested and running fine! Thanks very much!
    Thursday, February 18, 2010 5:52 PM
  • Need a new hand with this (unless I should start a new thread).

    I had this GPO linked directly to the domain. My admin removed it, because it also ended up changing the domain admin's password (HIS password), because the PDC doesn't have a local password. Yea, that was fun to find out about the Monday morning after I made it live (I also learned not to make anything live on a Friday night before leaving for the weekend >_<).

    Since then, he removed the link to the domain, and instead linked it to each of the OUs that have workstations in them. The GPO has stopped working since he did that, too, and I'm not sure why. I only discovered this after adding this script to the GPO and found it wasn't working.

    Since then, I've gone into each of the individual OUs where this GPO is linked and changed the "Enforced" default to "yes." Maybe I need to wait longer, but it did not work on the couple of users I attempted to have reboot and re-log into their computers (which should have changed the password and deleted that shortcut - but the shortcut is still there).

    Is my problem that I added a second script to the GPO, or that the GPO was linked to OUs instead of the domain? Or is there something else I have not considered?
    Tuesday, March 9, 2010 5:10 PM
  • Hello

    I am new to VB scripting, but I think I might need your solution. Could you show how to run a script named test.bat in the VB scripting above?

    Thank You

    Friday, October 14, 2016 11:14 AM