Permission denied when trying to delete a file via VBScript

Time: 2014-02-28 14:20:31

Tags: vbscript permission-denied

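We have a logon script, deployed via Group Policy, that sets up default shortcuts on users' desktops. This script was used in our previous Windows XP environment. The problem is that whoever set this up copied the shortcuts to %ALLUSERSPROFILE%\Desktop. Now that we are on Windows 7, I am trying to move the shortcuts to %USERPROFILE%\Desktop, and when I try to delete the shortcuts via VBScript I get permission denied. I can delete the shortcuts manually; the UAC prompt appears, but it works.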

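I have three questions:

1) What user context does the script run in when it is run from a GPO?

2) When I run the script from the command line, with the command prompt run as administrator, what user context does the script run in?

3) Is there a way to delete these via VBScript in my situation?

Thanks in advance for your help.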


I tried using the following script, deployed via GP as a startup script, to no avail.

'Startup Script

' Force explicit variable declaration.
Option Explicit

On Error Resume Next

Const sPhoneLnk = "Phone_List.lnk"
Const sDesktop = "\Desktop\"

Dim g_oShell, g_oFSO, sAllUsrPrf, sPhoneLink

Set g_oShell = CreateObject("Wscript.Shell")
Set g_oFSO = CreateObject("Scripting.FileSystemObject")

sAllUsrPrf = g_oShell.ExpandEnvironmentStrings("%ALLUSERSPROFILE%")
sPhoneLink = sAllUsrPrf & sDesktop & sPhoneLnk

If g_oFSO.FileExists (sPhoneLink) Then
'   wscript.echo sPhoneLnk & " Found."
    g_oFSO.DeleteFile (sPhoneLink)
'   wscript.echo sPhoneLnk & " Deleted."
Else
'   wscript.echo sPhoneLnk & " Not found."
End if

I also tried running the above script from an administrator's command prompt with UAC turned off, and received access denied.

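2 Answers:

Answer 0: (score: 0)

1) What user context does the script run in when it is run from a GPO?

Logon scripts are activated with the security of the logged-on user.

2) When I run the script from the command line, with the command prompt run as administrator, what user context does the script run in?

The script runs as administrator on the local computer.

3) Is there a way to delete these via VBScript in my situation?

Yes. But you should consider how long you need this script installed. Is it temporary or permanent? If it is temporary, you should write a simple computer startup script which removes the shortcut links under the all users directory on boot. That way it is not bound to a user account.

If you absolutely want to bypass the security of all user accounts and perform the action when a user logs on, no matter what, you can use a domain logon based vbscript: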

' ======================================================================
'| name  :  DSMoveAs.vbs
'| author:  Remco Simons [nl] 2007
'|
'| ( http://www.petri.co.il/forums/showthread.php?t=18003 )
' ======================================================================
'
' this script accepts Credentials from command-line
' Usage with GPO:
' Scripts / LogonScript / scriptName       -> scriptname.vbs
' Scripts / LogonScript / ScriptParameters -> /u:"domain\user" /p:"password"
'(this user does not necessarily have to be a member of the Domain Admins group, you can just delegate control over the OU's to it.)
'
' this script can move computer objects in active directory
' you have to copy 'dsmove.exe' to a central share


Set objSysInfo = CreateObject("ADSystemInfo")
 strComputerDN  = objSysInfo.ComputerName
 strComputerRDN = split(strComputerDN,",")(0)
 strCurrentOU   = Replace(strComputerDN, strComputerRDN & ",","")
 strCurrentSite = UCase(objSysInfo.SiteName)

'tool
pathDSMOVE = "\\domain.local\sysvol\domain.local\scripts\Dsmove.exe"

'Alternate Credentials
Set Named = WScript.Arguments.Named  'Read script parameters
   strUser = Empty
   strSecret = Empty
 If Named.Exists("u") Then
   strUser = Named.Item("u")
 If Named.Exists("p") Then _
   strSecret = Named.Item("p")
 End If
altCredentials = " -u """ & strUser & """ -p """ & strSecret & """" 

'variables
strSiteName1 = UCase("New-York")
strSiteName2 = UCase("washington")

'conditional run
If (strCurrentSite = strSiteName1) Then
  strNewOU = "CN=computers,DC=domain,dc=Local"
  If Not UCase(strCurrentOU) = Ucase(strNewOU) Then
    call MoveObject(pathDSMOVE, strComputerDN, strNewOU, altCredentials)
  End If
ElseIf (strCurrentSite = strSiteName2) Then
  strNewOU = "ou=workstations,DC=domain,dc=Local"
  If Not UCase(strCurrentOU) = Ucase(strNewOU) Then
    call MoveObject(pathDSMOVE, strComputerDN, strNewOU, altCredentials)
  End If
End If


Sub MoveObject(pathDsmove, strComputerDN, targetOU, credentials)
 With Wscript.CreateObject("WScript.Shell")
   strCommand = pathDsmove & " """ & strComputerDN & """ " _ 
                & "-newparent """ & targetOU & """ " _
                & credentials
   .Run "%comspec% /c @call " & strCommand,0,True
 End With
End Sub
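
A computer startup script of the kind this answer describes, as an added example that is not part of the original answers: it asks the shell for the common desktop, deletes the question's Phone_List.lnk, and writes the error number and the account it ran under to the Application event log instead of hiding a failure behind On Error Resume Next. The constant and variable names are this example's own, and it assumes the script is assigned under Computer Configuration so that it runs as Local System.

```vbscript
' Added example: computer startup script, not code from the original post.
' Assumption: assigned as a Startup script under Computer Configuration.
Option Explicit

Const SHORTCUT_NAME = "Phone_List.lnk"   ' shortcut name taken from the question
Const EVENT_SUCCESS = 0, EVENT_ERROR = 1 ' WshShell.LogEvent type codes

Dim oShell, oFSO, oNet, sCommonDesktop, sTarget, nErr, sErr

Set oShell = CreateObject("WScript.Shell")
Set oFSO   = CreateObject("Scripting.FileSystemObject")
Set oNet   = CreateObject("WScript.Network")

' Resolve the common desktop through the shell rather than building it from
' %ALLUSERSPROFILE%, whose value differs between Windows XP and Windows 7.
sCommonDesktop = oShell.SpecialFolders("AllUsersDesktop")
sTarget = oFSO.BuildPath(sCommonDesktop, SHORTCUT_NAME)

If Not oFSO.FileExists(sTarget) Then
    WScript.Quit 0                       ' nothing to remove on this machine
End If

' Suppress errors only around the delete, then capture Err before resetting it.
On Error Resume Next
oFSO.DeleteFile sTarget, True            ' True = also delete a read-only file
nErr = Err.Number
sErr = Err.Description
On Error GoTo 0

If nErr = 0 Then
    oShell.LogEvent EVENT_SUCCESS, "Removed " & sTarget & _
        " (running as " & oNet.UserName & ")"
Else
    ' Record which account hit the failure and the exact error code.
    oShell.LogEvent EVENT_ERROR, "Could not remove " & sTarget & _
        ": error " & nErr & " (" & sErr & "), running as " & oNet.UserName
    WScript.Quit 1
End If
```

The logged account name shows which security context the script actually ran in for each deployment method.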

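Answer 1: (score: 0)

I would recommend using Group Policy Preferences to modify the desktop shortcuts. Logon scripts always run in the context of the user who is logging on. That user may or may not have sufficient permissions to delete shortcuts from the "All Users" desktop.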