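We have a logon script that sets up default shortcuts on users' desktops, deployed through Group Policy. This script was used in our previous Windows XP environment. The problem is that whoever set this up copied the shortcuts to %ALLUSERSPROFILE%\Desktop. Now that we are on Windows 7, I am trying to move the shortcuts to %USERPROFILE%\Desktop, and when I try to delete the shortcuts via VBScript I get permission denied. I can delete the shortcuts manually; the UAC prompt appears, but it works.
There are three questions:
1) What user context does the script run in when it is run from a GPO?
2) When I run the script from the command line, with the command prompt run as administrator, what user context does the script run in?
3) Is there a way to delete these via VBScript in my situation?
Thanks in advance for your help.
I tried the following script, deployed via GP as a startup script, to no avail.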
'Startup Script
' Force explicit variable declaration.
Option Explicit
On Error Resume Next
Const sPhoneLnk = "Phone_List.lnk"
Const sDesktop = "\Desktop\"
Dim g_oShell, g_oFSO, sAllUsrPrf, sPhoneLink
Set g_oShell = CreateObject("Wscript.Shell")
Set g_oFSO = CreateObject("Scripting.FileSystemObject")
sAllUsrPrf = g_oShell.ExpandEnvironmentStrings("%ALLUSERSPROFILE%")
sPhoneLink = sAllUsrPrf & sDesktop & sPhoneLnk
If g_oFSO.FileExists (sPhoneLink) Then
    ' wscript.echo sPhoneLnk & " Found."
    g_oFSO.DeleteFile (sPhoneLink)
    ' wscript.echo sPhoneLnk & " Deleted."
Else
    ' wscript.echo sPhoneLnk & " Not found."
End If
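I also tried running the above script from an administrator's command prompt with UAC turned off, and received access denied.
Answer 0: (score: 0)
1) What user context does the script run in when it is run from a GPO?
Logon scripts run with the security of the logged-on user.
2) When I run the script from the command line, with the command prompt run as administrator, what user context does the script run in?
The script runs as administrator on the local computer.
3) Is there a way to delete these via VBScript in my situation?
Yes. But you should consider how long you need this script to be installed. Is it temporary or permanent? If it is temporary, you should write a simple computer startup script which removes the shortcut links under the all users directory on boot. That way it is not bound to a user account.
If you absolutely want to bypass security for all user accounts and perform the action when users log on regardless, you can use a domain logon based vbscript: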
' ======================================================================
'| name : DSMoveAs.vbs
'| author: Remco Simons [nl] 2007
'|
'| ( http://www.petri.co.il/forums/showthread.php?t=18003 )
' ======================================================================
'
' this script accepts Credentials from command-line
' Usage with GPO:
' Scripts / LogonScript / scriptName -> scriptname.vbs
' Scripts / LogonScript / ScriptParameters -> /u:"domain\user" /p:"password"
' (this user does not necessarily have to be a member of the Domain Admins group, you can just delegate control over the OU's to it.)
'
' this script can move computer objects in active directory
' you have to copy 'dsmove.exe' to a central share
Set objSysInfo = CreateObject("ADSystemInfo")
strComputerDN = objSysInfo.ComputerName
strComputerRDN = split(strComputerDN,",")(0)
strCurrentOU = Replace(strComputerDN, strComputerRDN & ",","")
strCurrentSite = UCase(objSysInfo.SiteName)

'tool
pathDSMOVE = "\\domain.local\sysvol\domain.local\scripts\Dsmove.exe"

'Alternate Credentials
Set Named = WScript.Arguments.Named 'Read script parameters
strUser = Empty
strSecret = Empty
If Named.Exists("u") Then
    strUser = Named.Item("u")
    If Named.Exists("p") Then _
        strSecret = Named.Item("p")
End If
altCredentials = " -u """ & strUser & """ -p """ & strSecret & """"

'variables
strSiteName1 = UCase("New-York")
strSiteName2 = UCase("washington")

'conditional run
If (strCurrentSite = strSiteName1) Then
    strNewOU = "CN=computers,DC=domain,dc=Local"
    If Not UCase(strCurrentOU) = Ucase(strNewOU) Then
        call MoveObject(pathDSMOVE, strComputerDN, strNewOU, altCredentials)
    End If
ElseIf (strCurrentSite = strSiteName2) Then
    strNewOU = "ou=workstations,DC=domain,dc=Local"
    If Not UCase(strCurrentOU) = Ucase(strNewOU) Then
        call MoveObject(pathDSMOVE, strComputerDN, strNewOU, altCredentials)
    End If
End If

Sub MoveObject(pathDsmove, strComputerDN, targetOU, credentials)
    With Wscript.CreateObject("WScript.Shell")
        strCommand = pathDsmove & " """ & strComputerDN & """ " _
            & "-newparent """ & targetOU & """ " _
            & credentials
        .Run "%comspec% /c @call " & strCommand,0,True
    End With
End Sub
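The computer startup script that Answer 0 describes but does not show, as an added example (not part of the original question or answers). It assumes the GPO runs it under Computer Configuration as a startup script, which executes as Local System, so no credentials are passed as script parameters; the log file name and location are assumptions.

```vbscript
' Added example: computer STARTUP script (Computer Configuration > Policies >
' Windows Settings > Scripts > Startup). Startup scripts run as Local System,
' so no alternate credentials are passed on the command line.
Option Explicit

Const SHORTCUT_NAME = "Phone_List.lnk"   ' name taken from the question
Const LOG_NAME = "RemoveShortcut.log"    ' assumed log file name

Dim oShell, oFSO, oNet, sDesktop, sTarget, sLogPath

Set oShell = CreateObject("WScript.Shell")
Set oFSO   = CreateObject("Scripting.FileSystemObject")
Set oNet   = CreateObject("WScript.Network")

' Ask the shell for the shared desktop instead of building it from
' %ALLUSERSPROFILE%, whose value differs between Windows XP and Windows 7.
sDesktop = oShell.SpecialFolders("AllUsersDesktop")
sTarget  = oFSO.BuildPath(sDesktop, SHORTCUT_NAME)
' Assumed log location: %WINDIR%\Temp, writable by Local System.
sLogPath = oFSO.BuildPath(oShell.ExpandEnvironmentStrings("%WINDIR%\Temp"), LOG_NAME)

' Record the account the script actually ran under, plus the resolved path.
WriteLog "Running as " & oNet.UserDomain & "\" & oNet.UserName & ", target " & sTarget

If oFSO.FileExists(sTarget) Then
    ' Trap only the delete call so a failure is recorded, not swallowed.
    On Error Resume Next
    oFSO.DeleteFile sTarget, True        ' True = delete read-only files too
    If Err.Number <> 0 Then
        WriteLog "Delete failed: 0x" & Hex(Err.Number) & " " & Err.Description
    Else
        WriteLog "Deleted."
    End If
    Err.Clear
    On Error GoTo 0
Else
    WriteLog "Not found, nothing to do."
End If

' Append one timestamped line to the log file, creating it if needed.
Sub WriteLog(sMessage)
    Const ForAppending = 8
    Dim oLog
    Set oLog = oFSO.OpenTextFile(sLogPath, ForAppending, True)
    oLog.WriteLine Now & " " & sMessage
    oLog.Close
End Sub
```

The first log line shows which account the script ran under, so running the same file as a user logon script and again as a computer startup script makes the difference in context visible.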
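Answer 1: (score: 0)
I recommend using Group Policy Preferences to modify the desktop shortcuts. Logon scripts always run in the context of the logged-on user. That user may or may not have sufficient permissions to delete shortcuts from the "All Users" desktop.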