Richard
Wed Apr 23 10:58:31 CDT 2008
Jake wrote:
> Say I need \\myserver\netlogon\delprof.exe to be run at any login for
> computers in mydomain.net's OU=myworkshop
>
> What would a simple vbs logon script for the above situation look like?
>
> Will a normal domain user have enough privileges to run delprof.exe in
> the above logon script or do domain logon scripts run under the system
> account?
>
> In any case I look for solutions to have delprof successfully do its work
> for OU=myworkshop computers.
>
> Thanks for any help on this
The utility delprof.exe requires administrator privileges. It cannot be run
by normal users. Since logon scripts run with the credentials of the user,
it would not be appropriate to run this in a logon script.
Assuming this program can run unattended, this could be run in a StartUp
script (configured in a Group Policy applied to the computers in the
designated OU). StartUp scripts run with System privileges on the local
computer when the computer starts up and authenticates to the domain (before
there is any user). This would work if the program can be run from a share
accessible to the computer (StartUp scripts run with the credentials of the
local computer elsewhere in the network). You can grant permissions to
delprof.exe to the group "Domain Computers". Remember that the StartUp
script will run every time the computer starts, so if you want the utility
run just once you will need to run it from a script that checks if it has
already been run (perhaps the script can save a "flag" file on the local
computer when it runs successfully, which can be checked for existence at
the beginning of the StartUp script).
It might make more sense to run delprof.exe remotely. This link documents
how to do that:
http://support.microsoft.com/kb/315411
It would be a simple matter to create a script that runs delprof.exe
remotely for all computers in an OU, with the appropriate switches. It seems
the syntax would be:
delprof /q /i /c:\\<NetBIOS name of computer> /d:days
I don't think you want the /p parameter, as then you would be prompted to
confirm the deletion of each profile (or maybe you do want that). A VBScript
program to run this on every computer in ou=MyWorkshop,dc=MyDomain,dc=net
would be similar to:
============
Option Explicit
Dim objOU, objComputer, strComputer, objShell
Dim strPath, intDays, intError
' Specify path to delprof.exe.
strPath = "\\MyServer\MyShare\delprof.exe"
' Specify number of days after which delprof
' considers the profile as inactive (and subject to deletion).
intDays = 20
' Bind to the Organizational Unit.
Set objOU = GetObject("LDAP://ou=MyWorkshop,dc=MyDomain,dc=net")
' Filter on objects of class computer.
objOU.Filter = Array("computer")
' Use the Run method of the wshShell object.
Set objShell = CreateObject("Wscript.Shell")
' Enumerate all computers in the OU.
For Each objComputer In objOU
    ' Retrieve the NetBIOS name of the computer.
    strComputer = objComputer.sAMAccountName
    ' Strip off trailing "$".
    strComputer = Left(strComputer, Len(strComputer) - 1)
    ' Run delprof.exe on the remote computer. Window style 0 hides the
    ' window; True waits for completion so Run returns the exit code.
    intError = objShell.Run("%comspec% /c " & strPath & " /q /i /c:\\" _
        & strComputer & " /d:" & CStr(intDays), 0, True)
    If (intError <> 0) Then
        Wscript.Echo "Error " & CStr(intError) & " on computer " _
            & strComputer
    End If
Next
==========
You may not want to use the /i parameter, which causes delprof to ignore
errors. Note the spaces in the command passed to the Run method are needed,
one after "/c", one before "/q", and one before "/d".
For the script to run delprof successfully on a computer, it must be on and
authenticated to the domain, but it does not matter if anyone is logged on.
--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab -
http://www.rlmueller.net
--
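The run-once StartUp script described in the reply above (flag file checked at the beginning, written only after a successful run), as an added example that is not part of the original post. The flag file location and event log text are hypothetical choices; it assumes the share is readable by "Domain Computers" and writable only by administrators, since whatever sits at that path is executed with System privileges.

```vbscript
Option Explicit
Dim objFSO, objShell, objFlag
Dim strPath, strFlag, strCmd, intDays, intError

' Path to delprof.exe (same share path as the script in the post).
strPath = "\\MyServer\MyShare\delprof.exe"
' Profiles inactive for this many days are subject to deletion.
intDays = 20

Set objShell = CreateObject("Wscript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")

' Hypothetical flag file location. It is placed in a directory that
' normal users cannot write to by default, so a user cannot create the
' flag in advance and suppress the run.
strFlag = objShell.ExpandEnvironmentStrings("%SystemRoot%") _
    & "\delprof_done.flag"

' Exit immediately if a previous startup already completed the job.
If objFSO.FileExists(strFlag) Then
    Wscript.Quit 0
End If

' No /c switch here: delprof acts on the local computer.
' The executable path is quoted in case it ever contains spaces.
strCmd = """" & strPath & """ /q /i /d:" & CStr(intDays)

' Window style 0 = hidden; True = wait, so Run returns the exit code.
intError = objShell.Run(strCmd, 0, True)

If intError = 0 Then
    ' Record success so later startups skip the run.
    Set objFlag = objFSO.CreateTextFile(strFlag, True)
    objFlag.WriteLine "delprof completed " & CStr(Now)
    objFlag.Close
Else
    ' Nobody is logged on at startup, so write to the Application
    ' event log (type 1 = error) instead of echoing to the screen.
    objShell.LogEvent 1, "delprof StartUp script: exit code " _
        & CStr(intError)
End If
```

Because no flag is written on failure, the script tries again at the next startup.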