# Running a logon script using admin rights



## Jeckler (Jun 1, 2001)

I'm currently tasked to run a registry command to update domain suffix search orders so that a certain server can resolve correctly. I want to be able to automate the process through the domain logon script. I've been doing onesy-twosy's to make sure the command works, so now we want to deploy it across the campus. The users do not have admin rights on their machines. I have close to 180 machines to update.
What I've been using is psexec to run the command from my workstation, using a domain admin account to ensure it runs correctly. I'm not 100% sure this will work on their machines through the logon script, since it will run on their local machine, using a domain account, back to their local machine. I've been looking at using RUNAS instead. What I'll do is create a temp domain account with admin privileges, but no password, and use it to run the command.
My real question is on how to properly use RUNAS. Command line options are:
```
RUNAS USAGE:

RUNAS [/profile] [/env] [/netonly] /user:<UserName> program

   /profile        if the user's profile needs to be loaded
   /env            to use current environment instead of user's.
   /netonly        use if the credentials specified are for remote access only.
   /user           <UserName> should be in form [email protected] or DOMAIN\USER
   program         command line for EXE. See below for examples

Examples:
> runas /profile /user:mymachine\administrator cmd
> runas /profile /env /user:mydomain\admin "mmc %windir%\system32\dsa.msc"
> runas /env /user:[email protected] "notepad \"my file.txt\""

NOTE: Enter user's password only when prompted.
NOTE: [email protected] is not compatible with /netonly.
```

Since I'm not using a password, the first NOTE: is irrelevant for my needs. And I don't think /netonly applies. However, I'm not sure what environment I should run it in. The command I want to run is:

```
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v SearchList /t REG_SZ /d xxx.com,yyy.com,zzz.com /f
```

Since I'm adding it to local machine, I'm thinking I can use the /env switch. So, my command would be thus:

```
RUNAS /env /user:domain\dnsadd REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v SearchList /t REG_SZ /d xxx.com,yyy.com,zzz.com /f
```

Does anybody have any other suggestions for what I'm doing? Or does this look like it'll work?

Thanks, Andy


----------



## squidboy (Dec 29, 2004)

It appears sound. How do you currently deploy apps? SMS, or visit each workstation, or something else? I ask because that might prove useful. If you package an .MSI it can temporarily elevate permissions to accomplish this task.


----------
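An added example, not part of either post: an idempotent way to apply and verify the `SearchList` value from the thread, written in PowerShell. It assumes the script runs in a context that already holds local administrative rights (for instance a computer startup script, which runs as LocalSystem) instead of being launched through RUNAS from the user's logon script; the function names are illustrative and the suffixes are the thread's placeholders.

```powershell
# Added example, not from the thread. Assumption: this runs where local admin
# rights already exist (e.g. a computer startup script running as LocalSystem),
# so no privileged account or password has to appear in the user logon script.
$KeyPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$Name     = 'SearchList'
$Expected = 'xxx.com,yyy.com,zzz.com'   # placeholder suffixes from the thread

# True when the current token is a member of the local Administrators group.
function Test-IsElevated {
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Returns the current SearchList string, or $null when the value is absent.
function Get-SearchList {
    $item = Get-ItemProperty -Path $KeyPath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$current = Get-SearchList

# Already correct: nothing to write, so the script is safe to run at every boot.
if ($current -eq $Expected) {
    Write-Output "OK: $Name is already '$Expected'"
    exit 0
}

# Fail loudly instead of silently skipping when the rights are missing.
if (-not (Test-IsElevated)) {
    Write-Error "No administrative rights; $Name is '$current' and was not changed."
    exit 1
}

Set-ItemProperty -Path $KeyPath -Name $Name -Value $Expected -Type String

# Read the value back so a failed write is reported, not assumed to have worked.
if ((Get-SearchList) -ne $Expected) {
    Write-Error "Write to $Name did not take effect."
    exit 2
}
Write-Output "Updated $Name from '$current' to '$Expected'"
```

The exit codes (0 already set or updated, 1 missing rights, 2 write failed) make it possible to tell from a deployment log which of the machines still need attention.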

