Batch script: how to check for admin rights
How do I check if the current batch script has admin rights?
I know how to make it call itself with runas but not how to check for admin rights. The only solutions I've seen are crude hack jobs or use external programs. Well, actually I don't care if it is a hack job as long as it works on Windows XP and newer.
Issues
blak3r / Rushyo's solution works fine for everything except Windows 8. Running AT on Windows 8 results in an error (see screenshot #1) and will return %errorLevel% 1.

Research
So, I went searching for other commands that require elevated permissions. rationallyparanoid.com had a list of a few, so I ran each command on the two opposite extremes of current Windows OSs (XP and 8) in the hopes of finding a command that would be denied access on both OSs when run with standard permissions.
Eventually, I did find one - NET SESSION. A true, clean, universal solution that doesn't involve: FOR loops, AT (Windows 8 incompatible) or WHOAMI (Windows XP incompatible). Each of which has its own security, usability, and portability issues.

Testing
I've independently confirmed that this works on: (see screenshot #2)

Implementation / Usage
So, to use this solution, simply do something like this:

Explanation
NET SESSION is a standard command used to "manage server computer connections. Used without parameters, [it] displays information about all sessions with the local computer." So, here's the basic process of my given implementation:
1. @echo off
2. goto check_Permissions
3. :check_Permissions code block
4. net session >nul 2>&1 - redirect the standard output (STDOUT) stream to nul, and redirect the standard error (STDERR) stream to the same destination as numeric handle 1
5. if %errorLevel% == 0 - if the value of the exit code (%errorLevel%) is 0, then this means that no errors have occurred and, therefore, the immediate previous command ran successfully
6. else - if the value of the exit code (%errorLevel%) is not 0, then this means that errors have occurred and, therefore, the immediate previous command ran unsuccessfully
7. The code in the respective branch will be executed depending on which condition is met

Screenshots
Windows 8: AT and the resulting %errorLevel%
NET SESSION on Windows XP x86 - Windows 8 x64
Thank you, @Tilka, for changing your accepted answer to mine. :)
Anders' solution worked for me but I wasn't sure how to invert it to get the opposite (when you weren't an admin).
Here's my solution. It has two cases, an IF and an ELSE case, and some ASCII art to ensure people actually read it. :)
Minimal Version
Rushyo posted this solution here: How to detect if CMD is running as Administrator/has elevated privileges?
Version which adds Error Messages, Pauses, and Exits
Works on WinXP --> Win8 (including 32/64 bit versions).
EDIT: 8/28/2012 Updated to support Windows 8. @BenHooper pointed this out in his answer below. Please upvote his answer.
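The NET SESSION check that Ben Hooper explains above, written in the "error message, pause and exit" shape blak3r describes, as an added example; it is not the code from either answer, and the label names, messages and exit codes are my own choices. Both output streams of NET SESSION are discarded (STDOUT to nul, STDERR to the same place), so only the exit code is used:

```batch
@echo off
rem Added example, not code from the original answers.
rem NET SESSION needs administrative rights; its exit code tells us whether
rem the current process has them. Nothing on the system is modified.
goto check_Permissions

:check_Permissions
    echo Administrative permissions required. Detecting permissions...
    rem Handle 1 (STDOUT) goes to nul, handle 2 (STDERR) follows handle 1.
    net session >nul 2>&1
    if %errorLevel% == 0 (
        echo Success: Administrative permissions confirmed.
        goto main
    ) else (
        echo Failure: Current permissions inadequate.
        echo Right-click this script and choose "Run as administrator".
        pause
        exit /B 1
    )

:main
    rem Everything below this label only runs with administrative rights.
    echo Running the privileged part of the script...
    exit /B 0
```

A caller can rely on the exit code (0 = elevated, 1 = not) rather than the printed text, which makes the block usable from other batch files with `call` and `if errorlevel 1`. The later answers on this page point out the one case this check misreports: when the Server service is stopped (for example in Safe Mode), NET SESSION fails with a different exit code even for an administrator.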
More issues
As pointed out by @Lectrode, if you try to run the net session command while the Server service is stopped, you receive the following error message:
In this case the %errorLevel% variable will be set to 2.
Note: The Server service is not started while in Safe Mode (with or without networking).

Looking for an alternative
Something that:
So I booted a vanilla Windows XP virtual machine and I started scrolling through the list of applications in the C:\Windows\System32 folder, trying to get some ideas. After trials and errors, this is the dirty (pun intended) approach I've come up with:
The fsutil dirty command requires admin rights to run, and will fail otherwise. %systemdrive% is an environment variable which returns the drive letter where the operating system is installed. The output is redirected to nul, thus ignored. The %errorlevel% variable will be set to 0 only upon successful execution.
Here is what the documentation says:

Further research
While the solution above works from Windows XP onwards, it's worth adding that Windows 2000 and Windows PE (Preinstalled Environment) don't come with fsutil.exe, so we have to resort to something else.
During my previous tests I noticed that running the sfc command without any parameters would either result in:
That is: no parameters, no party. The idea is that we can parse the output and check if we got anything but an error:
The error output is first redirected to the standard output, which is then piped to the find command. At this point we have to look for the only parameter that is supported in all Windows versions since Windows 2000: /SCANNOW. The search is case insensitive, and the output is discarded by redirecting it to nul.
Here's an excerpt from the documentation:

Sample Usage
Here are some paste-and-run examples:
Windows XP and later
Windows 2000 / Windows PE

Applies to
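The two probes this answer describes, combined into one script as an added example (not and31415's own code): the fsutil dirty probe where fsutil.exe exists, and the sfc usage-text probe as the fallback for Windows 2000 / Windows PE. The subroutine names and the `if exist` test that selects between them are my own; the commands themselves are the ones the answer explains. Neither probe depends on the Server service, which is what makes them usable where net session returns errorlevel 2:

```batch
@echo off
rem Added example, not code from the original answer.
rem Each probe runs an operation that only an elevated process may perform
rem and reports the result through %errorlevel%; nothing is modified.
setlocal

rem Windows 2000 and Windows PE ship without fsutil.exe, so fall back to sfc.
if exist "%SystemRoot%\System32\fsutil.exe" (
    call :probe_fsutil
) else (
    call :probe_sfc
)
if %errorlevel% == 0 (
    echo Running with administrative rights.
    exit /B 0
) else (
    echo Administrative rights are missing.
    exit /B 1
)

:probe_fsutil
rem "fsutil dirty query" needs admin rights and fails otherwise. It only reads
rem the volume's dirty bit. %systemdrive% is the drive the OS is installed on;
rem all output is discarded, only the exit code matters.
fsutil dirty query %systemdrive% >nul 2>&1
exit /B %errorlevel%

:probe_sfc
rem sfc with no parameters prints its usage only when run with admin rights;
rem without them it prints only an error. The error stream is merged into
rem stdout and searched (case-insensitively) for /SCANNOW, the one parameter
rem every version since Windows 2000 supports. find returns 0 on a match.
sfc 2>&1 | find /i "/SCANNOW" >nul
exit /B %errorlevel%
```

The `exit /B %errorlevel%` lines propagate each probe's result to the caller, so the selection block above can treat both probes uniformly. If a system is being built from a trimmed image (the WinPE case in the answer), checking for the probe executable before calling it avoids mistaking "command not found" for "access denied": both set a non-zero errorlevel, but only the second means anything about privileges.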
Two more ways - fast and backward compatible.
The fltmc command is available on every Windows system since XP, so this should be pretty portable.
One more really fast solution tested on XP, 8.1 and 7 - there's one specific variable, =::, which is present only if the console session has no admin privileges. As it is not so easy to create a variable that contains = in its name, this is a comparatively reliable way to check for admin permission (it does not call external executables, so it performs well).
If you want to use this directly through the command line, but not from a batch file, you can use:
Alternative solution:
I have two ways of checking for privileged access; both are pretty reliable, and very portable across almost every Windows version.
1. Method
* Works on XP and later
2. Method
* Works on XP and later
Working example
A script that clears the temp folder
Not only check but GETTING admin rights automatically
aka Automatic UAC for Win 7/8/8.1 ff.: The following is a really cool one with one more feature: this batch snippet does not only check for admin rights, but gets them automatically! (and tests before, if living on a UAC-capable OS.)
With this trick you don't need to right-click on your batch file "with admin rights" any longer. If you have forgotten to start it with elevated rights, UAC comes up automatically! Moreover, at first it is tested if the OS needs/provides UAC, so it behaves correctly e.g. for Win 2000/XP until Win 8.1 - tested.
The snippet merges some good batch patterns together, especially (1) the admin test in this thread by Ben Hooper and (2) the UAC activation read on BatchGotAdmin and cited on the batch site by robvanderwoude (respect). (3) For the OS identification by "VER | FINDSTR pattern" I just can't find the reference.
(Concerning some very minor restrictions, when "NET SESSION" does not work as mentioned in another answer - feel free to insert another of those commands. For me, running in Windows safe mode or with special standard services down and such are not important use cases - for some admins maybe they are.)
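The merged pattern this answer describes, written out as an added example rather than the author's snippet: (1) the NET SESSION test, (2) a relaunch of the script through the "runas" verb in the BatchGotAdmin style, which raises the UAC prompt, and (3) a VER | FINDSTR check so that Windows versions without UAC (version 5.x: 2000/XP/2003) are not relaunched in vain. The marker argument ELEVATED, the temporary VBScript name and the messages are my own assumptions:

```batch
@echo off
rem Added example, not the original answer's code.
setlocal

rem (3) OS identification: "ver" prints e.g. "Microsoft Windows [Version 6.1.7601]".
rem Version 5.x (2000/XP/2003) has no UAC, so a relaunch could not raise rights.
set "hasUAC=1"
ver | findstr /i /c:"Version 5." >nul && set "hasUAC=0"

rem (1) NET SESSION only succeeds with administrative rights.
net session >nul 2>&1
if %errorlevel% == 0 goto got_rights

if "%hasUAC%"=="0" (
    echo No UAC on this Windows version; run the script from an administrator account.
    exit /B 1
)
rem Guard against a prompt loop: the relaunched copy passes ELEVATED as its
rem first argument. If it still lacks rights, the UAC prompt was declined.
if "%~1"=="ELEVATED" (
    echo Elevation was refused; exiting.
    exit /B 1
)

rem (2) Relaunch this script with the "runas" verb, which triggers the UAC
rem prompt. ShellExecute is reached through a short VBScript written to %temp%.
set "vbs=%temp%\elevate_%random%.vbs"
> "%vbs%" echo Set UAC = CreateObject("Shell.Application")
>> "%vbs%" echo UAC.ShellExecute "%~s0", "ELEVATED", "", "runas", 1
cscript //nologo "%vbs%"
del "%vbs%"
exit /B

:got_rights
echo Running with administrative rights.
rem Privileged work goes here.
exit /B 0
```

Two design points worth noting. The ELEVATED marker is what prevents an endless prompt loop when the user clicks "No"; without it the relaunched copy would fail the NET SESSION test and prompt again. And because the relaunch passes only that marker, any arguments the script was originally started with are not forwarded; a script that needs them has to append them to the ShellExecute parameter string. The answer's own caveat applies unchanged: where NET SESSION is unavailable (Server service stopped), swap in one of the other probes from this page.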
In the batch script Elevate.cmd (see this link), which I have written to get admin rights, I have done it the following way:
and the rest of the script might look like this:
This is tested for Windows 7, 8, 8.1, 10 and even Windows XP and does not need any resource such as a special directory, file or registry key.
It uses the fact that the command NET FILE needs admin rights to run and will return an error level 0 if it ran successfully (and detected admin rights); otherwise it returns an error level > 0. Any messages are suppressed by 1>NUL 2>NUL.
The advantage NET FILE has is that it will not change anything on the system to detect admin rights (unlike other solutions trying to probe admin rights by creating registry keys or files/directories in protected areas).

The cleanest way to check for admin privileges using a CMD script, that I have found, is something like this:
This method only uses CMD.exe builtins, so it should be very fast. It also checks for the actual capabilities of the process rather than checking for SIDs or group memberships, so the effective permission is tested. And this works as far back as Windows 2003 and XP. Normal user processes or non-elevated processes fail the directory probe, whereas Admin or elevated processes succeed.
The whoami /groups doesn't work in one case. If you have UAC totally turned off (not just notification turned off), and you started from an Administrator prompt then issued:
you will be running non-elevated, but issuing:
will say you're elevated. It's wrong. Here's why it's wrong:
When running in this state, if IsUserAdmin (https://msdn.microsoft.com/en-us/library/windows/desktop/aa376389(v=vs.85).aspx) returns FALSE and UAC is fully disabled, and GetTokenInformation returns TokenElevationTypeDefault (http://blogs.msdn.com/b/cjacks/archive/2006/10/24/modifying-the-mandatory-integrity-level-for-a-securable-object-in-windows-vista.aspx), then the process is not running elevated, but whoami /groups claims it is.
Really, the best way to do this from a batch file is:
You should do net session twice because if someone did an at beforehand, you'll get the wrong information.

The following tries to create a file in the Windows directory. If it succeeds it will remove it.
Note that 06CF2EB6-94E6-4a60-91D8-AB945AE8CF38 is a GUID that was generated today and it is assumed to be improbable to conflict with an existing filename.
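The write-probe that answer describes, as an added example and not the answer's own code: create a file directly under the Windows directory, treat success as proof of elevation, and remove it again. The file name is constructed here (a random suffix instead of the answer's GUID) and the messages are my own. Unlike NET SESSION or fsutil, this probe does modify the disk, so it has to clean up after itself:

```batch
@echo off
rem Added example, not the original answer's code.
setlocal
rem Constructed probe name; any name that is unlikely to already exist works.
set "probe=%SystemRoot%\admin-probe-%random%.tmp"

rem Only an elevated process may write directly under %SystemRoot%.
rem "copy nul" creates an empty file; both output streams are discarded
rem and only the exit code is examined.
copy /y nul "%probe%" >nul 2>&1
if %errorlevel% == 0 (
    rem Success: remove the probe file so nothing is left behind.
    del /q "%probe%" >nul 2>&1
    echo Administrative rights confirmed.
    exit /B 0
) else (
    echo No administrative rights.
    exit /B 1
)
```

The later note on this page about WOW64 and WinPE lists directory-creation tests among the checks that keep working in both environments, with the same reservation that applies here: if an administrator has granted everyone write access to the Windows directory, the probe succeeds for every user and no longer says anything about elevation.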
PowerShell anyone?
Edit: copyitright has pointed out that this is unreliable. Approving read access with UAC will allow dir to succeed. I have a bit more script to offer another possibility, but it's not read-only.
Old answer below
Warning: unreliable
Based on a number of other good answers here and points brought up by and31415, I found that I am a fan of the following:
Few dependencies and fast.
A collection of the four seemingly most compatible methods from this page. The first one's really quite genius. Tested from XP up. Confusing though that there is no standard command available to check for admin rights. I guess they're simply focusing on PowerShell now, which is really useless for most of my own work.
I called the batch 'exit-if-not-admin.cmd', which can be called from other batches to make sure they don't continue execution if the required admin rights are not given.
Some servers disable services that the command "net session" requires.
This results in the admin check always saying you don't have admin rights when you may have them.
Note:
Checking with cacls for \system32\config\system will ALWAYS fail in WOW64 (for example from %systemroot%\syswow64\cmd.exe / 32-bit Total Commander), so scripts that run in a 32-bit shell on a 64-bit system will loop forever...
Better would be checking for rights on the Prefetch directory:
Win XP to 7 tested; however it fails in WinPE, as in the Windows 7 install.wim there is no such dir nor cacls.exe.
Also in WinPE AND WOW64 the check with openfiles.exe fails:
In Windows 7 it will errorlevel with "1" with the info that "Target system needs to be 32bit operating system".
Both checks will probably also fail in the recovery console.
What works in Windows XP - 8 32/64 bit, in WOW64 and in WinPE are: dir creation tests (IF admin didn't carpet-bomb the Windows directory with permissions for everyone...) and checks.
Also one more note: in some Windows XP (and other versions probably too, depending on the admin's tinkering), depending on registry entries, directly calling a bat/cmd from a .vbs script will fail with the info that bat/cmd files are not associated with anything...
Calling cmd.exe with the bat/cmd file as parameter, on the other hand, works OK:
Literally dozens of answers in this and linked questions and elsewhere at SE, all of which are deficient in this way or another, have clearly shown that Windows doesn't provide a reliable built-in console utility. So, it's time to roll out your own.
The following C code, based on Detect if program is running with full administrator rights, works in Win2k+ [1], anywhere and in all cases (UAC, domains, transitive groups...) - because it does the same as the system itself when it checks permissions. It signals the result both with a message (that can be silenced with a switch) and an exit code.
It only needs to be compiled once, then you can just copy the .exe everywhere - it only depends on kernel32.dll and advapi32.dll (I've uploaded a copy).
chkadmin.c:
[1] MSDN claims the APIs are XP+ but this is false. CheckTokenMembership is 2k+ and the other one is even older. The last link also contains a much more complicated way that would work even in NT.

Here is another one to add to the list ;-)
(attempt a file creation in a system location)
The MODE CON reinitializes the screen and suppresses any text/errors when not having the permission to write to the system location.

Alternative: Use an external utility that is designed for this purpose, e.g., IsAdmin.exe (unrestricted freeware).
Exit codes:
0 - Current user not member of Administrators group
1 - Current user member of Administrators and running elevated
2 - Current user member of Administrators, but not running elevated
I will explain the code line by line:
Users will be annoyed with many more than 1 line without this.
Point where the program starts.
Set the filename of the directory to be created.
Creates the directory on <DL>:\Windows (replace <DL> with the drive letter).
If the ERRORLEVEL environment variable is zero, then echo the success message.
Go to the end (don't proceed any further).
If ERRORLEVEL is one, echo the failure message and go to the end.
In case the filename already exists, recreate the folder (otherwise the goto end command will not let this run).
Specify the ending point.
Remove the created directory.
Pause so the user can see the message.
Note: The >nul and 2>nul are filtering the output of these commands.

net user %username% >nul 2>&1 && echo admin || echo not admin
Here's my 2 pennies' worth:
I needed a batch to run within a Domain environment during the user login process, within a 'workroom' environment, seeing users adhere to a "lock-down" policy and restricted view (mainly distributed via GPO sets).
A Domain GPO set is applied before an AD user-linked login script.
Creating a GPO login script was too premature, as the user's "new" profile hadn't been created/loaded/or ready in time to apply a "remove and/or Pin" taskbar and Start Menu items vbscript + add some local files.
e.g.: The proposed 'default-user' profile environment requires a ".URL" (.lnk) shortcut placed within the "%ProgramData%\Microsoft\Windows\Start Menu\Programs\MyNewOWA.url" and the "C:\Users\Public\Desktop\MyNewOWA.url" locations, amongst other items.
The users have multiple machines within the domain, where only these set 'workroom' PCs require these policies.
These folders require 'Admin' rights to modify, and although the 'Domain User' is part of the local 'Admin' group - UAC was the next challenge.
Found various adaptations and amalgamated them here. I do have some users with BYOD devices as well that required other files with perm issues.
Have not tested on XP (a little too old an OS), but the code is present; would love feedback.
Domain PCs should be governed as much as possible by GPO sets.
Workgroup/Standalone machines can be governed by this script.
Remember, a UAC prompt will pop up at least once with a BYOD workgroup PC (as soon as the first elevation to 'Admin perms' is required), but as the local security policy is modified for admin use from this point on, the pop-ups will disappear.
A Domain PC should have the GPO "ConsentPromptBehaviorAdmin" policy set within your 'already' created "Lock-down" policy - as explained in the script 'REFERENCES' section.
Again, run the secedit.exe import of the default '.inf' file if you are stuck on the whole "To UAC or Not to UAC" debate :-).
btw:
@boileau
Do check your failure on the:
By running only "%SYSTEMROOT%\system32\cacls.exe" or "%SYSTEMROOT%\system32\config\system" or both from the command prompt - elevated or not, check the result across the board.
Another way to do this.