Running Batch file with elevated rights through GPO

batch-file, group-policy, windows-7

I have a shortcut that specifically uses Google Chrome. We have XP and Windows 7 in our environment, and I want to only use one shortcut for both OSes. The reason is that our environment is quite messy, with some users still using logon scripts, while others use GPO for everything.

Here's the batch file I want to use for computer start up script:

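rem If the native Google folder already exists, link only the Chrome subfolder.
if exist "C:\Program Files\Google\" (
    mklink /d "C:\Program Files\Google\Chrome" "C:\Program Files (x86)\Google\Chrome"
) else (
    rem Otherwise link the whole Google folder to its x86 counterpart.
    mklink /d "C:\Program Files\Google\" "C:\Program Files (x86)\Google\"
)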

I created a new GPO > put the script in the directory for that Policy \\domain\SysVol\domain\Policies\{}\Machine\Scripts\Startup > added the script to Computer Configuration > Policies > Windows Settings > Scripts > Startup > script.bat. I linked that GPO to the create OU and the computer object is in that OU.

I did a GPResult and I see that the GP was applied, but it didn't create the symlink I'm expecting. Is there an issue with NT Authority\Local System creating folders in C:\? I tried changing the script to just mkdir C:\temp and that didn't work either.

Note: The above script works perfectly fine if I run the script under the User Configuration and that user has admin rights.

UPDATE: Tried to do mklink with PowerShell without any success either. I'm pretty sure that you can't run mklink in a Start Up script. So instead of using this script, I just use Item Level Targeting under User's preference to copy a different link depending on the OS.

Best Answer

It's possible your computer's network connection isn't initialized before Group Policy attempts to run your script. The MSKB article "Windows 7 Clients intermittently fail to apply group policy at startup" explains behavior where Startup Scripts fail because the network link isn't ready when GP executes the script. Two solutions are offered:

Via Group Policy:

  • Configure the Startup policy processing wait time setting in Computer Configuration > Policies > Admin Templates > System > Group Policy to a value long enough for the computer to initialize its network connection. I've used 10 seconds with great success.

Via the Registry:

  • Create the DWORD value GpNetworkStartTimeoutPolicyValue in the subkey HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and provide a decimal wait time value in seconds.
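
To tell a startup script that never ran from one that ran and failed, the script can log its own execution. This is an added example, not code from the question or the answer; the log path, variable names and labels are assumptions.

```batch
@echo off
rem Added diagnostic wrapper, not the asker's script. The log path is an assumption.
setlocal
rem A SYSTEM-context script should log where standard users cannot pre-create
rem files; %SystemRoot%\Debug is assumed here to be writable by admins only.
set "LOG=%SystemRoot%\Debug\gpo-startup-script.log"
set "KEY=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
set "X86=C:\Program Files (x86)\Google"
set "NATIVE=C:\Program Files\Google"

rem No new "begin" line after a reboot means the script never ran at all
rem (for example, the network was not ready when Group Policy was processed).
>>"%LOG%" echo ==== %DATE% %TIME% begin, running from "%~f0"
>>"%LOG%" echo Account: "%USERDOMAIN%\%USERNAME%"

rem Record the wait time from the registry value named in the answer, if present.
>>"%LOG%" 2>&1 reg query "%KEY%" /v GpNetworkStartTimeoutPolicyValue

rem Nothing to link on 32-bit systems, where the x86 folder does not exist.
if not exist "%X86%\Chrome\" goto nosource

rem Same two branches as the script in the question.
if exist "%NATIVE%\" goto linkchrome
>>"%LOG%" 2>&1 mklink /d "%NATIVE%" "%X86%"
goto result

:linkchrome
if exist "%NATIVE%\Chrome" goto already
>>"%LOG%" 2>&1 mklink /d "%NATIVE%\Chrome" "%X86%\Chrome"

:result
>>"%LOG%" echo mklink exit code: %ERRORLEVEL%
goto done

:nosource
>>"%LOG%" echo Skipped: "%X86%\Chrome" not found
goto done

:already
>>"%LOG%" echo Skipped: "%NATIVE%\Chrome" already exists

:done
>>"%LOG%" echo ==== %DATE% %TIME% end
endlocal
exit /b 0
```

A log entry with a non-zero mklink exit code points at the command itself; no entry at all for a given boot points at Group Policy not running the script.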