Question: Running scripts with elevated privileges
I have a Win2k domain with two Windows 2000 DCs and a mix of 150+ Windows XP and 2000 clients. Due to some music software that requires Power User rights to run, all domain users are Power Users on the workstations. As a result, I have a big problem with spyware such as Comet Cursor, PrecisionTime, SaveNow, etc. Though I have written login scripts to remove some of this crap at logon (the stuff that uses Wise Installer; can't figure out InstallShield), I would like to prevent further re-installs if possible. Blocking this crap at the firewall has been problematic since many of them eventually default to port 80, or simply have way too many server IPs, which would involve me creating hundreds of rules on the firewall. So far, in addition to the scripts that uninstall this crap, I have found the best (and cheapest) solution is to simply replace the local hosts file with a hosts file I found on the internet that maintains a huge list of spyware sites and redirects them to localhost.
Now here is the problem:
I created a script with the following syntax in a GPO attached to the domain:
xcopy \\server1\scripts$\hosts c:\winnt\system32\drivers\etc\hosts /Y
Unfortunately, it does not work because the domain users do not have rights to the destination folder. My questions are the following:
1) Is there a way, or a utility, that would allow the script to be run with elevated privileges? I know of Scriptlogic, but we will not spend $3k+ to get this functionality.
2) Is there a command line utility I can run at the server that would change the permissions of the \etc folder on all stations to allow write access for domain users?
Thanks in advance,
ycore
Answer: Running scripts with elevated privileges
Sorry, hadn't seen this until now!
It will run as whatever the Task Scheduler service runs as. Typically "local system". This does then present a minor challenge that I hadn't thought of before in that it won't be able to see network shares...
You can make a registry change to make shares show up to LocalSystem accounts, but the easiest is to put your lmhosts or batch files into the NETLOGON directory on the server, then set the AT task to run them from there. Should go OK, though not something I've ever needed to try...
hth
Steve
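A concrete form of the approach Steve describes, as an added example that is not part of the original thread: a batch file kept in the NETLOGON share on server1 (the server name comes from the question; the NETLOGON path, the script name and the log file location are assumptions) and launched by the Task Scheduler under LocalSystem, so the workstation's etc folder keeps its admin-only permissions instead of being opened up to domain users. It replaces the local hosts file only when it differs from the approved copy and keeps a backup of the previous one:

```batch
@echo off
rem update-hosts.cmd - added example, not from the original thread.
rem Place this file and the approved hosts file in the NETLOGON share
rem of server1, then schedule it on each workstation, for example:
rem   AT \\workstation01 07:00 /every:M,T,W,Th,F \\server1\NETLOGON\update-hosts.cmd
rem The Task Scheduler service runs it as LocalSystem, which reads
rem NETLOGON with the computer account and can write to the etc folder
rem without loosening that folder's permissions for domain users.
setlocal
set SRC=\\server1\NETLOGON\hosts
set DST=%SystemRoot%\system32\drivers\etc\hosts
set LOG=%SystemRoot%\hosts-update.log

if not exist "%SRC%" (
    echo %DATE% %TIME% ERROR cannot read %SRC% >> "%LOG%"
    exit /b 1
)

rem fc /b sets errorlevel 0 only when both files are byte-identical,
rem so a workstation that is already current is left untouched.
fc /b "%SRC%" "%DST%" >nul 2>&1
if %ERRORLEVEL%==0 (
    echo %DATE% %TIME% OK hosts already current >> "%LOG%"
    exit /b 0
)

rem Keep the previous copy so a bad push can be rolled back by hand.
if exist "%DST%" copy /y "%DST%" "%DST%.bak" >nul
copy /y "%SRC%" "%DST%" >nul
if errorlevel 1 (
    echo %DATE% %TIME% ERROR copy to %DST% failed >> "%LOG%"
    exit /b 1
)
echo %DATE% %TIME% OK hosts replaced from %SRC% >> "%LOG%"
endlocal
exit /b 0
```

The log file gives a per-workstation record of when the hosts file was last replaced, which is also the first place to look if a machine keeps drifting back to a modified copy.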