Windows Vista UAC and Group Policy logon scripts

As described in the following excerpt from Deploying Group Policy Using Windows Vista, UAC can prevent Group Policy logon scripts from running correctly.

If a Group Policy logon script maps a network drive, the drive will not be displayed for an administrative user with UAC enabled.

The possible solutions are to map the network drives for administrative users using the limited user token, or to perform the mapping by launching the script through the Task Scheduler.

“UAC may prevent Group Policy logon scripts from appearing to work properly. For example, a domain environment contains a Group Policy object that includes a logon script to map network drives. A nonadministrative user logs on to the domain from a Windows Vista computer. After Windows Vista loads the desktop, the nonadministrative user starts Windows Explorer. The user sees their mapped drives. Under the same environment, an administrative user logs on to the domain from a Windows Vista computer. After Windows Vista loads the desktop, the administrative user starts Windows Explorer. The user does not see their mapped drives.

When the administrative user logs on, Windows processes the logon scripts using the elevated token. The script actually works and maps the drive. However, Windows blocks the view of the mapped network drives because the desktop uses the limited token while the drives were mapped using the elevated token.

To get around this issue, administrative users should map network drives under the limited user token. This mapping is accomplished by using the launchapp.wsf script shown in Appendix A, which works by scheduling the commands using the task scheduler. The task scheduler launches the script under the administrative full token, thereby allowing Windows Explorer, other limited token processes, and the elevated token process to view the mapped network drives.”
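
One way to do what the quoted passage describes, as an added example (it is not Microsoft's launchapp.wsf from Appendix A, which this page does not reproduce): a PowerShell logon script that, when it finds itself running with the elevated token, registers a Task Scheduler task that runs `net use` under the user's limited token. The drive letter, UNC path and task name are constructed placeholders, and the script assumes PowerShell is installed on the client.

```powershell
# Added example, not the original launchapp.wsf.
# All parameter defaults below are constructed placeholders.
param(
    [string]$DriveLetter = 'H:',
    [string]$UncPath     = '\\fileserver.example\home',
    [string]$TaskName    = 'MapDrives-LimitedToken'
)

# Task Scheduler 2.0 constants (values from taskschd.h)
$TASK_TRIGGER_REGISTRATION    = 7   # fire as soon as the task is registered
$TASK_ACTION_EXEC             = 0   # action type: start a program
$TASK_CREATE_OR_UPDATE        = 6   # overwrite the task left by the previous logon
$TASK_LOGON_INTERACTIVE_TOKEN = 3   # run inside the user's existing logon session
$TASK_RUNLEVEL_LUA            = 0   # least privilege, i.e. the limited token

function Test-Elevated {
    # With UAC's limited token the Administrators group is deny-only,
    # so IsInRole returns $true only for the elevated token.
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

if (-not (Test-Elevated)) {
    # Already on the limited token (standard user): map directly.
    & "$env:SystemRoot\System32\net.exe" use $DriveLetter $UncPath /persistent:no
    exit $LASTEXITCODE
}

# Elevated token: hand the mapping to Task Scheduler instead of mapping here,
# because a drive mapped now would be invisible to the limited-token desktop.
$service = New-Object -ComObject Schedule.Service
$service.Connect()

$task = $service.NewTask(0)
$task.Principal.LogonType = $TASK_LOGON_INTERACTIVE_TOKEN
$task.Principal.RunLevel  = $TASK_RUNLEVEL_LUA
[void]$task.Triggers.Create($TASK_TRIGGER_REGISTRATION)

$action           = $task.Actions.Create($TASK_ACTION_EXEC)
$action.Path      = "$env:SystemRoot\System32\net.exe"   # full path, no search-path lookup
$action.Arguments = "use $DriveLetter `"$UncPath`" /persistent:no"

# Empty user and password: the task runs as the interactively logged-on user.
[void]$service.GetFolder('\').RegisterTaskDefinition(
    $TaskName, $task, $TASK_CREATE_OR_UPDATE, $null, $null,
    $TASK_LOGON_INTERACTIVE_TOKEN)
```

To check the result, run `net use` from a normal and from an elevated command prompt: each logon session lists only the mappings created under its own token.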