Logon script on AD working with domain admin but not working for standard users

Gyanesh23 1 Reputation point
2020-07-28T09:08:19.1+00:00

Hi All,

I am working on a cmd script which needs to change the local machine policies when a user who is connected to the domain logs on. I have been able to make it work with domain admin accounts, but it is not working when trying the same with standard users. Here is my script:

net accounts /lockoutthreshold:3
net accounts /lockoutduration:30
net accounts /lockoutwindow:30

To make it work without a prompt and as administrator, I created a shortcut, then went to its Advanced settings tab and ticked the Run as Administrator checkbox.

Kindly advise if there is a way I could make it work for standard users as well, like a one-line command so that even when a standard user logs in, it would run the bat file. Or any other workaround.

Thanks in advance for your help.

Regards,

Gyanesh

Tags: Windows Server, Active Directory

7 answers

  1. Manu Philip 16,986 Reputation points MVP
    2020-07-28T09:17:58.05+00:00

    Hi Gyanesh,

    By design, the logon script runs as the logged-on user and not in elevated mode.

    Thanks,
    Manu

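As an added example (not code from the original question or from this answer), the script below does what the three `net accounts` lines in the question do, but written the way a practitioner would want it given the point above: it checks whether the token is elevated before touching anything, fails with a clear message instead of letting `net accounts` fail silently in a non-elevated logon script, and then verifies the result by exporting the local security policy with `secedit` and reading the `[System Access]` values. The threshold, duration and window values are the ones from the question; the function names are assumptions introduced here. One caveat worth keeping in mind: `net accounts` without `/domain` changes the lockout policy of the local computer's own account database, while the lockout policy for domain accounts is defined in the domain's policy and enforced by the domain controllers.

```powershell
# Added example (not from the original post): apply the account-lockout settings
# from the question under an elevation check and verify them via secedit export.
# Assumed values: threshold 3, duration 30 min, window 30 min (from the question).
# Function names Test-IsElevated / Get-LocalLockoutPolicy / Set-LocalLockoutPolicy
# are introduced here for illustration.

#Requires -Version 5.1

function Test-IsElevated {
    # A logon script runs in the user's own token; net accounts needs an elevated one.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]::new($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-LocalLockoutPolicy {
    # Export the local security policy and read the [System Access] section.
    # secedit writes a UTF-16 .inf with a BOM, which Get-Content detects.
    $inf = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    & secedit.exe /export /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null
    try {
        $values    = @{}
        $inSection = $false
        foreach ($line in Get-Content -Path $inf) {
            if ($line -match '^\[(.+)\]$') {
                $inSection = ($Matches[1] -eq 'System Access')
                continue
            }
            if ($inSection -and
                $line -match '^(LockoutBadCount|LockoutDuration|ResetLockoutCount)\s*=\s*(-?\d+)') {
                $values[$Matches[1]] = [int]$Matches[2]
            }
        }
        return $values
    } finally {
        Remove-Item -Path $inf -Force -ErrorAction SilentlyContinue
    }
}

function Set-LocalLockoutPolicy {
    param(
        [int]$Threshold       = 3,
        [int]$DurationMinutes = 30,
        [int]$WindowMinutes   = 30
    )
    if (-not (Test-IsElevated)) {
        throw "net accounts needs an elevated token; running as $env:USERNAME without elevation."
    }
    # Same three commands as the question, run one at a time so a failure is reported.
    # Order matters: the lockout window must not exceed the lockout duration.
    $args = @("/lockoutthreshold:$Threshold",
              "/lockoutduration:$DurationMinutes",
              "/lockoutwindow:$WindowMinutes")
    foreach ($arg in $args) {
        & net.exe accounts $arg | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "net accounts $arg failed with exit code $LASTEXITCODE" }
    }
    # Verify what actually landed in the local security policy.
    $actual   = Get-LocalLockoutPolicy
    $expected = @{
        LockoutBadCount   = $Threshold
        LockoutDuration   = $DurationMinutes
        ResetLockoutCount = $WindowMinutes
    }
    $drift = $expected.Keys | Where-Object { $actual[$_] -ne $expected[$_] }
    if ($drift) {
        $detail = ($drift | ForEach-Object { "$_ expected $($expected[$_]) got $($actual[$_])" }) -join '; '
        throw "Settings not applied: $detail"
    }
    return $actual
}

Set-LocalLockoutPolicy | Format-Table -AutoSize
```

Run from an elevated PowerShell (or from a task that already has an elevated token); from a standard user's logon script it stops at the elevation check with a readable error, which is the behaviour the question was missing.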

  2. Gyanesh23 1 Reputation point
    2020-07-28T10:42:32.287+00:00

    Hi Manu,

    I appreciate your help.

    So we cannot run a logon script with elevated privileges on a standard user account? :(

    Actually I am trying to achieve the below:

    When applying a GPO while the user is connected to the domain, the policies work fine, but the local machine policies do not seem to change.

    Thus, when the user is not connected to the domain, the GPOs are not applied, hence no policies are applied locally.

    I want the same policies to be applied to the user when he is connected to the domain and also when he is not connected to it (this, I believe, can be achieved if the local policies are changed to match the GPO while connected to the domain).

    Regards,
    Gyanesh


  3. Hannah Xiong 6,231 Reputation points
    2020-07-29T09:08:40.117+00:00

    Hi Gyanesh,

    Thank you so much for posting here.

    According to our description, we are working on a script to configure the Account Lockout Policy, which would change the local group policy. We would like to make it work for standard domain users.

    As we know, domain admins can configure the Account Lockout Policy, while standard users cannot. As for the cmd commands, they should be run as administrator, and then the commands complete successfully.

    As per my understanding and experience, we could configure a scheduled task via Group Policy as shown below.

    [screenshots: task.png, configuration.png, configuration2.png]

    In my test, the logon script is configured as:

    [screenshot: net-accounts.png]

    Then log on to the client with the standard user account. After the scheduled task group policy was applied and the scheduled task finished, the account lockout policy changed. Then log on to the client with an administrator account and check the local group policy; it shows as below. (In my test, the Lockout duration would not change. I have no idea about this. But the other two settings could change. If possible, we could have a try and see whether it works.)

    [screenshots: 99.png, 999.png]

    Hope the information is helpful. For any question, please feel free to contact us.

    Best regards,
    Hannah Xiong
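As an added example (not from this answer, whose approach is a Group Policy Preferences scheduled task), here is the local PowerShell equivalent of that task: it runs as SYSTEM on every interactive logon, so it does not matter whether the logged-on user is an administrator. The script path and task name are assumptions chosen for the example. Because the task runs with SYSTEM privileges, the directory holding the script is locked down to SYSTEM and Administrators first; leaving it writable by standard users would let any user swap in their own commands and have them run as SYSTEM at the next logon.

```powershell
# Added example (not from the original answer): local equivalent of the GPP
# scheduled task, created with the ScheduledTasks module. Path and task name
# below are assumptions for illustration.

#Requires -RunAsAdministrator

$scriptDir  = 'C:\ProgramData\LockoutPolicy'           # assumed location
$scriptPath = Join-Path $scriptDir 'apply-lockout.cmd'
$taskName   = 'Apply-LocalLockoutPolicy'               # assumed task name

# 1. Create the directory and restrict it: only SYSTEM and Administrators may
#    write, because whatever is in this file will execute as SYSTEM.
New-Item -ItemType Directory -Path $scriptDir -Force | Out-Null
$acl = Get-Acl -Path $scriptDir
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting, drop inherited ACEs
foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $scriptDir -AclObject $acl

# 2. Write the same three commands as the question into the script file.
@'
@echo off
net accounts /lockoutthreshold:3
net accounts /lockoutduration:30
net accounts /lockoutwindow:30
'@ | Set-Content -Path $scriptPath -Encoding ASCII

# 3. Register the task: runs cmd.exe on the script, at any user's logon, as SYSTEM.
$action    = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument "/c `"$scriptPath`""
$trigger   = New-ScheduledTaskTrigger -AtLogOn                      # no -User: any logon
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
                 -LogonType ServiceAccount -RunLevel Highest
$settings  = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries `
                 -DontStopIfGoingOnBatteries -ExecutionTimeLimit (New-TimeSpan -Minutes 5)

Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force | Out-Null

# 4. Run it once now and show the last result (0 means the script exited cleanly).
Start-ScheduledTask -TaskName $taskName
Start-Sleep -Seconds 5
Get-ScheduledTaskInfo -TaskName $taskName | Select-Object TaskName, LastRunTime, LastTaskResult
```

After a standard user logs on, `Get-ScheduledTaskInfo` should show a fresh LastRunTime, and `net accounts` run from any session will show the new values, since the change was made under the SYSTEM token rather than the user's.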


  4. Gyanesh23 1 Reputation point
    2020-08-06T11:31:52.117+00:00

    Hi Hannah,

    I really appreciate your response and help.

    The logon script is still working just for domain admins and not standard users.

    For now let's just disregard the part that it is not working for standard users, as this is not the main objective.

    Now the main concern is that, although the logon script changed the local policies for domain admin users, once the laptop is off the network the policies are not applied (in my scenario it is the Account Lockout policy).

    Do you think there is a way to mitigate this security issue? (Like making the group policy work the same on the network and off the network.)

    Because the laptop is ''protected'' by group policies only while it is connected to Active Directory. Once the laptop is off the network, the group policies are no longer being applied (in our particular situation, the account lockout policy is not being applied).

    I am still trying to figure out a way out.

    Thanks a lot for your help.

    Regards,
    Gyanesh


  5. Gyanesh23 1 Reputation point
    2020-08-07T12:29:26.843+00:00

    Hi Hannah,

    Yes, I have configured this logon script policy via Group Policy Management on the DC so that users can be differentiated when they log in, as normally there will be two types of users: admin and standard users.

    I tried changing the local policy via the logon script, i.e. the local policies are changed by the script and kept even when the laptop is disconnected from the network, but the local policies are only applied to the local user accounts and not to domain users.

    I do not know if this is something that is feasible or not but it stands as a security loophole.

    Thanks enormously for your help.

    Regards,
    Gyanesh
