User identity used by startup script and login script in group policy

      In Group Policy , We can use startup / To turn it off , Sign in / Log off these actions as events for executing scripts .

start-up / The shutdown script is under the computer configuration menu , Sign in / The logout script is under the user configuration menu . seeing the name of a thing one thinks of its function , Computer configuration is global , The authority must be relatively high . User configuration is specific to the user environment , Permission must be limited .

Let's see when running through an experiment Group Policy - Computer configuration - The startup script , as well as Group Policy - User configuration - Login script When , Specifically, what user identity is used to run .

First ,windows In the environment variable ,%username% Is the current user name ,%userprofile% Is the current user configuration path ,%homepath% Is the path of the current user's home directory ,%appdata% Is the current user data folder .whoami /user In addition to displaying the user name, the command can also display SID.

Write a script that contains the following :

whoami /user >>x:\test.txt

echo %username%,%userprofile%,%homepath%,%appdata%>>x:\test.txt

Pay attention to save the path. We give it everyone read-write permission .

Then make the startup script and login script respectively .

The computer operating system of the testing machine is win10, The name is test, Use users The account name of the permission is ceshi.

The final verification is as follows ：

Boot script

whoami The display uses nt authority\system account number ,sid yes S-1-5-18

%username% yes TEST$ ,—— Add $ Symbol

%userprofile% yes C:\Windows\system32\config\systemprofile

%homepath% Display blank

%appdata% Is shown as C:\Windows\system32\config\systemprofile\AppData\Roaming

Login script

whoami The display uses domain name \ceshi,sid Namely S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXX-XXXX

%username% yes ceshi

%userprofile% yes C:\Users\ceshi

%homepath% yes \Users\ceshi

%appdata% yes C:\Users\ceshi\AppData\Roaming

obviously , The identity used by the boot script is system user , Have more than administrators Authority

The login script uses the identity and permissions of the current login user . Therefore, some login scripts that must be run by the administrator cannot be used .