Here is my setup. Win 7 64bit, completely patched with DISA Security lockdowns in place. I have an admin account 'TEST' listed in both the administrators and users groups. The cmd.exe file has both groups as full control to the file, and ownership as the administrators group.
I have a bat file that resides on the C:\. The C:\ has administrators as full control access. The BAT file itself has the same permissions and settings as the cmd.exe file.
I have gone into secpol and ensured that administrators and users are listed in the 'Logon as Batch Job' setting and nothing is shown for the 'Deny Logon as Batch Job' setting.
So here is the problem... when the computer starts up, this BAT file is to run to map some network drives for me. When I log in locally to the machine as the TEST account, the BAT file says 'Access is Denied'. Once I am in, if I right-click and choose 'Run As Administrator' and retype my credentials, then it maps the drives. So I created a standard user account 'STUser' and logged in locally and of course the BAT file does not run; I need to 'Run As Admin' and use the TEST credentials.
I need this BAT file to run at startup for all users without elevation being required. Is there a Security Setting somewhere on this machine or reg entry I need to modify to enable this? I would just handle the DISA lockdown; however, I am not the one who applies it. I am just the one who has to figure out how to make this work and what settings I need to modify to do so. I know that some Firewall entries were made in the registry at HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall but I don't want to play around in something I am unsure of. I also cannot check if the Firewall is on because Windows Firewall under Control Panel is blank.
Any guidance would be great, good sirs!