#205669 - 2012-09-04 08:08 PM
Re: Is there a Kixtart FAQ on running part of script with elevated privileges
[Re: ShaneEP]
ShaneEP
MM club member
Registered: 2002-11-29
Posts: 2125
Loc: Tulsa, OK
#205672 - 2012-09-06 10:49 AM
Re: Is there a Kixtart FAQ on running part of script with elevated privileges
[Re: Lonkero]
NTDOC
Administrator
Registered: 2000-07-28
Posts: 11624
Loc: CA
You should be using GPO for this. There are other methods but they are not as secure.
http://technet.microsoft.com/en-us/library/ee390958.aspx
http://www.chicagotech.net/netforums/viewtopic.php?t=447
You can also search the board for Runnas (notice there are 2 n's) written by one of the old time Moderators here named Shawn Tassie (this is not the recommended way though, using GPO is the recommended and appropriate way)
Good luck
#205699 - 2012-09-08 09:19 PM
Re: Is there a Kixtart FAQ on running part of script with elevated privileges
[Re: Robdutoit]
Glenn Barnas
KiX Supporter
Registered: 2003-01-28
Posts: 4396
Loc: New Jersey
If you run the task from the login script, you potentially expose the admin credentials to the users, since the script / config file is readable to all users from the netlogon share. My tools send a request to the server. Only the server knows the admin credentials associated with the desired task, and the file that holds the task/credential data is restricted to Administrators only.
I can brush the dust off of the script and make sure there's sufficient docs if you or Doc want to give it a whirl. Basically, you:
- Extract the server tool to a file server
- Configure an INI file to define the task - NAME, BAT file, User Credentials, Drop Folder, and such
- Write a Kix script to detect a specific condition and call it from your login script. The script uses the APIs - a set of Kix UDFs - to communicate with the server.
- When the server receives the file from the client, it immediately performs the command(s) associated with the task. This allows a single script to report multiple conditions and initiate multiple admin-level commands.
This is software that we sell to our clients through implementation. I'm offering you and Doc a copy if you are interested. Your cost will be feedback - tell me what can be improved in the API, User Guide, etc. I've been considering making this an add-on to our Universal Login Script.
PM me with your email address and I'll send the ZIP package once I clean it up a bit.
Glenn
_________________________
Actually I am a Rocket Scientist!
#205767 - 2012-09-16 05:02 PM
Re: Is there a Kixtart FAQ on running part of script with elevated privileges
[Re: Glenn Barnas]
Robdutoit
Hey THIS is FUN
Registered: 2012-03-27
Posts: 363
Loc: London, England
HELP !! To Glenn, I decided to see if I could get it to work myself as I wanted a setup that didn't require anything to be installed on the server and running as a service. I am happy to say that I managed to get 99% of the way there. What I have done is the following:
I have created a batch file and put this in the netlogon folder on the server:
rem policy.bat - runs policies.kix with the kix32.exe kept in the netlogon\policies share
PATH \\%userdnsdomain%\netlogon\policies
\\%userdnsdomain%\netlogon\policies\kix32.exe policies.kix
As you can see, it simply calls the policies.kix script, running it with kix32.exe.
I then copied the bat file from the netlogon directory to every computer in the domain using this code in my startup script:
;===============================================================
;Copies the Policy Scripts to the local computer so that can run
;===============================================================
Filexist("\\" + $MyDomain + "\netlogon\policies\", "c:\profiles\policies\", "policy.bat", "Kixtart executable")
I then created a task in Windows 7 which called the bat file locally and configured it to run as one of the domain admin accounts. It doesn't work with SYSTEM because SYSTEM cannot access network resources. I told the task to run whenever a user logs on - yes, I know, not the most elegant solution, but I discovered that standard users are unable to run tasks.
I exported the dear little task onto the server in the netlogon folder, and in my startup script I created code to copy the task to each computer in the domain:
;============================================================================================================================================
; This requires Admin Privileges. Copies the Task for the Policy Task so that standard users can run the Policy Script
;============================================================================================================================================
; The file that Task Scheduler writes under system32\tasks is named after the /TN task name (RMDPolicy),
; so the Exist() test has to use that name or the task is re-created at every start-up.
If Exist("%windir%\system32\tasks\Microsoft\Windows\Policies\RMDPolicy") = 0
    ? "Setting Policies "
    ; /XML imports the exported task definition; /RU (and /RP) override the principal stored in the XML
    $ShellCMD = "schtasks.exe /create /RU SYSTEM /TN \Microsoft\Windows\Policies\RMDPolicy /XML \\" + $MyDomain + "\netlogon\patches\Policy.xml"
    Shell $ShellCMD
Else
    ? "Policies already scheduled "
EndIf
NOW:
If I log in as the domain admin account that the scheduled task runs as, everything works beautifully; however, even if I log in as another domain admin account, the script is not being applied - the reason being that the script is running in the user context of the scheduled task, not the logged-on user, which means it's not saving to the HKEY_CURRENT_USER area.
I have searched on the Internet to find out exactly how one uses the @userid variable to update the correct HKCU area. I admit defeat on this point. I cannot work out how to make the script write to the HKCU area of the logged-on user and not the user context of the scheduled task user!
I am quite happy to have a look at your program, Glenn - more to review it for you, as I found everyone on this forum quite helpful, but I feel that for my needs the program would be overkill, as I only want to modify about 8 policy subkeys in the HKCU area for standard users.
When I have time to review your program, I will let you know. It's probably going to be around November when I will have time to have a look at it.
In the meantime, if anyone can tell me how to make the script write to the correct HKEY_CURRENT_USER location, I would be very grateful. The script works perfectly writing to HKEY_LOCAL_MACHINE, just not the current user.
And there you go, you have the procedure to enable your scripts to run admin settings under a standard user account, providing we can work out how to write to the logged-on current user's keys! Cheers, Rob
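The HKCU problem in the post above is a property of the registry, not of the script: HKEY_CURRENT_USER is an alias for HKEY_USERS\&lt;SID of the account running the process&gt;, so a task running as a domain admin always lands in the admin's hive. The way round it is to resolve the SID of the interactively logged-on user and write under HKEY_USERS\&lt;that SID&gt; directly. The block below is an added PowerShell example written for this page, not Rob's KiXtart script; the policy subkey Software\Policies\Example and the value name ExampleSetting are placeholders, and it assumes the task fires after the user's hive is loaded.

```powershell
# Added example: write per-user policy values for the console user from a task
# that runs under a different account. HKCU in the task is the task account's
# hive, so the target is addressed as HKEY_USERS\<SID of the logged-on user>.
# Software\Policies\Example and ExampleSetting are placeholders, not from the thread.

function Get-ConsoleUserSid {
    # Win32_ComputerSystem.UserName is the user logged on at the console as
    # DOMAIN\user; it is empty when nobody is logged on interactively.
    $name = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName
    if ([string]::IsNullOrEmpty($name)) {
        throw 'No interactive user is logged on at the console.'
    }
    $account = New-Object System.Security.Principal.NTAccount($name)
    $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
    return $sid.Value
}

function Set-UserPolicyValues {
    param(
        [Parameter(Mandatory)][string]$Sid,
        [Parameter(Mandatory)][hashtable]$Values,      # name -> DWORD value
        [string]$SubKey = 'Software\Policies\Example'   # placeholder key path
    )
    # PowerShell has no HKU: drive by default; map HKEY_USERS once.
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    $hive = "HKU:\$Sid"
    # A user's hive is only mounted while that user is logged on. A task that
    # fires before the profile loads, or after logoff, must fail loudly rather
    # than silently creating keys somewhere else.
    if (-not (Test-Path -Path $hive)) {
        throw "Hive for $Sid is not loaded; that user is not logged on."
    }
    $key = "$hive\$SubKey"
    if (-not (Test-Path -Path $key)) {
        New-Item -Path $key -Force | Out-Null   # -Force creates missing parents
    }
    foreach ($valueName in $Values.Keys) {
        Set-ItemProperty -Path $key -Name $valueName -Value $Values[$valueName] -Type DWord
    }
    return $key
}

# Usage from the scheduled task (runs as the task account, writes to the user's hive):
$sid = Get-ConsoleUserSid
$key = Set-UserPolicyValues -Sid $sid -Values @{ ExampleSetting = 1 }
Write-Host "Wrote policy values for $sid under $key"
```

The same mapping works from KiXtart: whatever supplies the logged-on user's SID (a value the login script records, or a macro evaluated in the user's own context), the write goes to HKEY_USERS\&lt;SID&gt;\... rather than HKEY_CURRENT_USER\.... Note that a task triggered "at logon" for any user can race the profile load, which is why the hive check above is a hard failure and not a warning.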
#205772 - 2012-09-17 02:37 PM
Re: Is there a Kixtart FAQ on running part of script with elevated privileges
[Re: Robdutoit]
Robdutoit
Hey THIS is FUN
Registered: 2012-03-27
Posts: 363
Loc: London, England
A free chocolate will be awarded to anyone who can solve my HKCU problem
#205779 - 2012-09-18 03:12 PM
Re: Is there a Kixtart FAQ on running part of script with elevated privileges
[Re: Les]
Glenn Barnas
KiX Supporter
Registered: 2003-01-28
Posts: 4396
Loc: New Jersey
Funny - I was going to point you to the @SID macro yesterday but got involved with another issue and came back just now to discover you found it..
With our tool, many standard objects about the computer and current user are returned automagically, so only a few key parameters need to be extracted by your code and added to the parameter list. When the admin task runs, it has the computer name, user name, SID, and other values discovered by the user logging in, eliminating some of the issues you encountered.
You should also look at the tcLib UDF library on my web site. There are two versions - V2 uses JT.EXE from the resource kit, while V3 uses SchTasks.exe. V2 is for use on XP/W2K3 and earlier systems, while V3 is for Vista and higher. Both libraries are syntax-identical and can manipulate tasks on any target platform. It provides a standard interface to create, modify, run/terminate, and query Scheduled Tasks on any Windows platform without needing to create cumbersome command lines or complex TSK or XML files.
This library is what makes the server based solution so powerful - just 4 lines of code to init, define, save, and then run a task on a remote system with any desired account. The task deletes itself when done, resulting in a very clean solution.
_________________________
Actually I am a Rocket Scientist!
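Glenn's post describes the pattern his tool is built on: define a one-shot task that runs a script under a chosen account, start it, and let it delete itself. The block below is an added PowerShell example written for this page using the built-in ScheduledTasks module (Windows 8 / Server 2012 and later); it is not tcLib and does not show Glenn's API. It also adds the check that the thread's approach of running a locally copied policy.bat under a domain admin account needs: the task must refuse any script, or script directory, that non-administrators can modify, since whoever can edit that file runs as the task account. The account EXAMPLE\svc-policy, the path C:\ProgramData\Example\policy.ps1 and the task path \Example\ are placeholders.

```powershell
# Added example: create, run and auto-delete a one-shot task that executes a
# script under a given account (ScheduledTasks module, Windows 8/2012+).
# Not Glenn's tcLib. Account, paths and task names below are placeholders.

function Test-AdminOnlyWritable {
    # Returns $false if any low-privilege principal holds a write-capable
    # Allow ACE on $Path. A script the task account executes must not be
    # modifiable by the users it is meant to constrain.
    param([Parameter(Mandatory)][string]$Path)
    $lowPriv = @('NT AUTHORITY\Authenticated Users', 'BUILTIN\Users',
                 'Everyone', 'NT AUTHORITY\INTERACTIVE')
    $writeBits = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, Delete, ChangePermissions, TakeOwnership'
    # Generic rights (GENERIC_ALL / GENERIC_WRITE) can appear in inherited ACEs
    # and are not enum members, so they are OR-ed into the mask as raw bits.
    $mask = [int]$writeBits -bor 0x10000000 -bor 0x40000000
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPriv -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $mask) -ne 0) { return $false }
    }
    return $true
}

function New-OneShotTask {
    param(
        [Parameter(Mandatory)][string]$TaskName,
        [Parameter(Mandatory)][string]$ScriptPath,
        [Parameter(Mandatory)][string]$RunAs,       # DOMAIN\account
        [Parameter(Mandatory)][string]$Password,
        [string]$TaskPath = '\Example\'             # placeholder folder
    )
    # Check the script and the directory that holds it: a writable directory
    # lets a user replace the file even when the file's own ACL is tight.
    foreach ($p in @($ScriptPath, (Split-Path -Parent $ScriptPath))) {
        if (-not (Test-AdminOnlyWritable -Path $p)) {
            throw "Refusing to register task: '$p' is writable by non-administrators."
        }
    }
    $action = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""
    $trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).AddSeconds(30)
    # An end boundary makes the task "expired" once its window has passed;
    # DeleteExpiredTaskAfter then has Task Scheduler remove it by itself.
    $trigger.EndBoundary = (Get-Date).AddMinutes(10).ToString('yyyy-MM-ddTHH:mm:ss')
    $settings = New-ScheduledTaskSettingsSet `
        -DeleteExpiredTaskAfter (New-TimeSpan -Minutes 1) `
        -ExecutionTimeLimit (New-TimeSpan -Minutes 5)
    # -User/-Password hands the credential to Task Scheduler's own store on the
    # target; it never has to sit in a script or INI that users can read.
    Register-ScheduledTask -TaskName $TaskName -TaskPath $TaskPath `
        -Action $action -Trigger $trigger -Settings $settings `
        -User $RunAs -Password $Password -RunLevel Highest | Out-Null
    Start-ScheduledTask -TaskName $TaskName -TaskPath $TaskPath
}

# Usage (placeholders). The password is prompted for rather than embedded.
$pw = Read-Host -Prompt 'Password for EXAMPLE\svc-policy'
New-OneShotTask -TaskName 'PolicyFixup' -ScriptPath 'C:\ProgramData\Example\policy.ps1' `
    -RunAs 'EXAMPLE\svc-policy' -Password $pw
```

Run against a remote machine by adding a -CimSession to the Register-ScheduledTask and Start-ScheduledTask calls; the ACL check then has to be done on the target's copy of the script, not the local one. The account used should be a least-privilege service account scoped to the change being made rather than a domain admin, since the credential is stored on every machine the task is registered on.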