Page 1 of 2
#205663 - 2012-09-03 04:41 AM Is there a Kixtart FAQ on running part of script with elevated privileges
Robdutoit Offline
Hey THIS is FUN

Registered: 2012-03-27
Posts: 363
Loc: London, England
In line with improving my networks, I have gone down the route of not making domain users a member of the local administrators group on the pc the employee logs onto.
I have modified the kixtart script to use the hkey-local-machine registry setting and have this running in the startup script for any settings that are not being applied because domain users don't have local admin rights.
All well and good, however, I have a couple of registry settings that need to be applied per user, not per computer and I cannot apply the settings unless they are local admins on their pc.
There are many different suggestions out there with regards to how to run the script with elevated privileges, but some such as runas or SU are quite dated and also not very secure.
I have looked on the kixtart forum in best practices etc to see what is the recommended way of running scripts with elevated privileges. I don't need the entire script to run elevated. I think there are only 8 settings that need to be applied per user.

It might also be interesting to see if there are any best practices guides with regards to running things in the startup script or using the runonce setting in the registry (obviously that would run in the context of the logged on user, which would presumably be the administrator).

In short, can someone point me to where the best practice for running a script as admin is, as the only one that looked relevant was the scriptlogic one where all the links no longer work unfortunately. Thank you.

#205666 - 2012-09-03 10:42 AM Re: Is there a Kixtart FAQ on running part of script with elevated privileges [Re: Robdutoit]
Arend_ Moderator Offline
MM club member

Registered: 2005-01-17
Posts: 1895
Loc: Hilversum, The Netherlands
HKEY_CURRENT_USER settings do not need elevated privileges.
I use Startup scripts for HKLM, and Logon scripts for HKCU, and this works fine.
None of my users have Local Administrator rights.
Keep in mind, the Startup scripts run with the Local System Account, so you can not do per-user settings there. The Logon scripts run in the Logged on User context.

#205667 - 2012-09-04 07:42 PM Re: Is there a Kixtart FAQ on running part of script with elevated privileges [Re: Arend_]
Robdutoit Offline
Hey THIS is FUN

Registered: 2012-03-27
Posts: 363
Loc: London, England
"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoDrives", "04008000", "REG_BINARY"

You need to be an admin to create anything under the Policies key!

The above setting for example hides drive c: and drive X: from certain user groups. I only want this to apply to certain groups. Works fine if a local admin, but won't work as standard user because standard users on windows 7 cannot create subkeys under the policies key. Hence the question.

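An added example, written for this edit and not code from the thread or from KiXtart, that works out the NoDrives value quoted in the post above. Explorer reads NoDrives as a 32-bit little-endian bitmask with one bit per drive letter (A at bit 0), so the bytes 04 00 80 00 are bits 2 and 23, i.e. C: and X:, which is exactly what the post says the value hides. The function and constant names are my own; the WriteValue() line it produces uses the key, value name and REG_BINARY type from the post.

```python
# Added example (not from the thread): encode and decode the Explorer
# "NoDrives" REG_BINARY value. Each drive letter A..Z is one bit of a
# 32-bit mask (A = bit 0, B = bit 1, ... Z = bit 25); the mask is stored
# little-endian, which is why C and X appear as the bytes 04 00 80 00.
import string

# Key and value name as given in the post.
REG_PATH = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
VALUE_NAME = "NoDrives"


def drive_bit(letter: str) -> int:
    """Bit position for a drive letter; rejects anything outside A..Z."""
    letter = letter.upper()
    if len(letter) != 1 or letter not in string.ascii_uppercase:
        raise ValueError(f"not a drive letter: {letter!r}")
    return ord(letter) - ord("A")


def nodrives_mask(letters) -> int:
    """Combine drive letters into the 32-bit NoDrives bitmask."""
    mask = 0
    for letter in letters:
        mask |= 1 << drive_bit(letter)
    return mask


def encode_nodrives(letters) -> str:
    """Hex string of the REG_BINARY data as regedit and KiXtart show it
    (the mask as a little-endian DWORD)."""
    return nodrives_mask(letters).to_bytes(4, "little").hex()


def decode_nodrives(hex_value: str) -> list:
    """Reverse direction: which drives does an existing NoDrives value hide?
    Useful when auditing a hive for policy values a user should not have."""
    raw = bytes.fromhex(hex_value)
    if len(raw) != 4:
        raise ValueError("NoDrives must be a 4-byte REG_BINARY value")
    mask = int.from_bytes(raw, "little")
    return [l for l in string.ascii_uppercase if mask & (1 << drive_bit(l))]


def kix_writevalue_line(letters) -> str:
    """The KiXtart WriteValue() call a logon script would use for these drives."""
    return (f'WriteValue("{REG_PATH}", "{VALUE_NAME}", '
            f'"{encode_nodrives(letters)}", "REG_BINARY")')


if __name__ == "__main__":
    print(encode_nodrives("CX"))        # 04008000, the value from the post
    print(decode_nodrives("04008000"))  # ['C', 'X']
    print(kix_writevalue_line("CX"))
```

The decoder is the half a defender actually uses: run it over the NoDrives values found in HKU\<SID>\...\Policies\Explorer and you can see per user which drives are hidden and whether the value matches what the logon script was supposed to set.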
#205668 - 2012-09-04 08:02 PM Re: Is there a Kixtart FAQ on running part of script with elevated privileges [Re: Robdutoit]
ShaneEP Moderator Offline
MM club member

Registered: 2002-11-29
Posts: 2125
Loc: Tulsa, OK
There's no simple way around it. Normal users are locked out of those keys for a reason.

I know some of the other users on here have created systems that use scheduled tasks and what not to run administrative tasks such as registry entries and software installs on an as needed basis. I myself used the easier (lazier) route in the past. I used sanur.exe to pipe the admin user/pw to the install script and just tokenized the calling scripts to make it harder for prying eyes. But even this is not considered secure, and I'm not sure I would do it that way today.

I have not interacted with active directory in many years, but aren't there GPOs that can be set for stuff like this so that it doesn't have to be done via login script?

#205669 - 2012-09-04 08:08 PM Re: Is there a Kixtart FAQ on running part of script with elevated privileges [Re: ShaneEP]
ShaneEP Moderator Offline
MM club member

Registered: 2002-11-29
Posts: 2125
Loc: Tulsa, OK
Perhaps these instructions can be of assistance.

http://superuser.com/questions/238235/how-to-hide-drive-for-specific-users-in-windows-7

#205670 - 2012-09-04 08:41 PM Re: Is there a Kixtart FAQ on running part of script with elevated privileges [Re: ShaneEP]
Robdutoit Offline
Hey THIS is FUN

Registered: 2012-03-27
Posts: 363
Loc: London, England
Yes, you can do it via group policies. The reason that I don't use group policies is so that I can take one script that does everything that group policy could do and use it at different clients, and all I have to do is modify txt files to add the printers etc. It actually saves time! Secondly, group policy actually increases the login time over using KiXtart scripts! KiXtart scripts are faster than GPOs.
I will see if I can create those 8 policies using another key where the user has permission.
Thanks

#205671 - 2012-09-05 04:43 PM Re: Is there a Kixtart FAQ on running part of script with elevated privileges [Re: Robdutoit]
Lonkero Administrator Offline
KiX Master Guru

Registered: 2001-06-05
Posts: 22346
Loc: OK
What kind of settings do you need per user?
I know some applications have insane behavior, but sometimes you can work around it by using environment variables in the registry.

Say, username, for instance: instead of using the actual name, try %username%

Given, it doesn't always work, but I also don't know what kind of issues you are actually facing either ;)
_________________________

download KiXnet

#205672 - 2012-09-06 10:49 AM Re: Is there a Kixtart FAQ on running part of script with elevated privileges [Re: Lonkero]
NTDOC Administrator Offline
Administrator

Registered: 2000-07-28
Posts: 11624
Loc: CA
You should be using GPO for this. There are other methods but they are not as secure.

http://technet.microsoft.com/en-us/library/ee390958.aspx

http://www.chicagotech.net/netforums/viewtopic.php?t=447

You can also search the board for Runnas (notice there are 2 n's), written by one of the old-time Moderators here named Shawn Tassie (this is not the recommended way though; using GPO is the recommended and appropriate way).

Good luck

#205681 - 2012-09-07 02:45 PM Re: Is there a Kixtart FAQ on running part of script with elevated privileges [Re: NTDOC]
Glenn Barnas Administrator Offline
KiX Supporter

Registered: 2003-01-28
Posts: 4396
Loc: New Jersey
I have a Kix app that runs as a service on my file server. The login script uses a set of APIs to return the result of a user query to this file server. Since the user has READ rights, they can detect if the required settings are present, and if not, submit a request.

If the user submits a request, the server pushes a bat file out to the client and uses the task schedule to immediately execute it with the desired credentials. The updates complete within 20-30 seconds of the login process.

When updating HKCU entries that are secured (as above), the detection returns the user ID so the correct HKU key can be updated by the task.

I push a BAT file because it runs everywhere; it can make use of network-based locations that contain more sophisticated scripts to do the actual work. Plus, it's much faster to push a 1-2 line BAT file than a copy of Kix and a large script.

I've deployed this at several clients to aid in desktop management, particularly when a policy could not be applied without complex filtering. The advantage of this is that credentials are never exposed, and the user session never runs an elevated context command.

Glenn
_________________________
Actually I am a Rocket Scientist! :D

#205692 - 2012-09-08 08:32 AM Re: Is there a Kixtart FAQ on running part of script with elevated privileges [Re: Glenn Barnas]
NTDOC Administrator Offline
Administrator

Registered: 2000-07-28
Posts: 11624
Loc: CA
I may have to take a look at your script myself Glenn as some basic testing I performed a while back would not modify restricted HKCU keys of a limited user.

I'm not a big fan of GPO control-freak admins myself, but for the advanced admin there is just about nothing a GPO can't be made to do, and it should be able to be used on other Domains as well. One of the International Domains from my old company ran a ton of customized GPO stuff that was not built-in, and it works well, but I hate the long logon process when you would log onto their Domain - for me it was overkill.

I'll try to stop by your site next week if it's available to the public. Don't see you on IM anymore these days. Hope all is going well for you.

#205696 - 2012-09-08 05:15 PM Re: Is there a Kixtart FAQ on running part of script with elevated privileges [Re: NTDOC]
Robdutoit Offline
Hey THIS is FUN

Registered: 2012-03-27
Posts: 363
Loc: London, England
Yes NTDoc, this is one of the reasons why I don't like GPOs - the long login time.
Glenn Barnas, you probably get this a lot, but you are brilliant. That is a very good idea. I will test your idea out and see if I can get this to work. You have also solved another problem for me simultaneously with this solution.

Is there any reason why you don't run the scheduled task directly from the logon script? I am assuming that the scheduled tasks are created locally on each computer?

I will get back to you with my hopefully successful results!

#205699 - 2012-09-08 09:19 PM Re: Is there a Kixtart FAQ on running part of script with elevated privileges [Re: Robdutoit]
Glenn Barnas Administrator Offline
KiX Supporter

Registered: 2003-01-28
Posts: 4396
Loc: New Jersey
If you run the task from the login script, you potentially expose the admin credentials to the users, since the script / config file is readable to all users from the netlogon share. My tools send a request to the server. Only the server knows the admin credentials associated with the desired task, and the file that holds the task/credential data is restricted to Administrators only.

I can brush the dust off of the script and make sure there's sufficient docs if you or Doc want to give it a whirl. Basically, you
  • Extract the server tool to a file server
  • Configure an INI file to define the task - NAME, BAT file, User Credentials, Drop Folder, and such
  • You write a Kix script to detect a specific condition and call it from your login script. The script uses the APIs - a set of Kix UDFs - to communicate with the server.
  • When the server receives the file from the client, it immediately performs the command(s) associated with the task. This allows a single script to report multiple conditions and initiate multiple admin-level commands.
This is software that we sell to our clients through implementation. I'm offering you and Doc a copy if you are interested. Your cost will be feedback - tell me what can be improved in the API, User Guide, etc. I've been considering making this an add-on to our Universal Login Script.

PM me with your email address and I'll send the ZIP package once I clean it up a bit.

Glenn
_________________________
Actually I am a Rocket Scientist! :D

#205767 - 2012-09-16 05:02 PM Re: Is there a Kixtart FAQ on running part of script with elevated privileges [Re: Glenn Barnas]
Robdutoit Offline
Hey THIS is FUN

Registered: 2012-03-27
Posts: 363
Loc: London, England
HELP!! To Glenn, I decided to see if I could get it to work myself, as I wanted a setup that didn't require anything to be installed on the server and running as a service. I am happy to say that I managed to get 99% of the way there.
What I have done is the following:

I have created a batch file and put this in the netlogon folder on the server
 Code:
REM policy.bat - runs the per-user policy script from the netlogon share with kix32.exe.
REM Append the share to PATH instead of replacing PATH, so the system directories
REM (and anything else the policy script shells out to) stay resolvable.
PATH %PATH%;\\%userdnsdomain%\netlogon\policies

\\%userdnsdomain%\netlogon\policies\kix32.exe policies.kix


As you can see it simply calls the policies.kix script running it with kix32.exe

I then copied the bat file from the netlogon directory to every computer in the domain using this code in my startup script:

 Code:
;===============================================================
;Copies the Policy Scripts to the local computer so that they can run
;===============================================================

Filexist("\\" + $MyDomain + "\netlogon\policies\", "c:\profiles\policies\", "policy.bat", "Kixtart executable")

I then created a task in Windows 7 which called the bat file locally and configured it to run as one of the domain admin accounts. It doesn't work with SYSTEM because SYSTEM cannot access network resources. I told the task to run whenever a user logs on - yes, I know, not the most elegant solution, but I discovered that standard users are unable to run tasks.

I exported the dear little task onto the server in the netlogon folder, and in my startup script I created code to copy the task to each computer in the domain:

 Code:
;============================================================================================================================================
; This requires Admin Privileges - copies the Policy Task so that standard users can run the Policy Script
;============================================================================================================================================

; The task is registered as \Microsoft\Windows\Policies\RMDPolicy, so the existence
; check must look for that same name, otherwise the task is re-created on every boot.
If Exist("%windir%\system32\tasks\microsoft\windows\policies\RMDPolicy") = 0
  ? "Setting Policies "
  ; /XML imports the task definition exported from the working machine and kept on the netlogon share
  $ShellCMD = "schtasks.exe /create /RU SYSTEM /TN \Microsoft\Windows\Policies\RMDPolicy /XML " + "\\" + $MyDomain + "\netlogon\patches\Policy.xml"
  Shell $ShellCMD
Else
  ? "Policies already scheduled "
EndIf


NOW:

If I login as the domain admin account that the scheduled task runs as, everything works beautifully; however, even if I login as another domain admin account, the script is not being applied - the reason being that the script is running in the user context of the scheduled task, not the logged-on user, which means it's not saving to the hkey_current_user area.

I have searched on the Internet to find out exactly how one uses the @userid variable to update the correct HKCU area. I admit defeat on this point. I cannot work out how to make the script write to the HKCU area of the logged on user and not the user context of the scheduled task user!

I am quite happy to have a look at your program Glenn - more to review it for you as I found everyone on this forum quite helpful, but I feel for my needs, the program would be overkill as I only want to modify about 8 policy subkeys in the HKCU area for standard users.

When I have time to review your program, I will let you know. It's probably going to be around November when I will have time to have a look at it.

In the meantime, if anyone can tell me how to make the script write to the correct Hkey_current_user location, I would be very grateful. The script works perfectly writing to Hkey_Local_machine, just not the current user.

And there you go, you have the procedure to enable your scripts to run admin settings under a standard user account. Providing we can work out how to write to logged on current user keys!
Cheers, Rob

#205768 - 2012-09-16 05:10 PM Re: Is there a Kixtart FAQ on running part of script with elevated privileges [Re: Robdutoit]
Les Offline
KiX Master

Registered: 2001-06-11
Posts: 12734
Loc: fortfrances.on.ca
 Originally Posted By: Robdutoit
NOW:

If I login as the domain admin account that the scheduled task runs as, everything works beautifully, however even if I login as another domain admin account, the script is not being applied - the reason being - the script is running in the user context of the scheduled task not the logged on user which means its not saving to the hkey_current_users area.
HKCU is a smoke-and-mirrors view of HKU\SID. You cannot run the sched task as the user (to use HKCU) as the user hasn't the rights. You need to map the reg to HKU\SID instead.
_________________________
Give a man a fish and he will be back for more. Slap him with a fish and he will go away forever.

#205771 - 2012-09-17 10:31 AM Re: Is there a Kixtart FAQ on running part of script with elevated privileges [Re: Les]
Robdutoit Offline
Hey THIS is FUN

Registered: 2012-03-27
Posts: 363
Loc: London, England
Hi Les, yes, I am aware that HKCU doesn't actually exist and that it's merely a reflection of the HKU area. You misunderstood me - I don't want to run the sched task as the user, because that defeats the whole point of running it as a scheduled task, i.e. to elevate the privileges in order to have the right to write to the registry keys required. Perhaps a better way to rephrase it would be to say that I want to run the scheduled task as the domain admin account, but tell the script to write to the logged-on user's area of the registry and not the scheduled task user's. I did look into how to write to the HKU\SID area and ran into a stumbling block in that I can't see how to tell the script which SID to write to, as obviously this will change with each user and no doubt each computer!

I don't recall that I have ever asked for a fish, but I like your way of thinking, lol!

#205772 - 2012-09-17 02:37 PM Re: Is there a Kixtart FAQ on running part of script with elevated privileges [Re: Robdutoit]
Robdutoit Offline
Hey THIS is FUN

Registered: 2012-03-27
Posts: 363
Loc: London, England
A free chocolate will be awarded to anyone who can solve my HKCU problem :)
#205773 - 2012-09-17 03:13 PM Re: Is there a Kixtart FAQ on running part of script with elevated privileges [Re: Robdutoit]
Les Offline
KiX Master

Registered: 2001-06-11
Posts: 12734
Loc: fortfrances.on.ca
I may have stated the obvious but only because you seem to have overlooked it. The hint between the lines is that you need to get the SID of the user in order to write to HKU\SID...

 Originally Posted By: Robdutoit
A free chocolate will be awarded to anyone who can solve my HKCU problem :)

Then you owe Glenn some chocolate cuz he solved it for you. I'm sure he has the bits to get the SID.

 Originally Posted By: Glenn Barnas

When updating HKCU entries that are secured (as above), the detection returns the user ID so the correct HKU key can be updated by the task.
_________________________
Give a man a fish and he will be back for more. Slap him with a fish and he will go away forever.

#205776 - 2012-09-18 01:39 AM Re: Is there a Kixtart FAQ on running part of script with elevated privileges [Re: Les]
Robdutoit Offline
Hey THIS is FUN

Registered: 2012-03-27
Posts: 363
Loc: London, England
Just to save people time, I think that I have come up with a solution that actually works!
So I don't, at this point, need anyone to spend time trying to answer the question. Consider the question closed for the moment.

I have managed to get a standard user to run the scheduled task, so I will not be running the scheduled task on login, as I discovered that there was no way to prevent the settings being applied to the admin account, as you need to be a member of the admins account to run the script!

I managed to find a solution to the SID problem, unbelievably, in a macro called @SID - how ironic. However, I now need to write into the script that the logged-on user must write their SID number to a file, and then the scheduled task must read the SID number from the file and execute the script accordingly using the correct SID. Unfortunately, if I use the @SID variable in the policy script it returns the SID of the scheduled task user and not the logged-on user.

I will immediately go out and buy Glenn some chocolate, Les, as he has set me on the right track. It's been a bloody nightmare getting the scheduled tasks working properly in Windows 7, but it's a brilliant way to run a script with elevated privileges without ever revealing the admin credentials. So I am very pleased with Glenn's solution. While I am out buying that chocolate, I just may buy some hard liquor as well. After spending the entire day messing around with scheduled tasks, I need it!

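An added example, not from the thread, of the input handling the elevated task should do when it picks up the SID that the logged-on user wrote to a file, as described in the post above. The file is written by a standard user, so the admin-context task must treat its contents as untrusted: accept exactly one well-formed account SID, refuse well-known SIDs such as SYSTEM, and only then rewrite the HKCU key path to HKEY_USERS\<SID>\... as Les describes. The drop-file path, the sample SID and the helper names are assumptions; the code is mine, not Rob's or Glenn's. The hive check uses winreg only on Windows and reports False elsewhere, so the rest runs anywhere.

```python
# Added example (not from the thread): validation for the SID hand-off
# between a standard user's logon script and an admin-context scheduled task.
import re
import sys

# Assumed drop-file location (the thread does not name one). The logon
# script, running as the standard user, writes @SID here; the task reads it.
DROP_FILE = r"C:\profiles\policies\requester.sid"

# Only domain or local account SIDs (S-1-5-21-<domain>-<rid>) are acceptable
# targets; this also rules out well-known SIDs such as SYSTEM (S-1-5-18).
ACCOUNT_SID = re.compile(r"^S-1-5-21-\d{1,10}-\d{1,10}-\d{1,10}-\d{1,10}$")


def parse_sid_request(text: str) -> str:
    """Return the single SID found in drop-file content, or raise ValueError.

    The file is written by an unprivileged user, so anything other than one
    well-formed account SID is rejected before the elevated task acts on it.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) != 1:
        raise ValueError("drop file must contain exactly one SID")
    sid = lines[0]
    if not ACCOUNT_SID.match(sid):
        raise ValueError(f"not an account SID: {sid!r}")
    return sid


def hkcu_to_hku(key_path: str, sid: str) -> str:
    """Rewrite HKEY_CURRENT_USER\\... to HKEY_USERS\\<SID>\\... for that user.

    HKCU is only a view of HKU\\<SID> for the process's own account, so a task
    running as an admin account must address the logged-on user's hive by SID.
    """
    if not ACCOUNT_SID.match(sid):
        raise ValueError("refusing to build a path from an unvalidated SID")
    root, sep, rest = key_path.partition("\\")
    if root.upper() not in ("HKEY_CURRENT_USER", "HKCU") or not rest:
        raise ValueError("expected a key path under HKEY_CURRENT_USER")
    return f"HKEY_USERS\\{sid}\\{rest}"


def hive_loaded(sid: str) -> bool:
    """True when HKU\\<SID> is present, i.e. that user's profile is loaded.

    A user who is not logged on has no hive under HKU, so a write there would
    fail. Windows-only; returns False on other platforms.
    """
    if sys.platform != "win32":
        return False
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_USERS, sid):
            return True
    except OSError:
        return False


def plan_write(drop_text: str, hkcu_key: str, value_name: str, data_hex: str) -> dict:
    """Assemble the validated target key and REG_BINARY data for the task."""
    sid = parse_sid_request(drop_text)
    return {
        "sid": sid,
        "key": hkcu_to_hku(hkcu_key, sid),
        "value": value_name,
        "data": bytes.fromhex(data_hex),
    }


if __name__ == "__main__":
    # Constructed sample: what the logon script would have written to DROP_FILE.
    sample = "S-1-5-21-1004336348-1177238915-682003330-1104\n"
    plan = plan_write(
        sample,
        r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer",
        "NoDrives",
        "04008000",
    )
    print(plan["key"])
    print("hive loaded:", hive_loaded(plan["sid"]))
```

The returned key is what the task then hands to its registry write (KiXtart WriteValue(), reg.exe or winreg, all of which accept an HKEY_USERS\<SID>\... path). Because the drop file only tells the task *which* hive to touch and the task only ever writes the fixed policy values, a tampered file cannot make it write anything other than those values; a stricter design has the task derive the SID of the interactive session itself rather than reading it from a file at all.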
#205777 - 2012-09-18 03:18 AM Re: Is there a Kixtart FAQ on running part of script with elevated privileges [Re: Robdutoit]
Les Offline
KiX Master

Registered: 2001-06-11
Posts: 12734
Loc: fortfrances.on.ca
 Originally Posted By: Robdutoit
I managed to find a solution to the SID problem, unbelievably, in a macro called @SID - how ironic. However, I now need to write into the script that the logged-on user must write their SID number to a file, and then the scheduled task must read the SID number from the file and execute the script accordingly using the correct SID. Unfortunately, if I use the @SID variable in the policy script it returns the SID of the scheduled task user and not the logged-on user.

Ja, well... I did write the GetSID() UDF to get the SID of another user but then Jooel put my UDF to shame with his.

http://www.kixtart.org/forums/ubbthreads.php?ubb=showflat&Number=83064
http://www.kixtart.org/forums/ubbthreads.php?ubb=showflat&Number=84323
http://www.kixtart.org/forums/ubbthreads.php?ubb=showflat&Number=175771
_________________________
Give a man a fish and he will be back for more. Slap him with a fish and he will go away forever.

#205779 - 2012-09-18 03:12 PM Re: Is there a Kixtart FAQ on running part of script with elevated privileges [Re: Les]
Glenn Barnas Administrator Offline
KiX Supporter

Registered: 2003-01-28
Posts: 4396
Loc: New Jersey
Funny - I was going to point you to the @SID macro yesterday but got involved with another issue and came back just now to discover you found it... ;)

With our tool, many standard objects about the computer and current user are returned automagically, so only a few key parameters need to be extracted by your code and added to the parameter list. When the admin task runs, it has the computer name, user name, SID, and other values discovered by the user logging in, eliminating some of the issues you encountered.

You should also look at the tcLib UDF library on my web site. There are two versions - V2 uses JT.EXE from the resource kit, while V3 uses SchTasks.exe. V2 is for use on XP/W2K3 and earlier systems, while V3 is for Vista and higher. Both libraries are syntax-identical and can manipulate tasks on any target platform. It provides a standard interface to create, modify, run/terminate, and query Scheduled Tasks on any Windows platform without needing to create cumbersome command lines or complex TSK or XML files.

This library is what makes the server based solution so powerful - just 4 lines of code to init, define, save, and then run a task on a remote system with any desired account. The task deletes itself when done, resulting in a very clean solution.
_________________________
Actually I am a Rocket Scientist! :D
