#209630 - 2014-11-07 12:45 PM Is this a bug with readprofilestring?
Robdutoit Offline
Hey THIS is FUN
***

Registered: 2012-03-27
Posts: 363
Loc: London, England
I don't need this anymore as I will be changing to using different filtering groups based on proxy port number rather than digest authentication. However, I discovered something rather interesting with this particular line of coding.

If I log on as a pupil it will fill in the details for the username and password in the credentials manager in Windows 7. If I log on as a manager account that is also a member of the domain admins account, the script doesn't do anything while logging on. Curiously enough the script works when I run the script manually. The script is obviously running during logon because it works for the pupils and all the other code in the main script is running. I just wonder why this code does not work on logon if you are a member of the domain admins account in addition to the managers global group.

I am not worried about it as I will no longer be using this coding after December, but I just thought that I would report it as a possible bug. I am using KiXtart version 4.62.

Thanks

Code in main script

 Code:
proxyauthenticate ($servername + "\profiles$\all\software\patches\proxies\", "proxyauth.ini")


Function

 Code:
Function proxyauthenticate ($Installs, $File)
	; Groups that each have a section in the INI file
	$groups = "Pupils", "Students", "Staff", "OfficeAdmin", "Managers", "Visitors"
	$inifile = $Installs + $File

	For Each $group in $groups
		If InGroup($group)
			; Read the proxy credentials stored for this group
			$proxyuser = ReadProfileString($inifile, $group, "username")
			$proxypass = ReadProfileString($inifile, $group, "password")
			$proxyserver = ReadProfileString($inifile, $group, "proxy")
			; Save them as a generic credential with cmdkey
			$shellcmd = 'cmdkey /generic:$ProxyServer /user: $proxyuser /pass: $proxypass'
			Shell $ShellCMD
		EndIf
	Next
EndFunction

#209631 - 2014-11-07 02:03 PM Re: Is this a bug with readprofilestring? [Re: Robdutoit]
Lonkero Administrator Offline
KiX Master Guru
*****

Registered: 2001-06-05
Posts: 22346
Loc: OK
Because domain admins should never browse the internet?

On a more serious note, it's UAC.
_________________________
!

download KiXnet

#209632 - 2014-11-07 02:07 PM Re: Is this a bug with readprofilestring? [Re: Lonkero]
Lonkero Administrator Offline
KiX Master Guru
*****

Registered: 2001-06-05
Posts: 22346
Loc: OK
Oh... and why did you not use domain authentication? It should be easily doable in squid...
_________________________
!

download KiXnet

#209633 - 2014-11-07 02:08 PM Re: Is this a bug with readprofilestring? [Re: Lonkero]
Robdutoit Offline
Hey THIS is FUN
***

Registered: 2012-03-27
Posts: 363
Loc: London, England
Oh well, if that's all it is, it's not a problem, especially as I don't plan on using that coding anymore. But it was just curious as to what was causing it. I don't think the account really needs to be a domain admin, but I will check as that particular account is used to autologin after using Windows Deployment Services.

Once again Lonk to the rescue! I still need to get back to you about my database work, but once again I have had to put that on hold!

#209634 - 2014-11-07 05:12 PM Re: Is this a bug with readprofilestring? [Re: Robdutoit]
Glenn Barnas Administrator Offline
KiX Supporter
*****

Registered: 2003-01-28
Posts: 4396
Loc: New Jersey
Aaaagh! Are you using Domain Administrators to do computer administration?

Domain Admins have no business connecting to the Internet.. their only purpose is to administer the domain, as in create or modify the AD Structure and group policies. A domain account / group for Computer Admins is sufficient to manage computers if it is a member of the Administrators group on all computers. This is simplistic for small organizations, but the point is not to use a Domain Admin account for regular computer management.

Glenn
_________________________
Actually I am a Rocket Scientist! \:D

#209635 - 2014-11-07 06:36 PM Re: Is this a bug with readprofilestring? [Re: Lonkero]
Robdutoit Offline
Hey THIS is FUN
***

Registered: 2012-03-27
Posts: 363
Loc: London, England
 Originally Posted By: Lonkero
Oh... and why did you not use domain authentication? It should be easily doable in squid...


I must have posted at the same time as you. I didn't use domain authentication at the time of setting it up because I have clients with different versions of Windows servers and different client operating systems and also because of the complexity of integrating the Active Directory user accounts with the filtering system. Also it does not work with iPads, cell phones etc.

But a new feature has come out in the program that I am using where you can use different proxy port numbers for different users. Same proxy, just a different port number. So I will be moving to this as proxy authentication is a pain in the arse!

#209636 - 2014-11-07 06:43 PM Re: Is this a bug with readprofilestring? [Re: Glenn Barnas]
Robdutoit Offline
Hey THIS is FUN
***

Registered: 2012-03-27
Posts: 363
Loc: London, England
 Originally Posted By: Glenn Barnas
Aaaagh! Are you using Domain Administrators to do computer administration?

Glenn


I know I am terrible. My excuse is I tend to use an account with full privileges as my time at each client is limited and I have learnt the hard way that running as a non admin and elevating admin privileges does not always work. I remember spending over an hour trying to get something to work and finding out that the reason it did not work was because I needed to logon as administrator as elevation of privileges did not work!

But I will be reviewing the use of domain accounts as I don't think that the account needs to be a domain admin as you rightly pointed out. Not good practice admittedly, but sometimes I just don't have enough time to get all the work done, so I don't need to create complications by logging on with an account that does not have the admin rights. I am hoping by August next year that I will get there eventually as I have caught up on a lot of things. Sometimes I wonder if I should work for a big company so that there are enough people to do the work lol.

At least I have got my clients running as standard users - only took me about two years to get that accomplished!

#209638 - 2014-11-08 12:46 PM Re: Is this a bug with readprofilestring? [Re: Robdutoit]
Glenn Barnas Administrator Offline
KiX Supporter
*****

Registered: 2003-01-28
Posts: 4396
Loc: New Jersey
No - not the point...
1. You create your admin account in AD, NOT a member of domain admins.
2. You create a group called Computer Admins, make your account a member of that group.
(in larger organizations, you also create Workstation Admins and Server Admins to split the authority across groups/teams.)
3. You make the Computer Admins group a member of every local system's Administrators group.

When you log in, you have admin access to manage computers, without being a DOMAIN admin. You can assign your account permissions to create/unlock accounts and reset passwords as well, so you can do 96% of admin work without exposing all the rights to AD. You log in with the domain admin account only when making changes to AD itself - OU structure, GPO, etc.

Glenn
_________________________
Actually I am a Rocket Scientist! \:D

#209639 - 2014-11-08 12:54 PM Re: Is this a bug with readprofilestring? [Re: Glenn Barnas]
Glenn Barnas Administrator Offline
KiX Supporter
*****

Registered: 2003-01-28
Posts: 4396
Loc: New Jersey
And, BTW, time is not an excuse.. there are plenty of tools/examples/UDFs here on KORG to automate the process. \:D

There's a UDF that gets the names of every computer - write these to a file. There's a UDF to create AD Groups and populate them. There's an example that reads a list of computers and uses PSEXEC (or the Kix WMIRemoteExec UDF) to define group settings using NET LOCALGROUP.

Thus, if you used the same admin account at all clients, you could create the group, add your account, and push that group into all local Administrators groups with a single script. I used to do this as part of client on-boarding, along with a bunch of other things that made my administration tasks easier for me and safer for the client.

Glenn
_________________________
Actually I am a Rocket Scientist! \:D
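
Glenn's three steps and the single-script push he describes, sketched in PowerShell as an added example; it is not code from the thread or from the KORG UDF library. It assumes the ActiveDirectory module, PowerShell remoting on the targets (in place of PSEXEC), and English group names; the account name and OU are hypothetical placeholders. Domain controllers are deliberately skipped, because Administrators on a DC is the domain's built-in Administrators group.

```powershell
# Added example. Assumes: RSAT ActiveDirectory module, PowerShell remoting enabled
# on the target computers, English built-in group names. Names below are placeholders.
Import-Module ActiveDirectory

$GroupName    = 'Computer Admins'                      # group name used in the thread
$AdminAccount = 'admin.example'                        # hypothetical day-to-day admin account
$GroupPath    = 'OU=Admin Groups,DC=example,DC=local'  # hypothetical OU
$Domain       = (Get-ADDomain).NetBIOSName

# Step 1: the day-to-day admin account must NOT be a member of Domain Admins.
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive
if ($domainAdmins.SamAccountName -contains $AdminAccount) {
    Write-Warning "$AdminAccount is in Domain Admins; use a separate account for AD changes."
}

# Step 2: create the group if it is missing, then add the account to it.
if (-not (Get-ADGroup -Filter "SamAccountName -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -SamAccountName $GroupName `
        -GroupScope Global -GroupCategory Security -Path $GroupPath
}
$members = Get-ADGroupMember -Identity $GroupName
if ($members.SamAccountName -notcontains $AdminAccount) {
    Add-ADGroupMember -Identity $GroupName -Members $AdminAccount
}

# Step 3: push the group into local Administrators on member computers only.
# PrimaryGroupID 515 = Domain Computers, which leaves out domain controllers.
$computers = Get-ADComputer -Filter 'Enabled -eq $true -and PrimaryGroupID -eq 515' |
    Select-Object -ExpandProperty Name
foreach ($computer in $computers) {
    try {
        $result = Invoke-Command -ComputerName $computer -ErrorAction Stop `
            -ArgumentList "$Domain\$GroupName" -ScriptBlock {
                param($Member)
                # NET LOCALGROUP prints one member per line; skip if already present.
                $current = & net.exe localgroup Administrators | ForEach-Object { $_.Trim() }
                if ($current -contains $Member) { return 'already present' }
                & net.exe localgroup Administrators $Member /add | Out-Null
                if ($LASTEXITCODE -eq 0) { 'added' } else { "failed (exit $LASTEXITCODE)" }
            }
        '{0}: {1}' -f $computer, $result
    }
    catch {
        # Offline or unreachable machines are listed so they can be retried later.
        '{0}: unreachable ({1})' -f $computer, $_.Exception.Message
    }
}
```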
