Page 1 of 1 1
Topic Options
#40180 - 2003-05-14 07:45 PM YES, I've read the FAQ...
search66 Offline
Fresh Scripter

Registered: 2003-05-07
Posts: 25
Loc: Baltimore, MD USA
[Smile]

When I searched for my topic, most replies to the subject lead me to sealeps faq (which is brilliant btw), but I still have no resolve..

Trying to use/run su.exe... I've installed the service and exe's, but first I get prompted for a pw (which I shouldn't) and secondly I'm getting an error about not have the SeTcbPrivelege. I thought the su service nuked that from happening?

I tried just making a simple script (from a link from the faq) and it just don't work.

Running Win2000 sp3, fyi...

$program = “notepad.exe”
$userid = “admin”
$password = “1234”

setl "SU_COMMANDLINE=notepad.exe"
setl "SU_DOMAIN=@domain"
setl "SU_PASSWORD=$password"
shell "%comspec% /c su $userid"

Here's the script I copied and pasted to test. I of course changed the variables...
_________________________
God bless Opera. God bless netjak.

Top
#40181 - 2003-05-14 07:56 PM Re: YES, I've read the FAQ...
Jochen Administrator Offline
KiX Supporter
*****

Registered: 2000-03-17
Posts: 6380
Loc: Stuttgart, Germany
Are you sure that you use curly quotes [“] in your script instead of straight ["] ?

[Eek!]

[Big Grin] and where is Balitmore ? [Razz]

Oh hey, Welcome onboard [little late but was quite busy recently]

[ 14. May 2003, 19:59: Message edited by: Jochen ]
_________________________



Top
#40182 - 2003-05-14 07:59 PM Re: YES, I've read the FAQ...
search66 Offline
Fresh Scripter

Registered: 2003-05-07
Posts: 25
Loc: Baltimore, MD USA
Uhm... different types of quotes? Cripes.

/me searches keyboard for more than one type of quotes.
_________________________
God bless Opera. God bless netjak.

Top
#40183 - 2003-05-14 08:01 PM Re: YES, I've read the FAQ...
Jochen Administrator Offline
KiX Supporter
*****

Registered: 2000-03-17
Posts: 6380
Loc: Stuttgart, Germany
Quite lethal for a Script [Wink]

Almost sure that you don't have these in your original one, do you ?

[ 14. May 2003, 20:02: Message edited by: Jochen ]
_________________________



Top
#40184 - 2003-05-14 08:02 PM Re: YES, I've read the FAQ...
Howard Bullock Offline
KiX Supporter
*****

Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
What version of SU/SUSS are you using?

From the W2K Reskit help:
quote:
SU lets you start a process running as an arbitrary user. It is named after the SU (Switch Users) utility of the UNIX family of operating systems.

Providing that the specified domain, user name, and password are correct, the new process runs in the security context of that user.

The new process starts with an environment block representing the per-user environment variables that Windows 2000 maintains. When the new process starts, the registry hive representing the target user, accessed through the HKEY_CURRENT_USER key, is available to the process. Both of these behaviors can be disabled.

The logon type equates to the logon right required by the target user (who was granted the privileges). Furthermore, the logon type dictates how the access token representing the target user is populated. The security identifier (SID) with type SE_GROUP_LOGON_ID in the access token for the new process represents the type of logon: Batch, Interactive, or Service. Logon rights can be granted through the Local Security Policy snap-in, an Administrative Tool included with Windows 2000 (or User Manager, a Resource Kit Tool, for Windows NT version 4.0).



Note

Local Security Policy tells you if local settings are being overridden by settings applied through Group Policy at the site, domain, or organizational unit level. If this is the case, then you will not be able to change them at the local level.

Open Local Security Policy snap-in now.

Privileges and SU Service
In this release of SU, the caller no longer needs the following privileges:

SeTcbPrivilege "Act as part of the operating system"
SeIncreaseQuotaPrivilege "Increase Quotas"
SeAssignPrimaryTokenPrivilege "Replace a process level token"
SeRestorePrivilege "Restore files and directories" (required only for preparation of user registry hive)
In order to obtain these privileges before running SU, the user must install a new service-based component used by SU. The service component is encapsulated in the executable Suss.exe, and this is installed by entering the following command at the command prompt:

suss.exe -install

Open command prompt now.

You must be an administrator in order to install the service in this manner. The name of the service installed, as listed in the in the Services snap-in, is SU Service.

Once SU Service is installed, users may use SU without having the four privileges mentioned above. If you are upgrading over an previous installation of SU, you should revoke the above mentioned privileges from any users or groups to whom they were previously granted. You can do this with the Local Security Policy snap-in (or User Manager for Windows NT 4.0).

SU Service can be configured to run in the Local System account or any account that has been assigned the privileges that were previously necessary in the stand-alone version. By default, the service allows anybody to use SU, but that can be regulated by changing the ACL on a particular registry key (the ACL itself will map to whom the service allows to use SU).



Note

If you receive the error "LogonUser error! (rc=1722)" when using SU, you may not have properly installed SU Service from Suss.exe or the service may be stopped. Verify that SU Service is included in the list in the Services snap-in. If its status is not shown as Started on the list, start the service by right-clicking it and then clicking Start. If the service does not appear in the list, please follow the above instructions to install the service.

Open MMC Service snap-in now.

RunAs
Most of the functionality of SU is included in RunAs, a command-line tool included with the Windows 2000 operating system. For information on this tool, see Windows 2000 Help. However, SU still includes two features not available in RunAs:

SU can target other desktops.
SSP logons using the -n switch are not supported by Runas.

Open command prompt now.

SU Limitations
Environment variables contained in Autoexec.bat are not populated to the environment of the new process.
Environment variables HOMEDRIVE and HOMEPATH are not populated to the environment of the new process.
Mandatory profiles are not supported. Furthermore, if a profile does not exist for the target user, a default profile is not prepared and registry operations against HKEY_CURRENT_USER are not be persistent.
Network drives are not connected for the target process. Windows 2000 makes drive letter mappings global, which could cause collisions when multiple users are logged on; for this reason, network drives are not reconnected.

_________________________
Home page: http://www.kixhelp.com/hb/

Top
#40185 - 2003-05-14 08:02 PM Re: YES, I've read the FAQ...
Sealeopard Offline
KiX Master
*****

Registered: 2001-04-25
Posts: 11162
Loc: Boston, MA, USA
See also this FAQ: Curly quotes “ and ”
_________________________
There are two types of vessels, submarines and targets.

Top
#40186 - 2003-05-14 08:03 PM Re: YES, I've read the FAQ...
search66 Offline
Fresh Scripter

Registered: 2003-05-07
Posts: 25
Loc: Baltimore, MD USA
Thanks for the welcome... Baltimore is in Maryland, USA...

Anyway. I've never heard of more than one type of " before in my life.
_________________________
God bless Opera. God bless netjak.

Top
#40187 - 2003-05-14 08:04 PM Re: YES, I've read the FAQ...
Howard Bullock Offline
KiX Supporter
*****

Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
Ignore my ramblings...missed the "curly quotes" [Embarrassed]
_________________________
Home page: http://www.kixhelp.com/hb/

Top
#40188 - 2003-05-14 08:07 PM Re: YES, I've read the FAQ...
Howard Bullock Offline
KiX Supporter
*****

Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
The "curly quotes" come from HTML text (read M$ Frontpage, etc.). These cause all kinds of grief. We tried to stamp them out of existence in the examples last year.

[ 14. May 2003, 20:09: Message edited by: Howard Bullock ]
_________________________
Home page: http://www.kixhelp.com/hb/

Top
#40189 - 2003-05-14 08:10 PM Re: YES, I've read the FAQ...
search66 Offline
Fresh Scripter

Registered: 2003-05-07
Posts: 25
Loc: Baltimore, MD USA
Wow. I had no idea. Ok, even after I replaced da curlies... this is the error msg I get.

Error: you do not have the SeTcbPrivilege (act as part of OS) privilege.
Error: Can't get current Console Mode. Error Code: 6
_________________________
God bless Opera. God bless netjak.

Top
#40190 - 2003-05-14 08:11 PM Re: YES, I've read the FAQ...
Howard Bullock Offline
KiX Supporter
*****

Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
In this case, please do not ingore my previous quote then and check your version and read my post. Apparently some version need the privilege and newer version don't.

[ 14. May 2003, 20:12: Message edited by: Howard Bullock ]
_________________________
Home page: http://www.kixhelp.com/hb/

Top
#40191 - 2003-05-14 08:14 PM Re: YES, I've read the FAQ...
search66 Offline
Fresh Scripter

Registered: 2003-05-07
Posts: 25
Loc: Baltimore, MD USA
Huhm. I think I had the wrong version of su.exe

Lemme play with that and I'll bug everyone later.
_________________________
God bless Opera. God bless netjak.

Top
#40192 - 2003-05-14 09:35 PM Re: YES, I've read the FAQ...
search66 Offline
Fresh Scripter

Registered: 2003-05-07
Posts: 25
Loc: Baltimore, MD USA
Thanks to everyone. Everything runs great now... except for one thing.

To make a long story short, I'm running a McAfee update kix. The full install and virus update works beautifully; but the SP1 doesn't.

I think it has to do with the switch at the end. I tried to remove the switch (/silent) and it runs fine. But (of course) I don't want the user to be prompted and want it to be done silently. Does my syntax look right? Cuz with the 4.5.1 full install switch (/s) works fine.

Thanks for the help, this is driving me batty.

shell '%comspec% /c su "\\BOMREC1\PUBLIC\VIRUSU~1\McAffee\451\sp1\VSC451S1.EXE /silent" < pass.txt'
_________________________
God bless Opera. God bless netjak.

Top
Page 1 of 1 1


Moderator:  Jochen, Allen, Radimus, Glenn Barnas, ShaneEP, Ruud van Velsen, Arend_, Mart 
Hop to:
Shout Box

Who's Online
0 registered and 315 anonymous users online.
Newest Members
Praveer, Ollero, rayyo, Foxlicht, DonChild
17742 Registered Users

Generated in 0.039 seconds in which 0.011 seconds were spent on a total of 12 queries. Zlib compression enabled.

Search the board with:
superb Board Search
or try with google:
Google
Web kixtart.org