Login script with admin priveleges

[JCO]

Wondering if anyone could help me out with the following:

On NT, W2K and XP client machines I need a way to run an exe, through the
login script, with admin priveleges. I've looked into "runas" and "su",
however, they're not the best options as I run into problems with
compatability with NT or the fact that one has to insert the password when
prompted. I've also looked into "Admin Script Editor" and its packager
which lets one create and .exe to be run with alterante credentials.

Anyone know if this is possible through VBScript using impersonation?

Any enlightment into this matter would be appreciated.

Thanks!
JCOliveira

 

[Gerry Hickman]

Any enlightment into this matter would be appreciated.

In my view, this should never happen. The whole point of a logon script
is to set up the user environment, not to run silly EXE files as the admin.

 

[Roland Hall]

in message
: JCO wrote:
:
: > Any enlightment into this matter would be appreciated.
:
: In my view, this should never happen. The whole point of a logon script
: is to set up the user environment, not to run silly EXE files as the
admin.

So, what's the difference between a silly EXE file and a serious one and is
it alright to run those as the admin in a logon script? (O:=

--
Roland Hall
/* This information is distributed in the hope that it will be useful, but
without any warranty; without even the implied warranty of merchantability
or fitness for a particular purpose. */
Technet Script Center - http://www.microsoft.com/technet/scriptcenter/
WSH 5.6 Documentation - http://msdn.microsoft.com/downloads/list/webdev.asp
MSDN Library - http://msdn.microsoft.com/library/default.asp

 

[Michael Bednarek]

in message
: JCO wrote:
:
: > Any enlightment into this matter would be appreciated.
:
: In my view, this should never happen. The whole point of a logon script
: is to set up the user environment, not to run silly EXE files as the
admin.

So, what's the difference between a silly EXE file and a serious one and is
it alright to run those as the admin in a logon script? (O:=

By definition, a silly (=inappropriate) EXE file in a login script is
one which requires more privileges than the current user has. They
belong in a machine startup script and necessary rights granted to
Domain Computers.

 

[Roland Hall]

in message
: in microsoft.public.scripting.vbscript,
: microsoft.public.win32.programmer.wmi, microsoft.public.windowsxp.wmi:
:
: >"Gerry Hickman" wrote in message
: >: >: JCO wrote:
: >:
: >: > Any enlightment into this matter would be appreciated.
: >:
: >: In my view, this should never happen. The whole point of a logon script
: >: is to set up the user environment, not to run silly EXE files as the
: >admin.
: >
: >So, what's the difference between a silly EXE file and a serious one and
is
: >it alright to run those as the admin in a logon script? (O:=
:
: By definition, a silly (=inappropriate) EXE file in a login script is
: one which requires more privileges than the current user has. They
: belong in a machine startup script and necessary rights granted to
: Domain Computers.

I was just being silly but the response was worth reading. Thanks.

--
Roland Hall
/* This information is distributed in the hope that it will be useful, but
without any warranty; without even the implied warranty of merchantability
or fitness for a particular purpose. */
Technet Script Center - http://www.microsoft.com/technet/scriptcenter/
WSH 5.6 Documentation - http://msdn.microsoft.com/downloads/list/webdev.asp
MSDN Library - http://msdn.microsoft.com/library/default.asp

 

[Gerry Hickman]

Hi Roland,

I was just being silly but the response was worth reading. Thanks.

Hehe

The point we're making is that logging on time is for getting the user's
desktop and drives up as quickly as possible, it's not the right time to
be messing around with admin programs.

Maybe there's a legitimate use for such a program (?), but in the first
instance I'd suggest trying to re-design your systems so that this kind
of thing isn't needed at logon time. e.g. on my own netowrk, I run the
admin programs overnight.

 

[Roland Hall]

: Hi Roland,
:
: > I was just being silly but the response was worth reading. Thanks.
:
: Hehe
:
: The point we're making is that logging on time is for getting the user's
: desktop and drives up as quickly as possible, it's not the right time to
: be messing around with admin programs.
:
: Maybe there's a legitimate use for such a program (?), but in the first
: instance I'd suggest trying to re-design your systems so that this kind
: of thing isn't needed at logon time. e.g. on my own netowrk, I run the
: admin programs overnight.

Yes, that makes sense. I guess I'm going to have to agree with you, but I'm
fighting it. *smirk*

--
Roland Hall
/* This information is distributed in the hope that it will be useful, but
without any warranty; without even the implied warranty of merchantability
or fitness for a particular purpose. */
Technet Script Center - http://www.microsoft.com/technet/scriptcenter/
WSH 5.6 Documentation - http://msdn.microsoft.com/downloads/list/webdev.asp
MSDN Library - http://msdn.microsoft.com/library/default.asp

 

[Jaspreet Singh Jolly]

Hi Everybody,
I agree that we should avoided running SILLY programs at logon time but there may be some peculiar circumstances when we require this.
For e.g. in my network P.C's are being shared by users and users don’t have roaming profiles but still few users require TIME in PST and some other require TIME in GMT for this I cant find any option in Windows 2000 Group Policy. The only way i can do this is by doing registry changes at logon time and for running this script Admin rights would be required, so if possible give me the solution for this.

Any other solution for this problem will also be appreciated.

 

[Jim Vierra]

In a multi-user environment each user can set a separate timezone on W2K and
XP. This is saved in their profile and can be different for each user.
With Roaming Profiles this is easier to manage as it only needs to be set
once. You should also be able to change the TZ in the User registry with a
script but not the machines time zone. The machine time zone should always
reflect it's physical location for other reasons.

Try finding the setting in HKCU for time zone.

 

[maximillianx]

Also, if you want to stay with using some sort of change upon startup,
consider using a startup script rather than a login script. Startup scripts
run in the administrative context (and prior to anyone logging in) and will
get around the issue of users not having permissions to reset the zone.

In a multi-user environment each user can set a separate timezone on W2K
and XP. This is saved in their profile and can be different for each
user. With Roaming Profiles this is easier to manage as it only needs to
be set once. You should also be able to change the TZ in the User
registry with a script but not the machines time zone. The machine time
zone should always reflect it's physical location for other reasons.

Try finding the setting in HKCU for time zone.

 

[Jim Vierra]

Wit hone exceptions. "Startup" scripts change the machine permanently. TZ
can only be set once in a startup script and the machine will stay that way
until the script is changed or until the machine is put into a different OU.

Per user settings will change with user login. If TZ has not been blocked
in the control panel the user should be able to change the preference and
language settings.

--
Jim Vierra

Also, if you want to stay with using some sort of change upon startup,
consider using a startup script rather than a login script. Startup
scripts run in the administrative context (and prior to anyone logging in)
and will get around the issue of users not having permissions to reset the
zone.

 

[Arooster]

Admin Login

Working at service desk in a Government environment we often have to remote to user PC to fix problems or look up secured user information. Because of secutity reasons the programs for doing this has to run as an Admin account. I came to your forum looking for an updated way of loging in once to start these programs using Visual Studio. We are using WinAdmin (dos based) but having problems starting some of the web base programs. Can anyone point me in the right direction?


Thanks!