Privilege vs. Group access check

satv73

Hi,
I wanted to analyze what kind of privilege is needed to launch a
specific process on a remote machine which is under the same [using
WMI].

I created a test user and granted all WMI/DCOM side accesses. Now I am
able to perform all the standard WMI calls like remote process lookup
etc. using the test user. But when I tried to launch the specific
process using "Win32_Process" create with the test user, it gives error
[=2]. I kept on adding privileges one by one from the Local security
policy on the client machine for the test user and at some point, I
ended up giving more than what Administrator has [like Part of
operating system]; still the same error was occurring. But it works if
I simply add the test user under the "Administrators" group.

This made me think that if somewhere the WMI Win32_Process
security is explicitly looking for whether the test user is a part of
the "Administrators" group, then this privilege experiment will not help.

Can anybody comment on this?

Thanks in advance
Sathish
 
Manbinder Pal Singh [MSFT]

The Create method doesn't check specifically for Administrators group membership. It
uses the CreateProcessAsUser base API and so it should work for any user who has
access.
Can you try doing it through wbemtest or take a working script from MSDN to
see if your test code has some problem?
Or else, can you share your code?

Thanks,
Manbinder Pal Singh

This posting is provided "AS IS" with no warranties, and confers no rights.
 
Manbinder Pal Singh [MSFT]

Also check your remote machine's configuration. More details at
http://msdn2.microsoft.com/en-us/library/aa389290.aspx

Thanks,
Manbinder Pal Singh

This posting is provided "AS IS" with no warranties, and confers no rights.


 
satv73

Manbinder,
Sorry about the delay. Here is a sample script that I used.
=========================================================================
strComputer = "SATHISH-VMXP1"
strCommand = "c:\windows\notepad.exe"

' Connect to root\cimv2 on the remote machine as the test user
Set objLocator = CreateObject("WbemScripting.SWbemLocator")
Set objWMIService = objLocator.ConnectServer(strComputer, "root\cimv2", _
    "mydomain\normaluser", "Normalpass123")

Set objNewJob = objWMIService.Get("Win32_ScheduledJob")
' Please adjust timings according to current
' Arguments: Command, StartTime, RunRepeatedly, DaysOfWeek, DaysOfMonth,
'            InteractWithDesktop, JobId (out)
errJobCreate = objNewJob.Create _
    (strCommand, "********151800.000000+330", _
    False, 2, , False, JobId)
If errJobCreate = 0 Then
    WScript.Echo "Job created successfully: " & VBNewLine _
        & "Notepad.exe scheduled to run repeatedly at 14.30 (2:30 P.M.) PST" & VBNewLine _
        & "on Mon, Wed, and Fri."
Else
    WScript.Echo "Job not created. Error code = " & errJobCreate
End If
========================================================================

Thanks
Sathish
 
Manbinder Pal Singh [MSFT]

Did you go to the links I gave and configure your server machine to which
you are connecting?
Please give DCOM/WMI rights to the user with which you are connecting.

After configuring, try running the script again.


Thanks,
Manbinder Pal Singh

This posting is provided "AS IS" with no warranties, and confers no rights.
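
Added example, not written by any poster in this thread: one way to confirm which WMI rights a namespace actually grants to each account before adjusting privileges or group membership. It assumes Windows PowerShell 5.1 run on the target machine by an account allowed to read the namespace security; the variable names are illustrative.

```powershell
# Added example: list the WMI rights each trustee holds on a namespace.
$Namespace = 'root\cimv2'   # namespace used by the script in this thread
$Computer  = '.'            # assumption: run locally on the machine being checked

# WMI namespace access-mask bits and the names the WMI Control UI shows for them
$Rights = @{
    0x1     = 'Enable Account'
    0x2     = 'Execute Methods'
    0x4     = 'Full Write'
    0x8     = 'Partial Write'
    0x10    = 'Provider Write'
    0x20    = 'Remote Enable'
    0x20000 = 'Read Security'
    0x40000 = 'Edit Security'
}

# __SystemSecurity is the singleton that holds the namespace security descriptor
$sd = Invoke-WmiMethod -ComputerName $Computer -Namespace $Namespace `
        -Path '__SystemSecurity=@' -Name GetSecurityDescriptor
if ($sd.ReturnValue -ne 0) {
    throw "GetSecurityDescriptor failed with code $($sd.ReturnValue)"
}

foreach ($ace in $sd.Descriptor.DACL) {
    # Decode every bit of the ACE's access mask that we have a name for
    $granted = foreach ($bit in ($Rights.Keys | Sort-Object)) {
        if ($ace.AccessMask -band $bit) { $Rights[$bit] }
    }
    [pscustomobject]@{
        Trustee = '{0}\{1}' -f $ace.Trustee.Domain, $ace.Trustee.Name
        Type    = if ($ace.AceType -eq 0) { 'Allow' } else { 'Deny' }
        Rights  = $granted -join ', '
    }
}
```

A remote caller of `Win32_Process` or `Win32_ScheduledJob` methods needs at least Enable Account, Remote Enable and Execute Methods here; this listing covers only the WMI namespace side, not the DCOM launch and access permissions.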
 
