I thought I posted this earlier, but I do not see it. Pardon me if this is redundant.
We recently moved to Windows XP SP2 and learned that su no longer functions.
The runnas utility is great. However, I am looking for suggestions to resolve a problem.
ENVIRONMENT: We try to ensure redundancy in our systems, and strive for simple solutions that we can maintain, balanced with performance and security.
To this end we distribute our login scripts across the domain using the netlogon share. The Kix32.exe and Runnas utilities are copied to C:\Windows for performance. Scripts are kept on the server for maintenance. We also have software download points distributed throughout our sites.
In our scripts we use three server variables: LogonServer, HomeServer, and DownLoadServer. The logon server is the first responding server. However, this is not always the closest server, nor is it always located on a high-speed link. The DownLoadServer is the server located at the site, accessible via a high-speed link. The HomeServer houses the user's default directory and shared file location. For roaming users the HomeServer may not be local.
By default the main body of our script runs at user level. Configuration checks can typically be performed as the user, and a script with elevated rights is called when required. Some components are simple and merely update a registry pointer for a network license manager for a roaming client. Others begin the installation of service packs.
When we need to call another script we typically reference the LogonServer. The LogonServer is referenced because a) it is up and running (fault tolerance), b) it is the first responder (least busy), and c) the next script is a small file and does not burden the link. If we need to reference a script that may perform a software update, we reference the DownLoadServer location for the script. As you can see, the source of execution is dynamic.
The problem we encounter is with the tokenized files. Though we can successfully pass parameters to this script, for example $DownLoadServer=\\ServerName, this only influences what this script will act on. It does not change the path used to run the tokenized script, for example \\ServerName\Netlogon\ScriptName. The immediate problem is that this entry is static and not dynamic. It will not allow for fault tolerance nor for dynamically allocating a download point.
I have a few solutions that I can think of, but each has its drawbacks.
a) Build a separate tokenized script for each server. Use LogonServer to call the appropriate script with the desired path recorded. PRO: Will work. CON: Maintenance intensive and does not allow for dynamically adding and removing servers.
b) Use DNS alias records to provide primary and secondary names, or use a round-robin approach. PRO: Will reduce to a single script and provide redundancy. CON: Will not select based on performance, nor on best path. If a link is down, it may need to time out on dozens of servers before hitting the correct one, causing excessive delays.
c) Copy all tokenized scripts to a local directory on the workstation with a common reference point. PRO: Will work and eliminates tracking servers. CON: Increased difficulty to maintain scripts. Problems can cause users to reference outdated scripts.
d) Map a drive to the logon share and use the drive letter to reference scripts on the server. PRO: Will work and eliminates maintenance and redundancy issues. CON: NET USE can take 10-15 seconds to execute over a slow link. (When you are already mapping 3 drives, the delays mount.)
e) Enhancement request??? Modify runnas to allow passing of the executable path for a tokenized script! Example... runnas /user cmd /password ... /Exepath:LServer\Netlogon I know, security... security. The utility has a built-in /crc checker, so it can perform validation of the executable that is distributed across the logon shares. The utility would need to reference this location as the default path in the event the cmd is "SourcePath\KIX32.exe SourcePath\Script.KIX". Is this a reasonable request to submit for the Runnas command, or am I just overlooking the obvious?
These are a few methods I can think of. I would appreciate any recommendations or suggestions you have on the subject.
Thanks in advance!
Edited by Deano (2006-01-18 03:56 AM)
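The following is an added example, not code from the original post and not part of the runnas utility: a small KiXtart launcher that resolves the script's source path at run time (site download point first, then the logon server) and then passes that resolved path to runnas in both the executable and the script argument, so the path is no longer hard-coded to one server. It assumes $DownLoadServer is set by the main logon script, that $AdminUser and $AdminPwd hold the elevated account, that the script to launch is named Update.kix, and that runnas accepts /user, /password and /crc as described in the post; these switches and names are assumptions and must be checked against the utility's documentation.

```kixtart
; Added example (not from the original post): pick a reachable source for a script
; at run time and hand the fully-qualified path to runnas, instead of a static
; \\ServerName\Netlogon entry in a tokenized file.
; Assumptions: $DownLoadServer, $AdminUser, $AdminPwd are set by the calling script;
; runnas.exe and KIX32.exe were copied to %WINDIR% as the post describes.

$Script = "Update.kix"

; Candidate sources in order of preference: the site download point, then the
; logon server (@LSERVER already carries the leading backslashes).
$Sources = $DownLoadServer + "\Netlogon", @LSERVER + "\Netlogon"

; First candidate on which the script actually exists wins; EXIST() fails fast on
; a share that is unreachable, so a dead server does not hang the logon.
$SourcePath = ""
FOR EACH $s IN $Sources
    IF $SourcePath = "" AND EXIST($s + "\" + $Script)
        $SourcePath = $s
    ENDIF
NEXT

IF $SourcePath = ""
    ? "No reachable source for " + $Script
    EXIT 1
ENDIF

; Build the elevated command with the resolved path used for both KIX32.exe and
; the script, which is exactly the "SourcePath\KIX32.exe SourcePath\Script.KIX"
; form the post asks runnas to support. Switch syntax is an assumption.
$Cmd = "%WINDIR%\runnas.exe /user:" + $AdminUser + " /password:" + $AdminPwd + " /crc "
$Cmd = $Cmd + $SourcePath + "\KIX32.exe " + $SourcePath + "\" + $Script
$rc = SHELL $Cmd
IF @ERROR <> 0
    ? "runnas failed with error " + @ERROR + " using source " + $SourcePath
ENDIF
```

Because the launcher itself is tiny and runs at user level, it can live on the netlogon share (or locally, as option c describes) without the maintenance cost of a per-server copy; only the path to the elevated script is computed. Note that the elevated credentials still have to be readable by the user-level launcher, which is the same exposure the post alludes to with "I know, security... security"; the /crc check protects the executable on each share, not the credentials in the command line.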