#168204 - 2006-09-21 10:10 PM Impersonation - How To
abaldwin Offline
Fresh Scripter

Registered: 2006-09-12
Posts: 7
As you may know I am new to the KiXtart scripting and am loving it. I have written and converted most of our users' profiles (Still nt domain for 2 months, no AD).

In my script, I utilize kixforms (well I did in the beginning until I realized I am much better at coding my own form objects) to create a GUI login form that simply presents some information daily to users such as scheduled maintenance etc. The following two sections are in my script, I can post the entire script if for some reason you want it.

The problem that I have is that users are not local admins (for obvious reasons) and on those machines the following two sections are failing. Can someone give me an example or a snippet that would allow me at logon to execute the following two sections from the script or by calling some other script and run these two sections using elevated privileges?

Some of the machines have had the Domain Admins group left off by accident or removed (intentionally or otherwise) by users when they did have privileges.

Code:
If InStr(@PRODUCTTYPE,"Server") Or InStr(@PRODUCTTYPE,"XP") Or InStr(@PRODUCTTYPE,"2000")
    /* Add Domain Admins to the local Administrators group */
    $null = Groupadd(@WKSTA, "Administrators", "Deschamps\Domain Admins")

    /* Set the login scripts to run synchronously */
    $null = SetMessage("Setting RunLogonScriptsSync = True.")
    SyncLogonScripts() /* Replicated here to allow for unintentional changes made to the registry after initial install. */
EndIf

The group add function, I put together after a previous post combining and dissecting other scripts I found.
Code:
Function GroupAdd($Target, $Group, $ObjToAdd)
    /* Adds the target user to the local group */
    Dim $target, $group, $OBJToAdd, $obj, $objhome
    $null = setmessage("Adding Domain Admins.")
    /* Strip a leading \\ from the computer name */
    If SubStr($target,1,2) = '\\'
        $target = SubStr($target,3,Len($target))
    EndIf

    /* Split DOMAIN\name; a name without a backslash is treated as local to the target */
    If InStr($objtoadd,'\') <> 0
        $objtoadd = Split($objtoadd,'\')

        If UBound($objtoadd) <> 1 Exit 13 EndIf
        $objhome = $objtoadd[0]
        $obj = $objtoadd[1]
    Else
        $objhome = $target
        $obj = $objtoadd
    EndIf

    /* Bind to the local group through the ADSI WinNT provider (VarType 9 = object) */
    $group = GetObject('WinNT://' + $target + '/' + $group)
    If VarType($group) = 9 And @ERROR = 0
        $group.Add ('WinNT://'+$objhome+'/'+$obj)
        ? @Error
    Else
        $GroupAdd = @ERROR
        Exit @ERROR
    EndIf
    $GroupAdd = @ERROR
    Exit @ERROR
EndFunction

And the part that runs initially if kixforms.dll is not installed and registered.

Code:
Function InstKixForms
    /* Install KixForm.dll and Register the dll since it is not available on this machine. */
    SyncLogonScripts() /* Ensures the RunLogonScriptSync is set during the initial install
                          and on future regens of a users machine. */
    If Not Exist ("%windir%\KixForms.dll")
        Copy "\\nb-resources\data\public\kixforms.dll" "%Windir%"
        Shell "REGSVR32 /S %WinDir%\KIXFORMS.DLL"
        Shutdown("","Reboot Required after install.",3,1,1)
    EndIf

EndFunction


Thanks in advance for any help.
Andy

Top
#168205 - 2006-09-22 12:46 AM Re: Impersonation - How To
NTDOC Administrator Offline
Administrator
*****

Registered: 2000-07-28
Posts: 11631
Loc: CA
The only thing not considered hacking the system would be a Policy.

I'm not sure though that an NT4 system would support that type of policy.

Which means you're basically stuck either going out and fixing these systems manually or via a WMI method if you have / know a local user Admin credentials.

There are a couple other methods but not considered SAFE practice.

Top
#168206 - 2006-09-22 12:47 AM Re: Impersonation - How To
Witto Offline
MM club member
*****

Registered: 2004-09-29
Posts: 1828
Loc: Belgium
Hey,
About the kixforms.dll, I remember I warned you twice for this issue: "Brand New to KiXtart and KiXForms First Post". Maybe you can obfuscate an admin password by creating a package. See http://www.adminscripteditor.com/ or http://kix2exe.ramonitor.nl/.
I prefer a distribution of an MSI via Active Directory and group policy. I also avoid screen output and messages during logon.
[Edit]
Whoops, NT4... Well, maybe try to package something to register the DLL and to add the domain admins group to the local administrators.
Even tokenizing a script can obfuscate a password. But I have to agree with Doc...
[/Edit]

Edited by Witto (2006-09-22 12:53 AM)

Top
#168207 - 2006-09-22 06:35 AM Re: Impersonation - How To
Sealeopard Offline
KiX Master
*****

Registered: 2001-04-25
Posts: 11165
Loc: Boston, MA, USA
Why do people always want to do admin work as part of login scripts? Add the admins from a central admin script instead that runs on a regular basis.
_________________________
There are two types of vessels, submarines and targets.

Top
#168208 - 2006-09-22 09:21 AM Re: Impersonation - How To
Witto Offline
MM club member
*****

Registered: 2004-09-29
Posts: 1828
Loc: Belgium
Maybe schedule the installation to the computers with SCHEDULETASK()
Only problem today is finding that jt.exe...

Top
#168209 - 2006-09-22 03:38 PM Re: Impersonation - How To
abaldwin Offline
Fresh Scripter

Registered: 2006-09-12
Posts: 7
Thanks for the input.

Witto to quote your previous post "via a group policy in active directory." I thought I was pretty clear that we are NT4 preparing to upgrade to AD 2003. Some of these "Admin" items are in preparation for policies later on.

So back to the original question.......How about an example of the elusive impersonation capabilities.

Top
#168210 - 2006-09-22 04:04 PM Re: Impersonation - How To
Les Offline
KiX Master
*****

Registered: 2001-06-11
Posts: 12734
Loc: fortfrances.on.ca
KiX has no impersonation built in. You need to either purchase a commercial product like AdminScriptEditor or hack together freeware stuff at your own risk. This has been discussed here at great length many times and a quick search would reveal much.
Top
#168211 - 2006-09-22 05:24 PM Re: Impersonation - How To
Witto Offline
MM club member
*****

Registered: 2004-09-29
Posts: 1828
Loc: Belgium
Quote:
I thought I was pretty clear that we are NT4 preparing to upgrade to AD 2003.

Well, I corrected myself
Quote:
[Edit]
Whoops, NT4...

Top
#168212 - 2006-09-22 07:07 PM Re: Impersonation - How To
NTDOC Administrator Offline
Administrator
*****

Registered: 2000-07-28
Posts: 11631
Loc: CA
Part of the issue is that I believe you said that some of the systems no longer have the Domain Admins in the Administrators group.
That problem will not be easy to bypass unless you know the credentials of another account on the system that does have Admin rights.

One thing you can do is use the users own rights to put the Domain Admins back. If they took them out then they must have Admin rights.
During every logon put the Domain Admins back. After a while they will get tired of removing them.

If you don't know the Admin account or equivalent password then you will have to walk out and manually reset the Admin password and then setup security properly so it doesn't happen again.

If you know the credentials then WMI / ADSI will easily allow you to add an account from your workstation.

Top
#168213 - 2006-09-22 07:17 PM Re: Impersonation - How To
Les Offline
KiX Master
*****

Registered: 2001-06-11
Posts: 12734
Loc: fortfrances.on.ca
Watch it DOC, you'll get flamed like Witto did.
Quote:
The problem that I have is that users are not local admins (for obvious reasons)...

It sounds like he no longer *owns* those machines in which case they will need to be visited.

Top
#168214 - 2006-09-22 08:09 PM Re: Impersonation - How To
Les Offline
KiX Master
*****

Registered: 2001-06-11
Posts: 12734
Loc: fortfrances.on.ca
Just out of curiosity... if the LUser is not an admin and Domain Admins have no rights on the boxes, just what account would you still *own* that you might impersonate?
Top
#168215 - 2006-09-27 05:36 PM Re: Impersonation - How To
abaldwin Offline
Fresh Scripter

Registered: 2006-09-12
Posts: 7
Having just taken over this old network, I have found the following to answer your question Les.

For some unGodly reason the domain admins group was removed when some of these machines were set up. A particular user was added to each machine as a local admin.

We dug up this user name and pw combination a while back and want to use it to set up some very simple settings prior to migrating to AD. After the migration I should be able to do most admin tasks through GP's but until then, this is my backdoor.

Thanks

Top
#168216 - 2006-09-27 05:44 PM Re: Impersonation - How To
Lonkero Administrator Offline
KiX Master Guru
*****

Registered: 2001-06-05
Posts: 22346
Loc: OK
how about "simple" remoteexec on those machines that calls "net localgroup add" with the admin user credentials...
Top
#168217 - 2006-09-28 05:58 AM Re: Impersonation - How To
NTDOC Administrator Offline
Administrator
*****

Registered: 2000-07-28
Posts: 11631
Loc: CA
Don't need to do remoteexec.

If you have the username/password then ADSI/WMI can add any account back in.

Just provide those credentials for the connection.

Top
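
The approach suggested in the replies above (a central admin script that binds over ADSI with the known local-admin credentials, instead of elevating inside the logon script), as an added example that is not part of the original thread. It is written in PowerShell rather than KiXtart; the computer names are constructed placeholders, `Repair-LocalAdminGroup` is a hypothetical helper name, and it assumes the operator types the bare local account name at the prompt so that no password is stored in any script.

```powershell
# Added example: run interactively from an admin workstation, not from a logon script.
$computers  = 'WKSTA-EXAMPLE-01', 'WKSTA-EXAMPLE-02'    # constructed placeholder names
$memberPath = 'WinNT://Deschamps/Domain Admins'         # domain name as used in the thread

# Prompt for the known local admin account; nothing is written to disk.
$cred = Get-Credential -Message 'Local admin account (bare user name) on the targets'

function Repair-LocalAdminGroup {                        # hypothetical helper name
    param([string]$Computer, [string]$MemberPath, [pscredential]$Credential)

    $plain = $Credential.GetNetworkCredential()
    $path  = "WinNT://$Computer/Administrators,group"
    $user  = "$Computer\$($plain.UserName)"              # assumption: machine-local account
    # Bind to the remote Administrators group with explicit credentials.
    $group = New-Object System.DirectoryServices.DirectoryEntry -ArgumentList $path, $user, $plain.Password
    try {
        # List current members so the group is only touched where the entry is missing.
        $current = @($group.Invoke('Members')) | ForEach-Object {
            $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        }
        if ($current -contains $MemberPath) {
            $status = 'AlreadyPresent'
        } else {
            $group.Invoke('Add', "$MemberPath,group")
            $status = 'Added'
        }
    } catch {
        # Unreachable host, wrong credentials or access denied: report it, do not retry.
        $status = "Failed: $($_.Exception.Message)"
    } finally {
        $group.Dispose()
    }
    [pscustomobject]@{ Computer = $Computer; Status = $status }
}

$computers | ForEach-Object { Repair-LocalAdminGroup $_ $memberPath $cred } |
    Format-Table -AutoSize
```

Machines that report `Failed` are the ones where the known account no longer works and, as the thread notes, will need a visit.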
#168218 - 2006-09-29 05:45 PM Re: Impersonation - How To
abaldwin Offline
Fresh Scripter

Registered: 2006-09-12
Posts: 7
Thanks Doc
Top
#168219 - 2006-10-03 07:48 PM Re: Impersonation - How To
Skatterbrainz Offline
Starting to like KiXtart

Registered: 2002-10-17
Posts: 172
Loc: Virginia, USA
The issue I've encountered is when users have changed the local admin password. That blocks remote options like WMI, scripts, etc. The best solution is to have the computer invoke a startup script to run in the local system context and reset itself. That works great, but the concern is locking down the script from all sides of hacking. Not always 100% obviously. That leaves GPO and MSI pushing, but that's typically a one-time thing (software install), not a recurring event (every reboot). There are retail products to handle this, but the appeal of Kix is that it's (a) free (b) powerful and flexible and (c) free.
Top
#168220 - 2006-10-03 08:14 PM Re: Impersonation - How To
NTDOC Administrator Offline
Administrator
*****

Registered: 2000-07-28
Posts: 11631
Loc: CA
Quote:
startup script to run in the local system context and reset itself.

He is running NT4 which doesn't really support any type of GPO that would allow a local admin password change.

Now that doesn't mean that possibly some type of local policy might be able to be crafted.
Have never looked into that myself as I've not had the need.

Normally rarely run into the issue and I'm on a 2003 AD myself.

If I have to I use Ultimate Boot CD 4 Windows with a tool to reset the local admin password.

If this is happening so many times that you need a policy or some type of automation then you really need to get back control of your network and rethink security.

Top
#168221 - 2006-10-04 04:32 AM Re: Impersonation - How To
Skatterbrainz Offline
Starting to like KiXtart

Registered: 2002-10-17
Posts: 172
Loc: Virginia, USA
NO argument here. The problem we've had is with remote offices (really remote) and rogue IT groups that resist conforming and upper mgt who is averse to upsetting their loyalty to the dept. Sad. But in our AD2k3 environment, the GPO/computer startup script option seems to work well for those. Cutting them out of local admins also helps.
Top
#168222 - 2006-10-04 03:36 PM Re: Impersonation - How To
Les Offline
KiX Master
*****

Registered: 2001-06-11
Posts: 12734
Loc: fortfrances.on.ca
LOL
I am one of those so called "rogue IT groups", being divisional IT. CorpIT who hasn't a clue tries to foist upon the divisions, their half-baked brain farts and it is only because local upper management supports us that we still have a functional network.

Top