matthewst
(Getting the hang of it)
2006-04-10 08:45 PM
Logon script won't run as admin

I am calling a script from within a logon script. The called script won't run powercfg. It runs fine when I log on as admin, but it says "You do not have permission...." if I log on as a user.

In my network only admins are allowed to adjust the power configuration.


here is some of the logon script
Code:
call "\\server\share\power.kix"



then power.kix runs but gives me the permission error
Code:
shell 'powercfg /CREATE Power_Scheme'
shell 'powercfg /SETACTIVE Power_Scheme'
shell 'powercfg /CHANGE Power_Scheme /monitor-timeout-ac 15'



Radimus
(KiX Supporter)
2006-04-10 08:55 PM
Re: Logon script won't run as admin

ok. That sounds right, what is the problem?

Radimus
(KiX Supporter)
2006-04-10 08:58 PM
Re: Logon script won't run as admin

I'm guessing the question you meant to ask was, "How can I get a script to run with admin privileges?"

http://www.kixtart.org/ubbthreads/showflat.php?Cat=0&Number=81559&an=0&page=4#81559


matthewst
(Getting the hang of it)
2006-04-10 09:00 PM
Re: Logon script won't run as admin

The script processes but doesn't change anything. How can I get this script to run as admin when the users are logging on? I thought all logon scripts ran with admin permissions.

Radimus
(KiX Supporter)
2006-04-10 09:10 PM
Re: Logon script won't run as admin

nope, all scripts run as the user that logs on... that is how a user gets their network drives.

Hoops must be gone through to give a user admin privileges for installing apps and such


Mart
(KiX Supporter)
2006-04-10 09:14 PM
Re: Logon script won't run as admin

There are some examples here on this board that show how to run a script as an admin. One of the least secure is to use runas (provided by MS in Win2K and up). Users can read the username and password this way. There are also topics on how to do it more securely. Do a search on runas (gave me 361 hits) and sanur and you'll get some hits. Tokenizing the script is also an option. But afaik there are no 100% secure ways to run a logon script as an admin when a regular user logs on.

Logon scripts always run with the credentials of the user logging on and not as an admin of any kind unless it is told to do so. Start-up scripts run under the system account and therefore have elevated privileges compared to a regular user but it still is not the same as a domain admin.


Witto
(MM club member)
2006-04-10 09:27 PM
Re: Logon script won't run as admin

If I understand well, you want to change the power scheme of a user. I think there are two easy ways to do this.
  • Via GPO: EZ GPO Tool
  • Via login script: just change "HKEY_CURRENT_USER\Control Panel\PowerCfg","CurrentPowerPolicy" to the desired value


Les
(KiX Master)
2006-04-10 09:37 PM
Re: Logon script won't run as admin

When you run under alternate creds, the HKCU is not that of the intended. You need to get fancy and navigate through HKU\SIDofIntendedUser\...

Witto
(MM club member)
2006-04-10 09:54 PM
Re: Logon script won't run as admin

True. But why would I need alternate credentials? As far as I know, a normal user can change "HKEY_CURRENT_USER\Control Panel\PowerCfg","CurrentPowerPolicy".

Les
(KiX Master)
2006-04-10 10:28 PM
Re: Logon script won't run as admin

No, not true. There has been much said about that and the consensus is that perms need to be opened up on the key.

matthewst
(Getting the hang of it)
2006-04-11 03:44 PM
Re: Logon script won't run as admin

I think just using runas is the way to go for me.

Code:

Run 'runas /user:USERNAME "powercfg /SETACTIVE POWER_SCHEME"'
$ReturnCode = SendKeys("PASSWORD")
$ReturnCode = SendKeys("{ENTER}")



But when I run this a box flashes on the screen too quick for me to read and the power scheme remains unchanged. The output in the original dosbox is:

C:\drive>pwrcfg.kix
Enter the password for USERNAME:
Attempting to start powercfg /SETACTIVE POWER_SCHEME as user "COMPUTERNAME\USERNAME"...

C:\drive>


Les
(KiX Master)
2006-04-11 03:49 PM
Re: Logon script won't run as admin

You are obviously still in denial.

matthewst
(Getting the hang of it)
2006-04-11 03:59 PM
Re: Logon script won't run as admin

sorry still learnin

matthewst
(Getting the hang of it)
2006-04-11 04:11 PM
Re: Logon script won't run as admin

This works:
Code:
RUN "runas /user:USERNAME notepad.exe"
$ReturnCode = SendKeys("PASSWORD")
$ReturnCode = SendKeys("{ENTER}")



But not this:
Code:
Run "runas /user:USERNAME powercfg /SETACTIVE POWER_SCHEME"
$ReturnCode = SendKeys("PASSWORD")
$ReturnCode = SendKeys("{ENTER}")



Radimus
(KiX Supporter)
2006-04-11 04:20 PM
Re: Logon script won't run as admin

have you read up on RUNAS?

make a bat file and RUNAS it.


Les
(KiX Master)
2006-04-11 04:29 PM
Re: Logon script won't run as admin

When you RUNAS another user, you set the powercfg for that OTHER user. This has already been said.

matthewst
(Getting the hang of it)
2006-04-11 04:45 PM
Re: Logon script won't run as admin

OOHHH!!! I must have missed that one. OK, I'll have to go about this a different way.

DrillSergeant
(MM club member)
2006-04-11 08:35 PM
Re: Logon script won't run as admin

You need to set rights on one HKEY_LOCAL_MACHINE key.
This should get you on your way:

http://blogs.msdn.com/aaron_margosis/archive/2005/02/09/370263.aspx


matthewst
(Getting the hang of it)
2006-04-13 04:04 PM
Re: Logon script won't run as admin

Thanks everyone and thanks to drillsergeant for the link.

Here is how I finally made it work.

The login script calls runas.kix
Code:
RUN "runas /user:Admin cmd"
$ReturnCode = SendKeys("password")
$ReturnCode = SendKeys("{ENTER}")

SHELL '%COMSPEC% /C "pwrcfg.bat"'
SLEEP 3
$ReturnCode = Sendkeys("exit")
$ReturnCode = SendKeys("{ENTER}")

RUN "cmd"
$ReturnCode = SendKeys("powercfg /Create ")
$ReturnCode = SendKeys('"')
$ReturnCode = SendKeys("Power_Scheme")
$ReturnCode = SendKeys('"')
$ReturnCode = SendKeys("{ENTER}")

$ReturnCode = SendKeys("powercfg /SetActive ")
$ReturnCode = SendKeys('"')
$ReturnCode = SendKeys("Power_Scheme")
$ReturnCode = SendKeys('"')
$ReturnCode = SendKeys("{ENTER}")

$ReturnCode = SendKeys("powercfg /Change ")
$ReturnCode = SendKeys('"')
$ReturnCode = SendKeys("Power_Scheme /monitor-timeout-ac 15")
$ReturnCode = SendKeys('"')
$ReturnCode = SendKeys("{ENTER}")

$ReturnCode = SendKeys("powercfg /Hibernate off")
$ReturnCode = SendKeys("{ENTER}")

$ReturnCode = SendKeys("exit")
$ReturnCode = SendKeys("{ENTER}")



runas.kix calls pwrcfg.bat
Code:
setacl.exe -on "\\%computername%\HKLM\SOFTWARE\MICROSOFT\Windows\CurrentVersion\Controls Folder\PowerCfg\GlobalPowerPolicy" -ot reg -actn ace -ace "n:%computername%\users;p:full" 
setacl.exe -on "\\%computername%\HKLM\SOFTWARE\MICROSOFT\Windows\CurrentVersion\Controls Folder\PowerCfg\PowerPolicies" -ot reg -actn ace -ace "n:%computername%\users;p:full"
setacl.exe -on "\\%computername%\HKLM\SOFTWARE\MICROSOFT\Windows\CurrentVersion\Controls Folder\PowerCfg" -ot reg -actn ace -ace "n:%computername%\users;p:full"



I just need to have pwrcfg.bat, runas.kix, and SetACL.exe in the same directory. I'm also going to have the script remove the permissions once the changes have been made.

P.S. Before I deploy runas.kix I plan on kixcrypting it so no one can trace it down and view the password.
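
An added example, not part of any post in this thread: a small Python audit for logon-script shares that flags the two patterns the thread ends on, a literal typed with SendKeys right after a runas prompt (the readable credential Mart describes) and a SetACL grant of full control to Users on an HKLM key. The function name, rule names, three-line window and sample inputs are assumptions constructed for illustration.

```python
import re

RUNAS = re.compile(r'runas\s+/user:(\S+)', re.I)
SENDKEYS = re.compile(r'SendKeys\(\s*(["\'])(.*?)\1\s*\)', re.I)
KEY_TOKEN = re.compile(r'^\{[A-Za-z0-9 ]+\}$')      # {ENTER}, {TAB}, ...
BROAD_ACE = re.compile(r'-ace\s+"n:([^;"]*\\users);p:full"', re.I)
WINDOW = 3  # assumption: lines after runas in which a typed literal is a secret

# Constructed samples modelled on the scripts posted in the thread.
SAMPLE_KIX = r'''RUN "runas /user:Admin cmd"
$ReturnCode = SendKeys("CONSTRUCTED-SECRET")
$ReturnCode = SendKeys("{ENTER}")
RUN "cmd"
$ReturnCode = SendKeys("exit")
'''
SAMPLE_BAT = r'''setacl.exe -on "\\%computername%\HKLM\SOFTWARE\MICROSOFT\Windows\CurrentVersion\Controls Folder\PowerCfg" -ot reg -actn ace -ace "n:%computername%\users;p:full"
'''


def audit_script(text):
    """Return (line_no, rule, detail) findings; typed literals are never echoed."""
    findings = []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = RUNAS.search(line)
        if m:
            account = m.group(1).strip('"\'')
            # Look just past the runas call for a literal typed into its prompt.
            for j in range(i + 1, min(i + 1 + WINDOW, len(lines))):
                k = SENDKEYS.search(lines[j])
                if k and not KEY_TOKEN.match(k.group(2)):
                    detail = (f"literal of {len(k.group(2))} chars typed "
                              f"after runas as {account}")
                    findings.append((j + 1, "runas-typed-secret", detail))
                    break
        a = BROAD_ACE.search(line)
        if a and "\\hklm\\" in line.lower():
            findings.append((i + 1, "hklm-full-control-users",
                             f"full control granted to {a.group(1)}"))
    return findings


if __name__ == "__main__":
    for name, body in (("runas.kix", SAMPLE_KIX), ("pwrcfg.bat", SAMPLE_BAT)):
        for line_no, rule, detail in audit_script(body):
            print(f"{name}:{line_no}: {rule}: {detail}")
```

The check only reads plain-text scripts, so a tokenized or encrypted script on the share needs its source reviewed before it is packed.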