Hi all, I have a problem running a KiXtart script. The script has to add a folder and a DLL to the c:\program files\infostrait\ directory. But there is one problem! If I'm a normal user I can't create folders there; it needs administrator rights to do so. Is there a simple way around that? I need to run this script at logon. Here is a piece of the script I have now.

```
IF EXIST("c:\program files\infostrait\OutlookToSmarTeam\OutlookToSmarTeam.dll") GOTO MAPPING
else
CD "c:\program files\infostrait"
md "OutlookToSmarTeam"
copy "\\server\SmData\ClientSoftware\VB6\OutlookToSmarTeam" "c:\program files\infostrait\OutlookToSmarTeam" /s
cd "OutlookToSmarTeam"
Shell "regsvr32 /s OutlookToSmarTeam.dll"
```

I hope you can help me out. (Sorry for my bad English.)

You could do a search on runnas or runas (watch the double and single n). You will still need to know the username and password of the admin account. If you are not an admin, why are you adding DLLs to the system? It can seriously screw up the system. Maybe you could ask your admin to do this for you?

KiXtart FAQ & How to's » Installing an Application as an Admin

Well, I am an admin here. The DLL is for an application that allows users to save emails in SmarTeam. But anyway, I can't just type something like: runas user="admin" pass="xxxx" ???

Sure you can, but that makes the password readable for all users. If you are running GPO you can run the script as a Startup script. This way you do not need to specify the username and password in the script, because the startup scripts run on the local system account that has admin privileges. You can use the built-in runas in WinXP but, as said, that is not secure and everybody can read the username and password. IMHO one should not use runas.

I will try it in a couple of hours. I will let you know if it worked.

Unless I'm wrong, the XP Pro version of RUNAS won't accept a password as an argument - it must be entered interactively. Specifying the password directly after the user ID, as well as using "/PASS:xx" and "/PASSWORD:xx" switches, fails. Even piping fails, as shown below.

Code:
```
PW1 - C:\Temp>echo PassWord | runas /user:domain\administrator cmd
Enter the password for domain\administrator:
Attempting to start cmd as user "gbcs\administrator" ...
RUNAS ERROR: Unable to run - cmd
1326: Logon failure: unknown user name or bad password.
```

I believe RUNnAS (double "n") is the form that will work, but you'll need to make it available to every system (via NetLogon share, possibly). It will also encode the password. It's an external tool you'll need to download.

Realize that there are tools to define and manage scheduled tasks, which can run as any user. The tcLib UDF library can create a task with specific credentials in as little as 4 lines of code, and then cause it to run immediately. The CoDec UDF can obfuscate the account credentials stored in a file or even within the script, and these scripts should be tokenized to further hide the data and the methods of operation from casual users.

The latest tcLib can be downloaded from my web site, and CoDec is available here on KORG, and in the KixDev package on my site.

Glenn

Quote:
Unless I'm wrong, the XP Pro version of RUNAS won't accept a password as an argument - it must be entered interactively ....

Yes. You are correct. Missed that.

Code:
```
U:\>runas /?
RUNAS USAGE:

RUNAS [ [/noprofile | /profile] [/env] [/netonly] ]
        /user:<UserName> program

RUNAS [ [/noprofile | /profile] [/env] [/netonly] ]
        /smartcard [/user:<UserName>] program

   /noprofile        specifies that the user's profile should not be loaded.
                     This causes the application to load more quickly, but
                     can cause some applications to malfunction.
   /profile          specifies that the user's profile should be loaded.
                     This is the default.
   /env              to use current environment instead of user's.
   /netonly          use if the credentials specified are for remote
                     access only.
   /savecred         to use credentials previously saved by the user.
                     This option is not available on Windows XP Home Edition
                     and will be ignored.
   /smartcard        use if the credentials are to be supplied from a
                     smartcard.
   /user             <UserName> should be in form USER@DOMAIN or DOMAIN\USER
   program           command line for EXE.  See below for examples

Examples:
> runas /noprofile /user:mymachine\administrator cmd
> runas /profile /env /user:mydomain\admin "mmc %windir%\system32\dsa.msc"
> runas /env /user:user@domain.microsoft.com "notepad \"my file.txt\""

NOTE:  Enter user's password only when prompted.
NOTE:  USER@DOMAIN is not compatible with /netonly.
NOTE:  /profile is not compatible with /netonly.
```

not one comment about the use of goto??

Originally Posted By: Bryce
not one comment about the use of goto??

All right, all right. Goto sucks

Is there really no other way around? It's not like I have to install a whole program. It's just for making a dir and copying one file into that dir. For the rest of the script it works fine.

You can also use a startup script or a scheduled task to do the things you want done.

It has to be done in the login script. That's what the boss wants.

*edit* post of the whole script */edit*

Code:
```
IF EXIST("c:\program files\infostrait\OutlookToSmarTeam\OutlookToSmarTeam.dll") GOTO MAPPING
else
; -- Here you create a new folder in the infostrait folder, and a DLL is copied into the new folder.
CD "c:\program files\infostrait"
md "OutlookToSmarTeam"
copy "\\serverxx\SmData\ClientSoftware\VB6\OutlookToSmarTeam" "c:\program files\infostrait\OutlookToSmarTeam" /s
; -- Here you register the DLL.
cd "OutlookToSmarTeam"
Shell "regsvr32 /s OutlookToSmarTeam.dll"
; -- Here you copy 2 small files for the "save in SmarTeam" button.
copy "\\serverxx\NETLOGON\Kixscripts\OLtoST\" "%userprofile%\Application Data\Microsoft\Outlook" /s
; -- Here you set the macro security level in Outlook to low.
WriteValue("HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Outlook\Security\","Level","00000001","REG_DWORD")
; -- Here you create a new folder on the network Y: drive.
CD "y:"
MD "outlookmsg"
:MAPPING
```

So security is not an issue for your boss. Then you might as well make everyone admin. If it has to be done in the logon script, you are stuck with something like runas, which is a huge security risk.

So you say the best thing to do is to install it manually on every PC with the admin acc?

That would be a lot more secure than using something like runas. A GPO startup script (runs with elevated privileges) or a scheduled task (runs with whatever account you specify) would also be a secure option, and they prevent you from running around in the office because a scheduled task can be scheduled from a remote computer and a GPO only has to be created once.

Sure, you can use runas, but it is almost the same as sending an e-mail to everyone telling them the admin's username and password and asking them to (ab)use it. But hey, it's not my network, so you should use whatever you want. If runas is your choice then I'm not going to stop you from using it. I'm only saying that runas sucks and is a huge security risk.

SCHEDULETASK() - Schedules a task on any computer using the Task Scheduler

Originally Posted By: Glenn Barnas
Unless I'm wrong, the XP Pro version of RUNAS won't accept a password as an argument - it must be entered interactively.

Why don't you convert a bat into a com or a kix into an exe, so users can't see the administrator password? Is it possible?

Sure, you can package a kix script in an executable file (for example with ASE or Kix2Exe by Senser). Imho these are all workarounds. Imho runas is only to be used in those cases where nothing else (better/more secure) can be done, and these cases are very, VERY, VERY rare, almost nonexistent.

Originally Posted By: Adolfo
why don't you convert a bat into a com or a kix into an exe? so users can't see the administrator password. is it possible?

ASE can do things differently whereby you don't have to elevate with a runas type utility and embed a password. Using ASE to make an EXE is less secure than using the ASE alternate creds feature. If you don't understand the implications of security you should not be trying to elevate permissions.

I think a startup script is not going to work, because the script is also making a folder on a network drive that is necessary for the application to run. I shall try to make an exe file. Maybe that will do the trick.

OK. I want to try another thing now. I will put in the script that a user group is added to the security of the map with full control. Maybe that is the solution to my problem. Does someone know what I have to put in my script to make that work :$?

I'd spend my pennies on doing this with runnas, and then 'encrypt' the script file into a kx, if you still need to do this with a script. Check InGroup in the kix ref-guide. Second, even if you alter the security settings for that map, you still wanna kick off the adding of the dll, right?

After doing some talking with my boss I found out that the users have the rights to have full control on the c:\program files\infostrait dir, so I can make a new folder and put a dll file in it. It's only on a couple of PCs where it goes wrong (of the 10 PCs I tested, 2 didn't work), so I want to add the user group "werknemers" with full control to the folder.

anyone ??????

Roedie, keep in mind the Mart and Les recommendations.

I never changed the file or folder permissions using pure kix, but you might take a look at xcacls.exe.

HOW TO: Use Xcacls.exe to modify NTFS permissions

Or you could use the code posted just a few minutes ago in: COM Scripting » NTFSPerms.... Finally!. Beware that this is not a final release. Read the rest of the post before using the code.

Xcacls.exe is indeed a nice tool to use, but it does not work for me.. yet :p. I will try some lines and I will let you know if it worked.

I got some working stuff with xcacls at home. Sadly I temporarily have no internet at home. I'll see if I can remember to bring it to work Monday.

Originally Posted By: Mart
So security is not an issue for your boss. Then you might as well make everyone admin. If it has to be done in the logon script you are stuck with something like runas which is a huge security risk

Actually that idea isn't as bad as you think. Everyone could be made LOCAL admins. That way there is no real security issue and this can be done through GPO. Also this poses no threat to network security.

I now have this line:

```
shell "run xcacls "c:\program files\infostrait" /g "DOMAIN\Werknemers":f;f /E"
```

This command runs perfectly in batch (without the shell & run command) but not yet in kix.. Has anyone an idea how to make it work?

It is all about the quotes..

Code:
```
shell "xcacls 'c:\program files\infostrait' /g 'Domain\Werknemers':f;f /E"
```

That and you have both shell and run in the command, just one or the other.

Hm.. it's still not working.. I also tried to run it with cmd.exe but then I get a message that there is an invalid flag files\infostrait.. but anyway.. I shall try some other things..

Quote:
.... invalid flag files\infostrait.. ....

That would be because of missing quotes. Because there are spaces in the path you need to protect them by wrapping it in quotes.

It's about this part of the code: 'c:\program files\infostrait'. The script sees c:\program as a separate part of the whole thing.

Keep in mind that many "DOS" commands only work with double quotes! I've gotten into the habit of using single quotes for nearly all Kix strings, so embedding double quotes into commands is not an issue.

Also - you should try this when building Shell or Run commands:

Code:
```
$Cmd = 'xcacls "c:\program files\infostrait" /g "Domain\Werknemers":f;f /E'
'running: ' $Cmd ?
Shell $Cmd
@SERROR ?
```

I'd even comment out the shell command the first time - you should be able to copy the command from the screen and run it manually - successfully. If that's so - then you know the command will work from within the script. Again, it's my "best practice" for any scripts I write - lets me confirm what's being run.

Glenn

When I run your script, Glenn, I get this message:

```
C:\kix>kix32.exe test4.kix
running: xcacls.exe "c:\program files\infostrait" /g "DOMAIN\Werknemers":f;f /E
The system cannot find the file specified.
```

This works.

Code:
```
Break on
Shell 'xcacls.exe "c:\new folder" /E /G "domain\Group":F'
```

Mart, the code that you gave I already tried, but that one doesn't work either. I will stop with it for today; on Monday I will continue this thing. If anyone has a solution please post it, then I will test it Monday morning.

Roedie

Changed the folder to the folder you use and it works great.

Code:
```
Break on
Shell 'xcacls.exe "c:\program files\infostrait" /E /G "domain\group":F'
```

The user running the code should also have permission on c:\program files. If not, he/she cannot set permissions on sub folders. It does shout a bit when checking the permissions on the folder that they are not in the correct order. You will have to watch out for that.

To set permissions on sub folders:

Code:
```
echo. > "c:\program files\infostrait\UserDirs.txt"
for /R "c:\program files\infostrait" %%i in (.) do echo. %%~si >> "c:\program files\infostrait\UserDirs.txt"
rem usebackq makes for /F read the quoted path as a file instead of as a literal string
For /F "usebackq" %%i in ("c:\program files\infostrait\UserDirs.txt") do xcacls %%i /E /G "domain\group":F
```

Code:
```
for /R "c:\program files\infostrait" %%i in (.) do xcacls %%~si /E /T /C /G "domain\group":F
```

Originally Posted By: Mart
It does shout a bit when checking the permissions on the folder that they are not in the correct order.

Originally Posted By: Les
Are we talking about CACLS or XCACLS?

I use XCACLS.

Code:
```
Break on
Shell 'xcacls "c:\program files\infostrait" /E /G "DOMAIN\Werknemers":F;F'
```

But if I remove the single quotes and Shell (just DOS commands):

Code:
```
xcacls "c:\program files\infostrait" /E /G "DOMAIN\Werknemers":F;F
```

Then it runs without any problem.

Ahh, found it! This code works for me.

Code:
```
Break on
Shell 'cmd.exe /c xcacls "c:\program files\infostrait" /E /G "DOMAIN\Werknemers":F;F'
```
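
Added example (not from any poster in this thread): a static check an administrator could run over logon scripts for the two risks discussed above, a password placed next to a runas-style command and a write-capable ACL grant on a Program Files folder. The sample lines are constructed from commands quoted in the thread; the protected prefixes, the trusted-principal list and the rule names are assumptions.

```python
import re

# Assumptions for this sketch: which locations count as protected and which
# principals may legitimately hold write access there.
PROTECTED = (r"c:\program files", r"c:\windows", "%programfiles%", "%windir%")
TRUSTED = {"administrators", "system", "domain admins"}
WRITE_RIGHTS = set("FCW")  # Full control, Change, Write

ELEVATE = re.compile(r"\brunn?as\b", re.I)
SECRET = re.compile(r'''\bpass(?:word)?\s*[:=]\s*["']?([^\s"']+)''', re.I)
ACL_CMD = re.compile(r'''\bx?cacls(?:\.exe)?\s+(?:"([^"]+)"|'([^']+)'|(\S+))''', re.I)
GRANT = re.compile(r'''/G\s+["']?([^"':]+)["']?:([A-Z])''', re.I)

# Constructed sample, modelled on commands quoted in the thread.
SAMPLE = r"""
Shell 'cmd.exe /c xcacls "c:\program files\infostrait" /E /G "DOMAIN\Werknemers":F;F'
Shell 'runas /user:DOMAIN\administrator /PASS:xx cmd'
; runas user="admin" pass="xxxx"
Shell 'xcacls.exe "c:\program files\infostrait" /E /G "DOMAIN\Domain Admins":F'
Shell 'runas /user:DOMAIN\administrator cmd'
Shell 'xcacls "y:\outlookmsg" /E /G "DOMAIN\Werknemers":C'
""".strip()


def audit(script_text):
    """Return (line number, rule, detail) for each risky line."""
    findings = []
    for no, line in enumerate(script_text.splitlines(), 1):
        code = line.strip()
        # A commented-out password is as readable as a live one, so the
        # credential rule deliberately includes comment lines.
        if ELEVATE.search(code) and SECRET.search(code):
            findings.append((no, "embedded-credential",
                             "password next to a runas-style command"))
        if code.startswith(";"):
            continue
        cmd = ACL_CMD.search(code)
        if not cmd:
            continue
        path = next(g for g in cmd.groups() if g).lower()
        for principal, right in GRANT.findall(code):
            group = principal.split("\\")[-1].strip().lower()
            if (path.startswith(PROTECTED) and right.upper() in WRITE_RIGHTS
                    and group not in TRUSTED):
                findings.append((no, "broad-acl-grant",
                                 f"{principal}:{right.upper()} on {path}"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The findings never echo the matched password, so the report itself can be shared without leaking it.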

Originally Posted By: Les
Originally Posted By: Mart
It does shout a bit when checking the permissions on the folder that they are not in the correct order.

Xcacls.exe. I never tried the vbs version.

Xcacls.vbs

Another question. Do you need to add special command lines to let a kix script run as a startup script of a GPO?

No. You only have to set it in a GPO and place the script in the sysvol folder.

I have kix32.exe and the script.kix in the netlogon dir. Now I added blabla\netlogon\kix32.exe to the SCRIPT NAME and blabla\netlogon\script.kix to the SCRIPT PARAMETER but still it won't work. I also tried to put blabla\netlogon\kix32.exe in the parameter and blabla\netlogon\script.kix in the name, but that doesn't work either.

Setting the script name to \\domain\sysvol\kix32.exe \\domain\sysvol\script.kix should work I guess. I have to say that I never did anything with batch-less scripts and always used a cmd file to kick off the script.

Maybe I have another idea.. When you have an msi file you can add it to a GPO. I know that there is a kix2exe. But is there also a kix to msi ??

Nope. EXE files are executables and MSI files are installers.

Hmm ok.. I also tried to run the script the way you said it a couple of posts above, and I tried to start it with a *.bat file, and it still won't work.

I have the script working well now.. but there is still one problem left. There are 2 files that need to be copied to C:\Documents and Settings\%user%\Application Data\Microsoft\Outlook, but on most clients the application data folder is hidden, so the script cannot copy the two files. The string I use now =

```
COPY "\\server\SmData\ClientSoftware\VB6\OutlookToSmarTeam" "c:\program files\infostrait\OutlookToSmarTeam" /s
```

Is there a way to copy files into hidden folders too, without making them visible?

Kix can copy files to a hidden folder. The hidden part is only so the user cannot see and therefore cannot mess with the folder. What do @error and @serror show after your copy line? I guess you used @userid instead of %user%, right?

I already found a solution. Instead of %userprofile%\application data\ I used %appdata%\ and that worked.

I have all the scripts working now, but still there is one little problem. For the startup script I want to let the script read a regkey, so if that one exists it will skip the rest of the script. The script itself is in a name.cmd, so NOT a kix script. What is the correct syntax of the if statement in DOS to see if a key exists? I tried:

```
IF EXIST ("HKEY_LOCAL_MACHINE\SOFTWARE\Installed\OutlookTool") GOTO :end ELSE
IF EXIST ('HKEY_LOCAL_MACHINE\SOFTWARE\Installed\OutlookTool') GOTO :end ELSE
IF EXIST (HKEY_LOCAL_MACHINE\SOFTWARE\Installed\OutlookTool) GOTO :end ELSE
IF EXIST HKEY_LOCAL_MACHINE\SOFTWARE\Installed\OutlookTool GOTO :end ELSE
```

But none of those worked. So if someone has the answer to that, please tell me.

Use KeyExist(). Also please try to prevent the use of Goto.

Code:
```
If KeyExist("HKEY_LOCAL_MACHINE\SOFTWARE\Installed\OutlookTool")
    ;Do something besides Goto :P
EndIf
```

SELECT / CASE would be a good choice here. Something like:

Code:
```
Select
  Case ExistKey("HKLM\first key...")
    ; ok - do nothing
  Case ExistKey("HKLM\second key...")
    ; ok - do nothing again (and again.. as needed)
  Case 1
    ; No required keys were found - do something, install something!
    Shell "%COMSPEC% /c D:\some\app\install.exe /silent /successful"
    ; check for errors {won't be any, chose the successful install option ;)}
EndSelect
```

Glenn

Quote:
GOTO :end

That is just wrong. You define the label with the colon but should not reference it with a colon.

Glenn, he was attempting one registry key, tried different ways. Btw, ExistKey was replaced by KeyExist. Also he never states "EndIf". I think he was just demonstrating his different attempts at the Exist() function.

Yeah, I see that NOW! When I replied, I was struggling to wake up after only 3 hours of sleep. I should'a had a pot of coffee first.

Well, if he HAD been looking at different values, and I HAD correctly typed KeyExist instead of ExistKey, my example might have been appropriate.

G-

Well good morning to you then

Hi,

The scripts are working well now and there are no problems anymore. Also the problem with the security could be easily solved by putting that in a policy. Thanks for all your comments.

Roedie.