roedie
(Getting the hang of it)
2007-05-09 11:15 AM
Problem!!

Hi all

I have a problem running a KiXtart script.
The script has to add a folder and a DLL in the c:\program files\infostrait\ directory.

But there is one problem! If I'm a normal user I can't create folders there; it needs administrator rights to do so.

Is there a simple way to get around that?
I need to run this script at the logon.

Here is a piece of the script I have now.

IF EXIST("c:\program files\infostrait\OutlookToSmarTeam\OutlookToSmarTeam.dll")
GOTO MAPPING

else

CD "c:\program files\infostrait"
md "OutlookToSmarTeam"
copy "\\server\SmData\ClientSoftware\VB6\OutlookToSmarTeam" "c:\program files\infostrait\OutlookToSmarTeam" /s

cd "OutlookToSmarTeam"
Shell "regsvr32 /s OutlookToSmarTeam.dll"


I hope you can help me out.
(sorry for my bad English)


Mart
(KiX Supporter)
2007-05-09 11:41 AM
Re: Problem!!

You could do a search on runnas or runas (watch the double and single n). You will still need to know the username and password of the admin account.
If you are not an admin why are you adding DLLs to the system? It can seriously screw up the system. Maybe you could ask your admin to do this for you?

KiXtart FAQ & How to's » Installing an Application as an Admin


roedie
(Getting the hang of it)
2007-05-09 11:47 AM
Re: Problem!!

Well, I am an admin here.

The DLL is for an application that allows users to save emails in SmarTeam.
But anyway,
I can't just type something like: runas user="admin" pass="xxxx"
???


Mart
(KiX Supporter)
2007-05-09 12:00 PM
Re: Problem!!

Sure you can but that makes the password readable for all users.
If you are running GPO you can run the script as a Startup script. This way you do not need to specify the username and password in the script because the startup scripts run on the local system account that has admin privileges.

You can use the built-in runas in WinXP but, as said, that is not secure and everybody can read the username and password. IMHO one should not use runas.


roedie
(Getting the hang of it)
2007-05-09 12:20 PM
Re: Problem!!

I will try it in a couple of hours. I will let you know if it worked.

Glenn Barnas (Administrator)
(KiX Supporter)
2007-05-09 01:49 PM
Re: Problem!!

Unless I'm wrong, the XP Pro version of RUNAS won't accept a password as an argument - it must be entered interactively. Specifying the password directly after the user ID, as well as using "/PASS:xx" and "/PASSWORD:xx" switches fail. Even piping fails, as shown below.
 Code:
PW1 - C:\Temp>echo PassWord | runas /user:domain\administrator cmd
Enter the password for domain\administrator:
Attempting to start cmd as user "gbcs\administrator" ...
RUNAS ERROR: Unable to run - cmd
1326: Logon failure: unknown user name or bad password.


I believe RUNnAS (double "n") is the form that will work, but you'll need to make it available to every system (via NetLogon share, possibly). It will also encode the password. It's an external tool you'll need to download.

Realize that there are tools to define and manage scheduled tasks, which can run as any user. The tcLib UDF library can create a task with specific credentials in as little as 4 lines of code, and then cause it to run immediately. The CoDec UDF can obfuscate the account credentials stored in a file or even within the script, and these scripts should be tokenized to further hide the data and the methods of operation from casual users.

The latest tcLib can be downloaded from my web site, and CoDec is available here on KORG, and in the KixDev package on my site.

Glenn


Mart
(KiX Supporter)
2007-05-09 01:53 PM
Re: Problem!!

 Quote:

Unless I'm wrong, the XP Pro version of RUNAS won't accept a password as an argument - it must be entered interactively
....


Yes. You are correct. Missed that.

 Code:
U:\>runas /?
RUNAS USAGE:

RUNAS [ [/noprofile | /profile] [/env] [/netonly] ]
        /user:<UserName> program

RUNAS [ [/noprofile | /profile] [/env] [/netonly] ]
        /smartcard [/user:<UserName>] program

   /noprofile        specifies that the user's profile should not be loaded.
                     This causes the application to load more quickly, but
                     can cause some applications to malfunction.
   /profile          specifies that the user's profile should be loaded.
                     This is the default.
   /env              to use current environment instead of user's.
   /netonly          use if the credentials specified are for remote
                     access only.
   /savecred         to use credentials previously saved by the user.
                     This option is not available on Windows XP Home Edition
                     and will be ignored.
   /smartcard        use if the credentials are to be supplied from a
                     smartcard.
   /user             <UserName> should be in form USER@DOMAIN or DOMAIN\USER
   program         command line for EXE.  See below for examples

Examples:
> runas /noprofile /user:mymachine\administrator cmd
> runas /profile /env /user:mydomain\admin "mmc %windir%\system32\dsa.msc"
> runas /env /user:user@domain.microsoft.com "notepad \"my file.txt\""

NOTE:  Enter user's password only when prompted.
NOTE:  USER@DOMAIN is not compatible with /netonly.
NOTE:  /profile is not compatible with /netonly.


Bryce
(KiX Supporter)
2007-05-09 02:44 PM
Re: Problem!!

not one comment about the use of goto??

Mart
(KiX Supporter)
2007-05-09 03:02 PM
Re: Problem!!

 Originally Posted By: Bryce
not one comment about the use of goto??


All right, all right. Goto sucks :D


roedie
(Getting the hang of it)
2007-05-09 03:03 PM
Re: Problem!!

Is there really no other way around? It's not like I have to install a whole program. It's just for making a dir and copying one file into that dir. For the rest of the script it works fine.

Mart
(KiX Supporter)
2007-05-09 03:07 PM
Re: Problem!!

You can also use a startup script or a scheduled task to do the things you want done.

roedie
(Getting the hang of it)
2007-05-09 03:09 PM
Re: Problem!!

It has to be done in the login script. That's what the boss wants.

*edit* post of the whole script */edit*

 Code:
IF EXIST("c:\program files\infostrait\OutlookToSmarTeam\OutlookToSmarTeam.dll")
GOTO MAPPING

else

; -- Create a new folder in the infostrait folder and copy a DLL into the new folder.

CD "c:\program files\infostrait"
md "OutlookToSmarTeam"
copy "\\serverxx\SmData\ClientSoftware\VB6\OutlookToSmarTeam" "c:\program files\infostrait\OutlookToSmarTeam" /s

; -- Register the DLL.

cd "OutlookToSmarTeam"
Shell "regsvr32 /s OutlookToSmarTeam.dll"

; -- Copy 2 small files for the "save in SmarTeam" button.

copy "\\serverxx\NETLOGON\Kixscripts\OLtoST\" "%userprofile%\Application Data\Microsoft\Outlook" /s

; -- Set the macro security level in Outlook to low.

WriteValue("HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Outlook\Security\","Level","00000001","REG_DWORD")

; -- Create a new folder on the network drive Y.

CD "y:"
MD "outlookmsg"

:MAPPING


Mart
(KiX Supporter)
2007-05-09 03:25 PM
Re: Problem!!

So security is not an issue for your boss. Then you might as well make everyone admin.

If it has to be done in the logon script you are stuck with something like runas which is a huge security risk


roedie
(Getting the hang of it)
2007-05-09 03:27 PM
Re: Problem!!

So you say the best thing to do is to install it manually on every PC with the admin acc?

Mart
(KiX Supporter)
2007-05-09 03:35 PM
Re: Problem!!

That would be a lot more secure than using something like runas.
A GPO startup script (runs with elevated privileges) or a scheduled task (runs with whatever account you specify) would also be a secure option and they prevent you from running around in the office because a scheduled task can be scheduled from a remote computer and a GPO only has to be created once.

Sure you can use runas but it is almost the same as sending an e-mail to everyone telling them the admin's username and password and asking them to (ab)use it. But hey, it’s not my network so you should use whatever you want. If runas is your choice then I’m not going to stop you from using it. I’m only saying that runas sucks and is a huge security risk.

SCHEDULETASK() - Schedules a task on any computer using the Task Scheduler


Les
(KiX Master)
2007-05-09 03:57 PM
Re: Problem!!

 Originally Posted By: Glenn Barnas
Unless I'm wrong, the XP Pro version of RUNAS won't accept a password as an argument - it must be entered interactively.
There have been work-arounds using a VBS wrapper or other wrappers such as sanur (runas spelled backwards).


Adolfo
(Fresh Scripter)
2007-05-09 05:01 PM
Re: Problem!!

why don't you convert a bat into a com or a kix into an exe? so users can't see the administrator password. is it possible?

Mart
(KiX Supporter)
2007-05-09 05:09 PM
Re: Problem!!

Sure you can package a kix script in an executable file (for example with ASE or Kix2Exe by Senser). Imho these are all workarounds.
Imho runas is only to be used in those cases where nothing else (better/more secure) can be done, and those cases are very, VERY, VERY rare, almost nonexistent.


Les
(KiX Master)
2007-05-09 06:17 PM
Re: Problem!!

 Originally Posted By: Adolfo
why don't you convert a bat into a com or a kix into an exe? so users can't see the administrator password. is it possible?
Not needed for obfuscation since KiX has tokenization with obfuscation built in.

ASE can do things differently whereby you don't have to elevate with a runas type utility and embed a password. Using ASE to make an EXE is less secure than using the ASE alternate creds feature.

If you don't understand the implications of security you should not be trying to elevate permissions.


roedie
(Getting the hang of it)
2007-05-10 08:53 AM
Re: Problem!!

I think a startup script is not going to work because the script is also making a folder on a network drive that is necessary for the application to run.

I shall try to make an exe file. Maybe that will do the trick.


roedie
(Getting the hang of it)
2007-05-10 09:14 AM
Re: Problem!!

OK. I want to try another thing now.

I will put in the script that a user group is added to the security of the folder with full control. Maybe that is the solution to my problem.

Does someone know what I have to put in my script to let that thing work :$?


Björn
(Korg Regular)
2007-05-10 10:41 AM
Re: Problem!!

I'd send my pennies on doing this with runnas, and then 'encrypt' the scriptfile into a kx, if you still need to do this with a script.

check the InGroup in the kix ref-guide.

Second, even if you alter the security settings for that folder, you still wanna kick off the adding of the dll, right?


roedie
(Getting the hang of it)
2007-05-10 10:49 AM
Re: Problem!!

After doing some talking with my boss I found out that the users have the rights to have full control on the c:\program files\infostrait dir so I can make a new folder and put a dll file in it.

It's only on a couple of PCs where it goes wrong. (Of the 10 PCs I tested, 2 didn't work.)

So I want to add the user group "werknemers" with full control to the folder.


roedie
(Getting the hang of it)
2007-05-10 01:22 PM
Re: Problem!!

anyone ??????

Adolfo
(Fresh Scripter)
2007-05-10 04:30 PM
Re: Problem!!

Roedie

Keep in mind Mart's and Les's recommendations.


Mart
(KiX Supporter)
2007-05-10 04:56 PM
Re: Problem!!

I never changed the file or folder permissions using pure kix but you might take a look at xcacls.exe.

HOW TO: Use Xcacls.exe to modify NTFS permissions

Or you could use the code posted just a few minutes ago in: COM Scripting » NTFSPerms.... Finally!. Beware that this is not a final release. Read the rest of the post before using the code.


roedie
(Getting the hang of it)
2007-05-11 09:17 AM
Re: Problem!!

Xcacls.exe is indeed a nice tool to use. but it does not work for me.. yet :p.

I will try some lines and I will let you know if it worked.


Mart
(KiX Supporter)
2007-05-11 09:19 AM
Re: Problem!!

I got some working stuff with xcacls at home. Sadly I temporarily have no internet at home. I'll see if I can remember to bring it to work Monday.

Arend_
(MM club member)
2007-05-11 09:21 AM
Re: Problem!!

 Originally Posted By: Mart
So security is not an issue for your boss. Then you might as well make everyone admin.

If it has to be done in the logon script you are stuck with something like runas which is a huge security risk


Actually that idea isn't as bad as you think. Everyone could be made LOCAL admins. That way there is no real security issue and this can be done through GPO. Also this poses no threat to network security.


roedie
(Getting the hang of it)
2007-05-11 09:39 AM
Re: Problem!!

i have now this line:

shell "run xcacls "c:\program files\infostrait" /g "DOMAIN\Werknemers":f;f /E"

this command runs perfect in batch (without the shell & run command) but not yet in kix..

has anyone an idea to let it work?


Gargoyle
(MM club member)
2007-05-11 01:48 PM
Re: Problem!!

It is all about the quotes..

 Code:
shell "xcacls 'c:\program files\infostrait' /g 'Domain\Werknemers':f;f /E"


That and you have both shell and run in the command, just one or the other.


roedie
(Getting the hang of it)
2007-05-11 02:28 PM
Re: Problem!!

Hm.. it's still not working.. I also tried to run it with cmd.exe but then I get a message that there is an invalid flag files\infostrait.. but anyway.. I shall try some other things..

Mart
(KiX Supporter)
2007-05-11 02:32 PM
Re: Problem!!

 Quote:

....
invalid flag files\infostrait..
....


That would be because of missing quotes. Because there are spaces in the path you need to protect them by wrapping it in quotes.


roedie
(Getting the hang of it)
2007-05-11 02:35 PM
Re: Problem!!

It's about this part of the code. 'c:\program files\infostrait'

The script sees c:\program as a separate part of the whole thing.


Glenn Barnas (Administrator)
(KiX Supporter)
2007-05-11 02:51 PM
Re: Problem!!

Keep in mind that many "DOS" commands only work with double quotes! I've gotten into the habit of using single quotes for nearly all Kix strings, so embedding double quotes into commands is not an issue. Also - you should try this when building Shell or Run commands:
 Code:
$Cmd = 'xcacls "c:\program files\infostrait" /g "Domain\Werknemers":f;f /E'
'running: ' $Cmd ?
Shell $Cmd
@SERROR ?

I'd even comment out the shell command the first time - you should be able to copy the command from the screen and run it manually - successfully. If that's so - then you know the command will work from within the script.

Again, it's my "best practice" for any scripts I write - lets me confirm what's being run.

Glenn


roedie
(Getting the hang of it)
2007-05-11 03:04 PM
Re: Problem!!

when i run your script Glenn i get this message

C:\kix>kix32.exe test4.kix
running: xcacls.exe "c:\program files\infostrait" /g "DOMAIN\Werknemers":f;f /E
The system cannot find the file specified.


Mart
(KiX Supporter)
2007-05-11 03:09 PM
Re: Problem!!

This works.

 Code:
Break on

Shell 'xcacls.exe "c:\new folder" /E /G "domain\Group":F'


roedie
(Getting the hang of it)
2007-05-11 03:26 PM
Re: Problem!!

Mart, the code that you gave I already tried but that one doesn't work either.

I will stop with it for today; on Monday I will continue this thing.

If anyone has a solution please post it, then I will test it Monday morning.

Roedie


Mart
(KiX Supporter)
2007-05-11 03:48 PM
Re: Problem!!

Changed the folder to the folder you use and it works great.

 Code:
Break on

Shell 'xcacls.exe "c:\program files\infostrait" /E /G "domain\group":F'


The user running the code should also have permission on c:\program files. if not he/she cannot set permissions on sub folders. It does shout a bit when checking the permissions on the folder that they are not in the correct order. You will have to watch out for that.


Adolfo
(Fresh Scripter)
2007-05-12 04:06 AM
Re: Problem!!

To set permissions on subfolders
 Code:
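rem Start a fresh list file.
echo. > "c:\program files\infostrait\UserDirs.txt" 

rem Write the short (8.3) path of every subfolder to the list.
for /R "c:\program files\infostrait" %%i in (.) do echo. %%~si >> "c:\program files\infostrait\UserDirs.txt"

rem usebackq makes FOR /F read the quoted name as a file, not as a literal string.
For /F "usebackq" %%i in ("c:\program files\infostrait\UserDirs.txt") do xcacls %%i /E /G  "domain\group":F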


Adolfo
(Fresh Scripter)
2007-05-12 07:06 PM
Re: Problem!!



 Code:
for /R "c:\program files\infostrait" %%i in (.) do xcacls %%~si /E /T /C /G "domain\group":F


Les
(KiX Master)
2007-05-12 07:21 PM
Re: Problem!!

 Originally Posted By: Mart
It does shout a bit when checking the permissions on the folder that they are not in the correct order.
Are we talking about CACLS or XCACLS? AFAIK, some versions of CACLS have the incorrectly ordered ACEs problem and MS provided a VBS version at one time to fix it. I've never run into the issue on W2K3 using the version of CACLS it provides.


roedie
(Getting the hang of it)
2007-05-14 08:04 AM
Re: Problem!!

 Originally Posted By: Les
Are we talking about CACLS or XCACLS?


I use XCACLS.


roedie
(Getting the hang of it)
2007-05-14 08:16 AM
Re: Problem!!

This code doesn't work:

 Code:
Break on

Shell 'xcacls "c:\program files\infostrait" /E /G "DOMAIN\Werknemers":F;F'


But if I remove the single quotes and Shell (just DOS commands):
 Code:
xcacls "c:\program files\infostrait" /E /G "DOMAIN\Werknemers":F;F


Then it runs without any problem.


ahh found it! This code works for me.

 Code:
Break on

Shell 'cmd.exe /c xcacls "c:\program files\infostrait" /E /G "DOMAIN\Werknemers":F;F'


Mart
(KiX Supporter)
2007-05-14 09:33 AM
Re: Problem!!

 Originally Posted By: Les
 Originally Posted By: Mart
It does shout a bit when checking the permissions on the folder that they are not in the correct order.
Are we talking about CACLS or XCACLS? AFAIK, some versions of CACLS have the incorrectly ordered ACEs problem and MS provided a VBS version at one time to fix it. I've never run into the issue on W2K3 using the version of CACLS it provides.


Xcacls.exe.
I never tried the vbs version.
Xcacls.vbs


roedie
(Getting the hang of it)
2007-05-14 01:36 PM
Re: Problem!!

another question.

Do you need to add special command lines to let a KiX script run in a startup script of a GPO?


Mart
(KiX Supporter)
2007-05-14 02:00 PM
Re: Problem!!

No. You only have to set it in a GPO and place the script in the sysvol folder.

roedie
(Getting the hang of it)
2007-05-14 03:32 PM
Re: Problem!!

I have kix32.exe and the script.kix in the netlogon dir.

Now I added blabla\netlogon\kix32.exe to the SCRIPT NAME and blabla\netlogon\script.kix to the SCRIPT PARAMETER
but still it won't work.

I also tried putting blabla\netlogon\kix32.exe in the parameter and blabla\netlogon\script.kix in the name but that doesn't work either.


Mart
(KiX Supporter)
2007-05-14 03:59 PM
Re: Problem!!

Setting the script name to \\domain\sysvol\kix32.exe \\domain\sysvol\script.kix should work I guess.
I have to say that I never did anything with batch-less scripts and always used a cmd file to kickoff the script.


roedie
(Getting the hang of it)
2007-05-15 09:43 AM
Re: Problem!!

Maybe I have another idea.. when you have an MSI file you can add it to a GPO.

I know that there is a kix2exe. But is there also a kix to msi ??


Mart
(KiX Supporter)
2007-05-15 09:59 AM
Re: Problem!!

Nope.
EXE files are executables and MSI files are installers.


roedie
(Getting the hang of it)
2007-05-15 10:26 AM
Re: Problem!!

Hmm OK.. I also tried to run the script the way you said a couple of posts above, and I tried to start it with a *.bat file, and it still won't work :(

roedie
(Getting the hang of it)
2007-05-25 08:27 AM
Re: Problem!!

I have the script working well now.. but there is still one problem left.

There are 2 files that need to be copied to: C:\Documents and Settings\%user%\Application Data\Microsoft\Outlook.

But on most clients the Application Data folder is hidden so the script cannot copy the two files.

The string I use now = COPY "\\server\SmData\ClientSoftware\VB6\OutlookToSmarTeam" "c:\program files\infostrait\OutlookToSmarTeam" /s

Is there a way to also copy files into hidden folders without making them visible?


Mart
(KiX Supporter)
2007-05-25 10:06 AM
Re: Problem!!

Kix can copy files to a hidden folder. The hidden part is only so the user cannot see it and therefore cannot mess with the folder. What does @error and @serror show after your copy line?

I guess you used @userid instead of %user%, right?


roedie
(Getting the hang of it)
2007-05-25 11:18 AM
Re: Problem!!

I already found a solution. Instead of %userprofile%\application data\ I used %appdata%\. That worked :)

roedie
(Getting the hang of it)
2007-05-30 11:04 AM
Re: Problem!!

I have all the scripts working now.

But there is still one little problem.

For the startup script I want to let the script read a regkey so that if it exists it will skip the rest of the script.

The script itself is in a name.cmd, so NOT a KiX script.
What is the correct syntax of the if statement in DOS to see if a key exists?

I tried:
IF EXIST ("HKEY_LOCAL_MACHINE\SOFTWARE\Installed\OutlookTool")
GOTO :end
ELSE

IF EXIST ('HKEY_LOCAL_MACHINE\SOFTWARE\Installed\OutlookTool')
GOTO :end
ELSE

IF EXIST (HKEY_LOCAL_MACHINE\SOFTWARE\Installed\OutlookTool)
GOTO :end
ELSE

IF EXIST HKEY_LOCAL_MACHINE\SOFTWARE\Installed\OutlookTool
GOTO :end
ELSE


But none of those worked.
so if someone has the answer to that plz tell me.


Arend_
(MM club member)
2007-05-30 01:36 PM
Re: Problem!!

Use KeyExist()
Also please try to prevent the use of Goto.

 Code:
If KeyExist("HKEY_LOCAL_MACHINE\SOFTWARE\Installed\OutlookTool")
  ;Do something besides Goto :P
EndIf


Glenn Barnas (Administrator)
(KiX Supporter)
2007-05-30 02:12 PM
Re: Problem!!

SELECT / CASE would be a good choice here. Something like:
 Code:
Select
 Case ExistKey("HKLM\first key...")
  ; ok - do nothing
 Case ExistKey("HKLM\second key...")
  ; ok - do nothing again (an again.. as needed)
 Case 1
  ; No required keys were found - do something, install something!
  Shell "%COMSPEC% /c D:\some\app\install.exe /silent /successful"
  ; check for errors {won't be any, chose the successful install option ;)}

EndSelect


Glenn


Les
(KiX Master)
2007-05-30 03:01 PM
Re: Problem!!

 Quote:
GOTO :end

That is just wrong. you define the label with the colon but should not reference it with a colon.


Arend_
(MM club member)
2007-05-30 04:51 PM
Re: Problem!!

Glenn, he was attempting one registry key, tried different ways.
Btw ExistKey was replaced by KeyExist :)
Also he never states "EndIf" :)

I think he was just demonstrating his different attempts at the Exist() Function.


Glenn Barnas (Administrator)
(KiX Supporter)
2007-05-30 06:06 PM
Re: Problem!!

Yeah, I see that NOW! When I replied, I was struggling to wake up after only 3 hours of sleep. :( I should'a had a pot of coffee first.

Well, if he HAD been looking at different values, and I HAD correctly typed KeyExist instead of ExistKey, my example might have been appropriate.

:D

G-


Arend_
(MM club member)
2007-05-31 09:15 AM
Re: Problem!!

Well good morning to you then :)

roedie
(Getting the hang of it)
2007-06-01 03:31 PM
Re: Problem!!

Hi

The scripts are working well now and there are no problems anymore.

Also the problem with the security could be easily solved by putting that in a policy.

Thanks for all your comments.

Roedie.
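
The machine-wide half of this install written as a GPO computer startup script, the route Mart recommends, with the registry-key test roedie asks about for a .cmd file. This is an added example, not code posted by anyone in the thread; the paths and the marker key are the ones quoted above, and it assumes the share is readable by the computer account, because startup scripts run as Local System. Run this way, the script needs neither a stored admin password nor Full control for the Werknemers group on the folder.

```batch
@echo off
rem Added example, not from the thread: machine-wide part of the install,
rem meant to run as a GPO computer startup script (Local System).
rem \\server is the thread's own placeholder for the file server.
setlocal

set "SRC=\\server\SmData\ClientSoftware\VB6\OutlookToSmarTeam"
set "DST=c:\program files\infostrait\OutlookToSmarTeam"
set "MARKER=HKLM\SOFTWARE\Installed\OutlookTool"

rem reg query returns errorlevel 0 when the key exists and 1 when it does not.
rem "if not errorlevel 1" is true only for 0, so an installed machine stops here.
reg query "%MARKER%" >nul 2>&1
if not errorlevel 1 goto :eof

rem Local System reaches the share as the computer account (assumption: the
rem share and NTFS permissions grant the computer accounts read access).
if not exist "%SRC%\OutlookToSmarTeam.dll" (
    echo Source DLL not reachable: %SRC%
    exit /b 2
)

rem Create the folder and copy the files; only administrators and SYSTEM
rem need write access here, users keep the default read and execute rights.
if not exist "%DST%" md "%DST%"
xcopy "%SRC%" "%DST%" /s /y /i >nul
if errorlevel 1 (
    echo Copy failed
    exit /b 3
)

rem Register the DLL; regsvr32 returns a non-zero exit code on failure.
regsvr32 /s "%DST%\OutlookToSmarTeam.dll"
if errorlevel 1 (
    echo regsvr32 failed
    exit /b 4
)

rem Write the marker key last, so a failed run is retried at the next boot.
reg add "%MARKER%" /f >nul
endlocal
```

The per-user steps (the two files under %appdata% and the folder on Y:) stay in the logon script, where no elevation is needed.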