ItsaCat
(Fresh Scripter)
2003-01-16 02:50 PM
winNT:// object authentication.

I'm hoping someone can help me. The background to my problem is I need to restrict users on my domain to one login. It's a Windows 2000 domain. Microsoft's recommended solution is to use Cconnect.exe, which maintains a list of logged-on users in an SQL database. But this list immediately becomes inaccurate if a user doesn't log off properly. With 15,000+ users, many of them with basic IT skills only, resetting the logon count for people who don't log off correctly will be a nightmare...

So I'm trying to write a Kix script which checks a particular drive share on a server to see if there is a session from that user already and if so logs them off. The following works fine for me.

$lanserv = GetObject("WinNT://servername/LanmanServer")

if @error <> 0
    ; GetObject failed (typically the user has no rights on the server object)
    ? @error + " / " + @serror
else
    ; walk the file server's session list looking for a session owned by this user
    for each $session in $lanserv.sessions
        if $session.user = "username"
            logoff(1)
        endif
    next
endif

But normal users don't have permissions to access the WinNT object on the server.

Is there a way to specify a username to use when connecting to the object? Anyone have any ideas? Help would be very much appreciated!

Thanx
Talwyn
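The check in the script above is easier to reason about with the session list modelled as data. The block below is an added example, not code from the original post: it mimics the WinNT:// LanmanServer session enumeration with constructed records (assumption: each record carries the user name and the client computer name, as the IADsSession User and Computer properties do) and shows two points the one-line comparison misses: the match should be case-insensitive, and the workstation running the script should be excluded, since its own connection to the server (the drive mapping, or the IPC$ connection used to enumerate sessions) would otherwise match and log the user off on a normal first logon.

```python
"""
Added example (not part of the original thread): models the session check from
the KiX script with constructed data so the decision logic can be run offline.
The WinNT:// provider is not called; the Session records are hand-written
stand-ins for what an enumeration of the server's sessions returns.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user: str       # account name as reported by the file server
    computer: str   # client workstation that holds the session


def sessions_elsewhere(sessions, user, this_computer):
    """Return the sessions `user` holds from workstations other than `this_computer`.

    Windows account and NetBIOS names are not case-sensitive, so both names are
    folded before comparing; the local workstation is skipped so that its own
    connection to the server does not count as a duplicate logon.
    """
    wanted = user.casefold()
    here = this_computer.casefold()
    return [s for s in sessions
            if s.user.casefold() == wanted and s.computer.casefold() != here]


def should_log_off(sessions, user, this_computer):
    """Decision the logon script would act on: True when the same account is
    already connected from another workstation."""
    return bool(sessions_elsewhere(sessions, user, this_computer))


# Constructed sample of what the server's session list might contain.
# TEH-1667, BURNBABY and thayes come from the thread; jsmith/WKS-0042 are made up.
SAMPLE_SESSIONS = [
    Session("thayes", "TEH-1667"),   # this workstation's own connection
    Session("THAYES", "BURNBABY"),   # the same account from a second PC
    Session("jsmith", "WKS-0042"),
]

if __name__ == "__main__":
    for user, pc in (("thayes", "TEH-1667"), ("thayes", "BURNBABY"), ("jsmith", "WKS-0042")):
        verdict = "log off" if should_log_off(SAMPLE_SESSIONS, user, pc) else "ok"
        print(f"{user} on {pc}: {verdict}")
```

Run stand-alone it reports thayes as a duplicate from either PC and jsmith as fine; swap the sample list for the real enumeration and the two functions are the only logic the logon script needs.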


Les
(KiX Master)
2003-01-16 02:53 PM
Re: winNT:// object authentication.

The oldest trick in the book is to limit the number of users on their homeshare. Then just see if their homeshare mapped OK and if not log them off.

ItsaCat
(Fresh Scripter)
2003-01-16 03:00 PM
Re: winNT:// object authentication.

Ahhh I forgot to mention....

With 10,000+ shares (approximately) Windows NT4, Windows 2000 (and probably Win .NET) blue screen, because the size of the .system registry file becomes too big to load into memory when the server boots up (16MB limit for registry and kernel at that point - yes shit I know!)

So I've had to use DFS, hence can't use the "oldest trick in the book", but thank you anyway!!


Les
(KiX Master)
2003-01-16 03:06 PM
Re: winNT:// object authentication.

I can't believe you'd have 10,000 shares on one server!

The second oldest trick, albeit less accurate, is to query WINS with NBTSTAT for the UserID. WINS only allows one UserID so if it doesn't return one for the PC you can assume:
1. the user hasn't logged off
2. there is another user with the same NetBIOS name
3. the record hasn't aged out of WINS

Don't tell me... you're running without WINS...

This topic has been discussed several times. Try using the search tools.


ItsaCat
(Fresh Scripter)
2003-01-16 03:09 PM
Re: winNT:// object authentication.

Heheh, yes I'm running WINS, I will give that a try, thanx.

Les
(KiX Master)
2003-01-16 03:26 PM
Re: winNT:// object authentication.

Well, seeing as you laugh at my humor...

Topic: Roaming profile

BTW, Welcome to the board.


ItsaCat
(Fresh Scripter)
2003-01-16 04:21 PM
Re: winNT:// object authentication.

Thanks again... but I don't see how it is going to work. When I try nbtstat on both the first and second machine I log onto I get the same result, it says my username is registered. Also when I check the WINS server database, while it does only have one record it is updated by the last machine I logged onto. So there is no way (that I can see) of determining from WINS if I am logged on elsewhere....?

Sealeopard
(KiX Master)
2003-01-16 04:24 PM
Re: winNT:// object authentication.

IIRC, the WINS entry will point to the first computer a user logged into. The NET SEND is using this to resolve where to send a message to. If you are logged into two computers at the same time, then the computer where you logged into the first time will receive the NET SEND message.

ItsaCat
(Fresh Scripter)
2003-01-16 04:29 PM
Re: winNT:// object authentication.

No it's not, it is pointing to the LAST computer I logged onto....

Les
(KiX Master)
2003-01-16 04:31 PM
Re: winNT:// object authentication.

Don't know what to say... it works for me. Have you modified the code?

ItsaCat
(Fresh Scripter)
2003-01-16 04:39 PM
Re: winNT:// object authentication.

Break on
; NBTSTAT lists the NetBIOS names this node knows about; keep the <03> (Messenger) entries and look for the user ID among them
$ShellCMD='%comspec% /c NBTSTAT -S |FIND /I "<03>"|FIND /I " '+@UserID+' "'
Shell $ShellCMD
; FIND sets a zero exit code when a matching line was found
If not @Error
    '@@UersID - '+@UserID+' found!'
EndIf
get $_

That's what I tried, and got the same output on both logged-on PCs....

sigh [Frown]

Ahhh well, I guess it's not me who will be resetting that SQL database with Cconnect.exe... [Smile]

I just won't ever get invited to the pub by the helpdesk techies again...!

But back to my original query, is it possible at all to use different credentials to connect to that COM object?


Les
(KiX Master)
2003-01-16 04:41 PM
Re: winNT:// object authentication.

what do you get... 'found' or nothing?
Is the userID in the computername?


ItsaCat
(Fresh Scripter)
2003-01-16 04:45 PM
Re: winNT:// object authentication.

THAYES <03> Listening
@UersID - thayes found!

That's the exact output... on both PCs

The computer names are TEH-1667 and BURNBABY respectively... so if that's what you mean, no, the username is different from the computer name.


Les
(KiX Master)
2003-01-16 04:49 PM
Re: winNT:// object authentication.

Spark up a DOS box and enter:
NBTSTAT -S

What does it show?


Bonji
(Starting to like KiXtart)
2003-01-16 04:52 PM
Re: winNT:// object authentication.

You can run the script with different credentials by using RUNAS (Windows XP). Other than that, I do not know of a way. However, this usually involves including the password in a script which is not preferred. I've seen information on a service that can be used to run scripts with different credentials as the service itself is initialized with the necessary ID.

Hope this helps.

-Ben
http://www.rgcweb.org/kix


ItsaCat
(Fresh Scripter)
2003-01-16 04:53 PM
Re: winNT:// object authentication.

Node IpAddress: [my IP address] Scope Id: []

NetBIOS Connection Table

Local Name State In/Out Remote Host Input Output

----------------------------------------------------------------------------

TEH-1667 <03> Listening
THAYES <03> Listening

Exactly the same on the second machine only differing on the IP and name of the machine.
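The output above explains why the NBTSTAT check fires on both PCs: each machine's own table lists the names that node itself registered, so the user's <03> name is present wherever the user is logged on. The block below is an added example, not part of the original thread: it parses two NBTSTAT-style listings constructed from the output quoted above, then feeds the registrations into a toy WINS table. The IP addresses are made up, and the WINS model assumes the latest registration of a unique name replaces the earlier one, which is the behaviour ItsaCat reports seeing.

```python
"""
Added example (not part of the original thread): parses NBTSTAT-style NetBIOS
name listings from two workstations and models how those registrations land in
a WINS database. Both listings and the WINS table are constructed for
illustration; the IPs are not real records.
"""
import re
from collections import OrderedDict

# Well-known NetBIOS name suffixes (16th byte) as shown by NBTSTAT.
SUFFIXES = {
    "00": "Workstation Service",
    "03": "Messenger Service",
    "20": "File Server Service",
    "1B": "Domain Master Browser",
    "1D": "Master Browser",
}

# Matches name lines such as:  THAYES          <03>  Listening
NAME_LINE = re.compile(r"^\s*(\S+)\s+<([0-9A-Fa-f]{2})>\s+(\w+)", re.M)


def parse_nbtstat(text):
    """Return (name, suffix, state) tuples for every name line in the listing."""
    return [(n.upper(), s.upper(), st) for n, s, st in NAME_LINE.findall(text)]


def describe_suffix(suffix):
    """Human-readable meaning of a NetBIOS suffix, or 'unknown'."""
    return SUFFIXES.get(suffix.upper(), "unknown")


def user_registered_locally(text, user):
    """The check the thread's KiX one-liner performs: is `user` present as a
    <03> (Messenger) name in this machine's own NBTSTAT listing?"""
    return any(n == user.upper() and s == "03" for n, s, _ in parse_nbtstat(text))


def wins_register(db, records, ip):
    """Model the registrations a node sends to WINS: a unique name (such as a
    user's <03> name) has one owner, so a later registration of the same name
    from another node replaces the earlier one (assumption, see lead-in)."""
    for name, suffix, _state in records:
        db[(name, suffix)] = ip
    return db


# Constructed listings for the two PCs named in the thread.
NBTSTAT_TEH_1667 = """\
Node IpAddress: [10.0.0.11] Scope Id: []

          NetBIOS Connection Table

Local Name             State    In/Out  Remote Host      Input    Output
----------------------------------------------------------------------------
TEH-1667       <03>  Listening
THAYES         <03>  Listening
"""
NBTSTAT_BURNBABY = """\
Node IpAddress: [10.0.0.12] Scope Id: []

          NetBIOS Connection Table

Local Name             State    In/Out  Remote Host      Input    Output
----------------------------------------------------------------------------
BURNBABY       <03>  Listening
THAYES         <03>  Listening
"""


def wins_after_both_logons():
    """Register TEH-1667 first and BURNBABY second; return the WINS table."""
    db = OrderedDict()
    wins_register(db, parse_nbtstat(NBTSTAT_TEH_1667), "10.0.0.11")
    wins_register(db, parse_nbtstat(NBTSTAT_BURNBABY), "10.0.0.12")
    return db


if __name__ == "__main__":
    for pc, text in (("TEH-1667", NBTSTAT_TEH_1667), ("BURNBABY", NBTSTAT_BURNBABY)):
        print(pc, "has local <03> for thayes:", user_registered_locally(text, "thayes"))
        for name, suffix, state in parse_nbtstat(text):
            print(f"  {name}<{suffix}> {describe_suffix(suffix)}: {state}")
    db = wins_after_both_logons()
    print("WINS THAYES<03> ->", db[("THAYES", "03")])
```

The local check returns True on both machines, so it can only confirm that the user is logged on here, which the logon script already knows. Only the WINS table sees both registrations, and with a single record per unique name it keeps whichever node registered last, so it cannot show that a second session exists either; that is the limitation ItsaCat describes.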


Les
(KiX Master)
2003-01-16 05:03 PM
Re: winNT:// object authentication.

I'm stumped... anyone?

ItsaCat
(Fresh Scripter)
2003-01-16 05:41 PM
Re: winNT:// object authentication.

Thanx Ben for the idea,

I think you mean srvany.exe which runs an application as a service, but I would have the same problem in that the user would then need permissions to start the service to run the script.

RunAs is included in windows 2000 too, but it doesn't allow you to put the password in as a parameter using the command line. I am going to try and get kix to pass it over using SENDKEYS.

T


Les
(KiX Master)
2003-01-16 05:47 PM
Re: winNT:// object authentication.

RunAs and SendKeys() is a security risk unless you encrypt. There is a wrapper for RunAs in the PD and/or AutoIT in place of SendKeys.

ShaneEP
(MM club member)
2003-01-22 11:56 PM
Re: winNT:// object authentication.

I have had luck using RunAS in conjunction with SendKeys and then using the KixCrypt.exe program to convert it to an .exe file. You can search the board and find all kinds of stuff on KixCrypt.exe.
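Les's point about RunAs driven by SendKeys is the kind of thing an administrator wants to be able to spot in a pile of logon scripts. The block below is an added example, not code from the thread or from KiXtart: a small audit check that flags a RunAs invocation followed, within a few lines, by a SendKeys() call whose literal is more than a bare keystroke, since that literal is almost certainly the password being typed into the RunAs prompt. The sample script it scans is constructed, with a placeholder in place of a password, and the patterns are assumptions about how such scripts usually look rather than a complete detector.

```python
"""
Added example (not part of the original thread): flags logon scripts that
feed a RunAs prompt through SendKeys. The script text scanned here is
constructed for illustration; the regular expressions are assumptions about
the common shape of such scripts, not an exhaustive rule set.
"""
import re

RUNAS_RE = re.compile(r"\brunas(\.exe)?\b", re.I)
SENDKEYS_RE = re.compile(r"\bsendkeys\s*\(\s*(['\"])(.*?)\1", re.I)
ACCOUNT_RE = re.compile(r"/user:(\S+)", re.I)
KEYSTROKE_RE = re.compile(r"\{[A-Z]+\}")   # SendKeys tokens such as {ENTER}


def find_runas_sendkeys(script, window=5):
    """Return findings as (runas_line, sendkeys_line, account) tuples, 1-based.

    A finding is a RunAs invocation followed within `window` lines by a
    SendKeys() call whose literal still has text once keystroke tokens are
    removed; a SendKeys('{ENTER}') on its own is not reported.
    """
    lines = script.splitlines()
    findings = []
    for i, line in enumerate(lines):
        if not RUNAS_RE.search(line):
            continue
        m = ACCOUNT_RE.search(line)
        account = m.group(1) if m else "?"
        for j in range(i + 1, min(i + 1 + window, len(lines))):
            sk = SENDKEYS_RE.search(lines[j])
            if sk and KEYSTROKE_RE.sub("", sk.group(2)).strip():
                findings.append((i + 1, j + 1, account))
                break
    return findings


# Constructed KiX fragment; the account and password are placeholders.
SAMPLE_SCRIPT = """\
; constructed fragment, not a real logon script
Break On
$cmd = 'runas /user:EXAMPLE\\svc-sessions kix32.exe checksessions.kix'
Run $cmd
Sleep 1
SendKeys('PLACEHOLDER-PASSWORD{ENTER}')
"""

# Constructed fragment that only presses Enter, which should not be reported.
BENIGN_SCRIPT = """\
Run 'runas /user:EXAMPLE\\svc-sessions notepad.exe'
SendKeys('{ENTER}')
"""

if __name__ == "__main__":
    for runas_line, sendkeys_line, account in find_runas_sendkeys(SAMPLE_SCRIPT):
        print(f"line {runas_line}: RunAs as {account}; "
              f"line {sendkeys_line}: SendKeys supplies the password")
    print("benign findings:", find_runas_sendkeys(BENIGN_SCRIPT))
```

Point it at a directory of .kix files and the account captured from /user: tells you which service account's password is sitting in plain text in a script every domain user can read from the netlogon share; wrapping the script with KixCrypt hides the text from a casual look but does not change what the check is looking for in the source.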