Page 1 of 1 1
Topic Options
#160600 - 2006-04-10 08:45 PM Logon script won't run as admin
matthewst Offline
Getting the hang of it

Registered: 2005-01-26
Posts: 89
I am calling a script from within a logon script. The called script won't run powercfg. It runs fine when I logon as admin, but it says "You do not have permission...." if I logon as a user.

In my network only admins are allowed to adjust the power configuration.


here is some of the logon script
Code:
call "\\server\share\power.kix"



then power.kix runs but gives me the permission error
Code:
shell 'powercfg /CREATE Power_Scheme'
shell 'powercfg /SETACTIVE Power_Scheme'
shell 'powercfg /CHANGE Power_Scheme /monitor-timeout-ac 15'


Top
#160601 - 2006-04-10 08:55 PM Re: Logon script won't run as admin
Radimus Moderator Offline
Moderator
*****

Registered: 2000-01-06
Posts: 5187
Loc: Tampa, FL
ok. That sounds right, what is the problem?
_________________________
How to ask questions the smart way <-----------> Before you ask

Top
#160602 - 2006-04-10 08:58 PM Re: Logon script won't run as admin
Radimus Moderator Offline
Moderator
*****

Registered: 2000-01-06
Posts: 5187
Loc: Tampa, FL
I'm guessing the Question you meant to ask was, "How can I get a script to run with admin priviledges?"

http://www.kixtart.org/ubbthreads/showflat.php?Cat=0&Number=81559&an=0&page=4#81559
_________________________
How to ask questions the smart way <-----------> Before you ask

Top
#160603 - 2006-04-10 09:00 PM Re: Logon script won't run as admin
matthewst Offline
Getting the hang of it

Registered: 2005-01-26
Posts: 89
The script processes but doesn't change anything. How can I get this script to run as admin when the users are logging on? I thought all logon scripts ran with admin permissions.
Top
#160604 - 2006-04-10 09:10 PM Re: Logon script won't run as admin
Radimus Moderator Offline
Moderator
*****

Registered: 2000-01-06
Posts: 5187
Loc: Tampa, FL
nope, all scripts run as the user that logs on... that is how a user gets their network drives.

Hoops must be gone through to give a user admin privledges for installing apps and such
_________________________
How to ask questions the smart way <-----------> Before you ask

Top
#160605 - 2006-04-10 09:14 PM Re: Logon script won't run as admin
Mart Moderator Offline
KiX Supporter
*****

Registered: 2002-03-27
Posts: 4672
Loc: The Netherlands
There are some examples here on this board that show how to run a script as an admin. One of the least secure is to use runas (provided by MS in Win2K and up). Users can read the username and password this way. There are also topics on how to do it more secure. Do a search on runas (gave me 361 hits) and sanur and you'll get some hits. Tokenizing the script is also an option. But afaik there are no 100% secure ways to run a logon script as an admin when a regular user logs on.

Logon scripts always run with the credentials of the user logging on and not as an admin of any kind unless some it is told to do so. Start-up scripts run under the system account and therefore have elevated privileges compared to a regular user but it still is not the same as a domain admin.
_________________________
Mart

- Chuck Norris once sold ebay to ebay on ebay.

Top
#160606 - 2006-04-10 09:27 PM Re: Logon script won't run as admin
Witto Offline
MM club member
*****

Registered: 2004-09-29
Posts: 1828
Loc: Belgium
If I understand well, you want to change the power scheme of a user. I think there are two easy ways to do this.
  • Via GPO: EZ GPO Tool
  • Via login script: just change "HEY_CURRENT_USER\Control Panel\PowerCfg","CurrentPowerPolicy" to the desired value

Top
#160607 - 2006-04-10 09:37 PM Re: Logon script won't run as admin
Les Offline
KiX Master
*****

Registered: 2001-06-11
Posts: 12734
Loc: fortfrances.on.ca
WHen you run under alternate creds, the HKCU is not that of the intended. You need to get fancy and navigate through HKU\SIDofIntendedUser\...
_________________________
Give a man a fish and he will be back for more. Slap him with a fish and he will go away forever.

Top
#160608 - 2006-04-10 09:54 PM Re: Logon script won't run as admin
Witto Offline
MM club member
*****

Registered: 2004-09-29
Posts: 1828
Loc: Belgium
True. But why would I need alternate credentials As far as I know, a normal user can change "HEY_CURRENT_USER\Control Panel\PowerCfg","CurrentPowerPolicy".
Top
#160609 - 2006-04-10 10:28 PM Re: Logon script won't run as admin
Les Offline
KiX Master
*****

Registered: 2001-06-11
Posts: 12734
Loc: fortfrances.on.ca
No, not true. There has been much said about that and the consensus is that perms need to be opened up on the key.
_________________________
Give a man a fish and he will be back for more. Slap him with a fish and he will go away forever.

Top
#160610 - 2006-04-11 03:44 PM Re: Logon script won't run as admin
matthewst Offline
Getting the hang of it

Registered: 2005-01-26
Posts: 89
I think just using runas is they way to go for me.

Code:

Run 'runas /user:USERNAME "powercfg /SETACTIVE POWER_SCHEME"'
$ReturnCode = SendKeys("PASSWORD")
$ReturnCode = SendKeys("{ENTER}")



But when I run this a box flashes on the screen to quick for me to read and the power scheme remains unchanged. The output in the original dosbox is:

C:\drive>pwrcfg.kix
Enter the password for USERNAME:
Attempting to start powercfg /SETACTIVE POWER_SCHEME as user "COMPUTERNAME\USERNAME"...

C:\drive>

Top
#160611 - 2006-04-11 03:49 PM Re: Logon script won't run as admin
Les Offline
KiX Master
*****

Registered: 2001-06-11
Posts: 12734
Loc: fortfrances.on.ca
You are obviously still in denial.
_________________________
Give a man a fish and he will be back for more. Slap him with a fish and he will go away forever.

Top
#160612 - 2006-04-11 03:59 PM Re: Logon script won't run as admin
matthewst Offline
Getting the hang of it

Registered: 2005-01-26
Posts: 89
sorry still learnin
Top
#160613 - 2006-04-11 04:11 PM Re: Logon script won't run as admin
matthewst Offline
Getting the hang of it

Registered: 2005-01-26
Posts: 89
This works:
Code:
RUN "runas /user:USERNAME notepad.exe"
$ReturnCode = SendKeys("PASSWORD")
$ReturnCode = SendKeys("{ENTER}")



But not this:
Code:
Run "runas /user:USERNAME powercfg /SETACTIVE POWER_SCHEME"
$ReturnCode = SendKeys("PASSWORD")
$ReturnCode = SendKeys("{ENTER}")


Top
#160614 - 2006-04-11 04:20 PM Re: Logon script won't run as admin
Radimus Moderator Offline
Moderator
*****

Registered: 2000-01-06
Posts: 5187
Loc: Tampa, FL
have you read up on RUNAS?

make a bat file and RUNAS it.
_________________________
How to ask questions the smart way <-----------> Before you ask

Top
#160615 - 2006-04-11 04:29 PM Re: Logon script won't run as admin
Les Offline
KiX Master
*****

Registered: 2001-06-11
Posts: 12734
Loc: fortfrances.on.ca
When you RUNAS another user, you set the powercfg for that OTHER user. This has already been said.
_________________________
Give a man a fish and he will be back for more. Slap him with a fish and he will go away forever.

Top
#160616 - 2006-04-11 04:45 PM Re: Logon script won't run as admin
matthewst Offline
Getting the hang of it

Registered: 2005-01-26
Posts: 89
OOHHH!!! I must have missed that one. OK, I'll have to go about this a different way.
Top
#160617 - 2006-04-11 08:35 PM Re: Logon script won't run as admin
DrillSergeant Offline
MM club member
*****

Registered: 2004-07-09
Posts: 1164
Loc: Eijsden, the Netherlands
You need to set rights on one HKEY_LOCAL_MACHINE key.
This should get you on your way:

http://blogs.msdn.com/aaron_margosis/archive/2005/02/09/370263.aspx
_________________________
The Code is out there

Top
#160618 - 2006-04-13 04:04 PM Re: Logon script won't run as admin
matthewst Offline
Getting the hang of it

Registered: 2005-01-26
Posts: 89
Thanks everyone and thanks to drillsergeant for the link.

Here is how I finally made it work.

The login script calls runas.kix
Code:
RUN "runas /user:Admin cmd"
$ReturnCode = SendKeys("password")
$ReturnCode = SendKeys("{ENTER}")

SHELL '%COMSPEC% /C "pwrcfg.bat"'
SLEEP 3
$ReturnCode = Sendkeys("exit")
$ReturnCode = SendKeys("{ENTER}")

RUN "cmd"
$ReturnCode = SendKeys("powercfg /Create ")
$ReturnCode = SendKeys('"')
$ReturnCode = SendKeys("Power_Scheme")
$ReturnCode = SendKeys('"')
$ReturnCode = SendKeys("{ENTER}")

$ReturnCode = SendKeys("powercfg /SetActive ")
$ReturnCode = SendKeys('"')
$ReturnCode = SendKeys("Power_Scheme")
$ReturnCode = SendKeys('"')
$ReturnCode = SendKeys("{ENTER}")

$ReturnCode = SendKeys("powercfg /Change ")
$ReturnCode = SendKeys('"')
$ReturnCode = SendKeys("Power_Scheme /monitor-timeout-ac 15")
$ReturnCode = SendKeys('"')
$ReturnCode = SendKeys("{ENTER}")

$ReturnCode = SendKeys("powercfg /Hibernate off")
$ReturnCode = SendKeys("{ENTER}")

$ReturnCode = SendKeys("exit")
$ReturnCode = SendKeys("{ENTER}")



runas.kix calls pwrcfg.bat
Code:
setacl.exe -on "\\%computername%\HKLM\SOFTWARE\MICROSOFT\Windows\CurrentVersion\Controls Folder\PowerCfg\GlobalPowerPolicy" -ot reg -actn ace -ace "n:%computername%\users;p:full" 
setacl.exe -on "\\%computername%\HKLM\SOFTWARE\MICROSOFT\Windows\CurrentVersion\Controls Folder\PowerCfg\PowerPolicies" -ot reg -actn ace -ace "n:%computername%\users;p:full"
setacl.exe -on "\\%computername%\HKLM\SOFTWARE\MICROSOFT\Windows\CurrentVersion\Controls Folder\PowerCfg" -ot reg -actn ace -ace "n:%computername%\users;p:full"



I just need to have pwrcfg.bat, runas.kix, and SetACL.exe in the same directory. I'm also going to have the script to remove the permissions once the changes have been made.

P.S. Before I deploy runas.kix I plan on kixcrypting it so no one can trace it down and view the password.

Top
Page 1 of 1 1


Moderator:  Jochen, Allen, Radimus, Glenn Barnas, ShaneEP, Ruud van Velsen, Arend_, Mart 
Hop to:
Shout Box

Who's Online
0 registered and 248 anonymous users online.
Newest Members
gespanntleuchten, DaveatAdvanced, Paulo_Alves, UsTaaa, xxJJxx
17864 Registered Users

Generated in 0.071 seconds in which 0.024 seconds were spent on a total of 12 queries. Zlib compression enabled.

Search the board with:
superb Board Search
or try with google:
Google
Web kixtart.org