#40181 - 2003-05-14 07:56 PM
Re: YES, I've read the FAQ...
|
Jochen
KiX Supporter
Registered: 2000-03-17
Posts: 6380
Loc: Stuttgart, Germany
|
|
Top
|
|
|
|
#40182 - 2003-05-14 07:59 PM
Re: YES, I've read the FAQ...
|
search66
Fresh Scripter
Registered: 2003-05-07
Posts: 25
Loc: Baltimore, MD USA
|
Uhm... different types of quotes? Cripes.
/me searches keyboard for more than one type of quotes.
_________________________
God bless Opera.
God bless netjak.
|
Top
|
|
|
|
#40184 - 2003-05-14 08:02 PM
Re: YES, I've read the FAQ...
|
Howard Bullock
KiX Supporter
Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
|
What version of SU/SUSS are you using?
From the W2K Reskit help: quote: SU lets you start a process running as an arbitrary user. It is named after the SU (Switch Users) utility of the UNIX family of operating systems.
Providing that the specified domain, user name, and password are correct, the new process runs in the security context of that user.
The new process starts with an environment block representing the per-user environment variables that Windows 2000 maintains. When the new process starts, the registry hive representing the target user, accessed through the HKEY_CURRENT_USER key, is available to the process. Both of these behaviors can be disabled.
The logon type equates to the logon right required by the target user (who was granted the privileges). Furthermore, the logon type dictates how the access token representing the target user is populated. The security identifier (SID) with type SE_GROUP_LOGON_ID in the access token for the new process represents the type of logon: Batch, Interactive, or Service. Logon rights can be granted through the Local Security Policy snap-in, an Administrative Tool included with Windows 2000 (or User Manager, a Resource Kit Tool, for Windows NT version 4.0).
Note
Local Security Policy tells you if local settings are being overridden by settings applied through Group Policy at the site, domain, or organizational unit level. If this is the case, then you will not be able to change them at the local level.
Open Local Security Policy snap-in now.
Privileges and SU Service In this release of SU, the caller no longer needs the following privileges:
SeTcbPrivilege "Act as part of the operating system" SeIncreaseQuotaPrivilege "Increase Quotas" SeAssignPrimaryTokenPrivilege "Replace a process level token" SeRestorePrivilege "Restore files and directories" (required only for preparation of user registry hive) In order to obtain these privileges before running SU, the user must install a new service-based component used by SU. The service component is encapsulated in the executable Suss.exe, and this is installed by entering the following command at the command prompt:
suss.exe -install
Open command prompt now.
You must be an administrator in order to install the service in this manner. The name of the service installed, as listed in the in the Services snap-in, is SU Service.
Once SU Service is installed, users may use SU without having the four privileges mentioned above. If you are upgrading over an previous installation of SU, you should revoke the above mentioned privileges from any users or groups to whom they were previously granted. You can do this with the Local Security Policy snap-in (or User Manager for Windows NT 4.0).
SU Service can be configured to run in the Local System account or any account that has been assigned the privileges that were previously necessary in the stand-alone version. By default, the service allows anybody to use SU, but that can be regulated by changing the ACL on a particular registry key (the ACL itself will map to whom the service allows to use SU).
Note
If you receive the error "LogonUser error! (rc=1722)" when using SU, you may not have properly installed SU Service from Suss.exe or the service may be stopped. Verify that SU Service is included in the list in the Services snap-in. If its status is not shown as Started on the list, start the service by right-clicking it and then clicking Start. If the service does not appear in the list, please follow the above instructions to install the service.
Open MMC Service snap-in now.
RunAs Most of the functionality of SU is included in RunAs, a command-line tool included with the Windows 2000 operating system. For information on this tool, see Windows 2000 Help. However, SU still includes two features not available in RunAs:
SU can target other desktops. SSP logons using the -n switch are not supported by Runas.
Open command prompt now.
SU Limitations Environment variables contained in Autoexec.bat are not populated to the environment of the new process. Environment variables HOMEDRIVE and HOMEPATH are not populated to the environment of the new process. Mandatory profiles are not supported. Furthermore, if a profile does not exist for the target user, a default profile is not prepared and registry operations against HKEY_CURRENT_USER are not be persistent. Network drives are not connected for the target process. Windows 2000 makes drive letter mappings global, which could cause collisions when multiple users are logged on; for this reason, network drives are not reconnected.
|
Top
|
|
|
|
#40186 - 2003-05-14 08:03 PM
Re: YES, I've read the FAQ...
|
search66
Fresh Scripter
Registered: 2003-05-07
Posts: 25
Loc: Baltimore, MD USA
|
Thanks for the welcome... Baltimore is in Maryland, USA...
Anyway. I've never heard of more than one type of " before in my life.
_________________________
God bless Opera.
God bless netjak.
|
Top
|
|
|
|
#40187 - 2003-05-14 08:04 PM
Re: YES, I've read the FAQ...
|
Howard Bullock
KiX Supporter
Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
|
Ignore my ramblings...missed the "curly quotes"
|
Top
|
|
|
|
#40188 - 2003-05-14 08:07 PM
Re: YES, I've read the FAQ...
|
Howard Bullock
KiX Supporter
Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
|
The "curly quotes" come from HTML text (read M$ Frontpage, etc.). These cause all kinds of grief. We tried to stamp them out of existence in the examples last year. [ 14. May 2003, 20:09: Message edited by: Howard Bullock ]
|
Top
|
|
|
|
#40189 - 2003-05-14 08:10 PM
Re: YES, I've read the FAQ...
|
search66
Fresh Scripter
Registered: 2003-05-07
Posts: 25
Loc: Baltimore, MD USA
|
Wow. I had no idea. Ok, even after I replaced da curlies... this is the error msg I get.
Error: you do not have the SeTcbPrivilege (act as part of OS) privilege. Error: Can't get current Console Mode. Error Code: 6
_________________________
God bless Opera.
God bless netjak.
|
Top
|
|
|
|
#40190 - 2003-05-14 08:11 PM
Re: YES, I've read the FAQ...
|
Howard Bullock
KiX Supporter
Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
|
In this case, please do not ingore my previous quote then and check your version and read my post. Apparently some version need the privilege and newer version don't. [ 14. May 2003, 20:12: Message edited by: Howard Bullock ]
|
Top
|
|
|
|
#40191 - 2003-05-14 08:14 PM
Re: YES, I've read the FAQ...
|
search66
Fresh Scripter
Registered: 2003-05-07
Posts: 25
Loc: Baltimore, MD USA
|
Huhm. I think I had the wrong version of su.exe
Lemme play with that and I'll bug everyone later.
_________________________
God bless Opera.
God bless netjak.
|
Top
|
|
|
|
#40192 - 2003-05-14 09:35 PM
Re: YES, I've read the FAQ...
|
search66
Fresh Scripter
Registered: 2003-05-07
Posts: 25
Loc: Baltimore, MD USA
|
Thanks to everyone. Everything runs great now... except for one thing.
To make a long story short, I'm running a McAfee update kix. The full install and virus update works beautifully; but the SP1 doesn't.
I think it has to do with the switch at the end. I tried to remove the switch (/silent) and it runs fine. But (of course) I don't want the user to be prompted and want it to be done silently. Does my syntax look right? Cuz with the 4.5.1 full install switch (/s) works fine.
Thanks for the help, this is driving me batty.
shell '%comspec% /c su "\\BOMREC1\PUBLIC\VIRUSU~1\McAffee\451\sp1\VSC451S1.EXE /silent" < pass.txt'
_________________________
God bless Opera.
God bless netjak.
|
Top
|
|
|
|
Moderator: Jochen, Allen, Radimus, Glenn Barnas, ShaneEP, Ruud van Velsen, Arend_, Mart
|
0 registered
and 507 anonymous users online.
|
|
|