Everybody:

Every couple of days I'm reading postings about how to use SU.EXE to run something under an administrative account. A lot of people have difficulties getting it to work since it requires a service to be installed on the computer running SU. Additionally, providing the account name and password is not entirely secure.

I have been working on a client-server-based maintenance script for the last couple of weeks that runs under Kixtart 4.0.

I opted not to use the SUSS service and SU due to security concerns. Alternatively, one can set the scheduler service in Windows NT to run under an administrative account instead of the SYSTEM account. This is also not a practical solution if you're maintaining tens or hundreds of computers.
Fortunately, all our computers are running at least Microsoft Internet Explorer 5. IE 5.x+ comes with a component ('offline synchronization') that replaces the scheduler service with the 'Task Scheduler'. The task scheduler runs under the SYSTEM account which cannot be changed. The advantage of the task scheduler over the scheduler service is that the task scheduler allows running scheduled commands under arbitrary user accounts.

What does that mean?
It means that I can schedule a command to run every night under the user account COMPUTERNAME\Administrator. This command runs with all the rights of the assigned user regardless of whether another user is logged in or not. Additionally, the task scheduler prevents users from seeing what other users have scheduled. Thus, I can schedule administrative scripts without ordinary users knowing that there is something running in the background.

How do I do it?
The easiest solution is to use the task scheduler wizard to set up a task for a specific user. This task is saved in a special task scheduler folder under %SYSTEMROOT% and can be copied from one computer to another.
Another solution is to download the Task Scheduler Command line Interface which is part of the Windows 2000 Resource Kit Supplement 3 (ftp://ftp.microsoft.com/reskit/win2000/jt.zip).

This CLI is the holy grail to the task scheduler and explaining every option is beyond the scope of this HOW-TO. Thus I will only highlight features:
- remote scheduling of tasks
- load and save predefined tasks
- execute tasks once, daily, weekly, on-idle, at-startup, at-logon (useful features for laptops)
- delete tasks
- triggers

I really recommend downloading the CLI and reading the documentation, it comes very close to all the powerful *NIX schedulers.

Following is an example of how to use the CLI:
code:
; Build the JT.EXE command line piece by piece (Kixtart string concatenation)
$schedulercmd = 'jt.exe'
; /CTJ creates the trigger: a one-time run starting right now
$schedulercmd = $schedulercmd + ' /CTJ StartDate=TODAY'
$schedulercmd = $schedulercmd + ' StartTime=NOW'
$schedulercmd = $schedulercmd + ' HasEndDate=0'
$schedulercmd = $schedulercmd + ' KillAtDuration=0'
$schedulercmd = $schedulercmd + ' Disabled=0'
$schedulercmd = $schedulercmd + ' Type=ONCE'
; /SC sets the account the task runs under (the password is passed on the command line)
$schedulercmd = $schedulercmd + ' /SC DOMAIN\adminuser adminuserpassword'
; /SJ sets the job properties: what to run, where, and how
$schedulercmd = $schedulercmd + ' /SJ ApplicationName="maintenance_server.bat"'
$schedulercmd = $schedulercmd + ' Parameters=""'
$schedulercmd = $schedulercmd + ' WorkingDirectory="%SYSTEMROOT%"'
$schedulercmd = $schedulercmd + ' Comment="Kixtart Maintenance Server Script"'
$schedulercmd = $schedulercmd + ' Creator="Administrator"'
$schedulercmd = $schedulercmd + ' Priority=Normal'
; MaxRunTime is in milliseconds: 21600000 ms = 6 hours
$schedulercmd = $schedulercmd + ' MaxRunTime=21600000'
$schedulercmd = $schedulercmd + ' DontStartIfOnBatteries=0'
$schedulercmd = $schedulercmd + ' KillIfGoingOnBatteries=0'
; RunOnlyIfLoggedOn=0: the task runs whether or not anybody is logged on
$schedulercmd = $schedulercmd + ' RunOnlyIfLoggedOn=0'
$schedulercmd = $schedulercmd + ' SystemRequired=0'
; DeleteWhenDone=1 removes the job after it has run
$schedulercmd = $schedulercmd + ' DeleteWhenDone=1'
$schedulercmd = $schedulercmd + ' Suspend=0'
$schedulercmd = $schedulercmd + ' StartOnlyIfIdle=0'
$schedulercmd = $schedulercmd + ' KillOnIdleEnd=0'
$schedulercmd = $schedulercmd + ' RestartOnIdleResume=0'
$schedulercmd = $schedulercmd + ' Hidden=0'
$schedulercmd = $schedulercmd + ' TaskFlags=0'
; /SM selects the machine to schedule on; @WKSTA expands to the name of the computer running the script
$schedulercmd = $schedulercmd + ' /SM \\'+@WKSTA
; /SAJ and /SAC save the job and the account information; /RJ runs the job
$schedulercmd = $schedulercmd + ' /SAJ maintenance_server_once.job'
$schedulercmd = $schedulercmd + ' /SAC maintenance_server_once.job'
$schedulercmd = $schedulercmd + ' /RJ'

; Hand the assembled command line to the shell
shell $schedulercmd

The batch file I'm calling creates a drive share to the Z: drive and connects to a hidden fileshare on the PDC containing the Kixtart scripts and utilities. Thus, the real stuff is hidden from the user.

How to implement this?
I created an administrative group called KIXTART on my PDC and created a user KIXTARTUSER which is a domain administrator. Thus, this user has full administrative rights on all client computers and has access to networked resources, something that a local administrator might not have. I'm running a script called MAINTENANCE_SERVER on my PDC which reads an INI file containing a list of Windows NT/2000 computers and the type of scheduler they are using (scheduler, or task scheduler). This INI file is updated through a login script, thus if somebody logs into a computer, the information gets written into the INI file and tasks can be scheduled the next time the MAINTENANCE_SERVER script runs.
The server script checks whether the computer is accessible through an admin share ADMIN$. If this is not the case, the server script sends a magic packet to the specified computer and if the computer has a WOL ethernet adapter, it'll start up. Then the server script waits a couple of minutes until either the computer woke up or no successful wake-up is detected (no access to ADMIN$ after five minutes).
If the computer is accessible, the server script sends a task scheduler command via the JT.EXE CLI to the remote computer. The remote computer then executes the scheduled command at the specified time under the KIXTARTUSER administrator context. The maintenance client script does its thing, mainly adjusting registry keys in the HKEY_LOCAL_MACHINE part, installing software updates, and whatever other tasks require admin privileges. I'm also using the Kixtart SHUTDOWN command to reboot computers and use the auto-login to set up e.g. Internet Explorer 5.5 SP2 with a package prepared with the Internet Explorer Administrator Kit 5.5.
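The server loop described in the three paragraphs above (read the INI, probe ADMIN$, send a Wake-on-LAN magic packet, wait up to five minutes, then hand a JT.EXE command to the reachable host), as an added example that is not part of the original post and not the author's Kixtart scripts. It is written in Python so it can be run and checked offline; the INI layout, the `mac` key, the probe/wake/dispatch callbacks and the `password_source` callable are assumptions of this example, while the jt.exe switches and their order follow the post's own command line.

```python
"""Model of the MAINTENANCE_SERVER pass described in the post (added example)."""
import configparser
import socket
import time
from typing import Callable, Dict, List

# Constructed sample inventory. The post only says the INI maps computers to
# their scheduler type; the per-host [section] layout and the 'mac' key used
# for Wake-on-LAN are assumptions of this example.
SAMPLE_INI = """
[WS001]
scheduler = taskscheduler
mac = 00-11-22-33-44-55

[WS002]
scheduler = scheduler
mac = 66:77:88:99:aa:bb
"""


def parse_inventory(text: str) -> Dict[str, Dict[str, str]]:
    """Return {computer: {'scheduler': ..., 'mac': ...}} from INI text."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def magic_packet(mac: str) -> bytes:
    """Standard WOL frame: six 0xFF bytes followed by the MAC repeated 16 times."""
    raw = bytes.fromhex(mac.replace("-", "").replace(":", ""))
    if len(raw) != 6:
        raise ValueError("MAC must be 6 bytes: %r" % mac)
    return b"\xff" * 6 + raw * 16


def send_magic_packet(mac: str, broadcast: str = "255.255.255.255", port: int = 9) -> int:
    """Broadcast the magic packet over UDP (only used when run against a real LAN)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return s.sendto(magic_packet(mac), (broadcast, port))


def wait_for_admin_share(probe: Callable[[], bool], timeout: int = 300,
                         interval: int = 15, sleep=time.sleep) -> bool:
    """Poll probe() until it succeeds or `timeout` seconds have passed.
    The post gives up after five minutes without ADMIN$ access, hence 300."""
    waited = 0
    while True:
        if probe():
            return True
        if waited >= timeout:
            return False
        sleep(interval)
        waited += interval


def jt_command(computer: str, job: str, app: str, account: str,
               password_source: Callable[[], str], workdir: str = r"%SYSTEMROOT%") -> List[str]:
    """Argument vector for jt.exe mirroring the post's Kixtart example.
    A list avoids shell quoting; the password comes from a callable so it is
    not a literal in this file (jt.exe still receives it as a process argument,
    so the script and the host running it must stay readable by admins only)."""
    return ["jt.exe",
            "/CTJ", "StartDate=TODAY", "StartTime=NOW", "HasEndDate=0", "Type=ONCE",
            "/SC", account, password_source(),
            "/SJ", "ApplicationName=%s" % app, "WorkingDirectory=%s" % workdir,
            "RunOnlyIfLoggedOn=0", "DeleteWhenDone=1",
            "/SM", "\\\\" + computer,
            "/SAJ", job, "/SAC", job, "/RJ"]


def run_server(inventory: Dict[str, Dict[str, str]], dispatch: Callable[[List[str]], object],
               probe: Callable[[str], bool], wake: Callable[[str], object],
               password_source: Callable[[], str], account: str = "DOMAIN\\KIXTARTUSER",
               job: str = "maintenance_client_once.job", app: str = "maintenance_client.bat",
               sleep=time.sleep) -> Dict[str, str]:
    """One pass over the inventory. probe(computer) answers 'is ADMIN$ reachable?',
    wake(mac) sends the magic packet, dispatch(argv) runs jt.exe. Only hosts
    marked as Task Scheduler hosts are handled here (assumption: the post does
    not describe what it does for plain scheduler-service hosts)."""
    results = {}
    for computer, info in inventory.items():
        if info.get("scheduler") != "taskscheduler":
            results[computer] = "skipped: not a Task Scheduler host"
            continue
        if not probe(computer):
            wake(info["mac"])
            if not wait_for_admin_share(lambda: probe(computer), sleep=sleep):
                results[computer] = "unreachable"
                continue
        dispatch(jt_command(computer, job, app, account, password_source))
        results[computer] = "scheduled"
    return results
```

In production the `probe` callback would test the `\\computer\ADMIN$` path and `dispatch` would call `subprocess.run` on the argument list; here both are injected so the loop can be exercised with fakes, and `sleep` is injected so the five-minute wait does not actually block.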

I hope this rather long post gives you some food-for-thought. The setup I'm using in our production environment consists of a simple login script, the maintenance_server and the maintenance_client scripts. The maintenance scripts are only accessible to administrators, thus there is no chance that users will discover admin passwords since the Task Scheduler does not provide a clear-text display of the account passwords.

Jens

P.S.: I'm willing to sanitize my scripts a little bit and make them publicly accessible if there is interest. The complete package will be about 1 MB uncompressed and will contain the scripts, UDFs, required executables and some configuration files.

[ 02. June 2003, 21:51: Message edited by: sealeopard ]
_________________________
There are two types of vessels, submarines and targets.