On Fri, 2004-04-02 at 21:40, Andrew Gaffney wrote:
> Urs Rau wrote:
> > On win XP Pro workstations it would be so convenient if the domain logon
> > script which is stored on the samba pdc could be made to run with
> > Administrative (or System) privileges.
> >
> > I know that I can interactively run another security context by choosing
> > "run as user" but how could I achieve this non-interactively and domain
> > wide whilst a "limited account" is logging in?
>
> I asked this same question on this list a while back. There is no way to
> interactively run a script as a higher user, otherwise virus writers could
> take advantage of this (as opposed to them currently taking advantage of
> stupid users and MS's stupid policy of making users Administrators by
> default). The logon.bat runs as the currently logged on user.
>
> --
> Andrew Gaffney
> Network Administrator
> Skyline Aeronautics, LLC.
> 636-357-1548
We use a utility called Sanur (http://www.commandline.co.uk/sanur/) to script the Microsoft RunAs facility. Other than custom writing a service to implement client-side polled scripting or policy implementation (which is another project I'm working on), this is the best I've found.

Microsoft LogonUser() does not allow users to impersonate the context of other users any longer unless they're running as an Administrator or SYSTEM user and as a service, which rules out making a custom executable with a hardcoded password, or something that queries via the network an authorized NTLM hash of the password, etc. At that point, it's easier to just write something that will trap for logins and pull down a set of actions to take (which would be easier to configure for the desktop admins I've got working in my group than DOS batch scripts).

Anyways, there's my rant on the current state of Windows security. There's nothing like sudo which is easily scriptable, I'm afraid, but this Sanur utility is about the next best thing if you're willing to live with an exposed Administrator password for the duration the login script exists (about 10 seconds or so in my installation, as I use root preexec and root postexec in the netlogon share to create and destroy the script).

Clint
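The create-and-destroy arrangement Clint describes, written out as an added example (not code from the thread, and not Sanur's own code): a helper that "root preexec" runs to write a per-user logon script into the netlogon share and "root postexec" runs to delete it. Everything here is assumed rather than taken from the page: the smb.conf fragment in the comment, the script and directory names, an /etc/samba/admin.pw file (root-owned, mode 0600) that holds the Administrator password so it is not hardcoded in the helper, and GNU stat for the permission check. The Sanur invocation itself is left as a comment because its syntax is not given on the page.

```shell
#!/bin/sh
# Added example: per-user netlogon script created on share connect
# ("root preexec") and removed on disconnect ("root postexec"), so the
# embedded Administrator password exists only while the client reads it,
# and only in a file that this one user (and root) can read.
#
# Assumed smb.conf fragment (%U is Samba's macro for the connecting user):
#   [global]
#       logon script = logon-%U.bat
#   [netlogon]
#       path = /var/lib/samba/netlogon
#       read only = yes
#       root preexec  = /usr/local/sbin/logon-script.sh create %U
#       root postexec = /usr/local/sbin/logon-script.sh remove %U
#
# Assumed: the password lives in /etc/samba/admin.pw (root, mode 0600),
# not in this script; GNU stat is available for the mode check.

NETLOGON="${NETLOGON:-/var/lib/samba/netlogon}"
ADMIN_PW_FILE="${ADMIN_PW_FILE:-/etc/samba/admin.pw}"

script_path() { printf '%s/logon-%s.bat\n' "$NETLOGON" "$1"; }

# Reject user names that could point outside the share directory.
valid_user() { case "$1" in ''|*/*|*..*|.*|*' '*) return 1 ;; esac; }

create_logon_script() {
    user="$1"
    valid_user "$user" || return 1
    pw=$(cat "$ADMIN_PW_FILE") || return 1
    script=$(script_path "$user")
    # umask 077 means the file is never group/world readable, not even in
    # the instant between creation and the chmod below.
    (
        umask 077
        {
            printf '@echo off\r\n'
            # Caveat: a password containing batch metacharacters (%, &, ^, |)
            # would need quoting that a plain "set" does not provide.
            printf 'set ADMINPW=%s\r\n' "$pw"
            printf 'rem Privileged work goes here, e.g. a Sanur-driven RunAs\r\n'
            printf 'rem that reads %%ADMINPW%%; Sanur syntax is not shown.\r\n'
            printf 'set ADMINPW=\r\n'
        } > "$script"
    ) || return 1
    # Hand the file to the logging-in user; Samba enforces Unix permissions
    # on the share, so other domain users cannot read it. If the chown
    # fails, fail closed and leave no script behind.
    chown "$user" "$script" || { rm -f "$script"; return 1; }
    chmod 0400 "$script"
}

remove_logon_script() {
    valid_user "$1" || return 1
    rm -f "$(script_path "$1")"
}

# True when the user's script exists and is readable by its owner only.
script_is_private() {
    mode=$(stat -c '%a' "$(script_path "$1")" 2>/dev/null) || return 1
    [ "$mode" = "400" ]
}

case "${1:-}" in
    create) create_logon_script "$2" ;;
    remove) remove_logon_script "$2" ;;
esac
```

Restricting the file to the connecting user closes the window to every other account on the domain, but not to the user who is logging in: for those seconds that user, and any code already running under that account on the workstation, can read the Administrator password, which is exactly the exposure Clint says you have to be willing to live with.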