Re: [Samba] how to get logon.bat run with Administrator rights in domain logons?

2004-04-04 Thread Clint Sharp
On Fri, 2004-04-02 at 21:40, Andrew Gaffney wrote:
 Urs Rau wrote:
  On win XP Pro workstations it would be so convenient if the domain logon 
  script which is stored on the samba pdc could be made to run with 
  Administrative (or System) privileges.
  
  I know that I can interactively run another security context by choosing 
  run as user but how could I achieve this non-interactively and domain 
  wide whilst a limited account is logging in?
 
 I asked this same question on this list a while back. There is no way to
 interactively run a script as a higher user, otherwise virus writers could
 take advantage of this (as opposed to them currently taking advantage of
 stupid users and MS's stupid policy of making users Administrators by
 default). The logon.bat runs as the currently logged on user.
 
 -- 
 Andrew Gaffney
 Network Administrator
 Skyline Aeronautics, LLC.
 636-357-1548

We use a utility called Sanur (http://www.commandline.co.uk/sanur/) to
script the Microsoft RunAs facility.  Other than custom writing a
service to implement a client side polled scripting or policy
implementation (which is another project I'm working on), this is the
best I've found.  Microsoft LogonUser() does not allow users to
impersonate the context of other users any longer unless they're running
as an Administrator or SYSTEM user and as a service, which rules out
making a custom executable with a hardcoded password, or something that
queries via the network an authorized NTLM hash of the password, etc. 
At that point, it's easier to just simply write something that will trap
for logins and pull down a set of actions to take (which would be easier
to configure for the desktop admins I've got working in my group than
DOS batch scripts).  Anyways, there's my rant on the current state of
Windows Security.  There's nothing like sudo which is easily scriptable
I'm afraid, but this Sanur utility is about the next best thing if
you're willing to live with an exposed Administrator password for the
duration the login script exists (about 10 seconds or so in my
installation, as I use root preexec and root postexec in the netlogon
share to create and destroy the script).

Clint

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba
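
The create-and-destroy arrangement described in the message above (root preexec and root postexec on the netlogon share), as an added example that is not part of the original post or Clint's own script. The helper name, the paths and the template file are assumptions; the template holds whatever batch commands the admin wants run, and the helper validates the user name and keeps the generated file readable by its owner only for as long as it exists.

```shell
#!/bin/sh
# Added example, not from the thread. Paths and the helper name are hypothetical.
# smb.conf wiring (real Samba parameters, assumed values):
#   [global]
#     logon script = %U.bat
#   [netlogon]
#     path = /srv/samba/netlogon
#     root preexec  = /usr/local/sbin/logon-gen.sh create  /srv/samba/netlogon %U /etc/samba/logon.tmpl
#     root postexec = /usr/local/sbin/logon-gen.sh destroy /srv/samba/netlogon %U

# The user name comes from the client session and is used in a path while
# running as root, so accept only plain account names (no slash, no leading dot).
valid_user() {
    case "$1" in
        ''|.*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
}

# create_logon_script DIR USER TEMPLATE
create_logon_script() {
    dir=$1 user=$2 tmpl=$3
    valid_user "$user" || return 2
    [ -r "$tmpl" ] || return 3
    old_umask=$(umask)
    umask 077                       # never world-readable, even briefly
    tmp="$dir/.$user.bat.$$"
    # Batch files want CRLF line endings; normalise whatever the template has.
    awk '{ sub(/\r$/, ""); printf "%s\r\n", $0 }' "$tmpl" > "$tmp"
    rc=$?
    umask "$old_umask"
    [ "$rc" -eq 0 ] || { rm -f -- "$tmp"; return 4; }
    # Under smbd (root), hand the file to the one account that must read it.
    if [ "$(id -u)" -eq 0 ] && id "$user" >/dev/null 2>&1; then
        chown "$user" "$tmp"
    fi
    chmod 0400 "$tmp"
    mv -f -- "$tmp" "$dir/$user.bat"   # rename so a partial file is never served
}

destroy_logon_script() {
    dir=$1 user=$2
    valid_user "$user" || return 2
    rm -f -- "$dir/$user.bat"
}

case "${1:-}" in
    create)  create_logon_script "$2" "$3" "$4" ;;
    destroy) destroy_logon_script "$2" "$3" ;;
esac
```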


[Samba] how to get logon.bat run with Administrator rights in domain logons?

2004-04-02 Thread Urs Rau
On win XP Pro workstations it would be so convenient if the domain logon script which is stored on 
the samba pdc could be made to run with Administrative (or System) privileges.

I know that I can interactively run another security context by choosing run as user but how could 
I achieve this non-interactively and domain wide whilst a limited account is logging in?

Thanks for any pointers.

Urs Rau



Re: [Samba] how to get logon.bat run with Administrator rights in domain logons?

2004-04-02 Thread Andrew Gaffney
Urs Rau wrote:
 On win XP Pro workstations it would be so convenient if the domain logon
 script which is stored on the samba pdc could be made to run with
 Administrative (or System) privileges.
 
 I know that I can interactively run another security context by choosing
 run as user but how could I achieve this non-interactively and domain
 wide whilst a limited account is logging in?

I asked this same question on this list a while back. There is no way to
interactively run a script as a higher user, otherwise virus writers could
take advantage of this (as opposed to them currently taking advantage of
stupid users and MS's stupid policy of making users Administrators by
default). The logon.bat runs as the currently logged on user.

--
Andrew Gaffney
Network Administrator
Skyline Aeronautics, LLC.
636-357-1548