I need to create a scheduled logon script that will be running on each logon (Until I choose to stop it) just like in GPO but with SCCM
is that possible? the script must run as admin
Well the options are there. You can configure a Program to run
"Only when a user is logged on"
"Run with administrative rights" in the "Environment" properties of the program and to "Run once for every user who logs on" in the "Advanced" settings. Then in the deployment "Scheduling" settings create an assignment and choose "Assign immediately after this event" "Log on" with Rerun behavior set to "Always rerun program"
In theory this should do the trick. That being said I never tried it nor would i necessarily trust the SCCM to be super reliable with such settings.
May I ask why GPOs are not an option? There are also less awkward workarounds such as just using SCCM to write the reg keys a GPO would set fo a start script, creating a scheduled task with the System account, triggered at log on, or maybe if it fits the description in some way using sccm configuration baselines instead of a program.
Related
I want to install a TeamCity BuildAgend as a user. When entering my user credentials here:
I always get this error:
NOTE: My account (user) is Administrator with full permission!
How can I do this?
The error message says it does not have "enough rights to run as a service",
this is slightly different from just being an administrator.
Go to Control Panel> Administrative Tools> Local Security Policy.
Select Local Policies> User Rights Assignment.
Scroll down through the list of policies and look for Log on as a service.
Add the account you're using to the list of accounts with this right.
That should in theory be all you need to allow the service to run under that user.
The best powershell command that I have found for this is:
Grant-Privilege -Identity $SERVICE_USERNAME -Privilege SeServiceLogonRight
Requires use of the Carbon framework.
I'm a Windows 10 Home user and the steps above did not work for me, but the following did:
Enable gpedit.msc by running the batch file as explained here under Method 1: https://www.askvg.com/how-to-enable-group-policy-editor-gpedit-msc-in-windows-7-home-premium-home-basic-and-starter-editions/
Run gpedit.msc
Go to Local Computer Policy / Computer Configuration / Windows Settings / Security Settings / Local Policies / User Rights Assignment
Double-click Log on as a service
On the window that appears, click Add User or Group...
Enter your username and click the Check Names button
Your name will be modified, adding the machine name as the prefix. Click OK
Click OK on the Log on as a service Properties window to apply the change.
It is a little bit of a pain, but after doing that, I was able to continue installing TeamCity
We have a subversion system up and runnuing at a central server. At the moment I can access that svn repository over a network share. As this is not good practice I will close that network share and will access my svn only over the "svn" command (I use TortoiseSVN Client for that).
As new Projects will be started in the future, me and my fellow colleagues must be able to create new repositorys on that server. For the creation you would need write-rights on that server directory, but I don't want that. Also I don't want to run to our Admin every time (all this is ok with our admin and I have his support).
First, my idea: Trigger a process on the server which will create the Repository. But here I am stuck with how to trigger a process if I am not the server admin (tried a WMI VB Script) So here would be the question, how to elevate the rights of the caller during the script execution? I do not want to store the admin password in plain text in a script or batch file.
Second, can this be done in some other forms? how do you guys create your repositorys?
Afaik there is no way of auto-elevation in CMD. The only way to do that I can think of is to use the windows schduler. You could write a bat file that executes all the commands you need. Then create a task with the scheduler and tell it to run the bat file. During the creation leave the "Triggers" section empty, check the "run with highest privileges" box, enter a user account that has the rights you need and enter the password. Then go to "Settings" and check the "Allow task to be run on demand" box.
Now the second part (OPTIONAL). Adept the user policy on the server so that the users you want to be able to execute the process are allowed to trigger scheduled tasks on the server. You could also enter the users PCs as "trusted" on your server. There are several ways to achieve that. However, afterwards the users must be able to execute scheduled tasks on the server.
Now you are done! If you've done the optional section your users can trigger the task with SCHTASKS /RUN /S <RemoteServerName> /TN "<task name>". No stored credentials needed and the script runs with elevetad rights.
If you didn't use SCHTASKS /RUN /S <RemoteServerName> /U username /P password /TN "<task name>".
Is it possible to give a (non admin) user permissions to recycle a specific application pool? This is specifically for IIS 6.
I found a kind of round about way to get this done, as I couldn't find a simple way either. There may be some security concerns I've missed, so I would approach this with caution. My scenario involved a trusted, non-malicious user who requested less access.
I created a batch file with the command to reset the app pool in IIS. From there I created a single run scheduled task to run that batch file with an administrator user set up on the scheduled task. I then gave the required user read,write,and execute security permissions on that scheduled task.
I then gave the user read permission on c:\windows\tasks through the cacls command line utility. This then let that user access the scheduled tasks in control panel. From there, he could manually execute the scheduled task to reset the app pool. It works since the scheduled task is running under admin privileges.
You'll want to make sure that the user doesn't have access to modify the batch file, otherwise, you've basically given them an admin command prompt. If the scheduled task is modified, the password has to be reentered (at least on my server 2003 machine) so they can't just point the task to any executable.
My coworker is trying to register some COM components (which I wrote) via RegAsm.exe and it says he needs Administrator privileges. His account has admin privileges but he is not logged in as Administrator. Is there a way to use his regular user account and succeed at this task?
I work in an environment/jurisdiction where giving local admin access to all users is simply not possible (legal/compliance/regulations will not allow).
It appears there is no equivalent of this function in .NET world: AtlSetPerUserRegistration
Try this: Using regasm, generate the registry entries with /regfile argument. By default, registry entries should use HKEY_CLASSES_ROOT (HKCR) as a root. Modify the entries (manually, or by script) to use HKEY_CURRENT_USER (HKCU).
Finally, distribute your .NET DLL with the registry script. You can still run regedit without admin rights to register your .NET DLL. Manually from the command line, using a batch file, or a (tiny) separate installation program can handle the registration.
Admin privileges are required to allow Regasm.exe to update the registry. If this is a UAC restriction then create a shortcut on the desktop for cmd.exe and check the "Run this program as an administrator" checkbox. Or change this setting on the Visual Studio Command Prompt shortcut, that's easier.
I think this question belongs elsewhere, but Windows uses least privilege so if he is a user that is both a normal user and an Administrator than he gets normal user privileges. Use runas to make this work or right click the item and "run as administrator"
Why don't you use registration free com? Its only been supported since 2003 and obviates the need for UAC / administrative access to install COM components.
With RegFree COM you can just bundle the COM dlls with the application that uses them as a private assembly - but that doesn't mean they can't be properly installed - either in the registry or in WinSxS by the final deployment install.exe/msi
Subtext wrt the actual query: no - COM registration is in the HKEY_LOCAL_MACHINE key that always requires administrative access.
I lied: Actually you can. If you create a application with no manifest at all, Windows deduces that its an XP era application that expects administrative access to run and will activate a compatibility mode that, amongst other features, redirects write access to HKLM to a writable location under HKCU. So the COM component registration "succeeds" - but is registered for the current user only.
Im not sure why the ability to register for just the current account isn't supported generally outside the compatibility framework.
Check this out: https://gist.github.com/florentbr/6be960752fc852ee99eece6b4acb8ba7
I was trying to do the same thing and was about to give up when I came upon it.
It's a cmd script that will register the SeleniumBasic.dll in the registry without having admin privileges. With a bit of work you should be able to repurpose the code to register your COM components.
Many, many thanks to Florent Breheret for SeleniumBasic and this cmd script to register it!
I am logged into an account that has Administrator privileges. But RegAsm.exe still says it needs Administrator privileges.
[From some notes I have for Windows 2008 R2. Confirm on other Windows operating systems that support UAC. The following assumes that you are permitted to make changes to the Local Security Policy. ]
In its default configuration, User Account Control (UAC) settings give the local Administrator full privileges, but restrict the privileges of other members of the Administrators group. To lift the UAC restrictions on other members of the Administrators group, do the following:
Select Start -> All Programs -> Administrative Tools -> Local Security Policy.
Select Local Policies -> Security Options.
In the right panel, double-click the third entry from the bottom which reads User Account Control: Run all administrators in Admin Approval Mode.
Click Disabled.
Click OK to close the dialog and close the Local Security Policy configuration tool.
Reboot the computer to complete this change to the UAC settings.
Using Windows 2003, I'm look for a way to create a "logoff script" that will continue with the current logoff then immediately login another user. So, "UserA" logs off. Script fires to login "UserB".
This is part of an application upgrade for a computer where we have written the 'shell'; similar to a kiosk application. For the upgrade we need to logon as 'Adminstrator' then, when the upgrade has completed, logoff 'Administrator' and logon as 'sample_user'. We would like to accomplish this WITHOUT rebooting.
Note, I do not want a script that will initiate the logoff (i.e. "shutdown"). I'm looking for a script that will run upon the user logging off (set via Group Policies). As above, the script should log a different user on.
Thanks.
Don't think it's possible in the stated way (script at logoff).
You'd have to set the machine to logon automatically as a specified account and then log off (having it log on automatically for you) and then you'd have to disable that feature again afterwards, by placing a temporary logon script... generally sounds messy.
The actual setting can be made using tools like Microsofts Shared Computer Toolkit or similar (not so sure how the "normal" registry auto-login behaves at manual logout but I've had an XP kiosk that would automatically log on instantly, even if you logged out manually - you had to override it using some key like shift+logoff to be able to manually specify the login again, so somehow it can be made).
The "easiest" way might be to replace msgina.dll with someone of your own making...
But why are you doing this? Just use runas and start whatever you need to do as that other user without logging off the console user - it's a multi-user system afterall? The desktop is just fluff ^^
(This will anyhow require that the user credentials are available to your script, which kind of makes it redundant as you compromise the security of that account - defying the purpose of having that second account in the first place, for whatever purpose it exists?)
I would try setting the registry to autologon with the user you want, and then simply logging off the admin user. That should log your kiosk-user right back on.
Not sure how to login another user once the current user logs off (not sure if windows would let you...)
But you can use shutdown to logoff:
shutdown /?
Here's some ideas that probaly fall into the "cheap hack" category:
How about logging in at UserB in the first place, and then using runas /user:userA <cmd> to run the first part of the install process?
If that's unacceptable, I know there's a way to make Windows workstations (those that aren't part of a Domain) automatically log in into a certain user account after a restart. Perhaps if you looked into which Registry changes happen, and duplicated them, a reboot would automatically log in that user. (Of course, as a final stage, after userB logs in, you would have to revert those changes :-)
It also occurs to me to wonder if perhaps there's a way for a service to force an open "login screen" to log in as a certain user. Maybe using some method like the way the Remote Desktop does it remotely... If that's possible, then you could create a service that you install before logoff of userA, that would trigger the login of userB.
You can script it with VNC (there are many free versions, take your pick). Set up a VNC server process on the machine to listen on localhost. When the user logs off, your logoff script will connect to the machine using VNC and send the keystrokes necessary to log on the next user. VNC uses the RFB (remote framebuffer) protocol; there are libraries for most popular languages, so you should be able to get something working quickly. Or there are related tools that might help.
If you were to run something like this as a normal script in a given language, it would most likely not work as when you log out of your account, all processes should be killed along with your running script.
You might be able to create some sort of 'service' that would run on a service account (i.e. always active) that would automatically do this user switching for you.
My bets are on Windows Powershell, although I'm not entirely sure what functionality it has as far as actually creating a service.
A quick search brings up the following (The second link is to a forum but it mentions running Powershell as a service and sending that service a parameter which would be the path to your user switching script)
How to Create a Windows Service using Powershel
Powershell Script as a Windows Service
I don't have a Windows 2003 server or a system with a "Group Policies" setup to test my hunch but you could take a look at SU ("switch user") for Windows. Originally part of the Resource Toolkit this has been extended to a new SUperior SU. Do post the results/script if this works.
You could approach this from the perspective of building a remote control utility (like VNC, etc). The big thing here is that if you want access to the Logon screen (i.e. the CTRL + ALT + DEL / username/password) part, the only kicker is that a Windows Service is the only component that can access this, so you'd have to create one.
The only problem I see with this technique as a whole is that even if you spent a great deal of effort getting it to work (and it would be a pretty big effort), the chances of this working successfully with the whole thing originating from a logoff script (i.e. when stuff is shutting down) are low even due to the number of things that can go wrong when logging back on as Administrator.
Just remember that for anything you need to run as an Administrator, there are easier ways in Windows to make that happen (such as Run As, changing the user permissions on the items that need to update, etc).