How can I do Admin. tasks when non-admin logged in?

[MaestroG]

I find myself often needing to make a change to a shortcut in the All Users group or modify a registry key. The changes are superficial, quick and easy to do, but I end up having to log-off and back on as me or Administrator which means waiting on the user to get where they can halt their work, then close all their applications and go through the waiting process of logging off and back on. Then when I'm done, to make sure I did everything right, I have to get the user to log back in or find where they wandered off to (since I don't know their password) and check to see that my changes worked.

Boy it would be easier if I could find a way to sit down at an NT Workstation that an end-user is already logged into and do administrative tasks (using my admin username(s) and password(s) without having to fully log-off and back on as Administrator and then log-off again and back on as the user to check the changes.

Anyone know how to do this or a better way of accomplishing these superficial duties?

I can, of course, connect to their admin shares (c$, d$, etc) from my admin workstation, but 9 times out of 10 I will need to see what is happening and sometimes modify registry settings. I have remote control capabilities, but I still have to log-off and back on to get admin capabilities. I've also tried VDESK from the NTRESKIT, but I haven't been able to get the "logon" to one of the other shells to work correctly (where the logon as Administrator actually has admin rights...sometimes it doesn't even let me login). If any of you have extensive experience with VDESK, that would prove most helpful, otherwise:

(1) How can I modify the registry remotely OR
(2) How can I get administrator rights for tasks I need to perform using the appropriate passwords when a non-admin is currently logged in???

Thanks for your help in advance!

:-I G

 

[TheVMan]

As a former Sys Admin in a non-Sys Admin role, I've come to rely on SMS Installer when I deploy applications to end users. It is an app where you can wrap files, registry entries, .ini updates, etc, into an executable file. I then put these "packages" out on a network share that I can get access to and run them. The beauty is, with SMS Installer Packages, the installer goes "under the radar" and installs without Admin privledges. I'm not certain, but I believe the SMS Installer comes with the SMS application on the BackOffice suite. Can anybody back me up on that one.

Good Luck
V

 

[MaestroG]

Sounds like a good utility to have in my arsenal!
However, often I just need to do really quick things like change a desktop icon's shortcut, but the darned icon is in the All Users profile and I have to log off and back on as Administrator. If I try to change it from my desk remotely through the Admin share (C$ on that PC), the shortcut tries to use the UNC path first instead of the relative path which needs access to an administrative share that they don't have. Then I have to go there (or remote control) and log them off and login as Administrator to change the darned Shortcut path to the relative path instead of the UNC one. Then it works. I know about the registry fix for this (

http://registry.winguides.com/display.php/230/),

but to make that change, I'd still have to logon as Administrator to get change permission to the registry.

AAAAaaaahhhhhh!!!! Do you see why I am looking for a way to change or add something that will help me gain (with appropriate passwords) administrative rights temporarily in the non-admin's session?

G :~/

 

[MaestroG]

DUDE!!! An experienced NT Admin in another forum said, "what about the su.exe utility in the NTRESKIT?"

Doh! Should've known the solution would be right under my nose.

Once you get the hang of it, it works nicely.

MaestroG :-0

 

[snicks2]

I have been trying to use the SU command in my login script and have been unsuccesful. Can anyone help me? I want to add a "legalnoticetext" to each computers regisrty. I have a notice.reg file that has all the appropriate keys replaced but all of the machines require admin rights to change the registry. I tried regini but I would have to change the workstation 300 times from here to do it. I'd like for the su command to run my .reg file as the domain admin to replace the registry key and I'd like for it to be run as part of everyones login script. Possible? This is what I tried but it didn't work...su domainadmin notice.reg
It asks me for a password and I know that I could put it in a non-accesible script but when I type it in manually it says it is the wrong one. Not sure what it is looking for.

Any other suggestions on how to do this would be appreciated.

 

[MaestroG]

Snicks2,

I ended up using PSEXEC from

http://www.sysinternals.com.

It worked better than SU. I created a temporary account with administrative priveledges so I could delete it when I was done (and not worry if anyone got ahold of the password), then fully automated the process by putting in the username and password.

It looked something like this (each one is one long line):


xcopy &quot;\\<servername>\<sharename>\script.bat&quot; \\<destination machine>\C$\ /c /q

psexec \\<destination machine> -u <DOMAIN>\<username> -p <password> &quot;C:\script.bat&quot;


Hope this helps.

G

 

[snicks2]

How do you change the destination computer name? Manually? I was trying to avoid that.

 

[MaestroG]

Well, when I needed to do the same, I was needing to do this from an NT4 Workstation. I searched around and found a batch command string that would cause a script to prompt you for input and you could use that input as a variable. Thing is, I haven't tested this on Win2K and if I remember right, there was an easier and correct way to prompt for input and use it as a variable for Win2K. Can't remember it though. Just be aware that the variable part of this script works from NT4 certifiably. This will look all messed up because of word-wrap. Highlight it all from the first &quot;rem&quot; to the &quot;pause&quot; and then paste it into notepad. It should copy correctly without the word-wrap (if not the batch file will not work properly). If it doesn't copy correctly, send a not here of your e-mail address and I'll forward it to you.

rem
rem &quot;Copy and Execute Remotely as Administrator&quot; Script (execute from NT4)
rem
rem This script copies files to the computername you specify and then runs the
rem executable file you specify in the psexec commands with the user's credentials.
rem -NOTE: Psexec is necessary to run executables remotely with administrative rights.
rem
cls
@echo off
echo.
echo Enter ComputerName:
for /f &quot;tokens=*&quot; %%a in ('format/f:160 a: ^|find &quot;...&quot;') do set Input=%%a
set Input=%Input:~30%
echo.
echo.
echo Computer &quot;%Input%&quot; will be updated now.
echo.
echo Please be patient while large files are copied...
echo.
echo.
echo.
xcopy &quot;\\<servername>\updates$\script.bat&quot; \\%Input%\c$\ /c /q
xcopy &quot;\\<servername>\updates$\sp6i386.exe&quot; \\%Input%\c$\ /d /c /q /h /r
psexec \\%Input% -u <DOMAIN>\<username> -p <password> &quot;C:\script.bat&quot;
psexec \\%Input% -u <DOMAIN>\<username> -p <password> &quot;C:\sp6i386.exe&quot;
erase /q \\%Input%\c$\copy.bat
erase /q \\%Input%\c$\copy.bat
echo.
echo.
echo.
echo Goodbye...Process finished!
echo.
pause

 

[MaestroG]

Doh! The two &quot;erase&quot; commands should reflect the appropriate names of the file(s) you copied which in my example should be:

erase /q \\%Input%\c$\script.bat
erase /q \\%Input%\c$\spi386.exe

 

[snicks2]

Thanks - I would prefer no intervention (and my users don't know their workstation names!). Maybe I could pull the variable from a database of workstation names.. Aargh this is getting complicated.

 

[MaestroG]

You could setup this script as a logon script but without the prompting part and instead of %input%, just use %computername%. Since the script would run locally on the workstations (since it is a logon script) you could use that built in variable to get the computer name.

Have the logon script copy the psexec.exe program to the c:\winnt directory with copy or xcopy and then run psexec like this:

psexec \\%computername% -u <DOMAIN>\<username> -p <password> &quot;\\<servername>\<share>\file.bat&quot;

This way, you are using the local machine running the logon script to your advantage to get the local machine name with %computername% and you are using psexec to your advantage to specify a temporary account and password you've given administrator rights to for accomplishing this particular task.

Would that work?

 

[snicks2]

I think it will work! After getting so wrapped up in this I forgot about the login script variables. I'll let you know how it works. Thanks for your help!!

 

[snicks2]

Boo! I am getting access denied. I think it is because since it is running in their login script the &quot;caller&quot; is the user and not admin. The computername is working fine. My command looks just like yours above but instead of a script (.bat) file, I am running a .reg file that changes those keys.

 

[MaestroG]

I guess you'd need to logon as a regular user and see if psexec is working properly.

Why can't the user themself click on and run the .reg file to add something to the registry? One thing we did her recently was put a .reg file out on our Intranet and asked all users to go there and double click on it to run it. It added an entry into the registry and the regular user ran it. Our users are running all flavors of Windows. I think it worked for everyone. I wonder if there is a specific security permission on the registry key you are trying to modify that only allows the Administrator to do the update.

Other than finding a way to get NT or Win2K to let a regular user perform this function that requires admin rights (with an appropriate password), I don't know...

Can you perform the action yourself remotely even with psexec? If so, maybe you could use some tool to get all your computernames on your network and then you could cut and paste those names into the script and kick it off yourself. That way you take the user's out of it.

I'm running out of ideas. I'm sure it can be done, but you've got some hurdles to jump. You need to figure out exactly why the access denied is happening and find a scenario where you CAN accomplish the task or even some subtasks. Then find a way to put it all together maybe with compromise or maybe with a little innovation.

I'm almost certain VBScript (or even PERL) could handle this perfectly, but I've not had the chance to develope any VBScript skills.

Good luck!

 

[Mturner]

where would i get a copy of &quot;SMS Installer&quot; from and for how much!.

is there a trial version or freeware even! which i could try?

thanks

MT

 

[MaestroG]

It's been a while since I worked with SMS, but I am pretty sure the SMS Installer is a part of SMS (Microsoft's System Management Server

http://www.microsoft.com/sms).

Microsoft's SMS is quite expensive and a very complex product.

You might be better off finding another solution for whatever your needs are.

Anyway, that's my 2-cents.

G