VBScript Remote Execute Program 1

Status
Not open for further replies.

Cobalt2112

Programmer
Oct 14, 2002
20
US
Hi Everyone, we have a 20-server IIS farm and we currently use PSEXEC to run maintenance on them. My question is, is there any VBScript or VB code that can achieve the same result as PSEXEC?
 
Hmm.. but this sounds like Remote Scripting... NO... I want to launch an EXE on the server. We also have Citrix servers that we maintain via PSEXEC. We pass the admin ID/PW and the EXE name.
 
If you don't need to view the process, you can use vbscript to remotely start a process.

Here is a sample script from Microsoft that does it:

' Target server on which to start the process
strComputer = "webserver"
' Bind to the Win32_Process class on the remote machine as the calling user
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2:Win32_Process")

' Create returns 0 on success and fills intProcessID with the new process ID
Error = objWMIService.Create("notepad.exe", null, null, intProcessID)
If Error = 0 Then
    Wscript.Echo "Notepad was started with a process ID of " _
        & intProcessID & "."
Else
    Wscript.Echo "Notepad could not be started due to error " & _
        Error & "."
End If


Note that in Windows 2000 SP2 and later, the process can't be run interactively.

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark
 
Hi MarcMdac,

I tried the code snippet, but I then get an "Error 70: Permission Denied". That would be correct since I (my ID) do not have permission to access the server, but we do have the Admin ID that we'd like to code in. Is it possible to accomplish this?
 
I use scheduled tasks and put the account name and password in the Run As. This way, I can remotely run the remote tasks (I VPN from home and kick off the scheduled task on a machine that will run my scripts from a machine that is local and has more bandwidth).
 
Typically this is run as the admin, but dhelmet makes a good suggestion that you could run it with a RunAs command. That would probably be the most convenient solution.

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark
 
OK, I guess I have to clear it up. The IIS servers are in a remote data center. We do not want the support group to terminal server into the box in order to kick off the job. And they themselves don't have any access to the boxes (Sarbanes/Oxley).

 
OK, so what you are saying is that you want to let people with no administrative rights on the server, run tasks that require administrative rights, right?

Even with a RunAs your users would still need the password for an admin account.

What kinds of tasks are you looking to have your users do exactly?

The only thing I can think of for you would be to use scripts in ASP. Set the scripts to be fired off from a button on a web page and have the Admin account be used instead of the I_User account within IIS. That way the script can run as admin without the user being able to see the admin ID or password. I do this to write to an ISA destination set and it works great.


I hope you find this post helpful. Please let me know if it was.

Regards,

Mark
 
Hi Mark,

You are correct, we want to have regular Joes run tasks that require admin rights. But your idea does have one flaw: they would have to run the ASP page on each IIS server, and what about the Citrix servers? They don't have IIS running to host ASP pages. They would normally run IISRESET, PSKILL and other administrative tasks. That is why I originally asked if there is anything that is similar to PSEXEC \\servername -u domain\userid -p Password filename.exe


 
Have you considered delegating rights to these users? That way you don't need to make them an Admin but they can still do some admin tasks on these boxes.

I'm not trying to skirt around your question, it is just that you are trying to bypass a lot of inherent security and I don't understand the reasons for this.

Now to your question, the only thing I can think of would be for you to write a few scripts. One that is encrypted and does the following. First prompts the user for a script to run and asks what server to run it against. The encrypted script would then open a remote process on the target server and do a RunAs using the script name you provided. Since the remote process is not interactive, you could have the encrypted script use SendKeys to pass on the admin password.

That's all the ideas I have. Sorry I can't be of more help, but the above should help you get to where you want to be.

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark
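
The delegation idea discussed above, sketched as an added example that is not from any poster in this thread or from Microsoft: a wrapper that starts only allow-listed tasks on allow-listed servers, runs under the caller's own delegated rights so no admin password is stored or passed, and writes each attempt to the local Application event log. The file name runtask.vbs, the server and task lists, and the assumption that the support group has been granted remote WMI launch rights on the targets are all hypothetical.

```vbscript
Option Explicit

Dim servers, tasks, shell, server, task, wmi, rc, pid

' Constructed allow-lists: edit to match the farm. Keys compare case-insensitively.
Set servers = CreateObject("Scripting.Dictionary")
servers.CompareMode = vbTextCompare
servers.Add "webserver", True            ' name reused from the sample script

Set tasks = CreateObject("Scripting.Dictionary")
tasks.CompareMode = vbTextCompare
tasks.Add "iisreset", "iisreset.exe /restart"

Set shell = CreateObject("WScript.Shell")

If WScript.Arguments.Count <> 2 Then
    WScript.Echo "Usage: cscript runtask.vbs <server> <task>"
    WScript.Quit 2
End If
server = WScript.Arguments(0)
task = WScript.Arguments(1)

' The caller picks a task name, never a command line. Anything that is
' not on both lists is refused and logged as a warning (type 2).
If Not servers.Exists(server) Or Not tasks.Exists(task) Then
    shell.LogEvent 2, "runtask: refused " & task & " on " & server
    WScript.Echo "Refused: server or task is not on the allow-list."
    WScript.Quit 1
End If

' Connect as the calling user; access depends on rights delegated to that user.
Set wmi = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
    server & "\root\cimv2:Win32_Process")
rc = wmi.Create(tasks(task), Null, Null, pid)

If rc = 0 Then
    ' Type 4 = information
    shell.LogEvent 4, "runtask: started " & task & " on " & server & " (PID " & pid & ")"
    WScript.Echo task & " started on " & server & " with process ID " & pid & "."
Else
    ' Type 1 = error
    shell.LogEvent 1, "runtask: " & task & " on " & server & " failed, code " & rc
    WScript.Echo task & " could not be started; Win32_Process.Create returned " & rc & "."
    WScript.Quit 1
End If
```

If the caller has not been granted access on the target, the GetObject call stops the script with the same permission error reported earlier in the thread.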
 
Mark, because of recent bills surrounding Sarbanes/Oxley compliance, we cannot allow anyone to terminal server, map drives, etc. onto our environment. I believe that all publicly traded companies have to comply with this bill and they will be audited by the fed this year. Thanks, I will look into the remote execute function of vbscript.
 
Good luck! Sounds like you have some nasty restrictions to deal with.



I hope you find this post helpful. Please let me know if it was.

Regards,

Mark
 