script to grant security rights
wuzzyz
Guest

Posted: Fri Jan 07, 2005 8:11 am    Post subject: script to grant security rights

I need help creating a login script that grants administrators certain
rights in the local security settings. I am using a program that
automatically turns off certain rights such as debug programs that
loads at startup. So I would like to create a script that will turn on
and allow the user to do items such as debug programs. Any help would
be great. Thank you

SubnetJO
Guest

Posted: Fri Jan 07, 2005 5:57 pm    Post subject: RE: script to grant security rights

If I understood well:
- Your users have not "some privileges"
- Your users have to use some applications that need those privileges to
work properly.

- You want to automatically "turn on" those privileges for your users at
"startup".

I have one question:
"Who will run the script that gives the privileges to your users"?

If you plan to run the script simply at "startup" I think it will not work.
The script will run under the same user credentials, insufficient to do the
task.
The same is if you plan to execute the script as "logon script".

To accomplish this task you should run the script under "different
credentials".
To do that "programmatically" you have to use the "SU" command, that runs
under the "SUSS service", available with the resource kit.
Warning!
The SU service shipped with the resource kit of Windows 2000 server has a bug
certified by Microsoft, but you must have a "support subscription" to have
the fix.

If you plan to join WMI with "different credentials" to accomplish the task,
avoiding using the "suss solution", remember that you cannot connect WMI
service with credentials different from the locally logged user on the
console.

I hope this can help,
SubnetJO
Italy

Torgeir Bakken (MVP)
Guest

Posted: Fri Jan 07, 2005 5:58 pm    Post subject: Re: script to grant security rights

wuzzyz wrote:

Quote:
I need help creating a login script that grants administrators certain
rights in the local security settings. I am using a program that
automatically turns off certain rights such as debug programs that
loads at startup. So I would like to create a script that will turn on
and allow the user to do items such as debug programs. Any help would
be great. Thank you

Hi

With the command line tool ntrights.exe:

ntrights.exe +r SeDebugPrivilege -u user/groupname


Use parameter "-m \\<some computer>" for remote operation.

At least the Ntrights.exe in the Win2k resource kit (not free) will
work on Win2k.

Ntrights.exe in the free Win2k3 resource kit works
on Win2k and WinXP as well:

Windows Server 2003 Resource Kit Tools
http://www.microsoft.com/downloads/details.aspx?FamilyID=9d467a69-57ff-4ae7-96ee-b18c4790cffd&DisplayLang=en

(The kit will install on WinXP or later, but you can copy Ntrights.exe
to a Win2k computer)


--
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scriptcenter/default.mspx

wuzzyz
Guest

Posted: Fri Jan 07, 2005 8:52 pm    Post subject: Re: script to grant security rights

Thank you for the help. I will have to look into it and see if it
works. The program that we use on our machines is called deepfreeze. It
changes 4 security settings on the machine even for the administrator.
One of them is the debugprivileges. So if I create a script or a batch
file to use ntrights I can restore these privileges, correct? Thank you
for your help.

Roger Abell
Guest

Posted: Fri Jan 07, 2005 8:52 pm    Post subject: Re: script to grant security rights

Hi SubnetJO,

What you say of the login script running as the user, and so
possibly not having the ability to make the changes is right.
The startup script however runs as the System and so it will
have the ability.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"SubnetJO" <SubnetJO@discussions.microsoft.com> wrote in message
news:FBC99663-A5CA-496A-B344-65BF6A065035@microsoft.com...
Quote:
If I understood well:
- Your users have not "some privileges"
- Your users have to use some applications that need those privileges to
work properly.

- You want to automatically "turn on" those privileges for your users at
"startup".

I have one question:
"Who will run the script that gives the privileges to your users"?

If you plan to run the script simply at "startup" I think it will not work.
The script will run under the same user credentials, insufficient to do the
task.
The same is if you plan to execute the script as "logon script".

To accomplish this task you should run the script under "different
credentials".
To do that "programmatically" you have to use the "SU" command, that runs
under the "SUSS service", available with the resource kit.
Warning!
The SU service shipped with the resource kit of Windows 2000 server has a bug
certified by Microsoft, but you must have a "support subscription" to have
the fix.

If you plan to join WMI with "different credentials" to accomplish the task,
avoiding using the "suss solution", remember that you cannot connect WMI
service with credentials different from the locally logged user on the
console.

I hope this can help,
SubnetJO
Italy

Torgeir Bakken (MVP)
Guest

Posted: Fri Jan 07, 2005 10:11 pm    Post subject: Re: script to grant security rights

wuzzyz wrote:

Quote:
Thank you for the help. I will have to look into it and see if it
works. The program that we use on our machines is called deepfreeze. It
changes 4 security settings on the machine even for the administrator.
One of them is the debugprivileges. So if I create a script or a batch
file to use ntrights I can restore these privileges, correct?

Hi

That is correct.


--
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scriptcenter/default.mspx
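
The approach from the replies above (ntrights.exe run from a machine startup script, which runs as System), as an added PowerShell example that is not code from any poster in this thread: it reads the current holders of the right with secedit, grants only when the group is missing, and verifies the result. It assumes PowerShell is available and ntrights.exe is on the PATH; the export and log paths are hypothetical.

```powershell
# Added example, not from the thread. Intended to run as a machine startup
# script (System context). Assumes ntrights.exe is on PATH.
$Right     = 'SeDebugPrivilege'
$Group     = 'Administrators'     # name given to ntrights -u (localized on non-English Windows)
$TargetSid = '*S-1-5-32-544'      # how secedit lists BUILTIN\Administrators
$Export    = Join-Path $env:TEMP 'user_rights.inf'              # hypothetical path
$Log       = Join-Path $env:SystemRoot 'Temp\grant-right.log'   # hypothetical path

function Get-RightHolders {
    # Export the user-rights area of local policy and return the holders of one right.
    param([string]$RightName, [string]$InfPath)
    secedit.exe /export /cfg $InfPath /areas USER_RIGHTS /quiet | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit export failed ($LASTEXITCODE)" }
    # Entries look like: SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-...
    $pattern = '^\s*' + [regex]::Escape($RightName) + '\s*=\s*(.*)$'
    $holders = @()
    foreach ($line in Get-Content -Path $InfPath) {
        if ($line -match $pattern) {
            $holders = @($Matches[1] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
            break
        }
    }
    Remove-Item -Path $InfPath -ErrorAction SilentlyContinue
    return $holders
}

function Write-Log([string]$Message) {
    Add-Content -Path $Log -Value ("{0} {1}" -f (Get-Date -Format s), $Message)
}

$before = @(Get-RightHolders -RightName $Right -InfPath $Export)
Write-Log "$Right holders before: $($before -join ', ')"

if ($before -notcontains $TargetSid) {
    # Same command as in the reply above; the result is verified rather than trusted.
    & ntrights.exe +r $Right -u $Group | Out-Null
    $after = @(Get-RightHolders -RightName $Right -InfPath $Export)
    Write-Log "$Right holders after:  $($after -join ', ')"
    if ($after -notcontains $TargetSid) { Write-Log 'grant did not take effect'; exit 1 }
    $before = $after
}

# Record any holder other than Administrators so a widened grant is visible in review.
$extra = @($before | Where-Object { $_ -ne $TargetSid })
if ($extra.Count -gt 0) { Write-Log "additional holders of ${Right}: $($extra -join ', ')" }
```

A changed user right is reflected in an account's access token at its next logon, so running this at startup puts the grant in place before anyone logs on.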