Creating NT User Accounts w/ Perl 5

aconner asked
on
Medium Priority
247 Views
Last Modified: 2013-12-25
I am attempting to have one of my CGI programs create NT user accounts via Perl 5 (hip port). Logged onto the NT server at the main console, I can execute the script and it will properly generate the user account and give it the proper group assignments via the NET USER and NET GROUP commands; however, this does not function when accessed via CGI.

What process must I go through to allow this CGI Perl program the proper permissions to follow through with the generation of the User account and group assignments?  Is there an easier way which I am overlooking?

Regards,

Art

Commented:
Hi Art,
Don't know much about doing this on the NT side, but I suspect you'll want to try getting 'taintperl' (or equivalent) for NT.  Then, I would bet you'd have to make the script run as user 'Administrator'.  I'm afraid I can't help you there, but I know that on the Unix side, I would use 'taintperl', and make the script setuid.

I suspect that what you're running into is that the web server invoking the CGI script is running as 'guest' or something.  Whatever the case, the only permissions your CGI script will have are whatever the web server runs as, because it is the web server that actually invokes it.
hth

Commented:
Just wondering if there is a good reason for doing this anyway (as creating user accounts via CGI seems a bit risky security wise). What is the intended use? I presume you know that there are already web based system administration tools for NT if that's the reason why you want it?

henry

Commented:
Second Henryj's comment.  You're opening the door to a hacker to give him/herself admin rights on your server if they only have to break one password.  If you don't care whether your server gets reformatted, or any of the data on the server gets stolen and used somewhere else...then that's OK I guess.

The Air Force has REALLY cracked down on security lately.  Take a look at the AFCERT (AF Computer Emergency Response Team) page on system security; it's at:

http://kumi.kelly.af.mil/wks.html


Author

Commented:
Then what would be a better way of adding "automated" user accessibility to certain areas of the system? I will provide the following scenario for further understanding...

A user accesses a webpage, but it is a "subscription" based webpage.  So the user fills out a form with payment information, or completes a questionnaire (or whatever); once this task is successfully accomplished they are provided a userid and password to access the "subscription" based webpage.

Is there something really simple here that I am missing?  Perhaps I am approaching this from the wrong angle.

Art

Commented:
I believe that most systems of this type maintain a database of users and passwords that is completely separate from the one maintained by the system.  The user specifies his/her subscription username and enters the subscription password, rather than the system username/password.  That way, security risks are confined to the scope of your web site.

Perl lets you manage access with a DBM file full of users/passwords.  I haven't done it myself, but I know it can be done.
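The separate subscriber store this answer describes, combined with the taint-mode input checking the first reply mentions, as an added example that is not part of the thread or of any participant's post. It keeps subscription credentials in an SDBM file (core Perl, works on NT as well as Unix) so that no NT account is ever created from a web form, and it whitelists the submitted user id with a regex capture, which is the step taint mode insists on before untrusted data can touch anything outside the script. The file name `subscribers`, the functions `untaint_userid`, `add_subscriber` and `check_subscriber`, and the demonstration inputs at the bottom are all assumptions made for this example.

```perl
#!/usr/bin/perl -T
# Added example (not from the thread): a taint-mode subscription store kept
# separate from the NT account database. File name and function names are
# hypothetical; run it as  perl -T subscribers.pl  so taint checks are on.
use strict;
use warnings;
use Fcntl qw(O_RDWR O_CREAT);
use SDBM_File;
use Digest::SHA qw(sha256_hex);

my $DB_PATH = 'subscribers';   # SDBM creates subscribers.pag / subscribers.dir

# Untaint a submitted user id: only a strictly whitelisted pattern survives.
# The regex capture is what clears the taint flag; anything else yields undef,
# so an unexpected value can never reach a file name, a DBM key or a command.
sub untaint_userid {
    my ($raw) = @_;
    return unless defined $raw;
    my ($clean) = $raw =~ /^([A-Za-z][A-Za-z0-9_]{2,19})$/;
    return $clean;   # undef if the pattern did not match
}

# Per-user salt; rand() is fine for salt uniqueness, not for secrets.
sub random_salt {
    my @chars = ('A'..'Z', 'a'..'z', '0'..'9');
    return join '', map { $chars[int rand @chars] } 1 .. 16;
}

# Salted SHA-256 using only core modules; a purpose-built password hash
# (bcrypt or similar) is preferable where a module for it is available.
sub hash_password {
    my ($salt, $password) = @_;
    return sha256_hex($salt . $password);
}

# Returns 1 if the subscriber was created, 0 if rejected or already present.
sub add_subscriber {
    my ($userid, $password) = @_;
    my $clean = untaint_userid($userid) or return 0;
    tie my %db, 'SDBM_File', $DB_PATH, O_RDWR | O_CREAT, 0600
        or die "cannot open $DB_PATH: $!";
    my $ok = 0;
    unless (exists $db{$clean}) {
        my $salt = random_salt();
        $db{$clean} = "$salt:" . hash_password($salt, $password);
        $ok = 1;
    }
    untie %db;
    return $ok;
}

# Returns 1 only when the user id is well formed and the password matches.
sub check_subscriber {
    my ($userid, $password) = @_;
    my $clean = untaint_userid($userid) or return 0;
    tie my %db, 'SDBM_File', $DB_PATH, O_RDWR | O_CREAT, 0600
        or die "cannot open $DB_PATH: $!";
    my $record = $db{$clean};
    untie %db;
    return 0 unless defined $record;
    my ($salt, $stored) = split /:/, $record, 2;
    return hash_password($salt, $password) eq $stored ? 1 : 0;
}

# Constructed demonstration input, standing in for CGI form fields.
if (!caller) {
    print add_subscriber('art', 'correct horse')   ? "added\n"    : "exists\n";
    print check_subscriber('art', 'correct horse') ? "login ok\n" : "denied\n";
    print check_subscriber('art', 'wrong')         ? "login ok\n" : "denied\n";
    print check_subscriber('bad name!', 'x')       ? "login ok\n" : "rejected\n";
}
```

The CGI script that serves the subscription pages would call `check_subscriber` with the form fields and never needs any NT privilege beyond read/write access to the two SDBM files, which is the point the answer makes: a compromised subscriber password exposes only the web site, not the server's account database.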

Commented:
Also with IIS 3.0 you can use ASP to manage user-databases very easily. But take care to download the patch from Microsoft, or anyone could read your passwords.

Commented:
We have looked at a similar problem. On UNIX servers it is easy: the user file used can be completely different from the one for "real" user accounts.

Under NT, you really should look into using a different web server instead of the MS one. O'Reilly's WebSite or Netscape's server both allow this separate user file.

Commented:
Use PerlWin32...And they've got a module called Win32::NetAdmin in which (direct manual quote):

UserCreate($server, $userName, $password,$passwordAge,$privilege,$homeDir, $comment, $flags, $scriptPath)

$server
The name of the server

$userName
The name of the new user.

$password
The users password

$passwordAge
Time before password expires.

$privilege
The Privileges of the new user(see below for options)

$homeDir
The home directory of the user.

$comment
A relevant comment about the user.

$flags
A flag controlling user creation (see below for options)

$scriptPath
Pathname of the login script.

Creates a user on server with password, passwordAge, privilege, homeDir, comment, flags, and scriptPath.

$Privilege options:
USER_PRIV_MASK
USER_PRIV_GUEST
USER_PRIV_USER
USER_PRIV_ADMIN

$flags options:
UF_TEMP_DUPLICATE_ACCOUNT
UF_NORMAL_ACCOUNT
UF_INTERDOMAIN_TRUST_ACCOUNT
UF_WORKSTATION_TRUST_ACCOUNT
UF_SERVER_TRUST_ACCOUNT
UF_MACHINE_ACCOUNT_MASK
UF_ACCOUNT_TYPE_MASK
UF_DONT_EXPIRE_PASSWD
UF_SETTABLE_BITS
UF_SCRIPT
UF_ACCOUNTDISABLE
UF_HOMEDIR_REQUIRED
UF_LOCKOUT
UF_PASSWD_NOTREQD
UF_PASSWD_CANT_CHANGE

UserDelete($server, $user)

$server
The name of the server.

$user
The name of the user to delete.

Deletes a user from server

And an example:

       use strict;
       use warnings;
       use Win32::NetAdmin;   # exports the USER_PRIV_* and UF_* constants
       # set info for the user.
       my $userName = 'TestUser';
       my $password = '';
       my $passwordAge = 0;
       my $privilege = USER_PRIV_USER;
       my $homeDir = 'c:\\';
       my $comment = 'This is a test user';
       my $flags = UF_SCRIPT;
       my $scriptpath = 'C:\\';
       my $groupName = 'TestGroup';
       my $groupComment = "This is a test group";
       # '' as $server means the local machine; the account running this
       # needs account-operator or administrator rights for it to succeed.
       Win32::NetAdmin::UserCreate('', $userName,
                              $password,
                              $passwordAge,
                              $privilege,
                              $homeDir,
                              $comment,
                              $flags,
                              $scriptpath) || print "not ";
   
       # read the attributes back; UserGetAttributes fills these variables in place
       my ($Getpassword, $GetpasswordAge, $Getprivilege, $GethomeDir,
           $Getcomment, $Getflags, $Getscriptpath);
       Win32::NetAdmin::UserGetAttributes('',$userName,
                              $Getpassword,
                              $GetpasswordAge,
                              $Getprivilege,
                              $GethomeDir,
                              $Getcomment,
                              $Getflags,
                              $Getscriptpath) || warn "UserGetAttributes failed";

       ($password eq $Getpassword) || warn "password differs";
       ($passwordAge == $GetpasswordAge) || warn "passwordAge differs";
       ($homeDir eq $GethomeDir) || warn "homeDir differs";
       ($comment eq $Getcomment) || warn "comment differs";
       ($flags == ($Getflags&USER_PRIV_MASK)) || warn "flags differ";
       ($scriptpath eq $Getscriptpath) || warn "scriptPath differs";
