Solved

Creating NT User Accounts w/ Perl 5

Posted on 1997-02-18
Last Modified: 2013-12-25
I am attempting to have one of my CGI programs create NT user accounts via Perl 5 (hip port) --  Logged onto the NT server at the main console I can execute the script and it will properly generate the User Account and give it the Proper group assignments via the NET USER and NET GROUP commands... however this does not function when accessed via CGI.

What process must I go through to allow this CGI Perl program the proper permissions to follow through with the generation of the User account and group assignments?  Is there an easier way which I am overlooking?

Regards,

Art
Question by:aconner
8 Comments
 
LVL 1

Expert Comment

by:tark
ID: 1827798
Hi Art,
  Don't know much about doing this on the NT side, but I suspect you'll want to try getting 'taintperl' (or equivalent) for NT.  Then, I would bet you'd have to make the script run as user 'Administrator'.  I'm afraid I can't help you there, but I know that on the Unix side, I would use 'taintperl', and make the script setuid.
  I suspect that what you're running into is that the web server invoking the CGI script is running as 'guest' or something.  Whatever the case, the only permissions your CGI script will have are whatever the web server runs as, because it is the web server that actually invokes it.
hth
0
 

Expert Comment

by:henryj
ID: 1827799
Just wondering if there is a good reason for doing this anyway (as creating user accounts via CGI seems a bit risky security wise). What is the intended use? I presume you know that there are already web based system administration tools for NT if that's the reason why you want it?

henry

0
 

Expert Comment

by:nunamakt
ID: 1827800
Second Henryj's comment.  You're opening the door to a hacker to give him/herself admin rights on your server if they can only break one password.  If you don't care if your server gets reformatted, or any of the data on the server gets stolen and used somewhere else...then that's OK I guess.

The Air Force has REALLY cracked down on security lately.  Take a look at the AFCERT (AF Computer Emergency Response Team) page on system security...it's at:

http://kumi.kelly.af.mil/wks.html


0
 

Author Comment

by:aconner
ID: 1827801
Then what would be a better way of adding "automated" user accessibility to certain areas of the system? I will provide the following scenario for further understanding...

A user accesses a webpage but it is a "subscription" based webpage.  So then the user fills out a form with payment information or by completing a questionnaire (or whatever); once this task is successfully accomplished they are provided a userid and password to access the "subscription" based webpage.

Is there something really simple here that I am missing?  Perhaps I am approaching this from the wrong angle.

Art
0
 

Expert Comment

by:tmetzger
ID: 1827802
I believe that most systems of this type maintain a database of users
and passwords that is completely separate from the one maintained by the
system.  The user specifies his/her subscription username and enters the
subscription password, rather than the system username/password.  That way, security risks are confined to the scope of your web site.

Perl lets you manage access with a DBM file full of users/passwords.  I haven't done it myself, but I know it can be done.
0
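The separate subscriber database described in the comment above, sketched as an added example that is not part of the original thread: subscription logins live in a DBM file with salted PBKDF2-HMAC-SHA256 hashes, so the web process never touches NT accounts. The file name `subscribers`, the function names, the iteration count and the use of `/dev/urandom` are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Fcntl;                          # O_RDWR, O_CREAT
use SDBM_File;                      # DBM implementation bundled with Perl
use Digest::SHA qw(hmac_sha256);

my $ITER = 100_000;                 # constructed work factor for PBKDF2

# PBKDF2-HMAC-SHA256, single 32-byte output block.
sub pbkdf2 {
    my ($pw, $salt, $iter) = @_;
    my $u = hmac_sha256($salt . pack('N', 1), $pw);
    my $t = $u;
    for (2 .. $iter) { $u = hmac_sha256($u, $pw); $t ^= $u }
    return $t;
}

sub new_salt {                      # assumption: host provides /dev/urandom
    open my $fh, '<:raw', '/dev/urandom' or die "no random source: $!";
    read($fh, my $salt, 16) == 16 or die "short read";
    return $salt;
}

sub add_subscriber {
    my ($db, $user, $pw) = @_;
    return 0 unless $user =~ /\A[A-Za-z0-9_]{3,32}\z/;   # allowlist form input
    return 0 if exists $db->{$user};                      # never overwrite
    my $salt = new_salt();
    $db->{$user} = join ':', $ITER, unpack('H*', $salt),
                   unpack('H*', pbkdf2($pw, $salt, $ITER));
    return 1;
}

sub check_subscriber {
    my ($db, $user, $pw) = @_;
    my $rec = $db->{$user};
    return 0 unless defined $rec;
    my ($iter, $salt_hex, $hash_hex) = split /:/, $rec;
    my $want = pack 'H*', $hash_hex;
    my $got  = pbkdf2($pw, pack('H*', $salt_hex), $iter);
    return 0 unless length($got) == length($want);
    return (($got ^ $want) =~ tr/\0//c) ? 0 : 1;   # compare without early exit
}

tie my %db, 'SDBM_File', 'subscribers', O_RDWR | O_CREAT, 0600
    or die "cannot open subscriber DBM: $!";
print add_subscriber(\%db, 'art_test', 'correct horse') ? "created\n" : "rejected\n";
print check_subscriber(\%db, 'art_test', 'correct horse') ? "login ok\n" : "login denied\n";
print check_subscriber(\%db, 'art_test', 'wrong guess')   ? "login ok\n" : "login denied\n";
untie %db;
```

A compromise of this file exposes only subscription logins, which is the confinement the comment describes; the DBM files should still sit outside the web root.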
 
LVL 4

Expert Comment

by:furu
ID: 1827803
Also with IIS 3.0 you can use ASP to manage user-databases very easily. But take care to download the patch from Microsoft, or anyone could read your passwords.
0
 

Expert Comment

by:matisse
ID: 1827804
We have looked at a similar problem - on UNIX servers it is easy, the user file used can be completely different from the one for "real" user accounts.

Under NT, you really should look into using a different web server instead of the MS one - O'Reilly's Website or Netscape's server both allow this separate user file.
0
 
LVL 2

Accepted Solution

by:
igroove earned 100 total points
ID: 1827805
Use PerlWin32...And they've got a module called Win32::NetAdmin in which (direct manual quote):

UserCreate($server, $userName, $password,$passwordAge,$privilege,$homeDir, $comment, $flags, $scriptPath)

$server
The name of the server

$userName
The name of the new user.

$password
The user's password

$PasswordAge
Time before password expires.

$privilege
The Privileges of the new user(see below for options)

$homeDir
The home directory of the user.

$comment
A relevant comment about the user.

$flag
A flag controlling user creation (see below for options)

$scriptPath
Pathname of the login script.

Creates a user on server with password, passwordAge, privilege, homeDir, comment, flags, and scriptPath

$Privilege options:
USER_PRIV_MASK
USER_PRIV_GUEST
USER_PRIV_USER
USER_PRIV_ADMIN

$flag options:
UF_TEMP_DUPLICATE_ACCOUNT
UF_NORMAL_ACCOUNT
UF_INTERDOMAIN_TRUST_ACCOUNT
UF_WORKSTATION_TRUST_ACCOUNT
UF_SERVER_TRUST_ACCOUNT
UF_MACHINE_ACCOUNT_MASK
UF_ACCOUNT_TYPE_MASK
UF_DONT_EXPIRE_PASSWD
UF_SETTABLE_BITS
UF_SCRIPT
UF_ACCOUNTDISABLE
UF_HOMEDIR_REQUIRED
UF_LOCKOUT
UF_PASSWD_NOTREQD
UF_PASSWD_CANT_CHANGE

UserDelete($server, $user)

$server
The name of the server.

$user
The name of the user to delete.

Deletes a user from server

And an example:

       use Win32::NetAdmin;

       # Set info for the user.
       $userName = 'TestUser';
       $password = '';
       $passwordAge = 0;
       $privilege = USER_PRIV_USER;
       $homeDir = 'c:\\';
       $comment = 'This is a test user';
       $flags = UF_SCRIPT;
       $scriptpath = 'C:\\';
       $groupName = 'TestGroup';
       $groupComment = "This is a test group";

       # Create the user ('' is passed as the server name).
       Win32::NetAdmin::UserCreate('', $userName,
                              $password,
                              $passwordAge,
                              $privilege,
                              $homeDir,
                              $comment,
                              $flags,
                              $scriptpath) || print "not ";

       # Read the stored attributes back into the $Get* variables.
       Win32::NetAdmin::UserGetAttributes('',$userName,
                              $Getpassword,
                              $GetpasswordAge,
                              $Getprivilege,
                              $GethomeDir,
                              $Getcomment,
                              $Getflags,
                              $Getscriptpath) || warn();

       # Warn on any attribute that does not match what was requested.
       ($password eq $Getpassword) || warn();
       ($passwordAge == $GetpasswordAge) || warn();
       ($homeDir eq $GethomeDir) || warn();
       ($comment eq $Getcomment) || warn();
       ($flags == ($Getflags&USER_PRIV_MASK)) || warn();
       # Compare against the value read back, not the variable with itself.
       ($scriptpath eq $Getscriptpath) || warn();

0
