Creating NT User Accounts w/ Perl 5

I am attempting to have one of my CGI programs create NT user accounts via Perl 5 (hip port) --  Logged onto the NT server at the main console I can execute the script and it will properly generate the User Account and give it the Proper group assignments via the NET USER and NET GROUP commands... however this does not function when accessed via CGI.

What process must I go through to allow this CGI Perl program the proper permissions to follow through with the generation of the User account and group assignments?  Is there an easier way which I am overlooking?

Regards,

Art
aconner Asked:

tark Commented:
Hi Art,
  Don't know much about doing this on the NT side, but I suspect you'll want to try getting 'taintperl' (or equivalent) for NT.  Then, I would bet you'd have to make the script run as user 'Administrator'.  I'm afraid I can't help you there, but I know that on the Unix side, I would use 'taintperl', and make the script setuid.
  I suspect that what you're running into is that the web server invoking the CGI script is running as 'guest' or something.  Whatever the case, the only permissions your CGI script will have are whatever the web server runs as, because it is the web server that actually invokes it.
hth
0
henryj Commented:
Just wondering if there is a good reason for doing this anyway (as creating user accounts via CGI seems a bit risky security wise). What is the intended use? I presume you know that there are already web based system administration tools for NT if that's the reason why you want it?

henry

0
nunamakt Commented:
Second Henryj's comment.  You're opening the door to a hacker to give him/herself admin rights on your server if they can only break one password.  If you don't care if your server gets reformatted, or any of the data on the server gets stolen and used somewhere else...then that's OK I guess.

The Air Force has REALLY cracked down on security lately.  Take a look at the AFCERT (AF Computer Emergency Response Team) page on system security...it's at:

http://kumi.kelly.af.mil/wks.html


0

aconner (Author) Commented:
Then what would be a better way of adding "automated" user accessibility to certain areas of the system? I will provide the following scenario for further understanding...

A user accesses a webpage but it is a "subscription" based webpage.  So then the user fills out a form with payment information or by completing a questionnaire (or whatever); once this task is successfully accomplished they are provided a userid and password to access the "subscription" based webpage.

Is there something really simple here that I am missing?  Perhaps I am approaching this from the wrong angle.

Art
0
tmetzger Commented:
I believe that most systems of this type maintain a database of users
and passwords that is completely separate from the one maintained by the
system.  The user specifies his/her subscription username and enters the
subscription password, rather than the system username/password.  That way, security risks are confined to the scope of your web site.

Perl lets you manage access with a DBM file full of users/passwords.  I haven't done it myself, but I know it can be done.
0
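
The separate subscriber store described in the comment above, as an added example that is not part of any post in this thread: a DBM file that holds only salted PBKDF2 hashes, so the CGI never touches system accounts. The helper names, file path, name pattern and work factor are constructed for illustration, and the salt source assumes a Unix-like host with /dev/urandom.

```perl
use strict;
use warnings;
use Fcntl;                        # O_RDWR, O_CREAT
use SDBM_File;                    # DBM implementation shipped with Perl
use Digest::SHA qw(hmac_sha256);  # core module since Perl 5.10

my $ITER    = 100_000;                   # constructed work factor
my $NAME_RE = qr/\A[a-z0-9_]{3,32}\z/;   # constructed allow-list for names

# Hypothetical helper: PBKDF2-HMAC-SHA256, single 32-byte block (RFC 8018).
sub pbkdf2 {
    my ($pw, $salt, $iter) = @_;
    my $u   = hmac_sha256($salt . pack('N', 1), $pw);
    my $out = $u;
    for (2 .. $iter) { $u = hmac_sha256($u, $pw); $out ^= $u; }
    return $out;
}

# Store "iterations$salt$hash" (hex) under the name; never the password itself.
sub add_user {
    my ($db, $user, $pw) = @_;
    return 0 unless $user =~ $NAME_RE and not exists $db->{$user};
    open(my $rng, '<:raw', '/dev/urandom') or die "urandom: $!";  # assumption: Unix-like host
    read($rng, my $salt, 16) == 16 or die "short read from urandom";
    $db->{$user} = join '$', $ITER, unpack('H*', $salt),
                                   unpack('H*', pbkdf2($pw, $salt, $ITER));
    return 1;
}

sub check_user {
    my ($db, $user, $pw) = @_;
    my $rec = $user =~ $NAME_RE ? $db->{$user} : undef;
    return 0 unless defined $rec;
    my ($iter, $salt_hex, $want) = split /\$/, $rec;
    my $got = unpack 'H*', pbkdf2($pw, pack('H*', $salt_hex), $iter);
    return 0 unless length($got) == length($want);
    my $diff = 0;                                   # compare without early exit
    $diff |= ord(substr $got, $_, 1) ^ ord(substr $want, $_, 1) for 0 .. 63;
    return $diff == 0 ? 1 : 0;
}

my $path = "/tmp/subscribers_demo_$$";   # constructed path; keep outside the web root
tie my %users, 'SDBM_File', $path, O_RDWR | O_CREAT, 0600 or die "tie: $!";
print "add art:       ", add_user(\%users, 'art', 'constructed passphrase'), "\n";
print "add bad name:  ", add_user(\%users, 'bad name;', 'x'), "\n";
print "login correct: ", check_user(\%users, 'art', 'constructed passphrase'), "\n";
print "login wrong:   ", check_user(\%users, 'art', 'guess'), "\n";
untie %users;
unlink "$path.dir", "$path.pag";
```

A compromise of this file exposes subscriber hashes only; the web server account needs no right to create or modify NT accounts.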
furu Commented:
Also with IIS 3.0 you can use ASP to manage user-databases very easily. But take care to download the patch from Microsoft, or anyone could read your passwords.
0
matisse Commented:
We have looked at a similar problem - on UNIX servers it is easy, the user file used can be completely different from the one for "real" user accounts.

Under NT, you really should look into using a different web server instead of the MS one - O'Reilly's Website or Netscape's server both allow this separate user file.
0
igroove Commented:
Use PerlWin32...And they've got a module called Win32::NetAdmin in which (direct manual quote):

UserCreate($server, $userName, $password,$passwordAge,$privilege,$homeDir, $comment, $flags, $scriptPath)

$server
The name of the server

$userName
The name of the new user.

$password
The users password

$PasswordAge
Time before password expires.

$privilege
The Privileges of the new user(see below for options)

$homeDir
The home directory of the user.

$comment
A relevant comment about the user.

$flag
A flag controlling user creation (see below for options)

$scriptPath
Pathname of the login script. Creates a user on server with password, passwordAge, privilege,homeDir, comment, flags, and scriptPath

$Privilege options:
USER_PRIV_MASK
USER_PRIV_GUEST
USER_PRIV_USER
USER_PRIV_ADMIN

$flag options:
UF_TEMP_DUPLICATE_ACCOUNT
UF_NORMAL_ACCOUNT
UF_INTERDOMAIN_TRUST_ACCOUNT
UF_WORKSTATION_TRUST_ACCOUNT
UF_SERVER_TRUST_ACCOUNT
UF_MACHINE_ACCOUNT_MASK
UF_ACCOUNT_TYPE_MASK
UF_DONT_EXPIRE_PASSWD
UF_SETTABLE_BITS
UF_SCRIPT
UF_ACCOUNTDISABLE
UF_HOMEDIR_REQUIRED
UF_LOCKOUT
UF_PASSWD_NOTREQD
UF_PASSWD_CANT_CHANGE

UserDelete($server, $user)

$server
The name of the server.

$user
The name of the user to delete.

Deletes a user from server

And an example:

       use Win32::NetAdmin;
       # set info for the user.
       $userName = 'TestUser';
       $password = '';
       $passwordAge = 0;
       $privilege = USER_PRIV_USER;
       $homeDir = 'c:\\';
       $comment = 'This is a test user';
       $flags = UF_SCRIPT;
       $scriptpath = 'C:\\';
       $groupName = 'TestGroup';
       $groupComment = "This is a test group";
       Win32::NetAdmin::UserCreate('', $userName,
                              $password,
                              $passwordAge,
                              $privilege,
                              $homeDir,
                              $comment,
                              $flags,
                              $scriptpath) || print "not ";
   
       Win32::NetAdmin::UserGetAttributes('',$userName,
                              $Getpassword,
                              $GetpasswordAge,
                              $Getprivilege,
                              $GethomeDir,
                              $Getcomment,
                              $Getflags,
                              $Getscriptpath) || warn();

       # compare what was read back with what was requested
       ($password eq $Getpassword) || warn();
       ($passwordAge == $GetpasswordAge) || warn();
       ($homeDir eq $GethomeDir) || warn();
       ($comment eq $Getcomment) || warn();
       ($flags == ($Getflags&USER_PRIV_MASK)) || warn();
       ($scriptpath eq $Getscriptpath) || warn();

0
