Dennis_Siggaard
asked on
Change hostname (computer name) for > 100 NT 4 workstations
How can I change the hostname (computer name) for >100 NT 4 workstations, where the user is not an administrator? I do not want to travel to each of them.
My idea is something like this in the login script:
1. Add user to local administrator group (this one has to be done by an administrator; could I use SU.EXE, and what are the command lines for this?)
2. Add computer name to server manager at server (almost done, but need some help)
3. Change user computer name at ws. via a scriptit script (I have done this one)
4. Remove user from local administrator group (I have done this one too)
-Dennis Siggaard (ICQ 41577345)
I'll just 2nd tim_holman's warning NOT to add the users to your administrative group. If security is an issue (and it must be since you have the workstations locked down) you are playing with dynamite.
The problem is that NT goes out of its way to prevent users from gaining access to privileges they are not authorized for. There is a way, however, that involves a program that calls LogonUser and then CreateProcessAsUser to run the application in the context of a privileged account. Two security issues with this approach:
1) You must have an account name and password embedded in the application. The danger here can be minimized by creating an authorized administrative account that is enabled only for a specific time interval while you are deploying the script. After that time, you disable it.
2) The user accounts must have SE_TCB_NAME (Act as part of the operating system) privilege. While this one can be used for exploits, it's far less dangerous than the entire administrator set of privs.
A year ago or so I developed an application that did the above for a client who had to change some of the network properties for 140,000 workstations. Most (about 120,000) were Win95 boxes which present no security problems at all. The last 20,000 were NT. The above technique worked and solved the problem. The "window of vulnerability" if you want was only a few days and the administrator at the site closed off SE_TCB_NAME privs for each user as their computer logged on to the network and was forced to run the app via the logon script.
ASKER
Here is my idea:
First you should know that I have developed two programs. One runs at the server and listens for a client to tell it what to do.
The other one calls the server program with some parameters.
Example: client \\servername create_hostname_in_server_manager.bat %USERNAME%321
I have then created a create_hostname_in_server_manager.bat at the server, which will be run at the server. The bat file contains the following:
net computer \\%1 /add
net localgroup administrators
// this tells me who is local admin
// here I can read if user is local
// admin
if not give him local admin rights
client \\server add_user_to_local_admin.bat %COMPUTERNAME% %USERNAME%
goto END
if local admin rights
call scriptit script which change computername
net localgroup Administrators %USERDOMAIN%\%USERNAME% /DELETE
// removes the user from local admin
add_user_to_local_admin.bat contains:
soon \\%1 500 cmd /c "net localgroup Administrators DOMAIN\%2 /ADD"
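A check for the cleanup step in the script above (removing the user from the local Administrators group), as an added example that is not part of the original post: it parses `net localgroup Administrators` output collected from each workstation and reports any member outside an approved baseline. The sample output, host names, account names and baseline are constructed, and output that cannot be parsed (for example an access-denied error) is flagged rather than treated as clean.

```python
import re

# Constructed sample of `net localgroup Administrators` output from one
# workstation after the rename; all names are placeholders, not from the page.
SAMPLE_OUTPUT = """\
Alias name     Administrators
Comment        Members can fully administer the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
EXAMPLEDOM\\Domain Admins
EXAMPLEDOM\\jdoe
The command completed successfully.
"""

def parse_members(output):
    """Return members listed after the dashed rule, or None if no rule was found."""
    members, in_list = [], False
    for line in output.splitlines():
        line = line.strip()
        if re.fullmatch(r"-{5,}", line):
            in_list = True
            continue
        if not in_list or not line:
            continue
        if line.lower().startswith("the command completed"):
            break
        members.append(line)
    return members if in_list else None

def leftover_admins(output, baseline):
    """Members outside the approved baseline (case-insensitive compare)."""
    members = parse_members(output)
    if members is None:
        # The command failed or the output was truncated: do not assume clean.
        return ["<unparsed output>"]
    allowed = {name.lower() for name in baseline}
    return [m for m in members if m.lower() not in allowed]

def audit(reports, baseline):
    """Map workstation name -> unexpected members; clean hosts are omitted."""
    findings = {host: leftover_admins(out, baseline) for host, out in reports.items()}
    return {host: extra for host, extra in findings.items() if extra}

if __name__ == "__main__":
    baseline = ["Administrator", "EXAMPLEDOM\\Domain Admins"]
    print(audit({"WS-0001": SAMPLE_OUTPUT}, baseline))
```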
ASKER CERTIFIED SOLUTION
You could get into all sorts of predicaments!
Something like SMS / WinInstall would do this for you.
You need to change the registry key:
HKLM\CurrentControlSet\...
(Hostname is the same thing as computername under NT)
I suppose you could use a remote shell as the command needs to be run locally.
(i.e. regedit /s hostname.reg, where the .reg file contains this registry key and appropriate hostname).
Then change it via srvmgr to update the SAM.