Script to elevate permissions on W2K?

Posted on 2003-02-28
Medium Priority
Last Modified: 2010-05-18
Hi. We have a vendor that provides updates to its product that run automatically on login to a machine via a shortcut to the update.exe that we (the IT staff) maintain on the network. We have recently migrated to W2K at the desktop. For security and control reasons, users are not local admins, but they are in the power users group. Since the migration, the updates to the product have not worked because the users do not have permissions to one of the InstallShield directories. I would like to run a script that would elevate the users' permissions to the directory. I have never been a scripter and I have no idea how to accomplish this. Can anyone help me out?

Thank you
Question by: Toddro

Expert Comment

ID: 8045042
From the Win2k Resource kit there is a tool called Xcacls.exe. You could implement it with the appropriate commands in a simple batch file that executes at logon and another to drop the permissions back at logoff. This tool is a command line utility so you need to stick to the 8.3 convention for commands. Here are a couple of examples I implemented:

xcacls.exe C:\PROGRA~1\CISCOS~1\IPTVVI~1\*.SDF /E /G Administrators:F
xcacls.exe C:\PROGRA~1\CISCOS~1\IPTVVI~1\*.SDF /E /G System:F
xcacls.exe C:\PROGRA~1\CISCOS~1\IPTVVI~1\*.SDF /E /G USERS:C

Here is a KB article on how to use it: http://support.microsoft.com/default.aspx?scid=kb;en-us;318754

One other tip, to obtain a directory listing in 8.3 if you don't know the convention use the dir command with the /x switch.

Expert Comment

ID: 8045377
Have you used the "run as" option in a shortcut to the update?

Temporarily create and activate a network admin user with appropriate "install software" permissions. Place the admin user in the shortcut. Run the shortcut over the network.

After the update is completed, disable the new admin user account until needed again.

Another option is to modify the domain security profile to allow the installation of system software but this is a matter for trust in your users.


Expert Comment

ID: 8046144
Oops, I missed the point: you don't need M$ updates, you need your vendor's. Sorry. Perhaps the last link I supplied can help, but you can also make a shortcut to a script that can use the runas function. Read http://www.microsoft.com/windows2000/techinfo/planning/management/seclogon.asp to see how to make the shortcut, and then you could put the shortcut in the STARTUP folder so it would run and check for the updates each time the user's logged in. It's just about 50% down the page, you'll see it.

If you can get the updates from the vendor on to a network shared drive, the script would be easy. Even a netlogon script (look in usrmgr), instead of the Startup folder idea.  A good site: http://www.safersite.com/Support/HowTo/How_To_Work_with_Login_Scripts.asp

Here is an example we use for anti-virus stuff.

rem echo +----------------------------------------------+
rem echo +-------------- Mapping Drives ----------------+
rem echo +----------------------------------------------+
rem net use m: \\your_server\update\shared_folder
rem Insert to look for Admin Group Member
rem ifmember "domain admins"
rem if not errorlevel 1 goto userstuff
rem echo You're an admin!
rem echo Skipping rest of script!
rem goto end
rem :userstuff
rem ------------------------------------------
echo Checking for Antivirus update...
if exist "c:\documents and settings\4193xdat.txt" goto done
"\\IT-Server\Other Patches$\4193xdat.exe" /silent /f
echo Version 4.0.4193 update complete. >> "c:\documents and settings\4193xdat.txt"
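echo %username% on %date% at %time% >> \\IT-server\public\updated.txt
rem Target of the "goto done" above; without this label the script aborts when the marker file already exists
:done
rem Target of the commented-out "goto end" in the admin check
:end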

Just copy that into a txt file, and rename the txt file to .bat. Read links on batch files and their commands. Mine is just an example, and I commented (rem'd) out some of the example; batch files are pretty simple...

Expert Comment

ID: 8046210
Those answers don't seem to get to the point. I recently found a script to do what you want. When using the Runas function Microsoft doesn't let you insert the password in a script. Here is a VBScript that uses the SendKeys function to automatically enter the password. It is sweet and simple. I also re-wrote this as a function. Let me know if you want that.


Accepted Solution

smadaras earned 600 total points
ID: 8046227
Another way to upgrade software is to create an MSI and push it out via AD with elevated rights or Machine assign it. That would save your users from having to click on an update shortcut. Also this is preferable because you should test all these updates instead of letting a vendor deploy a patch that could possibly break the users' desktops.

Author Comment

ID: 8061233
I can see the benefits of both techniques... the Xcacls tool would accomplish the job in a batch file that I could run on login... one question about that: I was playing with it, but was unable to grant permissions to a group. There was a reference to adding a group in this article:


...but it is in reference to the Cacls tool, not Xcacls. Is there a way to add a group with this tool? Maybe I'm just missing it, but adding quotes around it doesn't seem to work. None of the examples show using a group, either.

I can also see the benefits of using runas. However, since this shortcut is already out there in all of the Startup folders, wouldn't I have to touch every one to add the runas command? If not, then I'd be back to square one; how to build a script to replace all of the shortcuts to one that uses Runas. I also don't like the fact that it prompts for a password.

Smadaras, can you give me more details on what you did with the VBRunas? Also, I have tried creating an MSI file and pushing it out as a GP, but for some reason it's failing, and I think it's because the application it is trying to update is not a managed application...

Thanx, guys (gals?) for your help. I'll get this licked soon...

Expert Comment

ID: 8061787
Cacls tool is for groups, that was my slip. Many apologies.

Expert Comment

ID: 8061920
You use the VBRunas script to launch the 'update'. You can remove the current startup shortcut and add the new shortcut within the login script. It is just a simple delete and a copy.

The VBRunas script prevents anyone from seeing or typing in the password because Microsoft didn't want to add that functionality. You will never see the prompt, it is too fast. Also remember to encode the script after you put the password in it.

The best approach is MSI. And you definitely want to create the MSI with the original application including all the current updates. Then you can package future updates and push them out after they are fully tested.


Author Comment

ID: 8106034
Well, I've been messing around with a script that uses the cacls tool, trying to add full permissions to the Power Users group to a certain directory. Unfortunately, it keeps giving me an "ACCESS_DENIED: <path>". I have the /C switch in the command.

Here is the command I am passing in the login script:

cacls c:\progra~1\instal~1 /E /C /G "Power Users":F

What I'm wondering is, whose security context is this running in? I mean, if the user doesn't have permissions to the directory, then why would they have permissions to add full permissions during a login script...?

I haven't had a chance to look at the other solution candidates yet, but if this doesn't work, then I will try to start messing with the others tomorrow.

Sorry for the delay in giving your points, folks...

Expert Comment

ID: 8106361
Should be running in system context if it's logon script.

Expert Comment

ID: 8108568
You should use a 'Startup' script if you want to run with system credentials.

I guess I don't understand why you are spending so much time trying to change the folder permissions. Are you sure the 3rd party updates only add new files? There are no registry updates?
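
The cacls grant discussed in this thread, written as a machine Startup script so that it runs with system credentials rather than as the logged-on user; this is an added example, not code posted by any participant. It assumes the 8.3 path quoted in the thread, a hypothetical log file under %SystemRoot%\Temp, and Change (C) rather than Full (F) rights, which may or may not be enough for the vendor's updater.

```batch
@echo off
rem Added example (not from the thread): machine Startup script that grants
rem a group access to one directory and records the resulting ACL.
rem Assumptions: TARGET is the 8.3 path quoted in the thread, LOG is a
rem hypothetical location, and C (Change) is used instead of F.
setlocal

set TARGET=c:\progra~1\instal~1
set GROUP=Power Users
set PERM=C
set LOG=%SystemRoot%\Temp\acl-grant.log

echo ---- %computername% %date% %time% >> "%LOG%"

rem Nothing to do if the product (and so the directory) is not installed.
if not exist "%TARGET%" goto missing

rem /E edits the existing ACL instead of replacing it, /T includes
rem subdirectories, /C continues past entries that cannot be changed,
rem /G grants the given right to the given account.
rem F (Full Control) would also let the group change permissions and
rem take ownership of the directory, so C is the narrower grant.
cacls "%TARGET%" /E /T /C /G "%GROUP%":%PERM% >> "%LOG%" 2>&1

rem Do not rely on the exit code alone: write the ACL that is now in
rem effect to the log so the change can be reviewed later.
echo Resulting ACL on %TARGET%: >> "%LOG%"
cacls "%TARGET%" >> "%LOG%" 2>&1
goto end

:missing
echo %TARGET% not found, no change made >> "%LOG%"

:end
endlocal
```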

Author Comment

ID: 8111734
Actually, I'm going on what their Tech support told me. They researched the problem and told me that they tracked it to the users not having the correct permissions to a folder underneath the Installshield Installation Information directory. I figured giving them permissions to the whole directory would solve the problem, and that directory isn't going to pose a security risk. I did try manually giving the Users group full permissions to the directory on one machine, having a regular user log in, and the update worked.

Author Comment

ID: 8475315
I'm giving the points to smadaras because we ended up creating an MSI and deploying it with a GPO at the machine level. Now when the vendor supplies an update we will have to create a *new* msi and then... well, you know.

Thanx for all your help!
