Script to elevate permissions on W2K?

Hi. We have a vendor that provides updates to it's product that run automatically on login to a machine via a shortcut to the update.exe that we (the IT staff) maintain on the network. We have recently migrated to W2K at the desktop. For security and control reasons, users are not local admins, but they are in the power users group. Since the migration, the updates to the product have not worked because the users do not have permissions to one of the Installsheild directories. I would like to run a script that would elevate the users permissions to the directory. I have never been a scripter and I have no idea how to accomplish this. Can anyone help me out?

Thank you
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

From the Win2k Resource kit there is a tool called Xcacls.exe.  You could implement it with the appropriate commands in a simple batch file that executes at logon and another to drop the permissions back at logoff.  This tool is a command line utility so you need to stick to the 8.3 convention for commands.  Here are a couple of examles I implemented:

xcacls.exe C:\PROGRA~1\CISCOS~1\IPTVVI~1\*.SDF /E /G Administrators:F
xcacls.exe C:\PROGRA~1\CISCOS~1\IPTVVI~1\*.SDF /E /G System:F
xcacls.exe C:\PROGRA~1\CISCOS~1\IPTVVI~1\*.SDF /E /G USERS:C

Here is a KB article on how to use it:;en-us;318754

One other tip, to obtain a directory listing in 8.3 if you don't know the convention use the dir command with the /x switch.
Have you used the "run as" option in a shortcut to the update?

Temporarily create and activate a network admin user with appropriate "install software" permissions. Place the admin user in the shortcut. Run the shortcut over the network.

After the update is completed, disable the new admin user account until needed again.

Another option is to modify the domain security profile to allow the installation of system software but this is a matter for trust in your users.

Get expert help—faster!

Need expert help—fast? Use the Help Bell for personalized assistance getting answers to your important questions.

oops I missed the point, you don't need M$ updates, you need your vendors- sorry. perhaps the last link i supplied can help, but you can also make a shortcut to a scrpit that can use the runas function, read the to see how to make the shortcut, and then you could put the shortcut in the STARTUP folder so it would run and check for the updates each time the user's logged in. It's just about 50% down the page, you'll see it.

If you can get the updates from the vendor on to a network shared drive, the script would be easy. Even a netlogon script (look in usrmgr), instead of the Startup folder idea.  A good site:

Here is an example we use for anti-virus stuff.

rem echo +----------------------------------------------+
rem echo +-------------- Mapping Drives ----------------+
rem echo +----------------------------------------------+
rem net use m: \\your_server\update\shared_floder
rem Insert to look for Admin Group Member
rem ifmember "domain admins"
rem if not errorlevel 1 goto userstuff
rem echo You're an admin!
rem echo Skipping rest of script!
rem goto end
rem :userstuff
rem ------------------------------------------
echo Checking for Antivirus update...
if exist "c:\documents and settings\4193xdat.txt" goto done
"\\IT-Server\Other Patches$\4193xdat.exe" /silent /f
echo Version 4.0.4193 update complete. >> "c:\documents and settings\4193xdat.txt"
echo %username% on %date% at %time% >> \\IT-server\public\updated.txt

Just copy that into a txt file, and rename the txt file to .bat. Read links on batch files and their commands.. mine is just an example,and I commented (rem'd)out some of the example, batch's are pretty simple...
Those answers don't seem to get to the point. I recently found a script to do what you want. When using the Runas function Microsoft doesn't let you insert the password in a script. Here is a Vbscript that uses the Sendkeys function to automatically enter the password. It is sweet and simple. I also re-wrote this as a function. Let me know if you want that.
Another way to upgrade software is to create an MSI and push it out via AD with elevated rights or Machine assign it. That would save your users from having to click on an update shortcut. Also this is preferable because you should test all these updates instead of letting a vendors deploy a patch the could possibly break the user's desktops.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
ToddroAuthor Commented:
I can see the benefits of both techniques... the Xcacls tool would accomplish the job in a batch file that I could run on login... one question about that: I was playing with it, but was unable to grant permissions to a group. There was a reference to adding a group in this article:;EN-US;135268

..but it is in reference the the Cacls tool, not XCalcs. Is there a way to add a group with this tool? Maybe I'm just missing it, but adding quotes around it doesn't seem to work. None of the examples show using a group, either.

I can also see the benefits of using runas. However, since this shortcut is already out there in all of the Startup folders, wouldn't I have to touch every one to add the runas command? If not, then I'd be back to square one; how to build a script to replace all of the shortcuts to one that uses Runas. I also don't like the fact that it prompts for a password.

Smadaras, can you give me more details on what you did with the VBRunas? Also, I have tried creating an MSI file and pushing it out as a GP, but for some reason it's failing, and I think it's because the application it is trying to update is not a managed application...

Thanx, guys (gals?) for your help. I'll get this licked soon...
Calcs tool is for groups, that was my slip.  Many apologies.
You use the VBRunas script to launch the 'update'. You can remove the current startup shortcut and add the new shortcut within the login script. It is just a simple delete and a copy.

The VBRunas script prevents anyone from seeing or typing in the password because Microsoft didn't want to add that functionality. You will never see the prompt, it is too fast. Also remember to encode the script after you put the password in it.

The best approach is MSI. And you definitely want to create the MSI with the original application including all the current updates. Then you can package future updates and push them out after they are fully tested.

ToddroAuthor Commented:
Well, I've been messing around with a script that uses the cacls tool, trying to add full permissions to the Power Users group to a certain directory. Unfortunatly, it keeps giving me an "ACCESS_DENIED: <path>" I have the /C switch in the command.

Here is the command I am passing in the login script:

cacls c:\progra~1\instal~1 /E /C /G "Power Users":F

What I'm wondering is, who's security context is this running in? I mean, if the user doesn't have permissions to the directory, then why would they have permissions to add full permissions during a login sript...?

I haven't had a chance to look at the other solution candidates yet, but if this doesn't work, then I will try to start messing with the others tomorrow.

Sorry for the delay in giving your points, folks...
Should be running in system context if it's logon script.
You should use a 'Startup' script if you want to run with system credentials.

I guess I don't understand why you are spending so much time trying to change the folder permissions. Are you sure the 3rd party updates only add new files? There are no registry updates?
ToddroAuthor Commented:
Actually, I'm going on what their Tech support told me. They researched the problem and told me that they tracked it to the users not having the correct permissions to a folder underneath the Installshield Installation Information directory. I figured giving them permissions to the whole directory would solve the problem, and that directory isn't going to pose a security risk. I did try manually giving the Users group full permissions to the directory on one machine, having a regular user log in, and the update worked.
ToddroAuthor Commented:
I'm giving the points to smadaras because we ended up creating an MSI and deploying it with a GPO at the machine level. Now when the vendor supplies an update we will have to create a *new* msi and then... well, you know.

Thanx for all your help!
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows 2000

From novice to tech pro — start learning today.