Solved

Want to pass on domain admin privilege to a VB program from another VB program

Posted on 2003-11-14
Medium Priority
418 Views
Last Modified: 2010-05-01
I have a VB application deployed on a Windows 2000 Domain Server. This application is launched each time a client logs on to the domain. Client machines are either 2000 or NT. I do not have any problem with 2000 clients.

I have a VB program, deployed on the server, let's say A.EXE, which will call another VB program B.EXE. B.EXE has to perform administrative functions on the client machine. A.EXE is launched when a normal user logs in. So I need a way to pass on administrative privilege to B.EXE. I cannot use the LogonUser() function since I cannot grant the 'Act as part of the operating system' privilege to the user.

Can anyone help???
Question by:sprasad15
21 Comments
 
LVL 3

Expert Comment

by:NBrownoh
ID: 9753251
Why doesn't a.exe take all the load and just allow a.exe to have the privileges that you want b.exe to have?
0
 
LVL 3

Expert Comment

by:NBrownoh
ID: 9753256
Never mind, trouble understanding it at first.

I take it A.exe resides on the server and B.exe resides on the client, correct?

What exactly do you need B.exe to do for the client?
0
 

Author Comment

by:sprasad15
ID: 9753358
Hi

Thanks for the response. My requirement is as follows

1) The application is relating to enforcing IT security within our Win network

2) Application is going to be deployed on Windows 2000 Domain Server

3) Each domain user's profile contains a batch file to execute this application on login

4) A.exe is the first VB program which is called by the batch file. If A.exe can assume admin privilege, it is fine with me

5) On launching A.exe, A.exe will check for the installation of all application files in the client machine. If not found, it copies all files to client machine (including B.exe. But A.exe executed from server only and not copied to client machine)

6) A.exe calls B.EXE (b.exe is now in the client)

7) B.exe will check for the installation of latest service packs, security updates etc. in the client machine, and installs them if not found. This process needs admin privilege in the client machine.

8) Since the login user is a normal user and has no admin privilege on both local machine as well as server, A.exe will not have admin privilege.  So I need a way to pass on admin privilege to b.exe
 
Thanks
Siva
0

 
LVL 3

Expert Comment

by:NBrownoh
ID: 9753372
From what I can find right now before I hit the sack is this

http://www.tek-tips.com/gviewthread.cfm/lev2/4/lev3/32/pid/711/qid/460090

That changes security attributes to a specified path to allow writing, if this isn't the and you don't have Windows privileges then that's a whole nother really long story.  I'll look more in the morning if someone else hasn't already answered your question
0
 

Author Comment

by:sprasad15
ID: 9753397
Hi

Since B.EXE will be calling certain installables for security updates, service packs etc., this process will require admin privilege on the client machine, I think not just file permissions

Thanks
Siva
0
 

Expert Comment

by:siva_manikoth
ID: 9753515
Hi

I think SSPI is an option for me, but I am yet to come across any VB code samples using SSPI to impersonate a user

Thanks
Siva
0
 
LVL 2

Expert Comment

by:molar
ID: 9753573
A.exe would need local admin privileges in order to install anything on the local machines. I don't think you can do that when a.exe exists only on the server.

Here are a couple of alternatives that would seem to give you the outcome you're looking for.

1 - Get in a commercial package that does pretty much exactly what you're asking for here. (SMS for example). You will need to install an agent app locally on each machine and give it admin privileges, though the documentation pretty much talks you through how to do it. The downside is that it's costly.

2 - Write your own agent application (like your b.exe) which runs as a service on each workstation and checks a file (central or copied locally) of required updates. You can use "srvany.exe" from MSDN to make your app into a service. The file could be CSV with a format like Code, Description, Path as below

IE6SP2, Internet Explorer 6 update, \\server\share\ie6update.exe

When the update is installed, the application creates a file (in the above case called IE6SP2.tag) which is stored in a local (shared) directory on each PC. Before installing the update, the program checks whether it has the tag (and so already has the update) before installing again.

By making the folder shared, it allows you as an admin, to go in and delete tags, to force re-installs of updates should you ever need to.

The service is started as part of the login script using net start.

I have used this approach myself, and successfully managed 7000 machines on around 20 sites this way.

0
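
The manifest-and-tag check described in the answer above, sketched as an added example (not code from the thread, and written in Python rather than VB). The trusted share prefix, the extra manifest rows and the function names are assumptions; because the agent runs with system rights, rows that point outside the share or whose code is not a plain file name are refused rather than installed.

```python
import csv
import io
import re
from pathlib import Path, PureWindowsPath

TRUSTED_SHARE = PureWindowsPath(r"\\server\share")  # assumption: the only installer source
CODE_RE = re.compile(r"[A-Za-z0-9_-]+")             # code becomes a file name, keep it plain

# Constructed sample manifest: first row is the thread's example, the rest are test cases.
SAMPLE_MANIFEST = r"""IE6SP2, Internet Explorer 6 update, \\server\share\ie6update.exe
W2KSP4, Windows 2000 SP4, \\server\share\w2ksp4.exe
..\..\boot, Bad code field, \\server\share\x.exe
TOOL1, Untrusted source, \\otherhost\drop\tool.exe
TOOL2, Path escape, \\server\share\..\drop\tool.exe
"""

def parse_manifest(text):
    """Yield (code, description, path) from 'Code, Description, Path' lines."""
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if len(row) == 3:
            yield tuple(field.strip() for field in row)

def is_trusted(path):
    """True only for paths under TRUSTED_SHARE with no '..' components."""
    p = PureWindowsPath(path)
    if ".." in p.parts:
        return False
    try:
        p.relative_to(TRUSTED_SHARE)
        return True
    except ValueError:
        return False

def apply_updates(manifest_text, tag_dir, install):
    """Run install(path) per valid, untagged row; return (installed, rejected) codes."""
    installed, rejected = [], []
    for code, _desc, path in parse_manifest(manifest_text):
        if not CODE_RE.fullmatch(code) or not is_trusted(path):
            rejected.append(code)          # never hand this row to a SYSTEM process
            continue
        tag = Path(tag_dir) / f"{code}.tag"
        if tag.exists():
            continue                       # update already installed on this machine
        if install(path):                  # install is supplied by the caller
            tag.touch()                    # tag only after a successful install
            installed.append(code)
    return installed, rejected
```

The `install` callable is where the agent would start the installer; the manifest and the tag folder should be writable by administrators only, since anyone who can edit them controls what the service runs or skips.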
 

Expert Comment

by:siva_manikoth
ID: 9753747
Hi

Thanks for the comments.

I think the solution you suggested will call for manual installation of the service on each NT client. I have 1000+ NT client machines. Is there any way this (installing the service on client machines) can be done by the domain when a normal (non-admin) user logs in??

Thanks
Siva
0
 
LVL 2

Accepted Solution

by:
molar earned 100 total points
ID: 9753787
There is no way round this. The agent is providing you with a back door to get round the problem that non admin users can't install their own software. Before you have this installed, there is no way for a non admin user to do it.
This of course is the standard MS security working exactly as it's supposed to.

It will be a significant effort getting round 1000 machines, but of course it would be the last time you needed to do it as once the agent is there any other updates (including updates to the agent itself) could be done automatically.

An alternative to a big rollout is to only install the service on fresh builds, or when support staff visit the machines for another reason. Old machines that are giving you no trouble just get treated on the "if it ain't broke, don't fix it" principle, as sooner or later they'll get replaced anyway.

If you needed to do global rollouts then presumably you have to go round machines manually at the moment anyway if you don't have this kind of system in place.
0
 
LVL 26

Assisted Solution

by:EDDYKT
EDDYKT earned 100 total points
ID: 9756072
You can use dcomcnfg to set B.exe to run as admin user on client machine

One thing is B.exe must be activex exe
0
 

Expert Comment

by:siva_manikoth
ID: 9757682
Hi EDDYKT

Can you elaborate more on this solution?

Thanks
Siva
0
 
LVL 26

Expert Comment

by:EDDYKT
ID: 9757790
A.exe starts on server and B.exe initiated by A.exe from server using createobject

If B.exe is activex exe then you can use dcomcnfg.exe to run b.exe on client with admin user
0
 
LVL 2

Expert Comment

by:molar
ID: 9759462
Maybe I'm missing something here, but haven't you still got to set up the DCOM permissions for b.exe on each workstation individually?

Is that better than making b.exe into a service and giving it system privileges?

0
 

Expert Comment

by:siva_manikoth
ID: 9761558
Hi

I am trying to work around this issue using an ActiveX EXE as suggested by EDDYKT.

In my A.EXE I have added this code

Dim LaunchObj
Set LaunchObj = CreateObject("LaunchX.LaunchCls") 'I use LaunchObj for B.EXE
Call LaunchObj.callingLogin

'This code is from ActiveX EXE - Project LaunchX, Class LaunchCls. I have replaced B with this
Public Sub callingLogin()
    MsgBox ("Calling Login")
End Sub

I get an error message running this in the Win 2000 server
Run-time error '429'
ActiveX component can't create object

I can get this code to work on my local (development) machine

Also I wanted to know, if B.EXE has admin rights, rest of the programs called by B.EXE will also carry admin rights???

Thanks
Siva

0
 

Expert Comment

by:siva_manikoth
ID: 9762282
Hi

I have tried out the ActiveX EXE option, but it is not feasible because of two reasons

1) ActiveX EXE needs to be registered on each client machine, which requires admin privilege, because registry needs to be updated
2) Even if ActiveX EXE is registered once using an admin account, when the application has to do a job it is meant to do, like installing a service pack, it stops there saying that user does not have admin privilege

Pls comment

Thanks
Siva
0
 
LVL 26

Expert Comment

by:EDDYKT
ID: 9763097
>>Also I wanted to know, if B.EXE has admin rights, rest of the programs called by B.EXE will also carry admin rights???


Yes it will only on Windows 2000 or higher not on NT.

Are sprasad15 and siva_manikoth both the same person?
Do you know you cannot have two accounts for the same person?
0
 
LVL 26

Expert Comment

by:EDDYKT
ID: 9763106
>>Even if ActiveX EXE is registered once using an admin account,

You use admin account to register doesn't do anything on using

dcomcnfg.exe to set B.exe to run as admin account.
Am I missing something here?
0
 
LVL 49

Expert Comment

by:DanRollins
ID: 10548382
Moderator, my recommended disposition is:

    Accept EDDYKT's comment(s) as an answer.

Dan Rollins -- EE database cleanup volunteer
0
 
LVL 2

Expert Comment

by:molar
ID: 10548559
EDDYKT's solution is really just a rehash of the answer I had previously given.  His (Her?) answer certainly doesn't come up with a solution for the issue that the questioner had with my answer (i.e. that my solution would call for manual installation of the service on each NT client).

I also think that my answer is rather more clearly expressed.

Points to me please.
0
