Solved

How do I modify Registry entries in a Logon script for users without Admin access?

Posted on 2003-11-20
Last Modified: 2013-12-23
I have about 200+ workstations here that need 2 new ODBC DSN's added to them.  I have tried writing scripts with KIX32 and using the REGINI tool from the Resource Kit, but neither will work in a logon script if the user logging on is not an Administrator on the workstation.

You need to be an Administrator to make changes to the registry it seems, and none of the employees here have Administrator access on their workstations.

Can anyone tell me how I can make changes to the Registry from within a Logon script for users who do not have Administrator access on their workstation?
Question by:tcrudolph
16 Comments
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 9793056
I think there is an easy way to do it: just add a line similar to the following to your logon script to interactively ask users to import a remote registry file.

start \\server\newdsn.reg

BTW, I think DSN settings should be user-level settings, so you do not need administrator rights to do it.

hope it helps,
bbao
0
 
LVL 3

Expert Comment

by:ToolMan
ID: 9795661
Hi,
I ran into the same problem once when I wanted to silently install a program on 100 PCs.
I was able to solve it with a little VB program. It logs on as admin (on the PCs), performs some actions and then logs off, and the nice thing about it is that it can only be used for a specific action.
If you want, I can post the code.

Regards
0
 

Author Comment

by:tcrudolph
ID: 9799319
Thanks for the comments guys!

Unfortunately BBAO, the users need to add the DSN's as System DSN's and those are stored in the Registry under the HKEY_LOCAL_MACHINE hive, which only Administrators have access to change.  When a non-administrative user is logged on they are unable to add ODBC System DSN's or make changes to that hive.

ToolMan, with the method you describe, it sounds like I would need to know the name of every workstation in my organization and then push the registry changes out to them.  This might be the way I have to go, but unfortunately there are many laptops as well that may not be hooked up to the network at the time that the push is done, so they would miss it.  This is ideally why I would like to have it done in the logon script.  Also, does your VB program not pass Administrator credentials across the network in cleartext, which would be a security issue?

Still trying to figure out how to do this, thanks for any comments that anyone can give!
0
 
LVL 37

Assisted Solution

by:Bing CISM / CISSP
Bing CISM / CISSP earned 25 total points
ID: 9799500
Hi tcrudolph, why don't you try to use a user-level DSN? I don't think it has any difference from a system DSN if you just use it for an application, not a system service. Hope it is a way to get around your problem.
0
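As an added example (not part of this thread or the accepted code), the user-level DSN that bbao suggests, written the way a per-user logon script would create it on a current Windows/PowerShell build: every key lives under HKCU, so a standard user can write it. The DSN name, server and database are assumed values; the driver DLL path is read from the driver's own registration rather than hard-coded.

```powershell
# Added example (not from this thread): create a user-level ODBC DSN from a
# per-user logon script. All keys are under HKCU, so no admin rights are
# needed. DSN name, server and database are assumed values.
$DsnName  = 'SalesDB'
$Driver   = 'SQL Server'             # driver as registered under HKLM\...\ODBCINST.INI
$Server   = 'sqlsrv01.corp.example'
$Database = 'Sales'

# Take the driver DLL path from the installed driver's own registration
# instead of hard-coding it (the path differs between Windows versions).
$DriverDll = (Get-ItemProperty -Path "HKLM:\SOFTWARE\ODBC\ODBCINST.INI\$Driver" -ErrorAction Stop).Driver

$OdbcIni  = 'HKCU:\Software\ODBC\ODBC.INI'
$DsnKey   = Join-Path $OdbcIni $DsnName
$IndexKey = Join-Path $OdbcIni 'ODBC Data Sources'

# 1. The DSN's own key holds the connection parameters.
New-Item -Path $DsnKey -Force | Out-Null
$values = @{ Driver = $DriverDll; Server = $Server; Database = $Database; Trusted_Connection = 'Yes' }
foreach ($pair in $values.GetEnumerator()) {
    New-ItemProperty -Path $DsnKey -Name $pair.Key -Value $pair.Value -PropertyType String -Force | Out-Null
}

# 2. The index value under "ODBC Data Sources" maps the DSN name to its driver.
#    Without it the DSN key exists but the ODBC Data Source Administrator
#    does not list it.
New-Item -Path $IndexKey -Force | Out-Null
New-ItemProperty -Path $IndexKey -Name $DsnName -Value $Driver -PropertyType String -Force | Out-Null

# 3. Verify from the index, the same place the ODBC Administrator reads.
$listed = (Get-ItemProperty -Path $IndexKey).$DsnName
if ($listed -ne $Driver) { throw "User DSN '$DsnName' was not registered" }
Write-Host "User DSN '$DsnName' ($listed) registered for $env:USERNAME"
```

The same two writes against HKLM:\SOFTWARE\ODBC\ODBC.INI are what a non-administrator cannot perform, which is the System DSN problem the question describes.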
 
LVL 3

Expert Comment

by:mpltech
ID: 9803451
The Windows NT registry has permissions just like NTFS files and folders. Use Regedt32 to set the security on the keys they need to change, giving them the appropriate permissions.


Mike




0
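An added example (not from the thread) of mpltech's approach done with least privilege on a current Windows/PowerShell build: instead of full rights on the key, one group gets only the rights needed to add a DSN, scoped to ODBC.INI and its subkeys. It has to run once with administrator rights (for instance from a machine startup script); the group name CORP\ODBC-DSN-Writers is an assumption.

```powershell
# Added example (not from this thread): delegate to one group the minimum
# registry rights needed to add System DSNs, scoped to the ODBC.INI key.
# Runs once with admin rights; the group name is an assumption.
$Group = 'CORP\ODBC-DSN-Writers'
$Key   = 'HKLM:\SOFTWARE\ODBC\ODBC.INI'   # 32-bit apps on x64 use ...\Wow6432Node\ODBC\ODBC.INI

# CreateSubKey: create the DSN's key. SetValue: write its values and the
# index value under "ODBC Data Sources". ReadKey: enumerate/query. Nothing
# more: no FullControl, ChangePermissions or TakeOwnership, so members
# cannot widen the grant or reach keys outside ODBC.INI.
$Rights    = [System.Security.AccessControl.RegistryRights]'CreateSubKey, SetValue, ReadKey'
$Inherit   = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit  # applies to DSN subkeys
$Propagate = [System.Security.AccessControl.PropagationFlags]::None
$Allow     = [System.Security.AccessControl.AccessControlType]::Allow

$Rule = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList @(
    $Group, $Rights, $Inherit, $Propagate, $Allow)

$Acl = Get-Acl -Path $Key
$Acl.AddAccessRule($Rule)          # adds one explicit ACE; inherited ACEs are untouched
Set-Acl -Path $Key -AclObject $Acl

# Review the explicit (non-inherited) entries on the key afterwards; the
# only new one should be this group with exactly the rights above.
(Get-Acl -Path $Key).Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, RegistryRights, InheritanceFlags, AccessControlType |
    Format-Table -AutoSize
```

Once this is in place, the logon script's regedit /s import of the DSN entries succeeds for members of the group without them being local administrators.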
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 9804880
mpltech, that might be a security hole at first, and then, it is hard to do so one-by-one on each workstation, hehe, the questioner is asking for a solution for reducing such a hard work for its new dsn deployment...
0
 
LVL 3

Accepted Solution

by:
ToolMan earned 25 total points
ID: 9805494
Hi,
About the tool I mentioned, it can be used as follows:

enter a username and password of an administrator,
enter the command that should be executed as admin, like --> "regedit /s s:\MyRegFile.reg"
compile the code (in case you want more security, you can encrypt the username and password).

Authentication (logon) of the administrative account is done as a normal logon (nothing is sent as clear text over the network).
The code you need -->
'BOF
Option Explicit

Private Const CREATE_DEFAULT_ERROR_MODE = &H4000000

Private Const LOGON_WITH_PROFILE = &H1
Private Const LOGON_NETCREDENTIALS_ONLY = &H2

Private Const LOGON32_LOGON_INTERACTIVE = 2
Private Const LOGON32_PROVIDER_DEFAULT = 0
   
Private Type STARTUPINFO
    cb As Long
    lpReserved As Long ' !!! must be Long for Unicode string
    lpDesktop As Long  ' !!! must be Long for Unicode string
    lpTitle As Long    ' !!! must be Long for Unicode string
    dwX As Long
    dwY As Long
    dwXSize As Long
    dwYSize As Long
    dwXCountChars As Long
    dwYCountChars As Long
    dwFillAttribute As Long
    dwFlags As Long
    wShowWindow As Integer
    cbReserved2 As Integer
    lpReserved2 As Long
    hStdInput As Long
    hStdOutput As Long
    hStdError As Long
End Type

Private Type PROCESS_INFORMATION
    hProcess As Long
    hThread As Long
    dwProcessId As Long
    dwThreadId As Long
End Type

'  LogonUser() requires that the caller has the following permission
'  Permission                        Display Name
'  --------------------------------------------------------------------
'  SE_TCB_NAME                      Act as part of the operating system

'  CreateProcessAsUser() requires that the caller has the following permissions
'  Permission                        Display Name
'  ---------------------------------------------------------------
'  SE_ASSIGNPRIMARYTOKEN_NAME       Replace a process level token
'  SE_INCREASE_QUOTA_NAME           Increase quotas
 
Private Declare Function LogonUser Lib "advapi32.dll" Alias _
        "LogonUserA" _
        (ByVal lpszUsername As String, _
        ByVal lpszDomain As String, _
        ByVal lpszPassword As String, _
        ByVal dwLogonType As Long, _
        ByVal dwLogonProvider As Long, _
        phToken As Long) As Long

Private Declare Function CreateProcessAsUser Lib "advapi32.dll" _
        Alias "CreateProcessAsUserA" _
        (ByVal hToken As Long, _
        ByVal lpApplicationName As Long, _
        ByVal lpCommandLine As String, _
        ByVal lpProcessAttributes As Long, _
        ByVal lpThreadAttributes As Long, _
        ByVal bInheritHandles As Long, _
        ByVal dwCreationFlags As Long, _
        ByVal lpEnvironment As Long, _
        ByVal lpCurrentDirectory As String, _
        lpStartupInfo As STARTUPINFO, _
        lpProcessInformation As PROCESS_INFORMATION) As Long

' CreateProcessWithLogonW API is available only on Windows 2000 and later.
Private Declare Function CreateProcessWithLogonW Lib "advapi32.dll" _
        (ByVal lpUsername As String, _
        ByVal lpDomain As String, _
        ByVal lpPassword As String, _
        ByVal dwLogonFlags As Long, _
        ByVal lpApplicationName As Long, _
        ByVal lpCommandLine As String, _
        ByVal dwCreationFlags As Long, _
        ByVal lpEnvironment As Long, _
        ByVal lpCurrentDirectory As String, _
        ByRef lpStartupInfo As STARTUPINFO, _
        ByRef lpProcessInformation As PROCESS_INFORMATION) As Long
     
Private Declare Function CloseHandle Lib "kernel32.dll" _
        (ByVal hObject As Long) As Long
                             
Private Declare Function SetErrorMode Lib "kernel32.dll" _
        (ByVal uMode As Long) As Long
       
Private Type OSVERSIONINFO
    dwOSVersionInfoSize As Long
    dwMajorVersion As Long
    dwMinorVersion As Long
    dwBuildNumber As Long
    dwPlatformId As Long
    szCSDVersion As String * 128
End Type
                             
' Version Checking APIs (GetVersionEx returns a BOOL, i.e. a 32-bit Long)
Private Declare Function GetVersionExA Lib "kernel32.dll" _
    (lpVersionInformation As OSVERSIONINFO) As Long

Private Const VER_PLATFORM_WIN32_NT = &H2

'********************************************************************

'                   RunAsUser for Windows 2000 and Later
'********************************************************************
Public Function W2KRunAsUser(ByVal UserName As String, _
        ByVal Password As String, _
        ByVal DomainName As String, _
        ByVal CommandLine As String, _
        ByVal CurrentDirectory As String) As Long

    Dim si As STARTUPINFO
    Dim pi As PROCESS_INFORMATION
   
    Dim wUser As String
    Dim wDomain As String
    Dim wPassword As String
    Dim wCommandLine As String
    Dim wCurrentDir As String
   
    Dim Result As Long
   
    si.cb = Len(si)
       
    wUser = StrConv(UserName + Chr$(0), vbUnicode)
    wDomain = StrConv(DomainName + Chr$(0), vbUnicode)
    wPassword = StrConv(Password + Chr$(0), vbUnicode)
    wCommandLine = StrConv(CommandLine + Chr$(0), vbUnicode)
    wCurrentDir = StrConv(CurrentDirectory + Chr$(0), vbUnicode)
   
    Result = CreateProcessWithLogonW(wUser, wDomain, wPassword, _
          LOGON_WITH_PROFILE, 0&, wCommandLine, _
          CREATE_DEFAULT_ERROR_MODE, 0&, wCurrentDir, si, pi)
    ' CreateProcessWithLogonW() does not
    If Result <> 0 Then
        CloseHandle pi.hThread
        CloseHandle pi.hProcess
        W2KRunAsUser = 0
    Else
        W2KRunAsUser = Err.LastDllError
        MsgBox "CreateProcessWithLogonW() failed with error " & Err.LastDllError, vbExclamation
    End If

End Function

'********************************************************************
'                   RunAsUser for Windows NT 4.0
'********************************************************************
Public Function NT4RunAsUser(ByVal UserName As String, _
                ByVal Password As String, _
                ByVal DomainName As String, _
                ByVal CommandLine As String, _
                ByVal CurrentDirectory As String) As Long
    Dim Result As Long
    Dim hToken As Long
    Dim si As STARTUPINFO
    Dim pi As PROCESS_INFORMATION

    Result = LogonUser(UserName, DomainName, Password, LOGON32_LOGON_INTERACTIVE, _
                       LOGON32_PROVIDER_DEFAULT, hToken)
    If Result = 0 Then
        NT4RunAsUser = Err.LastDllError
        ' LogonUser will fail with 1314 error code, if the user account associated
        ' with the calling security context does not have
        ' "Act as part of the operating system" permission
        MsgBox "LogonUser() failed with error " & Err.LastDllError, vbExclamation
        Exit Function
    End If
   
    si.cb = Len(si)
    Result = CreateProcessAsUser(hToken, 0&, CommandLine, 0&, 0&, False, _
                CREATE_DEFAULT_ERROR_MODE, _
                0&, CurrentDirectory, si, pi)
    If Result = 0 Then
        NT4RunAsUser = Err.LastDllError
        ' CreateProcessAsUser will fail with 1314 error code, if the user
        ' account associated with the calling security context does not have
        ' the following two permissions
        ' "Replace a process level token"
        ' "Increase Quotas"
        MsgBox "CreateProcessAsUser() failed with error " & Err.LastDllError, vbExclamation
        CloseHandle hToken
        Exit Function
    End If
   
    CloseHandle hToken
    CloseHandle pi.hThread
    CloseHandle pi.hProcess
    NT4RunAsUser = 0

End Function

Public Function RunAsUser(ByVal UserName As String, _
                ByVal Password As String, _
                ByVal DomainName As String, _
                ByVal CommandLine As String, _
                ByVal CurrentDirectory As String) As Long

    Dim w2kOrAbove As Boolean
    Dim osinfo As OSVERSIONINFO
    Dim Result As Long
    Dim uErrorMode As Long
   
    ' Determine if system is Windows 2000 or later
    osinfo.dwOSVersionInfoSize = Len(osinfo)
    osinfo.szCSDVersion = Space$(128)
    GetVersionExA osinfo
    w2kOrAbove = _
        (osinfo.dwPlatformId = VER_PLATFORM_WIN32_NT And _
         osinfo.dwMajorVersion >= 5)
    If (w2kOrAbove) Then
        Result = W2KRunAsUser(UserName, Password, DomainName, _
                    CommandLine, CurrentDirectory)
    Else
        Result = NT4RunAsUser(UserName, Password, DomainName, _
                    CommandLine, CurrentDirectory)
    End If
    RunAsUser = Result
End Function


Private Sub Form_Load()
    ' Syntax: (username, password, domain, the command that should be executed, the working dir).
    ' "." as the domain means a local account; "TempAdminUser"/"MyPassword" are sample values
    ' that end up embedded in the compiled executable.
    Call RunAsUser("TempAdminUser", "MyPassword", ".", "cmd /c regedit /s s:\myregfile.reg", App.Path)
End Sub

hope it helps
'EOF
0
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 9810607
Good job, a DIY solution. But do you think everyone has VB?
0
 
LVL 3

Expert Comment

by:ToolMan
ID: 9810978
hmm, never thought about it........... sorry
0
 

Author Comment

by:tcrudolph
ID: 9811252
That's great guys, thanks a lot for your help!

Bbao, I did try using a User Level DSN as well but for some reason when I added the entries to the registry the DSN would not appear.  That is definitely an option I am going to play more with today.  If that would work, then I may be able to deploy to all the workstations without doing any work, other than creating a logon script to add the entries to the "USER" section of the registry.

ToolMan, I do indeed have VB and am fairly fluent in it.  This code is GREAT, thanks a lot!  I have played with it a bit and have managed to compose a program that will allow me to dump a list of all the active workstations in the domain to a file, then loop through each line of the file and "PUSH" the necessary registry changes to each machine.  IF this program is run by an Administrator it will work using the Admin's logon credentials.

Thank you both very much for your help, now to see if there is a way to distribute points equally (this is my first time posting and using Experts Exchange so I'm sorry if I do it wrong).

Travis.
0
 

Author Comment

by:tcrudolph
ID: 9811286
It told me I could accept the answers of two people but then when I accepted and graded one, there was no longer an option to accept/grade a second answer.

Just want to apologize BBAO.. no idea what I did wrong but this is all new to me :(

Travis.
0
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 9811355
Don't worry, just read here for more info about how to distribute the points:
http://www.experts-exchange.com/help.jsp#hi19

Or, just post a free question to the CS topic area to ask the EE guys to do it for you.

thanks,
bbao
0
 

Author Comment

by:tcrudolph
ID: 9812058
OK, I think I got the points right that time.  Thanks again guys!
0
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 9812082
hehe, thanks... good luck, bbao
0
 
LVL 3

Expert Comment

by:ToolMan
ID: 9813211
I am glad that you could be helped,
good luck & regards
toolman
0