Solved

Impersonation problem in vbscript with winnt

Posted on 2004-09-26
7
1,924 Views
Last Modified: 2008-01-16
I am trying to develop a vbscript file that will run and reset the local administrator account password to one of my choosing.
Background:
1. This will be run off a logon script
2. Running on windows xp platforms

Code:
Set WshNetwork = WScript.CreateObject("WScript.Network")
ComputerName=WshNetwork.ComputerName
NewPassword = "password"

Set objAllAcounts = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & ComputerName & "\root\cimv2").ExecQuery("Select * from Win32_UserAccount")

For Each objSystemUser in objAllAcounts
if  Right(objSystemUser.SID,3)="500" Then
      'Reset Password
      Set objUser = GetObject("WinNT://" & ComputerName & "/" & objsystemuser.name & ",user")
      objUser.SetPassword(NewPassword)
      Exit For
end if
next


This code works fine when you run it with an account with administative priveldges.  With just user rights the objallaccounts impersonation works fine, but the objuser does not.   I know this is because there is no impersonation on the objuser like it is on the objallacounts.

How can I impersonate the objuser?  I read one of the fourms concerning this issue but it did not address an answer to the WINNT impersonation problem?


0
Comment
Question by:jcarrington
  • 3
  • 3
7 Comments
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 12160650
Windows has a program called RunAs, which allows you to run an App as a differnet user- so if you needed to install software that required admin priv's and your just a poweruser or lower, the runas utility allows you to do this, without have to log-off and log back on with a different account. I'm not sure how this would aid in VB, but a logon script could be used to do this- and as long an you have an account on these PC's that is in the admin's group- the reset would be quite easy.

For instance, you have all your computers joined to a domain, and by default when a PC is joined to a domain, the domain admin's group is added to the local administrator's group of the PC's. using an account in the domain admins group could easily reset any password on the local PC.
The main problem with a logon script and runas is that the password must be fed plain-text... unless you envoke a program that will obusificate the pass, and inject it into the cmd line for you. I've done this in the past, using cygwin(perl) and the runas utiltiy. if this sounds like a means to your end, I can give you the example code- but if your dead-set on VB, perhaps someone else could answer your question.
http://www.microsoft.com/windows2000/en/professional/help/default.asp?url=/windows2000/en/professional/help/windows_security_runas.htm
-rich
0
 

Author Comment

by:jcarrington
ID: 12160745
The RUNAS command will not work in this situation.  That works if I was launching an external program from the above code.  I need the elevated permission incorporated inside the same code to be able to execute the setpassword command.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 12160940
Your right, you do need runas to launch another program to do this... but that's simple... a batch file that ueses "net user" commands can do this easily

runas /user:net-admin@yourDomainHere reset.bat
reset.bat (begin)
@echo off
REM no domain specified, local machine account is defaulted
net user administrator 123456
:end

The password must be entered in manually with this example, before reset.bat run's.
-rich
0
Three Reasons Why Backup is Strategic

Backup is strategic to your business because your data is strategic to your business. Without backup, your business will fail. This white paper explains why it is vital for you to design and immediately execute a backup strategy to protect 100 percent of your data.

 

Author Comment

by:jcarrington
ID: 12163531
I tryied the run as but it is limited. The Code section:

if  Right(objSystemUser.SID,3)="500" Then
     'Reset Password
     Set objUser = GetObject("WinNT://" & ComputerName & "/" & objsystemuser.name & ",user")
     objUser.SetPassword(NewPassword)
     Exit For
end if

I am evaluating which account is the administrator account and grabing the name with the objUser line.  The problem is that if you try this with user rights the objUser will dispaly an insufficent rights type error message.

The runas command only works if you already have the acocunt information.  I am trying to gather the information and proceed to reset the password.

0
 

Accepted Solution

by:
jcarrington earned 0 total points
ID: 12179497
I found some code in Visual Basic that worked:

Private Declare Function LogonUser Lib "advapi32.dll" Alias "LogonUserA" (ByVal lpszUsername As String, ByVal lpszDomain As String, ByVal lpszPassword As String, ByVal dwLogonType As Long, ByVal dwLogonProvider As Long, phToken As Long) As Long
Private Declare Function ImpersonateLoggedOnUser Lib "advapi32.dll" (ByVal hToken As Long) As Long
Private Declare Function RevertToSelf Lib "advapi32.dll" () As Long
Private Const LOGON32_PROVIDER_DEFAULT    As Long = 0&
Private Const LOGON32_PROVIDER_WINNT35    As Long = 1&
Private Const LOGON32_LOGON_INTERACTIVE   As Long = 2&
Private Const LOGON32_LOGON_NETWORK       As Long = 3&
Private Const LOGON32_LOGON_BATCH         As Long = 4&
Private Const LOGON32_LOGON_SERVICE       As Long = 5&


Public Function doLogon(ByVal strAdminUser As String, ByVal strAdminPassword As String, ByVal strAdminDomain As String) As Boolean
On Error GoTo DamnErr
     Dim lngTokenHandle As Long
     Dim lngLogonType As Long
     Dim lngLogonProvider As Long
     Dim blnResult As Boolean
     lngLogonType = LOGON32_LOGON_INTERACTIVE
     lngLogonProvider = LOGON32_PROVIDER_DEFAULT
     blnResult = RevertToSelf()
     blnResult = LogonUser(strAdminUser, strAdminDomain, strAdminPassword, _
                                          lngLogonType, lngLogonProvider, _
                                          lngTokenHandle)
     blnResult = ImpersonateLoggedOnUser(lngTokenHandle)
     doLogon = blnResult
     Exit Function
DamnErr:
    Dim sERRORtxt As String
    sERRORtxt = "Error Number: " & Err.Number & vbCrLf & _
                "Description: " & Err.Description & vbCrLf & _
                "Source: " & Err.Source & vbCrLf & _
                "Function: doLogon" & vbCrLf & _
                "Date: " & Now() & vbCrLf & _
                "Input:" & vbCrLf & _
                "  strAdminUser=" & strAdminUser & vbCrLf & _
                "  strAdminPassword=" & strAdminPassword & vbCrLf & _
                "  strAdminDomain=" & strAdminDomain
    App.LogEvent sERRORtxt, vbLogEventTypeError
    Err.Clear
End Function

Public Function doLogoff() As Boolean
On Error GoTo DamnErr
     doLogoff = RevertToSelf()
     Exit Function
DamnErr:
Dim sERRORtxt As String
    sERRORtxt = "Error Number: " & Err.Number & vbCrLf & _
                "Description: " & Err.Description & vbCrLf & _
                "Source: " & Err.Source & vbCrLf & _
                "Function: doLogoff" & vbCrLf & _
                "Date: " & Now()
    App.LogEvent sERRORtxt, vbLogEventTypeError
    Err.Clear
End Function



Call it like:

doLogon "username", "password", "domain-if-needed"
'your code that needs admin rights.
'MAKE SURE TO LOGOFF!
doLogoff


This works if you have a administrative account either in a domain or locally to use.  I would still like to control it on the getobject line so I would not have to rely of any outside account elevation.  

Hope this helps someone needing to use a domain account.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 12179525
Awesome, if you want your points back, visit: http://www.experts-exchange.com/Community_Support/
and post your intentions.
-rich
0

Featured Post

Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

If you thought ransomware was bad, think again! Doxware has the potential to be even more damaging.
The related questions "How do I recover the passwords for my Q-See DVR" and "How can I reset my Q-See DVR to eliminate a password" are seen several times a week.  Here we discuss the grim reality of the situation.
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

789 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question