Solved

Impersonation problem in vbscript with winnt

Posted on 2004-09-26
7
1,917 Views
Last Modified: 2008-01-16
I am trying to develop a vbscript file that will run and reset the local administrator account password to one of my choosing.
Background:
1. This will be run off a logon script
2. Running on windows xp platforms

Code:
Set WshNetwork = WScript.CreateObject("WScript.Network")
ComputerName=WshNetwork.ComputerName
NewPassword = "password"

Set objAllAcounts = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & ComputerName & "\root\cimv2").ExecQuery("Select * from Win32_UserAccount")

For Each objSystemUser in objAllAcounts
if  Right(objSystemUser.SID,3)="500" Then
      'Reset Password
      Set objUser = GetObject("WinNT://" & ComputerName & "/" & objsystemuser.name & ",user")
      objUser.SetPassword(NewPassword)
      Exit For
end if
next


This code works fine when you run it with an account with administative priveldges.  With just user rights the objallaccounts impersonation works fine, but the objuser does not.   I know this is because there is no impersonation on the objuser like it is on the objallacounts.

How can I impersonate the objuser?  I read one of the fourms concerning this issue but it did not address an answer to the WINNT impersonation problem?


0
Comment
Question by:jcarrington
  • 3
  • 3
7 Comments
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 12160650
Windows has a program called RunAs, which allows you to run an App as a differnet user- so if you needed to install software that required admin priv's and your just a poweruser or lower, the runas utility allows you to do this, without have to log-off and log back on with a different account. I'm not sure how this would aid in VB, but a logon script could be used to do this- and as long an you have an account on these PC's that is in the admin's group- the reset would be quite easy.

For instance, you have all your computers joined to a domain, and by default when a PC is joined to a domain, the domain admin's group is added to the local administrator's group of the PC's. using an account in the domain admins group could easily reset any password on the local PC.
The main problem with a logon script and runas is that the password must be fed plain-text... unless you envoke a program that will obusificate the pass, and inject it into the cmd line for you. I've done this in the past, using cygwin(perl) and the runas utiltiy. if this sounds like a means to your end, I can give you the example code- but if your dead-set on VB, perhaps someone else could answer your question.
http://www.microsoft.com/windows2000/en/professional/help/default.asp?url=/windows2000/en/professional/help/windows_security_runas.htm
-rich
0
 

Author Comment

by:jcarrington
ID: 12160745
The RUNAS command will not work in this situation.  That works if I was launching an external program from the above code.  I need the elevated permission incorporated inside the same code to be able to execute the setpassword command.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 12160940
Your right, you do need runas to launch another program to do this... but that's simple... a batch file that ueses "net user" commands can do this easily

runas /user:net-admin@yourDomainHere reset.bat
reset.bat (begin)
@echo off
REM no domain specified, local machine account is defaulted
net user administrator 123456
:end

The password must be entered in manually with this example, before reset.bat run's.
-rich
0
Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

 

Author Comment

by:jcarrington
ID: 12163531
I tryied the run as but it is limited. The Code section:

if  Right(objSystemUser.SID,3)="500" Then
     'Reset Password
     Set objUser = GetObject("WinNT://" & ComputerName & "/" & objsystemuser.name & ",user")
     objUser.SetPassword(NewPassword)
     Exit For
end if

I am evaluating which account is the administrator account and grabing the name with the objUser line.  The problem is that if you try this with user rights the objUser will dispaly an insufficent rights type error message.

The runas command only works if you already have the acocunt information.  I am trying to gather the information and proceed to reset the password.

0
 

Accepted Solution

by:
jcarrington earned 0 total points
ID: 12179497
I found some code in Visual Basic that worked:

Private Declare Function LogonUser Lib "advapi32.dll" Alias "LogonUserA" (ByVal lpszUsername As String, ByVal lpszDomain As String, ByVal lpszPassword As String, ByVal dwLogonType As Long, ByVal dwLogonProvider As Long, phToken As Long) As Long
Private Declare Function ImpersonateLoggedOnUser Lib "advapi32.dll" (ByVal hToken As Long) As Long
Private Declare Function RevertToSelf Lib "advapi32.dll" () As Long
Private Const LOGON32_PROVIDER_DEFAULT    As Long = 0&
Private Const LOGON32_PROVIDER_WINNT35    As Long = 1&
Private Const LOGON32_LOGON_INTERACTIVE   As Long = 2&
Private Const LOGON32_LOGON_NETWORK       As Long = 3&
Private Const LOGON32_LOGON_BATCH         As Long = 4&
Private Const LOGON32_LOGON_SERVICE       As Long = 5&


Public Function doLogon(ByVal strAdminUser As String, ByVal strAdminPassword As String, ByVal strAdminDomain As String) As Boolean
On Error GoTo DamnErr
     Dim lngTokenHandle As Long
     Dim lngLogonType As Long
     Dim lngLogonProvider As Long
     Dim blnResult As Boolean
     lngLogonType = LOGON32_LOGON_INTERACTIVE
     lngLogonProvider = LOGON32_PROVIDER_DEFAULT
     blnResult = RevertToSelf()
     blnResult = LogonUser(strAdminUser, strAdminDomain, strAdminPassword, _
                                          lngLogonType, lngLogonProvider, _
                                          lngTokenHandle)
     blnResult = ImpersonateLoggedOnUser(lngTokenHandle)
     doLogon = blnResult
     Exit Function
DamnErr:
    Dim sERRORtxt As String
    sERRORtxt = "Error Number: " & Err.Number & vbCrLf & _
                "Description: " & Err.Description & vbCrLf & _
                "Source: " & Err.Source & vbCrLf & _
                "Function: doLogon" & vbCrLf & _
                "Date: " & Now() & vbCrLf & _
                "Input:" & vbCrLf & _
                "  strAdminUser=" & strAdminUser & vbCrLf & _
                "  strAdminPassword=" & strAdminPassword & vbCrLf & _
                "  strAdminDomain=" & strAdminDomain
    App.LogEvent sERRORtxt, vbLogEventTypeError
    Err.Clear
End Function

Public Function doLogoff() As Boolean
On Error GoTo DamnErr
     doLogoff = RevertToSelf()
     Exit Function
DamnErr:
Dim sERRORtxt As String
    sERRORtxt = "Error Number: " & Err.Number & vbCrLf & _
                "Description: " & Err.Description & vbCrLf & _
                "Source: " & Err.Source & vbCrLf & _
                "Function: doLogoff" & vbCrLf & _
                "Date: " & Now()
    App.LogEvent sERRORtxt, vbLogEventTypeError
    Err.Clear
End Function



Call it like:

doLogon "username", "password", "domain-if-needed"
'your code that needs admin rights.
'MAKE SURE TO LOGOFF!
doLogoff


This works if you have a administrative account either in a domain or locally to use.  I would still like to control it on the getobject line so I would not have to rely of any outside account elevation.  

Hope this helps someone needing to use a domain account.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 12179525
Awesome, if you want your points back, visit: http://www.experts-exchange.com/Community_Support/
and post your intentions.
-rich
0

Featured Post

Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

Join & Write a Comment

Article by: btan
Provide an easy one stop to quickly get the relevant information on common asked question on Ransomware in Expert Exchange.
It’s a strangely common occurrence that when you send someone their login details for a system, they can’t get in. This article will help you understand why it happens, and what you can do about it.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
This video discusses moving either the default database or any database to a new volume.

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now