Solved

Impersonation problem in vbscript with winnt

Posted on 2004-09-26
Last Modified: 2008-01-16
I am trying to develop a vbscript file that will run and reset the local administrator account password to one of my choosing.
Background:
1. This will be run off a logon script
2. Running on windows xp platforms

Code:
Set WshNetwork = WScript.CreateObject("WScript.Network")
ComputerName = WshNetwork.ComputerName
NewPassword = "password"

' Query local accounts only; on a domain member an unfiltered query also returns domain accounts
Set objAllAcounts = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & ComputerName & "\root\cimv2").ExecQuery("Select * from Win32_UserAccount Where LocalAccount = True")

For Each objSystemUser In objAllAcounts
    ' The built-in Administrator has RID 500; match "-500" so RIDs such as 1500 are not selected
    If Right(objSystemUser.SID, 4) = "-500" Then
        'Reset Password
        Set objUser = GetObject("WinNT://" & ComputerName & "/" & objSystemUser.Name & ",user")
        objUser.SetPassword(NewPassword)
        Exit For
    End If
Next


This code works fine when you run it with an account with administrative privileges.  With just user rights the objallaccounts impersonation works fine, but the objuser does not.   I know this is because there is no impersonation on the objuser like it is on the objallacounts.

How can I impersonate the objuser?  I read one of the forums concerning this issue, but it did not address an answer to the WINNT impersonation problem.


Question by:jcarrington
7 Comments
 
Expert Comment

by:Rich Rumble
ID: 12160650
Windows has a program called RunAs, which allows you to run an app as a different user, so if you needed to install software that required admin priv's and you're just a poweruser or lower, the runas utility allows you to do this without having to log off and log back on with a different account. I'm not sure how this would aid in VB, but a logon script could be used to do this, and as long as you have an account on these PCs that is in the admins group, the reset would be quite easy.

For instance, you have all your computers joined to a domain, and by default when a PC is joined to a domain, the domain admins group is added to the local administrators group of the PCs. Using an account in the domain admins group could easily reset any password on the local PC.
The main problem with a logon script and runas is that the password must be fed plain-text... unless you invoke a program that will obfuscate the pass, and inject it into the cmd line for you. I've done this in the past, using cygwin (perl) and the runas utility. If this sounds like a means to your end, I can give you the example code, but if you're dead-set on VB, perhaps someone else could answer your question.
http://www.microsoft.com/windows2000/en/professional/help/default.asp?url=/windows2000/en/professional/help/windows_security_runas.htm
-rich
0
 

Author Comment

by:jcarrington
ID: 12160745
The RUNAS command will not work in this situation.  That works if I was launching an external program from the above code.  I need the elevated permission incorporated inside the same code to be able to execute the setpassword command.
0
 
Expert Comment

by:Rich Rumble
ID: 12160940
You're right, you do need runas to launch another program to do this... but that's simple... a batch file that uses "net user" commands can do this easily

runas /user:net-admin@yourDomainHere reset.bat
reset.bat (begin)
@echo off
REM no domain specified, local machine account is defaulted
net user administrator 123456
:end

The password must be entered in manually with this example, before reset.bat runs.
-rich
0
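The plain-text password problem raised in the comments above can be audited for across a logon-script share. The following is an added example, not code from the thread: it flags the credential forms that appear in the scripts posted here, using constructed sample files modelled on them; the rule names and file names are hypothetical.

```python
import re

# Credential forms seen in the scripts on this page (rule names are hypothetical).
RULES = [
    # batch: net user <account> <password>; "*" prompts instead, "/x" is a switch
    ("net-user-password",
     re.compile(r'^\s*net(?:\.exe)?\s+user\s+\S+\s+(?![/*])\S+', re.I)),
    # VBScript/VB: NewPassword = "literal"
    ("password-literal",
     re.compile(r'^\s*(?:const\s+)?\w*(?:password|passwd|pwd)\w*\s*=\s*"[^"]+"', re.I)),
    # VBScript/VB: objUser.SetPassword("literal")
    ("setpassword-literal",
     re.compile(r'\.SetPassword\s*\(?\s*"[^"]+"', re.I)),
]
# Lines that are comments in VBScript (') or batch (REM, ::) are skipped.
COMMENT = re.compile(r"^\s*(?:'|rem\b|::)", re.I)

def scan_script(name, text):
    """Return (file, line_no, rule) for each line that embeds a credential."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if COMMENT.match(line):
            continue
        for rule, rx in RULES:
            if rx.search(line):
                findings.append((name, no, rule))
    return findings

def scan_all(files):
    """Scan a {name: content} mapping in name order."""
    out = []
    for name in sorted(files):
        out.extend(scan_script(name, files[name]))
    return out

# Constructed samples modelled on the snippets in this thread.
SAMPLES = {
    "reset.vbs": 'Set WshNetwork = WScript.CreateObject("WScript.Network")\n'
                 'NewPassword = "password"\n'
                 "'objUser.SetPassword(\"old\")\n"
                 'objUser.SetPassword(NewPassword)\n',
    "reset.bat": '@echo off\n'
                 'REM net user administrator hunter2\n'
                 'net user administrator 123456\n'
                 'net user administrator *\n'
                 'net user guest /active:no\n',
}

if __name__ == "__main__":
    for f, n, r in scan_all(SAMPLES):
        print(f"{f}:{n}: {r}")
```

Logon scripts are readable by every account that runs them, so each hit is a credential available to all of those users.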

Author Comment

by:jcarrington
ID: 12163531
I tried the runas but it is limited. The Code section:

' Match "-500" so that only RID 500 is selected, not RIDs such as 1500
If Right(objSystemUser.SID, 4) = "-500" Then
     'Reset Password
     Set objUser = GetObject("WinNT://" & ComputerName & "/" & objSystemUser.Name & ",user")
     objUser.SetPassword(NewPassword)
     Exit For
End If

I am evaluating which account is the administrator account and grabbing the name with the objUser line.  The problem is that if you try this with user rights the objUser will display an insufficient rights type error message.

The runas command only works if you already have the account information.  I am trying to gather the information and proceed to reset the password.

0
 

Accepted Solution

by:
jcarrington earned 0 total points
ID: 12179497
I found some code in Visual Basic that worked:

Private Declare Function LogonUser Lib "advapi32.dll" Alias "LogonUserA" (ByVal lpszUsername As String, ByVal lpszDomain As String, ByVal lpszPassword As String, ByVal dwLogonType As Long, ByVal dwLogonProvider As Long, phToken As Long) As Long
Private Declare Function ImpersonateLoggedOnUser Lib "advapi32.dll" (ByVal hToken As Long) As Long
Private Declare Function RevertToSelf Lib "advapi32.dll" () As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Private Const LOGON32_PROVIDER_DEFAULT    As Long = 0&
Private Const LOGON32_PROVIDER_WINNT35    As Long = 1&
Private Const LOGON32_LOGON_INTERACTIVE   As Long = 2&
Private Const LOGON32_LOGON_NETWORK       As Long = 3&
Private Const LOGON32_LOGON_BATCH         As Long = 4&
Private Const LOGON32_LOGON_SERVICE       As Long = 5&


Public Function doLogon(ByVal strAdminUser As String, ByVal strAdminPassword As String, ByVal strAdminDomain As String) As Boolean
On Error GoTo DamnErr
     Dim lngTokenHandle As Long
     Dim lngLogonType As Long
     Dim lngLogonProvider As Long
     lngLogonType = LOGON32_LOGON_INTERACTIVE
     lngLogonProvider = LOGON32_PROVIDER_DEFAULT
     doLogon = False
     ' Drop any impersonation already in effect on this thread
     RevertToSelf
     ' LogonUser returns 0 on failure; do not impersonate with an invalid token
     If LogonUser(strAdminUser, strAdminDomain, strAdminPassword, _
                  lngLogonType, lngLogonProvider, lngTokenHandle) = 0 Then
         Exit Function
     End If
     doLogon = (ImpersonateLoggedOnUser(lngTokenHandle) <> 0)
     ' The thread keeps its own impersonation token, so the logon handle is closed here
     CloseHandle lngTokenHandle
     Exit Function
DamnErr:
    Dim sERRORtxt As String
    ' The password is left out of the event log entry
    sERRORtxt = "Error Number: " & Err.Number & vbCrLf & _
                "Description: " & Err.Description & vbCrLf & _
                "Source: " & Err.Source & vbCrLf & _
                "Function: doLogon" & vbCrLf & _
                "Date: " & Now() & vbCrLf & _
                "Input:" & vbCrLf & _
                "  strAdminUser=" & strAdminUser & vbCrLf & _
                "  strAdminDomain=" & strAdminDomain
    App.LogEvent sERRORtxt, vbLogEventTypeError
    Err.Clear
End Function

Public Function doLogoff() As Boolean
On Error GoTo DamnErr
     doLogoff = RevertToSelf()
     Exit Function
DamnErr:
Dim sERRORtxt As String
    sERRORtxt = "Error Number: " & Err.Number & vbCrLf & _
                "Description: " & Err.Description & vbCrLf & _
                "Source: " & Err.Source & vbCrLf & _
                "Function: doLogoff" & vbCrLf & _
                "Date: " & Now()
    App.LogEvent sERRORtxt, vbLogEventTypeError
    Err.Clear
End Function



Call it like:

doLogon "username", "password", "domain-if-needed"
'your code that needs admin rights.
'MAKE SURE TO LOGOFF!
doLogoff


This works if you have an administrative account either in a domain or locally to use.  I would still like to control it on the getobject line so I would not have to rely on any outside account elevation.

Hope this helps someone needing to use a domain account.
0
 
Expert Comment

by:Rich Rumble
ID: 12179525
Awesome, if you want your points back, visit: http://www.experts-exchange.com/Community_Support/
and post your intentions.
-rich
0
