Solved

Impersonation problem in vbscript with winnt

Posted on 2004-09-26
7
1,919 Views
Last Modified: 2008-01-16
I am trying to develop a vbscript file that will run and reset the local administrator account password to one of my choosing.
Background:
1. This will be run off a logon script
2. Running on windows xp platforms

Code:
Set WshNetwork = WScript.CreateObject("WScript.Network")
ComputerName=WshNetwork.ComputerName
NewPassword = "password"

Set objAllAcounts = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & ComputerName & "\root\cimv2").ExecQuery("Select * from Win32_UserAccount")

For Each objSystemUser in objAllAcounts
if  Right(objSystemUser.SID,3)="500" Then
      'Reset Password
      Set objUser = GetObject("WinNT://" & ComputerName & "/" & objsystemuser.name & ",user")
      objUser.SetPassword(NewPassword)
      Exit For
end if
next


This code works fine when you run it with an account with administative priveldges.  With just user rights the objallaccounts impersonation works fine, but the objuser does not.   I know this is because there is no impersonation on the objuser like it is on the objallacounts.

How can I impersonate the objuser?  I read one of the fourms concerning this issue but it did not address an answer to the WINNT impersonation problem?


0
Comment
Question by:jcarrington
  • 3
  • 3
7 Comments
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 12160650
Windows has a program called RunAs, which allows you to run an App as a differnet user- so if you needed to install software that required admin priv's and your just a poweruser or lower, the runas utility allows you to do this, without have to log-off and log back on with a different account. I'm not sure how this would aid in VB, but a logon script could be used to do this- and as long an you have an account on these PC's that is in the admin's group- the reset would be quite easy.

For instance, you have all your computers joined to a domain, and by default when a PC is joined to a domain, the domain admin's group is added to the local administrator's group of the PC's. using an account in the domain admins group could easily reset any password on the local PC.
The main problem with a logon script and runas is that the password must be fed plain-text... unless you envoke a program that will obusificate the pass, and inject it into the cmd line for you. I've done this in the past, using cygwin(perl) and the runas utiltiy. if this sounds like a means to your end, I can give you the example code- but if your dead-set on VB, perhaps someone else could answer your question.
http://www.microsoft.com/windows2000/en/professional/help/default.asp?url=/windows2000/en/professional/help/windows_security_runas.htm
-rich
0
 

Author Comment

by:jcarrington
ID: 12160745
The RUNAS command will not work in this situation.  That works if I was launching an external program from the above code.  I need the elevated permission incorporated inside the same code to be able to execute the setpassword command.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 12160940
Your right, you do need runas to launch another program to do this... but that's simple... a batch file that ueses "net user" commands can do this easily

runas /user:net-admin@yourDomainHere reset.bat
reset.bat (begin)
@echo off
REM no domain specified, local machine account is defaulted
net user administrator 123456
:end

The password must be entered in manually with this example, before reset.bat run's.
-rich
0
New My Cloud Pro Series - organize everything!

With space to keep virtually everything, the My Cloud Pro Series offers your team the network storage to edit, save and share production files from anywhere with an internet connection. Compatible with both Mac and PC, you're able to protect your content regardless of OS.

 

Author Comment

by:jcarrington
ID: 12163531
I tryied the run as but it is limited. The Code section:

if  Right(objSystemUser.SID,3)="500" Then
     'Reset Password
     Set objUser = GetObject("WinNT://" & ComputerName & "/" & objsystemuser.name & ",user")
     objUser.SetPassword(NewPassword)
     Exit For
end if

I am evaluating which account is the administrator account and grabing the name with the objUser line.  The problem is that if you try this with user rights the objUser will dispaly an insufficent rights type error message.

The runas command only works if you already have the acocunt information.  I am trying to gather the information and proceed to reset the password.

0
 

Accepted Solution

by:
jcarrington earned 0 total points
ID: 12179497
I found some code in Visual Basic that worked:

Private Declare Function LogonUser Lib "advapi32.dll" Alias "LogonUserA" (ByVal lpszUsername As String, ByVal lpszDomain As String, ByVal lpszPassword As String, ByVal dwLogonType As Long, ByVal dwLogonProvider As Long, phToken As Long) As Long
Private Declare Function ImpersonateLoggedOnUser Lib "advapi32.dll" (ByVal hToken As Long) As Long
Private Declare Function RevertToSelf Lib "advapi32.dll" () As Long
Private Const LOGON32_PROVIDER_DEFAULT    As Long = 0&
Private Const LOGON32_PROVIDER_WINNT35    As Long = 1&
Private Const LOGON32_LOGON_INTERACTIVE   As Long = 2&
Private Const LOGON32_LOGON_NETWORK       As Long = 3&
Private Const LOGON32_LOGON_BATCH         As Long = 4&
Private Const LOGON32_LOGON_SERVICE       As Long = 5&


Public Function doLogon(ByVal strAdminUser As String, ByVal strAdminPassword As String, ByVal strAdminDomain As String) As Boolean
On Error GoTo DamnErr
     Dim lngTokenHandle As Long
     Dim lngLogonType As Long
     Dim lngLogonProvider As Long
     Dim blnResult As Boolean
     lngLogonType = LOGON32_LOGON_INTERACTIVE
     lngLogonProvider = LOGON32_PROVIDER_DEFAULT
     blnResult = RevertToSelf()
     blnResult = LogonUser(strAdminUser, strAdminDomain, strAdminPassword, _
                                          lngLogonType, lngLogonProvider, _
                                          lngTokenHandle)
     blnResult = ImpersonateLoggedOnUser(lngTokenHandle)
     doLogon = blnResult
     Exit Function
DamnErr:
    Dim sERRORtxt As String
    sERRORtxt = "Error Number: " & Err.Number & vbCrLf & _
                "Description: " & Err.Description & vbCrLf & _
                "Source: " & Err.Source & vbCrLf & _
                "Function: doLogon" & vbCrLf & _
                "Date: " & Now() & vbCrLf & _
                "Input:" & vbCrLf & _
                "  strAdminUser=" & strAdminUser & vbCrLf & _
                "  strAdminPassword=" & strAdminPassword & vbCrLf & _
                "  strAdminDomain=" & strAdminDomain
    App.LogEvent sERRORtxt, vbLogEventTypeError
    Err.Clear
End Function

Public Function doLogoff() As Boolean
On Error GoTo DamnErr
     doLogoff = RevertToSelf()
     Exit Function
DamnErr:
Dim sERRORtxt As String
    sERRORtxt = "Error Number: " & Err.Number & vbCrLf & _
                "Description: " & Err.Description & vbCrLf & _
                "Source: " & Err.Source & vbCrLf & _
                "Function: doLogoff" & vbCrLf & _
                "Date: " & Now()
    App.LogEvent sERRORtxt, vbLogEventTypeError
    Err.Clear
End Function



Call it like:

doLogon "username", "password", "domain-if-needed"
'your code that needs admin rights.
'MAKE SURE TO LOGOFF!
doLogoff


This works if you have a administrative account either in a domain or locally to use.  I would still like to control it on the getobject line so I would not have to rely of any outside account elevation.  

Hope this helps someone needing to use a domain account.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 12179525
Awesome, if you want your points back, visit: http://www.experts-exchange.com/Community_Support/
and post your intentions.
-rich
0

Featured Post

Save on storage to protect fatherhood memories

You're the dad who has everything. This Father's Day, make sure your family memories are protected. My Passport Ultra has automatic backup and password protection to keep your cherished photos and videos safe. With up to 3TB, you have plenty of room to hold the adventures ahead.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

You may have a outside contractor who comes in once a week or seasonal to do some work in your office but you only want to give him access to the programs and files he needs and keep privet all other documents and programs, can you do this on a loca…
In 2017, ransomware will become so virulent and widespread that if you aren’t a victim yourself, you will know someone who is.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
A short film showing how OnPage and Connectwise integration works.

929 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now