Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Impersonation problem in vbscript with winnt

Posted on 2004-09-26
7
Medium Priority
?
1,937 Views
Last Modified: 2008-01-16
I am trying to develop a vbscript file that will run and reset the local administrator account password to one of my choosing.
Background:
1. This will be run off a logon script
2. Running on windows xp platforms

Code:
Set WshNetwork = WScript.CreateObject("WScript.Network")
ComputerName=WshNetwork.ComputerName
NewPassword = "password"

Set objAllAcounts = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & ComputerName & "\root\cimv2").ExecQuery("Select * from Win32_UserAccount")

For Each objSystemUser in objAllAcounts
if  Right(objSystemUser.SID,3)="500" Then
      'Reset Password
      Set objUser = GetObject("WinNT://" & ComputerName & "/" & objsystemuser.name & ",user")
      objUser.SetPassword(NewPassword)
      Exit For
end if
next


This code works fine when you run it with an account with administative priveldges.  With just user rights the objallaccounts impersonation works fine, but the objuser does not.   I know this is because there is no impersonation on the objuser like it is on the objallacounts.

How can I impersonate the objuser?  I read one of the fourms concerning this issue but it did not address an answer to the WINNT impersonation problem?


0
Comment
Question by:jcarrington
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
7 Comments
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 12160650
Windows has a program called RunAs, which allows you to run an App as a differnet user- so if you needed to install software that required admin priv's and your just a poweruser or lower, the runas utility allows you to do this, without have to log-off and log back on with a different account. I'm not sure how this would aid in VB, but a logon script could be used to do this- and as long an you have an account on these PC's that is in the admin's group- the reset would be quite easy.

For instance, you have all your computers joined to a domain, and by default when a PC is joined to a domain, the domain admin's group is added to the local administrator's group of the PC's. using an account in the domain admins group could easily reset any password on the local PC.
The main problem with a logon script and runas is that the password must be fed plain-text... unless you envoke a program that will obusificate the pass, and inject it into the cmd line for you. I've done this in the past, using cygwin(perl) and the runas utiltiy. if this sounds like a means to your end, I can give you the example code- but if your dead-set on VB, perhaps someone else could answer your question.
http://www.microsoft.com/windows2000/en/professional/help/default.asp?url=/windows2000/en/professional/help/windows_security_runas.htm
-rich
0
 

Author Comment

by:jcarrington
ID: 12160745
The RUNAS command will not work in this situation.  That works if I was launching an external program from the above code.  I need the elevated permission incorporated inside the same code to be able to execute the setpassword command.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 12160940
Your right, you do need runas to launch another program to do this... but that's simple... a batch file that ueses "net user" commands can do this easily

runas /user:net-admin@yourDomainHere reset.bat
reset.bat (begin)
@echo off
REM no domain specified, local machine account is defaulted
net user administrator 123456
:end

The password must be entered in manually with this example, before reset.bat run's.
-rich
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 

Author Comment

by:jcarrington
ID: 12163531
I tryied the run as but it is limited. The Code section:

if  Right(objSystemUser.SID,3)="500" Then
     'Reset Password
     Set objUser = GetObject("WinNT://" & ComputerName & "/" & objsystemuser.name & ",user")
     objUser.SetPassword(NewPassword)
     Exit For
end if

I am evaluating which account is the administrator account and grabing the name with the objUser line.  The problem is that if you try this with user rights the objUser will dispaly an insufficent rights type error message.

The runas command only works if you already have the acocunt information.  I am trying to gather the information and proceed to reset the password.

0
 

Accepted Solution

by:
jcarrington earned 0 total points
ID: 12179497
I found some code in Visual Basic that worked:

Private Declare Function LogonUser Lib "advapi32.dll" Alias "LogonUserA" (ByVal lpszUsername As String, ByVal lpszDomain As String, ByVal lpszPassword As String, ByVal dwLogonType As Long, ByVal dwLogonProvider As Long, phToken As Long) As Long
Private Declare Function ImpersonateLoggedOnUser Lib "advapi32.dll" (ByVal hToken As Long) As Long
Private Declare Function RevertToSelf Lib "advapi32.dll" () As Long
Private Const LOGON32_PROVIDER_DEFAULT    As Long = 0&
Private Const LOGON32_PROVIDER_WINNT35    As Long = 1&
Private Const LOGON32_LOGON_INTERACTIVE   As Long = 2&
Private Const LOGON32_LOGON_NETWORK       As Long = 3&
Private Const LOGON32_LOGON_BATCH         As Long = 4&
Private Const LOGON32_LOGON_SERVICE       As Long = 5&


Public Function doLogon(ByVal strAdminUser As String, ByVal strAdminPassword As String, ByVal strAdminDomain As String) As Boolean
On Error GoTo DamnErr
     Dim lngTokenHandle As Long
     Dim lngLogonType As Long
     Dim lngLogonProvider As Long
     Dim blnResult As Boolean
     lngLogonType = LOGON32_LOGON_INTERACTIVE
     lngLogonProvider = LOGON32_PROVIDER_DEFAULT
     blnResult = RevertToSelf()
     blnResult = LogonUser(strAdminUser, strAdminDomain, strAdminPassword, _
                                          lngLogonType, lngLogonProvider, _
                                          lngTokenHandle)
     blnResult = ImpersonateLoggedOnUser(lngTokenHandle)
     doLogon = blnResult
     Exit Function
DamnErr:
    Dim sERRORtxt As String
    sERRORtxt = "Error Number: " & Err.Number & vbCrLf & _
                "Description: " & Err.Description & vbCrLf & _
                "Source: " & Err.Source & vbCrLf & _
                "Function: doLogon" & vbCrLf & _
                "Date: " & Now() & vbCrLf & _
                "Input:" & vbCrLf & _
                "  strAdminUser=" & strAdminUser & vbCrLf & _
                "  strAdminPassword=" & strAdminPassword & vbCrLf & _
                "  strAdminDomain=" & strAdminDomain
    App.LogEvent sERRORtxt, vbLogEventTypeError
    Err.Clear
End Function

Public Function doLogoff() As Boolean
On Error GoTo DamnErr
     doLogoff = RevertToSelf()
     Exit Function
DamnErr:
Dim sERRORtxt As String
    sERRORtxt = "Error Number: " & Err.Number & vbCrLf & _
                "Description: " & Err.Description & vbCrLf & _
                "Source: " & Err.Source & vbCrLf & _
                "Function: doLogoff" & vbCrLf & _
                "Date: " & Now()
    App.LogEvent sERRORtxt, vbLogEventTypeError
    Err.Clear
End Function



Call it like:

doLogon "username", "password", "domain-if-needed"
'your code that needs admin rights.
'MAKE SURE TO LOGOFF!
doLogoff


This works if you have a administrative account either in a domain or locally to use.  I would still like to control it on the getobject line so I would not have to rely of any outside account elevation.  

Hope this helps someone needing to use a domain account.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 12179525
Awesome, if you want your points back, visit: http://www.experts-exchange.com/Community_Support/
and post your intentions.
-rich
0

Featured Post

Automating Your MSP Business

The road to profitability.
Delivering superior services is key to ensuring customer satisfaction and the consequent long-term relationships that enable MSPs to lock in predictable, recurring revenue. What's the best way to deliver superior service? One word: automation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

IF you are either unfamiliar with rootkits, or want to know more about them, read on ....
In this article, WatchGuard's Director of Security Strategy and Research Teri Radichel, takes a look at insider threats, the risk they can pose to your organization, and the best ways to defend against them.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

661 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question