Solved

Pass through authentication does not work

Posted on 2007-04-03
Last Modified: 2010-04-16
Hi guys!

We have many NT domains and AD in our environment.

I have a list of computers in a text file (c:\Computers.txt (list of computers))

I need to connect to each machine with a specific local account for that machine.

On all these machines, a local account called eg. testusr has been set up, with the same password on all of them eg. password.

What I need to do is:
Change the following key on these computers in the file
HKU\.Default\Control Panel\Desktop\AutoEndTasks
I'd like to change the value of AutoEndTasks from 0 to 1.

I have tried the following:

1) Created a local account on MY machine (where I wish to execute the script) with the same credentials as those on the target machines
eg. local account username = testusr, password = password

2) Tried to execute a script that connects to each target machine with passthrough authentication, but this fails. The problem is that I get prompted for <target computer name>\local user account.

What I need help with is:

How do I write a script that:

1) Reads a text file of computer names
2) When the script reads each computer name and tries to connect to that machine, it connects as
<computername>\testusr
eg. not as simply testusr (without the computer name)
3) If I log on to my machine as testusr, and then simply try to execute for example the following:

for /f %%a in (C:\Computers.txt) do reg add "\\%%a\hku\.default\Control Panel\Desktop" /v AutoEndTasks /d 1 /f

I get prompted for username and password.
If I put in <computername>\testusr, this will work, otherwise passthrough fails.

Ideally, I need to do the following:

a) Have a safety net, that is:
(i) When I try and connect to each machine, it tries alternate credentials in case the first try fails, or for example the account has been locked out, so something like this...
(ii) When trying to connect to each machine, try..
read the computers.txt file to get the computer name ---> then try connecting as <computername>\testusr
If this fails, then try connecting with a domain account (I can use the same credentials here)
If this fails, then log an error in a text file saying cannot connect, then move on to the next computer in the list.

Any help greatly appreciated.

Thank you.

S


Question by:Simon336697
10 Comments
 
LVL 67

Expert Comment

by:sirbounty
ID: 18846595
Does this work for connecting?

for /f %%a in (C:\Computers.txt) do (
net use \\%%a\ipc$ /user:%%a\testusr
reg add "\\%%a\hku\.default\Control Panel\Desktop" /v AutoEndTasks /d 1 /f
)

0
 
LVL 1

Author Comment

by:Simon336697
ID: 18846629
You are incredible SB - so quick to respond to anyone who asks a question (thk u :))

I will let you know.

SB....is there any way to try alternate credentials in case the account for any reason is locked out?
0
 
LVL 1

Author Comment

by:Simon336697
ID: 18846670
SB!

Prior to running this script also, I would probably want to check, or upon first attempting to make a connection to each machine, to make sure I haven't already got a connection to each one, and if so, to delete that connection and recreate one.
0
 
LVL 1

Author Comment

by:Simon336697
ID: 18846689
SB!

Would changing this script to a vbscript be the better way when trying to do this?
For example, if I wanted to try multiple accounts in case the first one failed, would it be better to create a sub for each try eg.different account

Sub()
connect with <computeraccount>\testusr
if fails go to next sub

Sub()
connect with <domain>\domainaccount
if fails go to next sub

Sub()
connect with sdsfsdfs
if fails go to next sub

Sub()
log an error in a text file

0
 
LVL 67

Expert Comment

by:sirbounty
ID: 18846704
No, I don't really see the benefit to move to a vbs with this, given your scope.
It's just going to take me a bit to test this...I'll post something shortly.
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 18846718
Something like this 'may' work (admittedly I don't have the same scenario, so I might be off, or this may need further tweaking)


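rem Process each computer named in the list, one call per machine
for /f %%a in (C:\Computers.txt) do call :process %%a
goto :eof

:process
set pc=%1
rem First try the machine's local account
net use \\%pc%\ipc$ /user:%pc%\testusr
If %errorlevel%==0 goto connected
rem Fall back to the domain account
net use \\%pc%\ipc$ /user:domain\domUsr
If %errorlevel%==0 goto connected
rem Both attempts failed: log it and move on to the next machine
echo An error occurred connecting to %pc% >> C:\error-report.log
goto :eof

:connected
reg add "\\%pc%\hku\.default\Control Panel\Desktop" /v AutoEndTasks /d 1 /f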
0
 
LVL 1

Author Comment

by:Simon336697
ID: 18846755
Thanks SB...

The above looks like it will work.
Would you hard code the password for testusr in here?
0
 
LVL 67

Accepted Solution

by:
sirbounty earned 500 total points
ID: 18846767
You 'could' - but then pass-through authentication certainly won't be working.. ;^)
If the password is the same on both, it should pick it right up..
Otherwise, simply change this line:

net use \\%pc%\ipc$ /user:%pc%\testusr password
0
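The fallback flow from this thread, written as an added example (not code posted by either participant) that keeps the password out of the script file and also clears any existing connection first, as asked earlier in the thread. It uses the `*` form of `net use`, which prompts for the password without echoing it, so the operator is prompted once per connection attempt. `DOMAIN\domUsr` is a placeholder; the file paths and `testusr` are the ones used in the thread.

```batch
@echo off
setlocal
rem Added example. LIST, LOG, testusr and DOMAIN\domUsr are assumed names.
set "LIST=C:\Computers.txt"
set "LOG=C:\error-report.log"

for /f "usebackq delims=" %%a in ("%LIST%") do call :process "%%a"
endlocal
goto :eof

:process
set "pc=%~1"
rem Drop any stale session so the credentials below are the ones actually used.
net use \\%pc%\ipc$ /delete /y >nul 2>&1

rem "*" makes net use prompt for the password with no echo; nothing is stored
rem in the script. A mistyped password still counts as a failed logon
rem on the target, so it can contribute to an account lockout.
net use \\%pc%\ipc$ * /user:%pc%\testusr
if not errorlevel 1 goto connected

echo Local account failed on %pc%, trying the domain account.
net use \\%pc%\ipc$ * /user:DOMAIN\domUsr
if not errorlevel 1 goto connected

rem Both attempts failed: record it and move on to the next machine.
>>"%LOG%" echo %date% %time% %pc% cannot connect
goto :eof

:connected
reg add "\\%pc%\hku\.default\Control Panel\Desktop" /v AutoEndTasks /t REG_SZ /d 1 /f
if errorlevel 1 >>"%LOG%" echo %date% %time% %pc% connected but reg add failed
rem Close the session so the credentials do not linger for later commands.
net use \\%pc%\ipc$ /delete /y >nul 2>&1
goto :eof
```

Putting the password on the `net use` command line instead leaves it readable in the script file and in the process command line while the command runs.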
 
LVL 1

Author Comment

by:Simon336697
ID: 18883225
Works great mate!

S
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 18883248
Happy to help you again! :^)
0

Question has a verified solution.