Solved

How to run VBScript as an administrator?

Posted on 2007-04-10
Last Modified: 2012-10-02
I'm a VBScript noob and could really use the collective's help.  I have a VBScript that I downloaded from this website that runs at user logon through Windows group policy.  Basically the script forces the user's computer to reregister itself with my Windows Software Update Server (WSUS).  Users do not have administrator rights on the local workstation.  What do I need to add to the script in order to have it run without admin rights?  Or is there something that can be added that will run the script as an administrator?  Here is the code:

Set oShell = CreateObject("WScript.Shell")

sRegKey = "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate"

' suppress errors in case the values do not exist
On Error Resume Next

' check for marker
sIDDeleted = oShell.RegRead( sRegKey & "\IDDeleted")

' to be sure the values are only deleted once, test on marker
If sIDDeleted <> "yes" Then
    ' delete values
    oShell.RegDelete sRegKey & "\AccountDomainSid"
    oShell.RegDelete sRegKey & "\PingID"
    oShell.RegDelete sRegKey & "\SusClientId"

    ' Stop and start the Automatic Updates service
    oShell.Run "%SystemRoot%\system32\net.exe stop wuauserv", 0, True
    oShell.Run "%SystemRoot%\system32\net.exe start wuauserv", 0, True

    ' Run wuauclt.exe with resetauthorization
    sCmd = "%SystemRoot%\system32\wuauclt.exe /resetauthorization /detectnow"
    oShell.Run sCmd, 0, True

    ' create marker
    oShell.RegWrite sRegKey & "\IDDeleted", "yes"
End If

Thanks for any and all help.  It is greatly appreciated!
Question by:Mike86CJ7
15 Comments
 
LVL 58

Expert Comment

by:amit_g
ID: 18885582
Run it from command prompt using RunAs

RunAs /user:YourDomain\Administrator CScript YourVbsFile.vbs

It would ask for password and then execute the vbs as Administrator.
0
 
LVL 65

Expert Comment

by:RobSampson
ID: 18886714
Using the RunAs command will prompt for a password.  I have implemented this by using PSExec from Microsoft, and passing the Administrator password to PSExec.  The major problem with this is I have had to use two script files. The first one that is run by the login script copies a second script file to the local PC (usually C:\Temp) and then the first script file invokes PSExec to run the second script file using wshShell.Run "\\server\share\psexec -u:" & strUser & " -p:"  & strPassword & " wscript.exe C:\Temp\2ndFile.vbs"

Now, the major problem with doing this, is you could have someone edit your script file and get your admin password.  That would be bad.  You should use the Microsoft Script Encoder to at least scramble the visible code in your script files.

Hope this helps.

Rob.
0
 

Author Comment

by:Mike86CJ7
ID: 18889193
I appreciate the input, and I may be forced to use 2 script files as you mentioned Rob.  I guess there's no way to include in the original script code a way to run the rest of the script as the admin?

In a perfect world, I would like to run this completely as VBScript as my users do not use a traditional login script batch file.  Running it from a command prompt, while do-able, is not good for practicality purposes as I have over 300 workstations in house.
0
 
LVL 65

Expert Comment

by:RobSampson
ID: 18894255
You can still use VB script to initiate the process, and use a File System Object to copy the second script file without a command prompt
objFSO.CopyFile "\\server\share\2ndFile.vbs", "C:\Temp\"
Then by using wshShell.Run as above, you can hide any user dialog by having a zero in the command.
wshShell.Run strCommand, 0, True
The zero means the command runs hidden, and the True waits for the Run command to finish before executing the next command.
This approach would hide any visible command prompt, which would be initiated by VBScript anyway.

Regards,

Rob.
0
 
LVL 65

Accepted Solution

by:
RobSampson earned 500 total points
ID: 18902927
Mike
With the help of another post, I have developed a self-calling VBS file, accepting a parameter that tells it if it has been called using administrator credentials.
I have also figured out that by using PSExec to run either wscript.exe or cmd /c BEFORE the path to a script file, you can pass them both a UNC path, meaning you don't have to copy any files to the local PC.

My script uses this UNC approach to get the target PC to use wscript.exe and call the VBS file on a network share (the same that you run), but pass it a parameter.

So when you first run it, it has no arguments passed to it, so it asks you to enter the name of a remote PC to run commands on.
Then the script runs PSExec against that computer, supplying Admin credentials.  The command that PSExec then runs (with Admin rights) is wscript to call the script again, this time passing an argument (parameter) of "AsAdmin" so the script knows it has admin rights.
Now the vbs script is running as Admin from the target pc, therefore, you can issue commands as if you were at the target pc.
'============================================
Option Explicit

Dim strArgs, strAdminUser, strAdminPass
Dim objFSO, wshNetwork, strComputer, objShell, strCommand

Set objFSO = WScript.CreateObject("Scripting.FileSystemObject")
Set wshNetwork = WScript.CreateObject("WScript.Network")
Set objShell = WScript.CreateObject("WScript.Shell")

strAdminUser = "YourDomainAdminAccount"
strAdminPass = "YourDomainPassword"

If WScript.Arguments.Count < 1 Then
      Call Normal_User_Commands
ElseIf WScript.Arguments(0) = "AsAdmin" Then
      Call Admin_User_Commands
Else
      MsgBox "Unknown Argument received"
End If

Sub Normal_User_Commands
      'MsgBox "Running as initiating user"
      strComputer = InputBox("Enter computer name to map a printer to:", "Enter Computer", "172.16.2.40")
      strCommand = "cmd /c \\server\share\temp\test\psexec.exe \\" & strComputer & " -i -u " & strAdminUser & " -p " & strAdminPass & " wscript.exe \\server\share\temp\test\My_Self_Calling_VBS.vbs ""AsAdmin"""
      objShell.Run strCommand, 0, True
End Sub

Sub Admin_User_Commands
      'Now running as Administrator on the target machine
      'MsgBox "Running as Admin"
      strCommand = "notepad.exe"
      objShell.Run strCommand, 0, True
End Sub
'==================================
0
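An added example, not part of RobSampson's posts or of any tool named in this thread: a small Python scanner for a logon-script share that flags the two constructs discussed above, a password assigned as a string literal and a password handed to PSExec with -p, plus files carrying the Script Encoder header, which it can only mark for manual review. The rule names, regular expressions and the sample script are assumptions of this example.

```python
import re

# Heuristic rules modelled on the constructs in this thread (example names, not exhaustive).
SECRET_ASSIGN = re.compile(
    r'^\s*(?:Const\s+)?(\w*(?:pass|pwd)\w*)\s*=\s*"[^"]+"', re.IGNORECASE)
PSEXEC_PASSWORD = re.compile(r'psexec(?:\.exe)?\b.*\s-p[ :]', re.IGNORECASE)
ENCODED_MARKER = "#@~^"  # header the Script Encoder writes at the start of its output


def scan_script(text):
    """Return (line_number, rule, detail) findings for one script's source text.

    Only the variable name is reported; the literal secret is never copied out.
    """
    if text.lstrip().startswith(ENCODED_MARKER):
        # Encoded source cannot be pattern-matched here; flag the file for review.
        return [(1, "encoded-script", "Script Encoder header")]
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("'"):  # skip VBScript comment lines
            continue
        match = SECRET_ASSIGN.match(line)
        if match:
            findings.append((number, "hardcoded-secret", match.group(1)))
        if PSEXEC_PASSWORD.search(line):
            findings.append((number, "psexec-password-arg", "-p on command line"))
    return findings


# Constructed sample modelled on the self-calling script above (placeholder values only).
SAMPLE_VBS = r'''Option Explicit
Dim strAdminUser, strAdminPass, strCommand
strAdminUser = "EXAMPLE\svc-placeholder"
strAdminPass = "placeholder-not-a-real-password"
' strOldPass = "commented-out-placeholder"
strCommand = "cmd /c \\server\share\psexec.exe \\" & strComputer & " -u " & strAdminUser & " -p " & strAdminPass & " wscript.exe"
objShell.Run strCommand, 0, True
'''

if __name__ == "__main__":
    for finding in scan_script(SAMPLE_VBS):
        print(finding)
```

Run over every .vbs and .vbe file on the share, the findings list the scripts whose credentials should be rotated and replaced with a mechanism that needs no stored password.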
 

Author Comment

by:Mike86CJ7
ID: 18905159
Rob, I believe you created the miracle I have been looking for.  I was thrown this problem without any regard for the fact that I know next to nothing about VBScript.  But I believe this will do the trick.  Kudos to you and thank you for sticking with this problem!  Your help is greatly appreciated.  Bravo!
0
 
LVL 65

Expert Comment

by:RobSampson
ID: 18909053
Thanks Mike, I was pretty happy with it when I got it working.  I'm a bit annoyed that I didn't think of it before, but a couple of heads are better than one!  You made me re-think it to better suit requirements, and I am now going to use it in all of my future scripts!

Rob.
0
 

Expert Comment

by:SchalkVermeulen
ID: 20848333
Easier option:

You only need to run the vbscript as a Startup script in a group policy
Startup scripts get executed under the LocalSystem account which has admin rights by default.
0
 

Expert Comment

by:Nickon17
ID: 26076084
I agree with SchalkVermeulen, but sometimes you need to run commands that are unique to that user (printer installation only for that user/group) that need to be elevated.
0
 

Expert Comment

by:SchalkVermeulen
ID: 26077710
Yes, for user scripts (when users do not have admin rights) you need to do a few fancy things. The above scripting will work.

To do printer installations you might be looking into using "rundll32 printui.dll,PrintUIEntry"  This allows you to install printers via a startup script, as mentioned earlier, and making them visible/usable by any user using that workstation. The user does not need to be an admin.

Perhaps off topic but related... Another tool is "Encrypted Runas"  Nice tool to run apps with elevated privileges and encrypt/hide password

0
 

Expert Comment

by:Nickon17
ID: 26077781
I will look into that tool, that sounds awesome, because I was not a big fan of putting any passwords in a plain text file.

I do get the idea of running it at startup, but I would like printers to only map if the user needs them.  I have 20 sites that I manage, each with 3 printers, so that would be a HUGE amount of printers if all of them were installed!
0
 

Expert Comment

by:SchalkVermeulen
ID: 26077935
Agree, If you have all the printers on a LAN it will not be a huge prob but as soon as they are placed across WAN links you will experience a LOT of chatter relating to printer polling, discoveries, etc. This is especially true if the printers get published in Active Directory.
We have about 350 sites with at least 3 printers in each site. No DC at any site thus all chatter across WAN links :-(

An idea: install all the printers of a site on all the machines BUT disable printer publishing to AD. Also remember to set printer pruning in AD. There is a tool in the Windows Resource Kit that the user can then use to set his default printer.
0
 

Expert Comment

by:Nickon17
ID: 26078040
It wasn't so much chatter, as the user being overwhelmed by having 60+ printers to choose from when they log in.
All of the printers are local so they wouldn't be going across our MPLS for printing (now THAT would be painful!).
0
 

Expert Comment

by:SchalkVermeulen
ID: 26078071
Fortunately all our sites look exactly the same so we could add all the printers as a once off and did not need to run a script at every logon.
If you have something like SMS/SCCM you can attempt the same.
0
 

Expert Comment

by:Nickon17
ID: 26078083
I just realized how I can do this.

Create a script, and assign it to a GPO in their OU (I have each site have their own OU).  Then I can run it upon bootup.

Sweet!
0
