
Being prompted for logon credentials when launching batch files

I have batch files that we need to occasionally run on users' PCs to install programs, fix issues, etc.  The users are only Power Users, so some lines of some of the batch files don't work because of insufficient privileges.  Running EXEs is fine, because I can go Run As.  MSIs are also OK because we deployed a registry fix to add a Run As option to their context menus.  But with Batch we are yet to find a solution.

Logging out and then logging in as admin is not an option.

What would be ideal is if we could place a file (probably a VBS script) in the same directory as the batch, and that it would prompt for username and password, then somehow pass those credentials on to the batch file.

If not, is there a way to put some command inside the batch file (and supply credentials in the script) to run parts of the script as admin?  This would then need to be hidden from the user, by encryption or by converting to an EXE or something like that.

I have seen this link below but I don't know how to make it relevant to batch files:

http://www.experts-exchange.com/Programming/Languages/Scripting/Shell/Batch/Q_25066734.html

Thanks for your help.

Chinmay Patel, Chief Technology Ninja
Distinguished Expert 2019

Commented:
Hi meirionwyllt,
It is in fact an exact solution. Tell me what doubt you have or are you facing any issue with the implementation?
Regards,
Chinmay


You could always make another batch file in the same directory with the following in it.

runas /noprofile /user:domain\username cmd

This will open a privileged command prompt where you can then drop the bat file to run it.
The following batch file will prompt for a user name then prompt for a password and then launch a new Command Window using the appropriate credentials and stay open.  Any batch files run from that new CMD window should be using the prompted credentials.
Sorry, code didn't attach the first time...

@Echo Off
Set /P ADMINUSERNAME=Enter an Admin User Name:
RunAs /noprofile /user:%ADMINUSERNAME% "CMD /K CD"


Annnnndddd.... I'm off my game today.  I forgot that you can't use RUNAS with currently mapped network drives.

The script will work as long as you only need to use UNC paths to the installs or you don't mind manually mapping any Network drives (NET USE) after launching the command.
meirionwyllt, Senior Desktop Engineer

Author

Commented:
Hi there - thanks for the replies.

Chinmay - the problem with the solution in the link is that I would have to put our admin password inside the vbs script.  All it would take then is for someone to right-click the file, then Edit - then they would know the admin password for 2500 PCs - not an ideal situation.  Instead, I want to be prompted to input the password on the screen (or some kind of popup screen) every time the vbs is run.

I have a batch file situated at

  \\server\share$\folder\setup.bat

I don't want my local admin password to be displayed on screen while I type - so I gather that the best way of tackling my problem is having this batch file launched by a VBS file (rather than another batch file - sorry CitizenRon).

I need help on creating such a file.  Our local admin user name has been changed via group policy from "administrator" to "gc1906".  Therefore I want to have this in the VBS code as the user name, so in full it would be "<pcname>\gc1906".  I want the vbs to only prompt me then for the password of the gc1906 account.

Can anyone assist with this VB script?  Thanks.
"I don't want my local admin password to be displayed on screen  while I  type - so I gather that the best way of tackling my problem is  having  this batch file launched by a VBS file (rather than another  batch file -  sorry CitizenRon)."

Not a problem, but that small batch file I wrote will NOT display your password on the screen. The SET /P line will ask you for a User Name which WILL show up on the screen, but the RUNAS command, if a password is not included, will prompt you for the password to the supplied user but when you type it in it will NOT show up, it won't even move the cursor.

If you're always going to use the same User Name, then it makes it easier and becomes a one line batch file or even done through the Start Run window:

If you still want a VBScript for this, there's really no "easy" way to do a masked password that I know of.  There are some tricks with HTML code and a method that requires you to run the script with CScript.exe.

@RunAs /noprofile /user:%COMPUTERNAME%\gc1906 "CMD /K C:\BatchFile.bat"


meirionwyllt, Senior Desktop Engineer

Author

Commented:
CitizenRon, thanks for that.

I began testing with this, and I can now see that this is just what I need.  However, I cannot get it to accept the password for the local admin account - it says "Logon failure: unknown user or bad password".  But I know that the password is OK since I use it several times a day and it never changes.

I then edited the line to include my domain account instead of local admin, and it worked.  But I don't want to use my domain account permanently because then I will be the only one able to use it.  I also don't want to create a domain account specifically for running batch files.

Can you suggest maybe why my local admin password isn't being accepted?  There are no fancy characters in it - only lower-case letters, and one number.

I then created another local user with admin rights - for testing - and used that in the command line instead, and that gave the same error.

Thanks
"Our local admin user name has been changed via group policy from  "administrator" to "gc1906"."

I haven't done this myself in a while, but if I remember right, the only thing you can change about the Local Administrator user is the user name.  I think the password remains the same and there's no Group Policy to change the actual password.  We ran a remote script to forcibly change the Local Admin password on all Domain Computers when we did this.

There's an easier, more manageable way to do this now though.  Group Policy Preferences.  A few drawbacks to this that may or may not apply anymore.
1.  You have to have at least one Windows 2008 Server acting as a Domain Controller
2.  It only works on Windows XP SP2 and higher
3.  You have to install the "Client Side Extensions" on Windows XP and Vista machines (but it is a part of Windows Update so it's not hard, especially if you're running WSUS)
4.  You have to manage GPP from a Vista, Windows 7 or Windows Server 2008 computer, and you may have to install the management tool also.
Here's a link to a good Microsoft TechNet Article that covers both methods.
meirionwyllt, Senior Desktop Engineer

Author

Commented:
Hi, thanks for the info.  Although very interesting, I don't see how the above is relevant to my case, since I am happy with the local admin user name and password as they are, and don't want them changed.

My problem was getting the 'runas' command to accept logon credentials for local accounts.  At the minute I can only get it to accept domain credentials.

Is the 'runas' command possibly having trouble with variables, namely the %COMPUTERNAME% variable?  It seems to resolve it correctly though.
Ah, that's what I get for skimming too quickly.  Thought that maybe it was caused by your local admin password being something other than what you thought it was.

I don't really know what would cause that.  That RUNAS command works just fine for my local admin user if I change "gc1906" to my machine's local admin name.

I played around a bit with my Admin Command Line batch file (attached below) and I can't find anything different.  I did notice that you don't need the %COMPUTERNAME% variable in there if you're using a Local Computer username.  Without specifying a Domain User with the Domain Name, then RUNAS defaults to using the User Name as a local computer user.

@Echo Off
Echo *** Use LOCALUSER, DOMAIN\USER or User@Domain format ***
Echo.
Set /P ADMINUSERNAME=Enter an Admin User Name: 
RunAs /noprofile /user:%ADMINUSERNAME% "CMD /K"
If %ERRORLEVEL% GTR 0 Pause


meirionwyllt, Senior Desktop Engineer

Author

Commented:
Although I still can't get it to work for any local account, it works for domain accounts (when I put the name of the domain after the /user: but before the %ADMINUSERNAME%), so that's good enough for me.
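
The approach the thread settles on (ask for the password at run time rather than storing it in a script), written in PowerShell as an added example that is not part of any poster's reply. It assumes PowerShell is installed on the PC; `Invoke-BatchAsAdmin` is a hypothetical name, and the `gc1906` account and UNC path are the ones the asker gives.

```powershell
# Added example (not from the thread). Invoke-BatchAsAdmin is a hypothetical name;
# the gc1906 account and the UNC path are the ones the asker mentions.
function Invoke-BatchAsAdmin {
    param(
        [Parameter(Mandatory = $true)][string]$BatchFile,
        [string]$UserName = "$env:COMPUTERNAME\gc1906"
    )

    # A mapped drive letter belongs to the caller's logon session; the thread notes
    # that the new logon will not have it, so insist on a UNC or local path.
    if ($BatchFile -match '^[A-Za-z]:') {
        $drive = New-Object System.IO.DriveInfo ($BatchFile.Substring(0, 1))
        if ($drive.DriveType -eq [System.IO.DriveType]::Network) {
            Write-Warning "$BatchFile is on a mapped drive; pass the UNC path instead."
            return $false
        }
    }

    try {
        # Masked prompt with the user name pre-filled. The password comes back as a
        # SecureString inside a PSCredential and is not stored in the script.
        $cred = Get-Credential -Credential $UserName
        if (-not $cred) {
            Write-Warning 'No credentials entered.'
            return $false
        }

        # Roughly the counterpart of: runas /noprofile /user:<name> "CMD /K <batch file>"
        # (Start-Process loads the user profile only if -LoadUserProfile is given).
        # The working directory is a local folder, so the launch does not depend on
        # the caller's current directory.
        Start-Process -FilePath "$env:SystemRoot\System32\cmd.exe" `
            -ArgumentList '/k', "`"$BatchFile`"" `
            -Credential $cred `
            -WorkingDirectory $env:SystemRoot `
            -ErrorAction Stop
        return $true
    }
    catch {
        # A wrong password or unknown account ends up here.
        Write-Warning "Could not start the batch file as ${UserName}: $($_.Exception.Message)"
        return $false
    }
}

Invoke-BatchAsAdmin -BatchFile '\\server\share$\folder\setup.bat'
```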