Rexx
Batch script to execute as admin
I have the following script that executes a program as follows:
@echo off
start /d "c:\Program Files\Hyena" stexport.exe /CONFIG=C:\EP\Export_Services\HYENA_EXPORT_SERVICES.INI
The batch and the installed program it starts both operate on the c drive of the same windows server with network admin rights. I want to create a shortcut on a workstation desktop of a standard user who can execute the script; however, the program must ultimately execute with the authority of a domain admin account (not a standard user who initially executes it).
In other words, if a standard user executes this batch script (as it is written now) it will only execute with the permissions of the user who initiates it and I need additional script to add to it that will execute the program as a domain admin.
ASKER
This is how I envision this to work:
Step 5 of the following web article states as follows:
https://community.spiceworks.com/how_to/86844-create-a-shortcut-that-lets-a-standard-user-run-an-application-as-administrator:
The first time you double-click your shortcut, you’ll be prompted to enter the Administrator account’s password, which you created earlier. This password will be saved – the next time you double-click the shortcut, the application will launch as Administrator without asking you for a password.
ASKER
I realize services can be easily exported in powershell, but the program I am using is able to do other types of exports that powershell does not deliver as well.
@Rexx: /savecred is dangerous and needs to be avoided. It entitles the user to do anything he likes as domain admin, not only that script.
ASKER
McKnife,
Couple questions and I agree I am looking for a secured solution.
If this is set up as a task as you suggest, the task will only need to be run when the standard user executes the shortcut to initiate the task. The ini file operates a dat file (included) that tells the program the location of the txt file with computer names. This location is on a shared network drive that the Standard user can edit with a list of computer names for the program to run the export from.
I don't see any questions :-)
But I have one for you: how will the user need to interact with whatever output hyena creates?
See you tomorrow, bedtime here.
ASKER
The program ini has the location of the export and the dat file the ini points to has the location of the input file. Both are on a shared drive between the user and the program. This batch as it is written obtains the input file (of computer names) and the file name and directory to export it to. I believe the only open question I have then is can a standard user shortcut execute a task that executes the batch with a secured login to a domain admin? If this is simply true then I believe you have solved my problem.
> ...can a standard user shortcut execute a task that executes the batch with a secured login to a domain admin?
If you're talking about /savecred... It saves the creds on the local station in the Credential Manager (Windows Vault).
But, as McKnife said, it's potentially dangerous. When Hyena runs, the user will have domain admin strength. Also, it's easy enough to change the command to run something else instead of Hyena. If you're fine with that...
ASKER
NVIT
I agree with McKnife solution to have the command executed at the server as a task. Then create a shortcut to the task for it to be run by a standard user as needed.
This solution works as long as the task can run the script with a secured domain admin (or server admin) permission, otherwise Hyena Exporter Pro will get access denied error due to just standard user permission.
The question is: Can task scheduler be used as a secure means to run a program with domain admin permission?
> I agree with McKnife solution to have the command executed at the server as a task.
> Then create a shortcut to the task for it to be run by a standard user as needed.
Creating a separate shortcut is not needed.
Make a .bat/.cmd file containing McKnife's code.
The task on the server would be set up once by the admin, and scheduled to run the .bat every n minutes/hours, per your needs. When run, if it finds the user-created .txt file, it runs the rest of the .bat.
ASKER
As opposed to scheduling an event to run I prefer setting a shortcut for the Standard User to trigger task scheduler as described in the following web link:
https://superuser.com/questions/57694/setting-a-shortcut-to-trigger-task-scheduler
You did not yet understand the plan.
The user does not need to initiate the task - the task runs on its own at an interval that you define.
However the user may create a file at a certain location and only when that file is present, the task will execute the hyena script line, else, if the file is not present, it will simply do nothing.
So give the user something to click on, another batch file that is used to create that file whenever the user wants the hyena script to be executed:
echo start>\\someserver\someshare\A_File_created_by_that_user.txt
I hope it's clear now.
Still, I need to repeat my question about the hyena output - how will it be used, that output? I assume it's a report of some kind and that very user does not only want to create it, but also to read it afterwards, right? Then you need to save the output file to a location that the user has access to.
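The server-side half of the plan described above, as an added example that is not part of the original thread and is not McKnife's code (which is not shown on this page): the batch file the scheduled task runs at each interval. The trigger path is the one from the post and the Hyena command line is the one from the question; the task's run-as account is assumed to be configured by an admin in Task Scheduler.

```batch
@echo off
rem Added example: run by a scheduled task on the server at a fixed interval.
rem The run-as account is stored by Task Scheduler on the server, so no
rem credentials appear in this file, in a shortcut, or on the workstation.
setlocal

rem Trigger file path from the post above. The user needs write access
rem to this location only.
set "TRIGGER=\\someserver\someshare\A_File_created_by_that_user.txt"

rem No request pending: do nothing.
if not exist "%TRIGGER%" exit /b 0

rem Consume the trigger first so one request causes at most one run.
rem The file's content is never read or executed; only its presence matters.
del /q "%TRIGGER%"
if exist "%TRIGGER%" (
    echo Could not remove trigger file, skipping this run. 1>&2
    exit /b 1
)

rem The command is fixed here, in a file that only admins can modify.
start "" /wait /d "c:\Program Files\Hyena" stexport.exe /CONFIG=C:\EP\Export_Services\HYENA_EXPORT_SERVICES.INI
exit /b %ERRORLEVEL%
```

With this layout the standard user decides only when the fixed command runs, not what runs, provided this .bat, the .ini/.dat files and the Hyena folder are writable by admins only. The list of computer names on the share stays user-editable, so it is the one input the user controls in a run that has the task account's rights.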
ASKER
I answered your input and output question and understood your concept. Appreciate your help.
You are welcome.
Sorry, I didn't quite understand the bit about your response to the "output question". Never mind :-)
runas /user:domainname\username program
Run a batch file as a DA
runas /user:MyDomain\kevin C:\data\mybatchfile.bat
I would just put that in a shortcut and see if it works, but doing it this way the user would have to know the password. You could supply the password in the command line, but someone can always edit the shortcut and get the password!
Regards