[Samba] how to get logon.bat run with Administrator rights in domain logons?

Clint Sharp clint at typhoon.org
Sun Apr 4 20:37:13 GMT 2004


On Fri, 2004-04-02 at 21:40, Andrew Gaffney wrote:
> Urs Rau wrote:
> > On win XP Pro workstations it would be so convenient if the domain logon 
> > script which is stored on the samba pdc could be made to run with 
> > Administrative (or System) privileges.
> > 
> > I know that I can interactively run another security context by choosing 
> > "run as user" but how could I achieve this non-interactively and domain 
> > wide whilst a "limited account" is logging in?
> 
> I asked this same question on this list a while back. There is no way to interactively run 
> a script as a higher user, otherwise virus writers could take advantage of this (as 
> opposed to them currently taking advantage of stupid users and MS's stupid policy of 
> making users Administrators by default). The logon.bat runs as the currently logged on user.
> 
> -- 
> Andrew Gaffney
> Network Administrator
> Skyline Aeronautics, LLC.
> 636-357-1548

We use a utility called Sanur (http://www.commandline.co.uk/sanur/) to
script the Microsoft RunAs facility.  Other than custom writing a
service to implement a client side polled scripting or policy
implementation  (which is another project I'm working on), this is the
best I've found.  Microsoft LogonUser() does not allow users to
impersonate the context of other users any longer unless they're running
as an Administrator or SYSTEM user and as a service, which rules out
making a custom executable with a hardcoded password, or something that
queries via the network an authorized NTLM hash of the password, etc. 
At that point, it's easier to just simply write something that will trap
for logins and pull down a set of actions to take (which would be easier
to configure for the desktop admins I've got working in my group than
DOS batch scripts).  Anyways, there's my rant on the current state of
Windows Security.  There's nothing like sudo which is easily scriptable
I'm afraid, but this Sanur utility is about the next best thing if
you're willing to live with an exposed Administrator password for the
duration the login script exists (about 10 seconds or so in my
installation, as I use root preexec and root postexec in the netlogon
share to create and destroy the script).

Clint
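As an added example (not code from Clint's post, from Samba, or from the Sanur project): a POSIX shell hook that implements the create-on-connect / destroy-on-disconnect pattern he describes using Samba's `root preexec` and `root postexec` parameters on the netlogon share, with `logon script = %U.bat` so each account gets its own file. The smb.conf fragment in the header comment, the hook path `/usr/local/sbin/logon-hook.sh`, the template file `/etc/samba/logon.template` and the netlogon directory are assumptions for this example; the RunAs/Sanur invocation itself is not reproduced and is left as a placeholder line in the template. The defensive points it adds to the pattern: the privileged commands live in a root-only template that the share never serves, the generated script exists only while that user's netlogon connection is open, it is readable only by the connecting account (so one logged-on user cannot read another's script), the user name is validated before it is used in a path, and each creation is logged so unexpected netlogon connections are visible.

```shell
#!/bin/sh
# Added example: Samba netlogon hook (create on connect, destroy on disconnect).
# Assumed smb.conf fragment (paths are assumptions):
#
#   [global]
#      logon script = %U.bat
#   [netlogon]
#      path = /var/lib/samba/netlogon
#      read only = yes
#      root preexec  = /usr/local/sbin/logon-hook.sh create "%U" "%I"
#      root postexec = /usr/local/sbin/logon-hook.sh destroy "%U"

NETLOGON_DIR="${NETLOGON_DIR:-/var/lib/samba/netlogon}"
# Root-only (mode 0600) template holding the privileged commands, e.g. the
# RunAs/Sanur line (placeholder here); it is copied, never served directly.
TEMPLATE="${TEMPLATE:-/etc/samba/logon.template}"

# Refuse names that could escape the share directory or look like options.
valid_user() {
    case "$1" in
        ""|*/*|*..*|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Write NETLOGON_DIR/<user>.bat with CRLF line endings, readable only by that
# user. Prints the path of the generated script on success.
create_logon_script() {
    user="$1"; client="${2:-unknown}"
    valid_user "$user" || return 1
    [ -r "$TEMPLATE" ] || return 1
    out="$NETLOGON_DIR/$user.bat"
    (
        umask 077
        {
            printf '@echo off\r\n'
            printf 'REM generated for %s from %s at %s\r\n' \
                "$user" "$client" "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
            # Normalise template lines to CRLF for cmd.exe.
            awk '{ sub(/\r$/, ""); printf "%s\r\n", $0 }' "$TEMPLATE"
        } > "$out"
    ) || return 1
    # Samba serves the file as the connecting Unix user, so hand it to them
    # read-only (chown is best-effort outside a real Samba host).
    chown "$user" "$out" 2>/dev/null || true
    chmod 0400 "$out" || return 1
    logger -t netlogon "created $out for $client" 2>/dev/null || true
    printf '%s\n' "$out"
}

# Remove the per-user script when the netlogon connection closes.
destroy_logon_script() {
    user="$1"
    valid_user "$user" || return 1
    rm -f "$NETLOGON_DIR/$user.bat"
    logger -t netlogon "removed $NETLOGON_DIR/$user.bat" 2>/dev/null || true
}

# Dispatcher for the preexec/postexec invocations shown in the header comment.
case "${1:-}" in
    create)  create_logon_script "$2" "${3:-unknown}" ;;
    destroy) destroy_logon_script "$2" ;;
esac
```

The password exposure Clint accepts is not removed by this: whatever the template contains is readable by the connecting user while the script exists, and Windows may hold the netlogon connection open longer than the script takes to run, so the window should be measured on the actual clients rather than assumed.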
