[Samba] run a script with "administrator" credentials?

Tony Earnshaw tonye at billy.demon.nl
Sat May 21 07:12:41 GMT 2005

fre, 20.05.2005 kl. 19.05 skrev Tomasz Chmielewski:

> I saw Active Directory a bit today and was impressed with the ease one 
> can manage many Windows workstations with that.
> Especially I liked the software installation (too bad it can install MSI 
> packages only) and the ability to run custom scripts on the workstations 
> (when the boot up etc.).
> Is it possible to run a custom script for a given machine when it boots 
> up (that is already joined to the domain), with administrator 
> credentials (for example, to install software)?

I don't know about running scripts as a *machine* at logon/boot time,
but I've discovered that Windows 2000 and later have an executable
called runas, which can run .msi installation programs (using msiexec)
with elevated privileges at *user* logon.

However, this method introduces so many security risks (password in
scripts on the netlogon share, etc) that it probably isn't worth the
hassle. I've gone off it, anyway (even though there are doubtful
workarounds such as commercial/paid encryptedrunas).

I don't have any details to hand right now, but google for msiexec and
runas and look in the Microsoft knowledge base.

There have been those on this list who've written that they're no
Windows experts. Well, I've hated Windows and pushed its tecchie details
from me for years, but as soon as one begins with Samba, one bloody well
has to become a Windows expert, like it or not. I could rant on, but
nuff said.

> For now it seems to me that it's only possible to run a "machine script 
> - %m" or a "user script - %u" with the credentials of a user.

No, you can run at elevated privileges. But for me it ain't worth the
extra hassle with my machine and user park (respectively 80 and 1150+ at
a single site).


Nothing sucksseeds like a pigeon without a beak ...

mail: tonye at billy.demon.nl
They'll love us, won't they? They feed us, don't they? ...

More information about the samba mailing list