[Samba] Netlogon Service Privileged Account

Walter Mautner retlaw.rentuam at gmail.com
Sun Apr 26 19:16:26 GMT 2009

Am Sunday 26 April 2009 20:35:12 schrieb Todd E Thomas:
> Hey all,
> Let me first start by saying everything is working as expected so far!
> This is about my login script being shared from the netlogon directory.
> My XP client sees and executes the 99% of the script. The last little
> bit is permissions-related.
> The problem is that the script executes using 'test user' account
> entered at logon time. This was verified by putting in a 60 second wait
> time somewhere in the script; then you can to to the task manager and
> see the username running the logon script.
> This does not emulate the windows process.
> My question: How would I go about assigning a privileged user, like the
> netlogon service account, to my logon.vbs script so that it is able to
> make those registry key modifications for any domain user logging into
> Samba 3.0.3 ?

A commonly used (but questionable, security-wise) approach would be using cpau 
to elevate privileges of the script. It just makes it "run as" the selected 
(admin) user with encrypted password, so that's not visible to users who try 
to later connect to the netlogon share "out of interest".

More information about the samba mailing list