Access server resources using machine permissions, not user permissions


Recommended Posts

I've hit a wall here and don't know how to get over it.

I need to access a server using WMI to retrieve Win32_Printer information to load printers based on location.  I have admin rights on the server and have no problem accessing the WMI service. My regular users cannot access WMI on the server due to not having permission.  I'm wondering if you can use the machine account to gain permission?

Is it possible to use the machine account, which is in Active Directory, to access the WMI service on the server?  I checked the security settings for the machine account and it has the same groups that I have, albeit 2 containers below me in Active Directory.

Any help would be appreciated.  Below is the code that I am using for WMI access. I have tried the impersonationLevel and authentication entries and nothing seems to work.

-----------

Local $strComputer = "PRINTSERVER" ; assumption: the server name was not shown in the post
Local $objWMIService, $colItems
Local $wbemFlagReturnImmediately = 0x10, $wbemFlagForwardOnly = 0x20

; Moniker form is winmgmts:\\<server>\root\CIMV2 (note the backslashes).
; ObjGet always connects as the user running the script; to supply a different
; account from inside the script use SWbemLocator.ConnectServer(server, namespace, user, password).
$objWMIService = ObjGet("winmgmts:\\" & $strComputer & "\root\CIMV2")
If IsObj($objWMIService) Then
    $colItems = $objWMIService.ExecQuery("SELECT * FROM Win32_Printer", "WQL", $wbemFlagReturnImmediately + $wbemFlagForwardOnly)
Else
    MsgBox(0, "", "WMI Service did not connect. Not an object " & @error)
    Exit ; stop the program since WMI doesn't have access
EndIf

----------

Thanks

Michael

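Added example, not code from the thread: the same Win32_Printer query written in PowerShell and run under an explicitly supplied account, which is the in-script equivalent of runas /netonly. It illustrates the point the replies go on to make: a script running in a user's session cannot borrow the computer account (only services running as SYSTEM or NETWORK SERVICE reach the network as the machine account), so the realistic choices are a user account that has WMI rights on the server or a snapshot exported ahead of time. The server name PRINTSRV01 and the account DOMAIN\printquery are placeholders.

```powershell
# Added example (not from the thread). Assumed placeholders: PRINTSRV01, DOMAIN\printquery.
$Server    = 'PRINTSRV01'
$QueryUser = 'DOMAIN\printquery'

function Get-ServerPrinters {
    param(
        [Parameter(Mandatory)] [string]$ComputerName,
        [Parameter(Mandatory)] [pscredential]$Credential,
        [string]$Location            # optional: only queues whose Location equals this
    )

    # WQL has no parameter binding, so escape backslash and quote before interpolating.
    $filter = $null
    if ($Location) {
        $safe   = ($Location -replace '\\', '\\') -replace "'", "\'"
        $filter = "Location = '$safe'"
    }

    $session = $null
    try {
        # DCOM is the transport the winmgmts: moniker in AutoIt/VBScript uses, so the same
        # firewall rules and DCOM permissions apply. Use -Protocol Wsman if WinRM is enabled.
        $opt     = New-CimSessionOption -Protocol Dcom
        $session = New-CimSession -ComputerName $ComputerName -Credential $Credential `
                                  -SessionOption $opt -ErrorAction Stop

        $query = @{ CimSession = $session; Namespace = 'root\cimv2'; ClassName = 'Win32_Printer' }
        if ($filter) { $query.Filter = $filter }

        Get-CimInstance @query -ErrorAction Stop |
            Select-Object Name, ShareName, Location, PortName, Shared
    }
    catch {
        # "Access is denied" means the account lacks 'Remote Enable' on root\cimv2 or DCOM
        # remote launch/activation rights on the server; it is a permissions gap, not a code bug.
        if ($_.Exception.Message -match 'Access (is )?denied') {
            throw "WMI access to $ComputerName denied for $($Credential.UserName): grant Enable Account + Remote Enable on root\cimv2 and Distributed COM Users membership rather than admin rights."
        }
        throw
    }
    finally {
        if ($session) { Remove-CimSession -CimSession $session }
    }
}

# Usage: prompt for the password interactively. Never hard-code it in a logon script
# that every domain user can read.
$cred = Get-Credential -UserName $QueryUser -Message "Account allowed to query WMI on $Server"
Get-ServerPrinters -ComputerName $Server -Credential $cred -Location 'Floor 3 East' |
    Format-Table -AutoSize
```

A plain domain user can be given exactly what this query needs on the server: Enable Account and Remote Enable on the root\cimv2 namespace (wmimgmt.msc, Security tab) plus membership in the server's local Distributed COM Users group. That is a much smaller grant than the domain admin account suggested in the next reply, and it still leaves the problem that a password embedded in a script visible to all users is a password every user has.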

create a domain admin account (it has admin rights to the pc and to the server), and call the script under that user context (e.g. by scheduled task).

Signature - my forum contributions:

UDF:
LFN - support for long file names (over 260 characters)
InputImpose - impose valid characters in an input control
TimeConvert - convert UTC to/from local time and/or reformat the string representation
AMF - accept multiple files from Windows Explorer context menu
DateDuration - literal description of the difference between given dates

Apps:
Touch - set the "modified" timestamp of a file to current time
Show For Files - tray menu to show/hide files extensions, hidden & system files, and selection checkboxes
SPDiff - Single-Pane Text Diff


Sorry for the delayed response.  Sadly, I do not have access to create a domain admin account, I'm in the middle, so to speak. I can create users below me, but not above me.

I do know the PC has rights to the server with the proper credentials, but not sure how to tell the script to use the PC credentials rather than the user credentials.

Thanks

Michael.


unless you enlighten me, i believe you are mistaken here. computer objects do not have access privileges to objects like network shares, because they never initiate communication to such resources - it's always the user account that is initiating the communication. this may be the computer local SYSTEM account, but this is still considered a user account.

(frankly, i can't imagine the logic that made MS put "users" and "computers" objects in the same AD group, as they have nothing in common).

can you provide a link to MSDN or such, that supports your claim?

if you have a user account (e.g. yours) that has admin rights on the server - be it a domain admin or not - then make this account also be admin over PCs, and problem solved.

if you can't do that, then how about running the script as the local SYSTEM account on the client PC, but runas /netonly using the server admin account?

btw, what do you do with the retrieved information? it may be that you do not need admin rights on the PC, so your case becomes much easier.

please explain better your final intention - there may be a completely different and easier way to do what you need.



Since the computers are defined in AD with specific rights I was hoping that maybe the computer itself could ask the server for the information using its rights rather than the user's rights.  I am most likely misunderstanding the reason for those rights.

What we need to do is contact the server's Win32_Printer resource and request information about printers on the server, then we filter those servers based on location. I have enough rights to access the resource, but a regular user does not have access to the resource. I currently have 25 printers just where I am and we have them separated into 7 different locations to limit access within that location.  We don't need a user pulling a printer from the other end of the floor and trying to print to it, so we limit what printers they get. Think of it as limiting your printers based on floor.

The RunAs /netonly might do the trick, I will have to look a bit more into it.

Hope this explains better.  Thanks.


This may not be the most elegant solution, but...

You could periodically run an updater utility (script) under your credentials that would poll the server's printer resources, then write the data out to a file that can be stored in a location available to all domain users.  Then when the user logs in, they (the script you are writing now) would not have to access the server's resources, but the snapshot of just the resource information you deem necessary for them to have, and nothing more.  I would assume your printer resources are not changing so often that this would not work.  Worst case would be that you would not have the updated information after a printer resource change until the next time you run the updater.

It would be very dangerous if a user without access were able to bypass the rights limitations set by the domain admins by telling a script to say "hi, I am a domain member PC.  Let me have access."

Now for another solution to consider.  Unless your users are moving from location to location on a frequent basis (hourly, daily, weekly)  you might consider doing it similarly to the way we do at my office.

We have a domain group for each physical work area.  If a department or user relocates, we change the users' group membership to the new location accordingly.  The login script then maps their default printer based on group membership to the printer designated for that work area, and a secondary printer to one physically nearby, but not necessarily the closest (in cases where one printer is already heavily used), so they have a backup if their primary has problems.

We do not necessarily stop users from accessing other printers.  Sometimes they like to print reports that they need for a meeting to a printer near the conference room where the meeting is being held, so that it will be done printing by the time they walk over there.  Considering they often need to go from one building to another, and often make last minute changes before meetings, they don't like to have to wait for the print job before they start walking.  They like having it ready and waiting for them when they get there.

Anyway, there are two possible solutions for you.  I hope one of them is helpful to you.

Edited by willichan

if i read you correctly, you want to install/remove printers based on pc location, at logon or on schedule.

if this is so, then several methods for this can be implemented.

first you must ask: how does the pc know where it is located?

pending this answer you formalize a solution. let us know, we can direct you further.



How is AD set up regarding the location of the computers? If you have the computers in an OU that is specific to which printer you need to load on the computer, then you can create a Group Policy log in script for that OU, if you have access to GPMC that is.

If I posted any code, assume that code was written using the latest release version unless stated otherwise. Also, if it doesn't work on XP I can't help with that because I don't have access to XP, and I'm not going to.
Give a programmer the correct code and he can do his work for a day. Teach a programmer to debug and he can do his work for a lifetime - by Chirag Gude
How to ask questions the smart way!

I hereby grant any person the right to use any code I post, that I am the original author of, on the autoitscript.com forums, unless I've specifically stated otherwise in the code or the thread post. If you do use my code all I ask, as a courtesy, is to make note of where you got it from.

Back up and restore Windows user files _Array.au3 - Modified array functions that include support for 2D arrays.  -  ColorChooser - An add-on for SciTE that pops up a color dialog so you can select and paste a color code into a script.  -  Customizable Splashscreen GUI w/Progress Bar - Create a custom "splash screen" GUI with a progress bar and custom label.  -  _FileGetProperty - Retrieve the properties of a file  -  SciTE Toolbar - A toolbar demo for use with the SciTE editor  -  GUIRegisterMsg demo - Demo script to show how to use the Windows messages to interact with controls and your GUI.  -   Latin Square password generator


3 weeks later...

Well I had a long reply here but accidentally deleted it and don't want to retype the entire thing again.  I was answering a couple of the questions that were asked.  I'm going to try and post the code again, but each time I try to post the code window is blank even though I put something in it.

Going to try again.  I found a solution.

Can't seem to add code to the message so I'm going to upload a text file with it.  I think our browser is too old.

 
The process requests all objects then filters them down to print queues only. The result is referred back to the calling function that puts the results into an array with name and location. The array is then sorted and filtered by location based on a workstation environment variable.
 
Thanks for all the advice and help.
Michael

Code.txt

Edited by Malkavian99
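The split willichan describes (a privileged exporter that writes a snapshot, and a logon script that only reads it) combined with the location filter on a workstation environment variable that Michael settled on, as an added PowerShell example; this is not the attached Code.txt. Assumed names: the share path \\FILESRV\netlogon\printers.json (readable by Domain Users, writable only by the exporter's account), the server PRINTSRV01, the environment variable PRINTER_LOCATION, and the queue names in the sample snapshot, which is constructed so the filter can be exercised without a server.

```powershell
# Added example (not from the thread). Assumed placeholders: FILESRV share, PRINTSRV01, PRINTER_LOCATION.
$SnapshotPath = '\\FILESRV\netlogon\printers.json'   # world-readable, writable only by the exporter account
$PrintServer  = 'PRINTSRV01'

# --- Exporter: scheduled task under the one account that has WMI rights on the print server.
function Export-PrinterSnapshot {
    param([string]$ComputerName = $PrintServer, [string]$Path = $SnapshotPath)

    $queues = Get-CimInstance -ClassName Win32_Printer -ComputerName $ComputerName |
        Where-Object { $_.Shared -and $_.ShareName } |          # only queues clients can connect to
        Select-Object @{ n = 'Name';     e = { $_.Name } },
                      @{ n = 'Share';    e = { "\\$ComputerName\$($_.ShareName)" } },
                      @{ n = 'Location'; e = { $_.Location } }

    # Write to a temp file and rename so a logon script never reads a half-written snapshot.
    $tmp = "$Path.tmp"
    ConvertTo-Json -InputObject @($queues) -Depth 2 | Set-Content -Path $tmp -Encoding UTF8
    Move-Item -Path $tmp -Destination $Path -Force
    return @($queues).Count
}

# --- Consumer side: a pure function, so the filter can be tested without the share or the server.
function Select-PrintersForLocation {
    param([object[]]$Snapshot, [string]$Location)
    if ([string]::IsNullOrWhiteSpace($Location)) { return @() }   # no location set: map nothing
    $want = $Location.Trim()
    return @($Snapshot |
        Where-Object { $_.Location -and $_.Location.Trim() -ieq $want } |   # case-insensitive exact match
        Sort-Object Name)
}

# --- Logon script entry point: runs as the user and needs only read access to the snapshot.
function Connect-LocationPrinters {
    param([string]$Path = $SnapshotPath, [string]$Location = $env:PRINTER_LOCATION)
    $snapshot = Get-Content -Path $Path -Raw | ConvertFrom-Json
    $wanted   = Select-PrintersForLocation -Snapshot $snapshot -Location $Location
    foreach ($p in $wanted) {
        try {
            Add-Printer -ConnectionName $p.Share -ErrorAction Stop   # PrintManagement module, Windows 8 / 2012 and later
        } catch {
            Write-Warning "Could not connect $($p.Share): $($_.Exception.Message)"
        }
    }
    return $wanted
}

# Constructed sample snapshot (stands in for printers.json) to exercise the filter offline.
$sample = @(
    [pscustomobject]@{ Name = 'HP-3E-01'; Share = '\\PRINTSRV01\HP-3E-01'; Location = 'Floor 3 East' },
    [pscustomobject]@{ Name = 'HP-3W-02'; Share = '\\PRINTSRV01\HP-3W-02'; Location = 'Floor 3 West' },
    [pscustomobject]@{ Name = 'HP-3E-02'; Share = '\\PRINTSRV01\HP-3E-02'; Location = 'floor 3 east ' },
    [pscustomobject]@{ Name = 'LEGACY';   Share = '\\PRINTSRV01\LEGACY';   Location = $null }
)
Select-PrintersForLocation -Snapshot $sample -Location 'Floor 3 East' |
    Format-Table Name, Share, Location -AutoSize
```

This only decides which queues get mapped at logon; it is not access control. A user who sets PRINTER_LOCATION in their own environment, or types \\PRINTSRV01\share into Explorer, still reaches any queue whose ACL on the print server allows them, so if the per-floor restriction has to hold, set it on the queue's Security tab on the server as well, and the snapshot file itself must be writable only by the exporter account or a user can redirect everyone's printers.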