BrendonKoz
Posted August 16, 2023 (edited)

Hi! I've got some computers that for whatever reason, are having issues restoring their network connectivity - either from sleep, or from reboot. We haven't been able to identify what is causing it. Disabling and re-enabling the network interface solves the problem, so my plan was to write a "quick" AutoIt script to handle that. Unfortunately these users do not have administrative access to their machines, so I was attempting to use RunAs. Unfortunately, for whatever reason, this does not seem to be working (and since I'm stuck - I haven't been able to figure out why in order to circumvent it).

I'm using the Network.au3 UDF to get the names of all of the interfaces to pass to a Powershell command (netsh is noted as potentially being deprecated by Microsoft in the near future). The Network UDF works excellently for enabling and disabling the interfaces so long as I can require admin, but in this instance, I can't. I've even tried temporarily activating the local administrator account (successfully) in case a different administrative local account wouldn't have worked as expected.

NOTE: If you run the below code and you haven't yet activated your administrator account, you'll be applying a password of '*****' to it; it will be deactivated at the end of the script again though.

When I run it with #RequireAdmin and switch to a standard Run() command, it works as expected. RunAs() just seems to error out and I'm unsure why. Any thoughts? Win10 Pro, domain joined. (Local account is required since when the network disconnects, the domain is unreachable.)
```autoit
#NoTrayIcon
#Region ;**** Directives created by AutoIt3Wrapper_GUI ****
#AutoIt3Wrapper_UseX64=Y
#AutoIt3Wrapper_Outfile=C:\Users\bkozlowski\Desktop\revive_network.exe
#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****
;#RequireAdmin

#include <Array.au3>
#include <AutoItConstants.au3>
#include <MsgBoxConstants.au3>
#include <WinAPIError.au3>
#include "D:\backups\Scripts\AutoIT\UDFs\Network.au3"

$adapterList = _GetNetworkAdapterList();
;_ArrayDisplay($adapterList);
If $adapterList = 0 Then
    MsgBox(16, 'Error', 'No viable network adapters found to reset. Please contact IT.', 10);
    Exit;
EndIf

; Credentials of a local administrative account (placeholders)
$username = 'admin-user';
$domain = @ComputerName;
$password = 'password';

; Enable the local Administrator account
RunAsWait($username, $domain, $password, $RUN_LOGON_NOPROFILE, @ComSpec & ' /c ' & 'net user administrator ***** && net user administrator /active:yes', @SystemDir, @SW_HIDE);

For $i = 0 To (UBound($adapterList)-1)
    $adapter = $adapterList[$i][1];
    $info = _GetNetworkAdapterInfos($adapter);

    ; The adapter name is quoted so that names containing spaces reach PowerShell as one argument
    ;_DisableNetAdapter($info[0][8]);
    RunAsWait('Administrator', @ComputerName, '*****', $RUN_LOGON_NOPROFILE, 'PowerShell -Command "& {Disable-NetAdapter -Name ''' & $adapter & ''' -Confirm:$False}"', @SystemDir, @SW_HIDE);
    Sleep(3 * 1000);

    ;_EnableNetAdapter($info[0][8]);
    RunAsWait('Administrator', @ComputerName, '*****', $RUN_LOGON_NOPROFILE, 'PowerShell -Command "& {Enable-NetAdapter -Name ''' & $adapter & ''' -Confirm:$False}"', @SystemDir, @SW_HIDE);
    Sleep(3 * 1000);
Next

; Disable the local Administrator account
RunAsWait($username, $domain, $password, $RUN_LOGON_NOPROFILE, @ComSpec & ' /c ' & 'net user administrator /active:no', @SystemDir, @SW_HIDE);

MsgBox(0, 'Network Adapters Reset', 'You should now be reconnected to the network. If not, please contact IT.', 10);
```

Edited August 17, 2023 by BrendonKoz
rsn
Solution
Posted August 16, 2023 (edited)

My guess is that the runas is working, but the process being run isn't elevated. When I was doing something similar, I used elevate.exe (here) to get the process I used runas on to actually have the admin token attached to it.

Edit: I think there's more to it than just the above so I'll have to dig up the old script.

Edit2: There is more: In order for elevate.exe to work, you'll have to click through a UAC dialog (or disable UAC). I had forgotten that I had to abandon my original script and deploy it through SCCM which uses the local system user. However since you're dealing with the NIC, that's probably not feasible since the PCs in question can't talk to the network.

Edited August 16, 2023 by rsn
rudi
Posted August 17, 2023

If the users don't have administrative access, then they will not be able to serve the UAC elevation dialog either.

An approach could be to write a script, that's installed as a service on these machines (i.e. UAC elevated rights), monitoring a file like "C:\temp\Reset-NIC.ini" to present content, that will trigger this script to do the actions required. The users will need to have write access to that INI file, then you can create a tool, writing to that INI file, and the "service-installed-UAC-script" can loop reading the ini content, then doing the actions the users have no privileges to do.

Earth is flat, pigs can fly, and Nuclear Power is SAFE!
BrendonKoz
Author
Posted August 17, 2023

Dang, that's a bummer. I was hoping RunAs using administrative credentials could bypass restrictions, but I completely forgot that even as an administrative user, UAC still pops up. I very much appreciate the validation of my concerns though (the current solution isn't feasible).

I'll try to work around this issue in a simpler manner and use Task Scheduler since it's possible to create a shortcut that instantiates a task on-demand, and then use the saved credentials there to run this. I am pretty sure Task Scheduler bypasses UAC, but if not, I have other avenues thanks to your ideas. Thank you both!
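One way to build the trigger-file approach rudi describes, launched by Task Scheduler as mentioned above, as an added example that is not code from the thread: a PowerShell watcher intended to run as SYSTEM. The folder, file, script and task names are assumptions; the file's existence is the only signal, its content is never read, and adapter names come from the OS rather than from anything a user can write.

```powershell
# Added example, not from the thread. Intended to run as SYSTEM; all paths and
# names below are assumptions chosen for illustration.
#
# One-time registration from an elevated prompt. Keep the script itself in a
# folder standard users cannot write to (script path is hypothetical):
#   $action    = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument '-NoProfile -File "C:\Program Files\ResetNic\Watch-ResetNic.ps1"'
#   $trigger   = New-ScheduledTaskTrigger -AtStartup
#   $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -RunLevel Highest
#   $settings  = New-ScheduledTaskSettingsSet -ExecutionTimeLimit ([TimeSpan]::Zero)
#   Register-ScheduledTask -TaskName 'ResetNicWatcher' -Action $action -Trigger $trigger -Principal $principal -Settings $settings

# Assumed ACL on the folder: standard users may create files here, nothing more.
$TriggerFile = 'C:\ProgramData\ResetNic\reset.request'
$MinInterval = [TimeSpan]::FromSeconds(60)   # ignore requests that arrive faster than this
$lastRun     = [DateTime]::MinValue

function Reset-PhysicalAdapters {
    # Adapter names come from the OS, never from the user-writable trigger file.
    foreach ($adapter in (Get-NetAdapter -Physical)) {
        Disable-NetAdapter -Name $adapter.Name -Confirm:$false
        Start-Sleep -Seconds 3
        Enable-NetAdapter -Name $adapter.Name -Confirm:$false
    }
}

while ($true) {
    Start-Sleep -Seconds 5
    $item = Get-Item -LiteralPath $TriggerFile -Force -ErrorAction SilentlyContinue
    if (-not $item) { continue }

    # Accept only a plain file: a directory or reparse point (junction, symlink)
    # planted at the trigger path is ignored rather than followed or deleted.
    $isReparse = [bool]($item.Attributes -band [IO.FileAttributes]::ReparsePoint)
    if ($item.PSIsContainer -or $isReparse) { continue }

    # The file's existence is the whole request; its content is never read.
    Remove-Item -LiteralPath $TriggerFile -Force
    if (((Get-Date) - $lastRun) -lt $MinInterval) { continue }

    $lastRun = Get-Date
    Reset-PhysicalAdapters
}
```

A standard user requests a reset by creating the trigger file, for example from a shortcut or a small AutoIt script, so no administrative password has to be stored in anything the user can read.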
ioa747
Posted August 17, 2023

22 hours ago, BrendonKoz said:
> some computers that for whatever reason, are having issues restoring their network connectivity

Check if this is your case

I know that I know nothing
BrendonKoz
Author
Posted August 18, 2023 (edited)

I think that was one of the first things we had checked (and less likely since wired ethernet, not wireless), but it can't hurt to check again. Thanks for yet another good suggestion. 😉

Edited August 18, 2023 by BrendonKoz