
Managing local groups with com object



Hello,

I know it's been done to death, but I have to ask an "adding user to group" question.

Situation: we are using Novell ZENworks to distribute applications. Recently we decided to change our workstations by adding users to the Users group instead of Administrators.

Unfortunately that means that a lot of application objects are now not installing properly. I need a script that adds the user to the Administrators group and removes them.

#cs ----------------------------------------------------------------------------

 AutoIt Version: 3.2.2.0
 Author:   XXXXXXX

 Script Function:
    Adds a user to the test group.

#ce ----------------------------------------------------------------------------

; Script Start - Add your code below here

; Bind to the local Administrators group ("Administrateurs" on a French Windows) through the WinNT ADSI provider.
Dim $objetNet = ObjCreate("WScript.Network")
Dim $objetGroupe = ObjGet("WinNT://" & $objetNet.ComputerName & "/Administrateurs,group")
If Not IsObj($objetGroupe) Then Exit ; group not found on this machine

; ZENworks records the last logged-on eDirectory user as a dotted DN; the first component carries a
; three-character prefix (e.g. "CN=") that is trimmed to get the plain account name.
Dim $dn = RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Novell\ZENworks", "CurrentUserDN")
If @error Or $dn = "" Then Exit ; no ZENworks user recorded: nothing to do
Dim $user = StringSplit($dn, ".")
Dim $objetUser = ObjGet("WinNT://" & $objetNet.ComputerName & "/" & StringTrimLeft($user[1], 3) & ",user")
If Not IsObj($objetUser) Then Exit ; account not found on this machine

If $CmdLine[0] <> 0 Then
    Select
        Case $CmdLine[1] = "del"
            ; "del" argument: remove the user from the group if present.
            If $objetGroupe.IsMember($objetUser.ADsPath) Then
                $objetGroupe.Remove($objetUser.ADsPath)
                Sleep(1000)
            EndIf

        Case Else
            MsgBox(0, "Attention", "Ce programme ajoute le dernier usager loguer novell au groupe administrateur. Syntaxe makemeadmin.exe [del]")
            Exit

    EndSelect

Else
    ; No argument: add the user to the group if not already a member.
    If Not $objetGroupe.IsMember($objetUser.ADsPath) Then
        $objetGroupe.Add($objetUser.ADsPath)
        Sleep(1000)
    EndIf

EndIf

Now my problem is that with this script, I need to log off the user to apply the new group.

I think there is a method of the group object to refresh the SAM.

But since I cannot find a clear listing of the methods of the group object or the user object, or anything relevant to user groups and disk permissions... I'm stumped.

So my questions are:

1) Is there a better way to do this?

2) Can I refresh one user's group membership without a logout?

3) Where can I find a clear list of plain Windows XP COM objects and methods?

N.B. No, we are not using ADS; it's eDirectory all the way.

N.B. Consider that I didn't know about COM objects before yesterday.

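A PowerShell counterpart to the script above, added here as an example and not part of the original post: it performs the same WinNT-provider calls (IsMember, Add, Remove, and the SetInfo commit, which .NET exposes as CommitChanges), then shows the two views that the thread's "why am I still not admin" problem comes from: what the local SAM lists versus what the current logon token contains. The account name is a parameter, and the group name defaults to 'Administrators' (the post uses the French 'Administrateurs').

```powershell
param(
    [Parameter(Mandatory)][string]$UserName,          # assumed: the local account to promote, demote or check
    [ValidateSet('add', 'del', 'check')][string]$Action = 'check',
    [string]$GroupName = 'Administrators'             # assumed default; the post above uses 'Administrateurs'
)

# Bind through the WinNT ADSI provider, exactly as the AutoIt script does.
$userPath = "WinNT://$env:COMPUTERNAME/$UserName,user"
if (-not [ADSI]::Exists($userPath)) { throw "Account '$UserName' not found on $env:COMPUTERNAME" }
$group = [ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group"
$user  = [ADSI]$userPath

# IsMember / Add / Remove are the IADsGroup methods the script calls; CommitChanges() is SetInfo.
switch ($Action) {
    'add' { if (-not $group.Invoke('IsMember', $user.Path)) { $group.Invoke('Add', $user.Path);    $group.CommitChanges() } }
    'del' { if ($group.Invoke('IsMember', $user.Path))      { $group.Invoke('Remove', $user.Path); $group.CommitChanges() } }
}

# View 1: what the SAM says right now (this changes immediately).
$inSam = [bool]$group.Invoke('IsMember', $user.Path)

# View 2: what the running session's access token says. The token's group list is fixed at logon,
# so a SAM change made a moment ago is not in it until the user logs off and on again.
# (Under UAC, IsInRole is only true in an elevated process.)
$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
$inToken   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
$sameUser  = ($env:USERNAME -ieq $UserName)    # the token only describes the account running this script

[pscustomobject]@{
    Account         = $UserName
    MemberInSam     = $inSam
    TokenIsAdmin    = $inToken
    SessionIsUser   = $sameUser
    RelogonRequired = $sameUser -and $inSam -and -not $inToken
}
```

Run it once with -Action add and then immediately with -Action check as the same user: MemberInSam is true while TokenIsAdmin stays false, which is the behaviour the thread is asking about.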

1. Can you use RunAsSet() to use another admin account without shuffling them around in/out of the Administrators group?

2. There is a chance (I haven't tested it) that if your user changes its own membership, then does RunAsSet() using its own credentials, the new Run() process will pick up the new security tokens. Of course this points back to (1.) as an easier solution.

3. Google is your friend. A lot of stuff in a lot of places. More than one way to do everything, etc...

:)

Edited by PsaltyDS
Valuater's AutoIt 1-2-3, Class... Is now in Session!For those who want somebody to write the script for them: RentACoder"Any technology distinguishable from magic is insufficiently advanced." -- Geek's corollary to Clarke's law

The main problem with using RunAsSet() is that it's only valid for the AutoIt session. Since my apps are already contained in a ZENworks application object, I was hoping to use a script that granted admin rights to the current user so he could execute the installation.

Maybe you're right and I can do some stuff with RunAs... I will have to test some more.

As for the Google comment, I have googled for two days now and I'm not really getting what I'm hoping for. :)


Let's get back to the original scenario:

Situation: we are using Novell ZENworks to distribute applications. Recently we decided to change our workstations by adding users to the Users group instead of Administrators. Unfortunately that means that a lot of application objects are now not installing properly. I need a script that adds the user to the Administrators group and removes them.

I interpreted that as giving enough Admin perms to get the install done.

Are you implying you want to move the end user in/out of Administrators group to run the app, even after install?

That's crazy from a security standpoint, and painfully awkward for administration.

:)


Let's get back to the original scenario:

I interpreted that as giving enough Admin perms to get the install done.

Are you implying you want to move the end user in/out of Administrators group to run the app, even after install?

That's crazy from a security standpoint, and painfully awkward for administration.

:)

No, I don't need to do that. In ZENworks I can chain my application objects. The application installation is a separate object from the application launcher.

In my mind it goes like this.

User starts application launcher -> application launcher calls first object of the chain -> application installation starts -> current user is given administrator rights -> msi or setup.exe launches -> user admin rights are revoked -> application launcher launches application as normal.

Note that once the application chain is complete, the application launcher does not need to invoke the installation again. The script will be invoked by the application installer. It will most likely run under admin to grant the group.

Doing things differently with NAL would force me to rebuild the application objects and would take too much time.

Using RunAs in this situation would be a bit troublesome: my objects are invoked using nalwin.exe, a user process, and Administrator does not have filesystem rights on my eDirectory.

Using autoit in this instance is a fix for poor application object design.

Edited by Darkinspiration

No, I don't need to do that. In ZENworks I can chain my application objects. The application installation is a separate object from the application launcher.

In my mind it goes like this.

User starts application launcher -> application launcher calls first object of the chain -> application installation starts -> current user is given administrator rights -> msi or setup.exe launches -> user admin rights are revoked -> application launcher launches application as normal.

Note that once the application chain is complete, the application launcher does not need to invoke the installation again. The script will be invoked by the application installer. It will most likely run under admin to grant the group.

Doing things differently with NAL would force me to rebuild the application objects and would take too much time.

I got it. Wouldn't the AutoIt script run only during the app install, and therefore be fine with RunAsSet()? When the AutoIt script is done, the install is done, so your earlier concern about credentials only lasting for the AutoIt session doesn't seem to hurt anything.

:)


I got it. Wouldn't the AutoIt script run only during the app install, and therefore be fine with RunAsSet()? When the AutoIt script is done, the install is done, so your earlier concern about credentials only lasting for the AutoIt session doesn't seem to hurt anything.

:)

Nope, you forget that my user has the credentials to connect to the remote volume, not the local Administrator.

RunAs is not very useful in this situation except to grant admin rights to my user.

Edited by Darkinspiration

Well, according to the MSDN documentation on the WinNT provider I managed to find (it's amazing what you can find once you know what to look for... :) ), there is the .SetInfo property on the group and user object that sets the change in the directory.

ref: http://msdn2.microsoft.com/en-us/library/aa772211.aspx

So by adding $objetGroupe.SetInfo and $objetUser.SetInfo I commit the change. My script is faster, but my problem of not having the change reflected to the user until after login is still here.

Anyone know how I can force the user environment to refresh?

Something I tried:

using gpupdate /force

using envUpdate

using runas with the user cred?


Anyone know how I can force the user environment to refresh?

No. I coded a similar utility for Microsoft-network computers, but the only way I know of activating the change is to log the user off.

If it's any help here's the source. Compile with 3.1.1.0 or later.

; ****** su for Windows by Selmak, Feb 07. *******
;
; Usage: (as compiled .exe)
; su                 - Change status.
; su root {password} - Become superuser.
; su user            - Become limited user.

Opt("TrayIconHide", 1)
Opt("RunErrorsFatal", 0) ; a failed Run()/RunWait() sets @error instead of aborting the script

$cmdAction = "clicked"
If $cmdLine[0] > 0 Then $cmdAction = $cmdLine[1]
If $cmdLine[0] > 1 Then
    $SuperPwd = $cmdLine[2]
Else
    $SuperPwd = ""
EndIf

; Get settings from .ini, or use defaults.
$iniFileName = StringLeft(@ScriptFullPath, StringInStr(@ScriptFullPath, ".", 0, -1)) & "ini"
$LocalAdminGroup = IniRead($iniFileName, "General", "LocalAdminGroup", "Administrators")
$SuperUser = IniRead($iniFileName, "General", "SuperUser", "Administrator")
$user = IniRead($iniFileName, "General", "LocalUser", @UserName)
$grouptype = IniRead($iniFileName, "General", "GroupType", "localgroup")
$AdminDomain = IniRead($iniFileName, "General", "AdminDomain", @LogonDomain)

; If autologon is configured, keep it forced so the promoted account comes back after a reboot.
If IsAdmin() Then
    $Autologon = RegRead('HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon', 'AutoAdminLogon')
    If $Autologon > 0 Then
        RegWrite('HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon', 'ForceAutoLogon', 'REG_SZ', "1")
    EndIf
EndIf

Select ; Choose action based on parameters.
    Case $cmdAction = "/?"
        ShowStatus()
    Case $cmdAction = "clicked"
        If IsAdmin() Then
            Demote(1)
        Else
            Promote(1)
        EndIf
    Case $cmdAction = "root"
        Promote(2)
    Case $cmdAction = "user"
        Demote(2)
    Case $cmdAction = "/svc"
        ; Started from the HKCU Run key at the first logon after a promotion: ask whether to keep
        ; admin rights across reboots, then watch the clock until the promotion expires.
        $msg = MsgBox(4, "User Promotion Utility", " You are running as a Temporary Administrator of your own computer. If you will need to restart the computer once or more as part of the work you are doing, you may wish to retain this status through reboots. If not, then it is preferable to remove the promotion-flag from this account, so that the user will revert to Limited rights following the next reboot. " & @CR & @CR & "Make Admin status persistent?", 120)
        If $msg <> 6 Then
            Demote(0)
        EndIf
        Watchdog()
    Case Else
        MsgBox(0, @ScriptName & " - Error", "Command not understood", 10)
        Exit
EndSelect
Exit
; end main prog

Func ShowStatus()
    If IsAdmin() Then
        MsgBox(0, "User Rights", "You have Admin rights to your own computer.", 5)
    Else
        MsgBox(0, "User Rights", "You are a Limited User.", 5)
    EndIf
EndFunc

Func Watchdog()
    ; Poll every two minutes; when the clock passes midnight, demote the account and force a logoff.
    $shutdowntrigger = 0
    Do
        $prevtime = @HOUR
        Sleep(120000)
        If (@HOUR = 0) And ($prevtime > 0) Then $shutdowntrigger = 1
        If $shutdowntrigger = 1 Then
            Demote(0)
            MsgBox(0, "Temporary Admin Rights", "The time limit for temporary user-promotion has been exceeded. In a few minutes the system will log you off. Please ensure that your work has been saved.", 6)
            Sleep(120000)
            Shutdown(4) ; 4 = force: log off even if applications refuse to close
            Exit
        EndIf
    Until 0
EndFunc

Func Promote($relog)
    If $SuperPwd = "" Then
        $SuperPwd = InputBox("Password Required", "In order to promote your own user-account to superuser privileges, please enter the password for the local Administrator account.", "", "*")
    EndIf
    If $SuperPwd = "" Then Exit
    ; Run the net command under the superuser account; the current (limited) user cannot edit the group itself.
    RunAsSet($SuperUser, $AdminDomain, $SuperPwd, 0)
    ; RunWait returns net.exe's exit code, so a wrong password or a bad group name is detected (non-zero).
    $runstr = "Net " & $grouptype & " /add " & $LocalAdminGroup & " " & $user
    $return = RunWait($runstr, "", @SW_HIDE)
    If @error > 0 Or $return <> 0 Then
        MsgBox(0, "Error", "Unable to promote your account. Possibly the Admin password you gave is incorrect, or the Administrator username is incorrectly set in the config-file.", 20)
        Exit
    EndIf
    ; Re-run this script with /svc at the next logon so the promotion is reviewed and time-limited.
    RegWrite('HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run', 'UserPromote', 'REG_SZ', @ScriptFullPath & " /svc")
    $UserPromotedAt = @YDAY & @HOUR & @MIN
    RegWrite('HKEY_CURRENT_USER\Software\MyLogon', 'UserPromotedAt', 'REG_SZ', $UserPromotedAt)
    ; MsgBox(0, "Returned", @error, 5)
    If $relog > 0 Then
        $msg = 6
        If $relog = 1 Then $msg = MsgBox(4, "Account Promoted", " In order to activate your superuser privileges, you will need to re-logon. Do you wish to do this now? (if Yes then please save your work, as all desktop apps will close.)")
        If $msg = 6 Then
            Shutdown(0) ; 0 = log off; the new group only reaches the user's token at the next logon
            Exit
        EndIf
    EndIf
EndFunc ; promote

Func Demote($relog)
    $msg = 6
    If $relog = 1 Then $msg = MsgBox(4, "Demote Account", "Do you wish to change your account's status back to non-Administrator ?")
    If $msg <> 6 Then
        Exit
    EndIf
    If $user > " " Then ; skip if no user name is configured
        ; The user is still an admin at this point, so no RunAsSet is needed to leave the group.
        $runstr = "Net " & $grouptype & " /delete " & $LocalAdminGroup & " " & $user
        $return = RunWait($runstr, "", @SW_HIDE)
        RegDelete('HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run', 'UserPromote')
        $UserDemotedAt = @YDAY & @HOUR & @MIN
        RegWrite('HKEY_CURRENT_USER\Software\MyLogon', 'UserDemotedAt', 'REG_SZ', $UserDemotedAt)
        ; MsgBox(0, "Returned", @error, 5)
    EndIf
    If $relog > 0 Then
        $msg = 6
        If $relog = 1 Then $msg = MsgBox(4, "Account Demoted", " In order to return to Limited User privileges, you will need to re-logon. Do you wish to do this now? (if Yes then please save your work, as all desktop apps will close.)")
        If $msg = 6 Then
            Shutdown(0)
            Exit
        EndIf
    EndIf
EndFunc ; demote

Oh, and I just thought a word of warning to general users would be appropriate: don't test this on a computer for which you don't know the Administrator account's password, or you will permanently demote yourself to a limited user! Also, don't run it on XP Home, as it is not intended to support limited users.

Edited by Selmak
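From the defender's side, both the AutoIt script at the top of the thread and the su utility above leave the same trail in the Security log: a member-added event on the Administrators group followed (ideally) by a member-removed one. The following is an added example, not part of the thread, that pairs those events to show how long each account held local admin and which promotions were never undone. It assumes a Vista-or-later host, since it uses event IDs 4732/4733 (XP logged 636/637 instead), and rights to read the Security log; the 7-day window and group name are assumed defaults.

```powershell
# Assumed defaults: look back 7 days and watch the local 'Administrators' group.
param([int]$Days = 7, [string]$GroupName = 'Administrators')

# 4732 = member added to a security-enabled local group, 4733 = member removed.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4732, 4733; StartTime = (Get-Date).AddDays(-$Days)
} -ErrorAction SilentlyContinue | Sort-Object TimeCreated

# Read fields by name from the event XML rather than by positional index into Properties.
function Get-EventField($Event, $Name) {
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object Name -eq $Name).'#text'
}

$open = @{}   # MemberSid -> details of an add that has not yet been matched by a remove
$paired = @(foreach ($e in $events) {
    if ((Get-EventField $e 'TargetUserName') -ne $GroupName) { continue }
    $sid     = Get-EventField $e 'MemberSid'
    $member  = Get-EventField $e 'MemberName'
    $subject = Get-EventField $e 'SubjectUserName'    # the account that made the change
    if ($e.Id -eq 4732) {
        $open[$sid] = @{ At = $e.TimeCreated; Member = $member; By = $subject }
    } elseif ($open.ContainsKey($sid)) {
        [pscustomobject]@{
            Member = $open[$sid].Member; AddedBy = $open[$sid].By; AddedAt = $open[$sid].At
            HeldFor = $e.TimeCreated - $open[$sid].At; Demoted = $true
        }
        $open.Remove($sid)
    }
})

# Adds with no matching remove inside the window: accounts that are still local admins.
$unmatched = @($open.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{
        Member = $_.Value.Member; AddedBy = $_.Value.By; AddedAt = $_.Value.At
        HeldFor = $null; Demoted = $false
    }
})

$paired + $unmatched | Sort-Object AddedAt | Format-Table -AutoSize
```

The Demoted = $false rows are the ones worth chasing first: a promotion whose removal step never ran, whether because the install crashed, the watchdog was killed, or someone kept the rights on purpose.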


If you are using ZENworks Novell Application Launcher, why don't you (1) transfer the installer files to the client's local hard drive and (2) run the installer as secure or unsecure system user? These are all standard features, and you can find them in Novell's ConsoleOne.



Resurrecting this thread two years later: I have the same issue. System authority doesn't do it. The ugly application I'm trying to install requires that the user be an actual member of the Local Administrator group. The user's profile is updated during the installation process so I can't use an alternate account to perform the installation.

I can add the user to the local administrators group easily enough, but unless the user logs out and in again, administrator rights are not realized. Has anyone found a way around this?


Run('net localgroup administrators /add ' & @UserName, "", @SW_HIDE)

I would add the user manually, then have them log in under their account. Then have the script, as part of the last stages, remove them from the group. Being an admin at the time, they will have the right to do this.

Run('net localgroup administrators /delete ' & @UserName, "", @SW_HIDE)

or

when you install the app, use Shift + Run As

psexec remotely with batches

Edited by mbkowns