Darkinspiration Posted May 17, 2007

Hello, I know it's been done to death, but I have to ask an "adding a user to a group" question.

Situation: we are using Novell ZENworks to distribute applications. Recently we decided to transform our workstations by making users members of the Users group instead of Administrators. Unfortunately that means that a lot of application objects are now not installing properly. I need a script that adds the user to the Administrators group and then removes them.

```autoit
#cs ----------------------------------------------------------------------------

 AutoIt Version: 3.2.2.0
 Author:         XXXXXXX

 Script Function:
    Adds a user to the test group.

#ce ----------------------------------------------------------------------------

; Script Start - Add your code below here

; WScript.Network is only used to obtain the local computer name for the WinNT:// paths.
Dim $objetNet = ObjCreate("WScript.Network")

; "Administrateurs" is the French localized name of the local Administrators group.
Dim $objetGroupe = ObjGet("WinNT://" & $objetNet.ComputerName & "/Administrateurs,group")

; ZENworks stores the eDirectory DN of the logged-on user, e.g. "CN=jdoe.OU=dept.O=org".
; Split on "." and strip the leading "CN=" from the first component to get the bare user name.
Dim $user = StringSplit(RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Novell\ZENworks", "CurrentUserDN"), ".")
Dim $objetUser = ObjGet("WinNT://" & $objetNet.ComputerName & "/" & StringTrimLeft($user[1], 3) & ",user")

If $CmdLine[0] <> 0 Then
    Select
        Case $CmdLine[1] = "del"
            ; Remove the user from the group if present (IADsGroup.IsMember / Remove).
            If $objetGroupe.IsMember($objetUser.ADsPath) Then
                $objetGroupe.Remove($objetUser.ADsPath)
                Sleep(1000)
            EndIf
        Case Else
            MsgBox(0, "Warning", "This program adds the last user logged on to Novell to the administrators group. Syntax: makemeadmin.exe [del]")
            Exit
    EndSelect
Else
    ; No argument: add the user to the group if not already a member (IADsGroup.Add).
    If Not $objetGroupe.IsMember($objetUser.ADsPath) Then
        $objetGroupe.Add($objetUser.ADsPath)
        Sleep(1000)
    EndIf
EndIf
```

Now my problem is that with this script, I need to log the user off to apply the new group. I think there is a method of the group object to refresh the SAM, but since I cannot find a clear listing of the methods of the group object or the user object, or anything relevant to user groups and disk permissions, I'm stumped.

So my questions are:
1) Is there a better way to do this?
2) Can I refresh one user's group membership without logging out?
3) Where can I find a clear list of plain Windows XP COM objects and methods?

N.B. No, we are not using ADS; it's eDirectory all the way.
N.B. Consider that I didn't know about COM objects before yesterday.
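The symptom in the post above (the user is in the group according to the SAM, but still has no administrator rights until the next logon) is how Windows works rather than a scripting problem: the group SIDs of a user are copied into the access token when the logon session is created, and changing group membership afterwards does not rewrite tokens that already exist. The PowerShell script below is an added example, not code from the original post or from Novell; it performs the same WinNT-provider IsMember/Add/Remove calls as the AutoIt script, then checks the token of the running process so the disagreement between directory and token is visible. The script file name, the -Action parameter and the function names are this example's own; it assumes a local account and must itself run from an administrative context to write to the Administrators group.

```powershell
# Added example: add/remove a local user in BUILTIN\Administrators through the
# ADSI WinNT provider (same IADsGroup methods as the AutoIt script above), then
# show that the *running* token does not change until the user logs on again.
param(
    [ValidateSet('add', 'del', 'check')]
    [string]$Action = 'check',
    [string]$User = $env:USERNAME          # assumption: a local account on this machine
)

# Resolve the Administrators group by well-known SID so this also works on a
# localized Windows (e.g. "Administrateurs" on a French install).
function Get-LocalAdminGroupName {
    $sid = New-Object System.Security.Principal.SecurityIdentifier(
        [System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid, $null)
    ($sid.Translate([System.Security.Principal.NTAccount]).Value -split '\\')[-1]
}

function Get-LocalGroupEntry([string]$GroupName) {
    [ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group"
}

# IADsGroup.IsMember / Add / Remove invoked on the underlying DirectoryEntry.
# Add and Remove are written to the SAM when the call returns.
function Test-IsGroupMember($Group, [string]$UserPath) {
    [bool]($Group.PSBase.Invoke('IsMember', $UserPath))
}

function Set-GroupMembership($Group, [string]$UserPath, [bool]$ShouldBeMember) {
    $isMember = Test-IsGroupMember $Group $UserPath
    if ($ShouldBeMember -and -not $isMember)     { $Group.PSBase.Invoke('Add', $UserPath) }
    elseif (-not $ShouldBeMember -and $isMember) { $Group.PSBase.Invoke('Remove', $UserPath) }
}

# Token view: IsInRole is true only if the Administrators SID is present *and
# enabled* in the current process token. A UAC-filtered token carries the SID
# as deny-only and correctly reports $false here.
function Test-TokenIsAdmin {
    $id        = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($id)
    $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

$groupName = Get-LocalAdminGroupName
$group     = Get-LocalGroupEntry $groupName
$userPath  = "WinNT://$env:COMPUTERNAME/$User,user"

switch ($Action) {
    'add' { Set-GroupMembership $group $userPath $true }
    'del' { Set-GroupMembership $group $userPath $false }
}

# Directory view vs. token view. After 'add', InGroupPerSAM is $true while, for
# the account you are logged on as, TokenHasAdminRole stays $false until you
# log off and back on.
New-Object PSObject -Property @{
    User              = $User
    Group             = $groupName
    InGroupPerSAM     = Test-IsGroupMember $group $userPath
    TokenHasAdminRole = Test-TokenIsAdmin
}
```

Run it as, for instance, `.\Set-LocalAdmin.ps1 -Action add -User alice` from an administrative PowerShell, then `whoami /groups` in alice's existing session: the new group does not appear there until alice logs on again, which is the same thing the script reports. No ADSI method, gpupdate or environment refresh changes that, because none of them touch an existing token.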
PsaltyDS Posted May 17, 2007 (edited)

1. Can you use RunAsSet() to use another admin account without shuffling them around in/out of the Administrators group?
2. There is a chance (I haven't tested it) that if your user changes its own membership, then does RunAsSet() using its own credentials, the new Run() process will pick up the new security tokens. Of course this points back to (1.) as an easier solution.
3. Google is your friend. A lot of stuff in a lot of places. More than one way to do everything, etc...

Edited May 17, 2007 by PsaltyDS

Valuater's AutoIt 1-2-3, Class... Is now in Session! For those who want somebody to write the script for them: RentACoder. "Any technology distinguishable from magic is insufficiently advanced." -- Geek's corollary to Clarke's law
Darkinspiration (Author) Posted May 17, 2007

The main problem with using RunAsSet() is that it's only valid for the AutoIt session. Since my apps are already contained in a ZENworks application object, I was hoping to use a script that granted admin rights to the current user so he could execute the installation. Maybe you're right and I can do some stuff with runas... I will have to test some more.

As for the Google comment, I have googled for two days now and I'm not really getting what I'm hoping for.
PsaltyDS Posted May 17, 2007

Let's get back to the original scenario:

Situation: we are using Novell ZENworks to distribute applications. Recently we decided to transform our workstations by making users members of the Users group instead of Administrators. Unfortunately that means that a lot of application objects are now not installing properly. I need a script that adds the user to the Administrators group and then removes them.

I interpreted that as giving enough admin perms to get the install done. Are you implying you want to move the end user in/out of the Administrators group to run the app, even after install? That's crazy from a security standpoint, and painfully awkward for administration.
Darkinspiration (Author) Posted May 17, 2007 (edited)

Let's get back to the original scenario: I interpreted that as giving enough admin perms to get the install done. Are you implying you want to move the end user in/out of the Administrators group to run the app, even after install? That's crazy from a security standpoint, and painfully awkward for administration.

No, I don't need to do that. In ZENworks I can chain my application objects. The application installation is a separate object from the application launcher. In my mind it goes like this:

User starts application launcher -> application launcher calls first object of the chain -> application installation starts -> current user is given administrator rights -> MSI or setup.exe launches -> user admin rights are revoked -> application launcher launches the application as normal.

Note that once the application chain is complete, the application launcher does not need to invoke the installation again. The script will be invoked by the application installer. It will most likely run under admin to grant the group. Doing things differently with NAL would force me to rebuild the application objects and would take too much time. Using runas in this situation would be a bit troublesome: my objects are invoked using nalwin.exe, a user process, and Administrator does not have filesystem rights on my eDirectory. Using AutoIt in this instance is a fix for poor application object design.

Edited May 17, 2007 by Darkinspiration
PsaltyDS Posted May 17, 2007

No, I don't need to do that. In ZENworks I can chain my application objects. The application installation is a separate object from the application launcher. In my mind it goes like this: User starts application launcher -> application launcher calls first object of the chain -> application installation starts -> current user is given administrator rights -> MSI or setup.exe launches -> user admin rights are revoked -> application launcher launches the application as normal. Note that once the application chain is complete, the application launcher does not need to invoke the installation again. The script will be invoked by the application installer. It will most likely run under admin to grant the group. Doing things differently with NAL would force me to rebuild the application objects and would take too much time.

I got it. Wouldn't the AutoIt script run only during the app install, and therefore be fine with RunAsSet()? When the AutoIt script is done, the install is done, so your earlier concern about credentials only lasting for the AutoIt session doesn't seem to hurt anything.
Darkinspiration (Author) Posted May 17, 2007 (edited)

I got it. Wouldn't the AutoIt script run only during the app install, and therefore be fine with RunAsSet()? When the AutoIt script is done, the install is done, so your earlier concern about credentials only lasting for the AutoIt session doesn't seem to hurt anything.

Nope. You forget that my user has the credentials to connect to the remote volume, not the local Administrator. RunAs is not very useful in this situation except to grant admin rights to my user.

Edited May 17, 2007 by Darkinspiration
Darkinspiration (Author) Posted May 18, 2007

Well, according to the MSDN documentation on the WinNT provider I managed to find (it's amazing what you can find once you know what to look for...), there is the .SetInfo property on the group and user object that sets the change in the directory.

Ref: http://msdn2.microsoft.com/en-us/library/aa772211.aspx

So by adding $objetGroupe.SetInfo and $objetUser.SetInfo I commit the change. My script is faster, but my problem of not having the change reflected to the user until after login is still here. Anyone know how I can force the user environment to refresh?

Some things I tried: using gpupdate /force; using EnvUpdate; using runas with the user's credentials.
Selmak Posted May 18, 2007 (edited)

Anyone know how I can force the user environment to refresh?

No. I coded a similar utility for Microsoft-network computers, but the only way I know of activating the change is to log the user off. If it's any help, here's the source. Compile with 3.1.1.0 or later.

```autoit
; ****** su for Windows by Selmak, Feb 07. *******
;
; Usage: (as compiled .exe)
;   su                      - Change status.
;   su root {password}      - Become superuser.
;   su user                 - Become limited user.

Opt("TrayIconHide", 1)
Opt("RunErrorsFatal", 0)

; Command-line handling: no argument means the user double-clicked the exe.
$cmdAction = "clicked"
If $cmdLine[0] > 0 Then $cmdAction = $cmdLine[1]
If $cmdLine[0] > 1 Then
    $SuperPwd = $cmdLine[2]
Else
    $SuperPwd = ""
EndIf

; Get settings from the .ini next to the script, or use defaults.
$iniFileName     = StringLeft(@ScriptFullPath, StringInStr(@ScriptFullPath, ".", 0, -1)) & "ini"
$LocalAdminGroup = IniRead($iniFileName, "General", "LocalAdminGroup", "Administrators")
$SuperUser       = IniRead($iniFileName, "General", "SuperUser", "Administrator")
$user            = IniRead($iniFileName, "General", "LocalUser", @UserName)
$grouptype       = IniRead($iniFileName, "General", "GroupType", "localgroup")
$AdminDomain     = IniRead($iniFileName, "General", "AdminDomain", @LogonDomain)

; If autologon is configured, force it so the promoted account logs straight back in.
If IsAdmin() Then
    $Autologon = RegRead('HKEY_LOCAL_MACHINE\' & 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon', 'AutoAdminLogon')
    If $Autologon > 0 Then
        RegWrite('HKEY_LOCAL_MACHINE\' & 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon', 'ForceAutoLogon', 'REG_SZ', "1")
    EndIf
EndIf

Select ; Choose action based on parameters.
    Case $cmdAction = "/?"
        ShowStatus()
    Case $cmdAction = "clicked"
        If IsAdmin() Then
            Demote(1)
        Else
            Promote(1)
        EndIf
    Case $cmdAction = "root"
        Promote(2)
    Case $cmdAction = "user"
        Demote(2)
    Case $cmdAction = "/svc"
        ; Started from the HKCU Run key after a promoted logon: offer to keep admin status, then watch the clock.
        $msg = MsgBox(4, "User Promotion Utility", " You are running as a Temporary Administrator of your own computer. If you will need to restart the computer once or more as part of the work you are doing, you may wish to retain this status through reboots. If not, then it is preferable to remove the promotion flag from this account, so that the user will revert to Limited rights following the next reboot. " & @CR & @CR & "Make Admin status persistent?", 120)
        If $msg <> 6 Then
            Demote(0)
        EndIf
        Watchdog()
    Case Else
        MsgBox(0, @ScriptName & " - Error", "Command not understood", 10)
        Exit
EndSelect
Exit ; end main prog

Func ShowStatus()
    If IsAdmin() Then
        MsgBox(0, "User Rights", "You have Admin rights to your own computer.", 5)
    Else
        MsgBox(0, "User Rights", "You are a Limited User.", 5)
    EndIf
EndFunc

; Polls every two minutes; at midnight demotes the account and forces a logoff.
Func Watchdog()
    $shutdowntrigger = 0
    Do
        $prevtime = @HOUR
        Sleep(120000)
        If (@HOUR = 0) And ($prevtime > 0) Then $shutdowntrigger = 1
        If $shutdowntrigger = 1 Then
            Demote(0)
            MsgBox(0, "Temporary Admin Rights", "The time limit for temporary user promotion has been exceeded. In a few minutes the system will log you off. Please ensure that your work has been saved.", 6)
            Sleep(120000)
            Shutdown(4) ; 4 = force logoff
            Exit
        EndIf
    Until 0
EndFunc

Func Promote($relog)
    If $SuperPwd = "" Then
        $SuperPwd = InputBox("Password Required", "In order to promote your own user account to superuser privileges, please enter the password for the local Administrator account.", "", "*")
    EndIf
    If $SuperPwd = "" Then Exit
    ; Subsequent Run() calls execute as the superuser account.
    RunAsSet($SuperUser, $AdminDomain, $SuperPwd, 0) ; poss. add success check here.
    $runstr = "Net " & $grouptype & " /add " & $LocalAdminGroup & " " & $user
    $return = Run($runstr)
    ; Run() does not wait; @error is set only if the process could not be started,
    ; which is what happens when RunAsSet() credentials are rejected.
    If @error > 0 Then
        MsgBox(0, "Error", "Unable to promote your account. Possibly the Admin password you gave is incorrect, or the Administrator username is incorrectly set in the config file.", 20)
        Exit
    EndIf
    ; Re-run this tool with /svc at the next logon so the promotion can be reverted.
    RegWrite('HKEY_CURRENT_USER\' & 'Software\Microsoft\Windows\CurrentVersion\Run', 'UserPromote', 'REG_SZ', @ScriptFullPath & " /svc")
    $UserPromotedAt = @YDAY & @HOUR & @MIN
    RegWrite('HKEY_CURRENT_USER\' & 'Software\MyLogon', 'UserPromotedAt', 'REG_SZ', $UserPromotedAt)
    ; MsgBox(0, "Returned", @error, 5)
    If $relog > 0 Then
        $msg = 6
        If $relog = 1 Then $msg = MsgBox(4, "Account Promoted", " In order to activate your superuser privileges, you will need to re-logon. Do you wish to do this now? (If Yes then please save your work, as all desktop apps will close.)")
        If $msg = 6 Then
            Shutdown(0) ; 0 = logoff
            Exit
        EndIf
    EndIf
EndFunc ; Promote

Func Demote($relog)
    $msg = 6
    If $relog = 1 Then $msg = MsgBox(4, "Demote Account", "Do you wish to change your account's status back to non-Administrator?")
    If $msg <> 6 Then Exit
    If $user > " " Then
        $runstr = "Net " & $grouptype & " /delete " & $LocalAdminGroup & " " & $user
        $return = Run($runstr)
        RegDelete('HKEY_CURRENT_USER\' & 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run', 'UserPromote')
        $UserDemotedAt = @YDAY & @HOUR & @MIN
        RegWrite('HKEY_CURRENT_USER\' & 'Software\MyLogon', 'UserDemotedAt', 'REG_SZ', $UserDemotedAt)
        ; MsgBox(0, "Returned", @error, 5)
    EndIf
    If $relog > 0 Then
        $msg = 6
        If $relog = 1 Then $msg = MsgBox(4, "Account Demoted", " In order to return to Limited User privileges, you will need to re-logon. Do you wish to do this now? (If Yes then please save your work, as all desktop apps will close.)")
        If $msg = 6 Then
            Shutdown(0) ; 0 = logoff
            Exit
        EndIf
    EndIf
EndFunc ; Demote
```

Oh, and I just thought a word of warning to general users would be appropriate: don't test this on a computer for which you don't know the Administrator account's password, or you will permanently demote yourself to a limited user! Also, don't run it on XP Home, as it is not intended to support limited users.

Edited May 18, 2007 by Selmak
Fredrik Posted December 7, 2007

If you are using the ZENworks Novell Application Launcher, why don't you (1) transfer the installer files to the client's local hard drive and (2) run the installer as the secure or unsecure system user? These are all standard features, and you can find them in Novell's ConsoleOne.
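Two of the replies above point at the same alternative to touching group membership at all: run the installer under a different account (PsaltyDS's RunAsSet() suggestion) after first copying it to the local disk as the logged-on user, who is the one with rights to the eDirectory volume (Fredrik's point). The PowerShell script below is an added example of that two-step pattern and is not code from the thread or from Novell. The staging directory, the account name and the MSI path are placeholders; it assumes an MSI installer and a local administrator account whose password is entered at the prompt, and it covers the installer case only, not an installer that must write into the logged-on user's own profile.

```powershell
# Added example: stage an installer locally as the logged-on user, then run it
# under a separate administrator account instead of changing the user's groups.
param(
    [Parameter(Mandatory = $true)]
    [string]$SourceMsi,                                     # e.g. \\server\apps\Tool.msi, readable by the *user*
    [string]$StageDir     = (Join-Path $env:SystemDrive 'Staging'),   # placeholder
    [string]$AdminAccount = "$env:COMPUTERNAME\Administrator"          # placeholder
)

# Step 1 (as the logged-on user, who has the share/eDirectory rights): copy the
# installer to the local disk so the admin account never needs network access.
function Copy-InstallerLocally([string]$Source, [string]$Dest) {
    New-Item -ItemType Directory -Path $Dest -Force | Out-Null
    $target = Join-Path $Dest (Split-Path $Source -Leaf)
    Copy-Item -LiteralPath $Source -Destination $target -Force
    $target
}

# Step 2: run msiexec under the admin credentials. -WorkingDirectory is set to
# the local staging folder on purpose: with -Credential the new process runs as
# that account, and a working directory it cannot read makes process creation fail.
function Invoke-InstallerAsAdmin([string]$LocalMsi, [System.Management.Automation.PSCredential]$Credential) {
    $log     = [IO.Path]::ChangeExtension($LocalMsi, '.install.log')
    $msiArgs = '/i', ('"{0}"' -f $LocalMsi), '/qn', '/norestart', '/L*v', ('"{0}"' -f $log)
    $p = Start-Process -FilePath "$env:SystemRoot\System32\msiexec.exe" `
                       -ArgumentList $msiArgs `
                       -WorkingDirectory (Split-Path $LocalMsi -Parent) `
                       -Credential $Credential -Wait -PassThru
    $p.ExitCode
}

$cred  = Get-Credential -UserName $AdminAccount -Message 'Local administrator account used for the install'
$local = Copy-InstallerLocally -Source $SourceMsi -Dest $StageDir
$code  = Invoke-InstallerAsAdmin -LocalMsi $local -Credential $cred

# Standard msiexec results: 0 = success, 3010 = success, reboot required.
if ($code -notin 0, 3010) { throw "msiexec exited with $code; see the log next to the MSI" }
"Installed $local as $AdminAccount (exit code $code)"
```

The logged-on user's token is never changed, so nothing needs to be reverted afterwards and there is no window in which the user is an administrator. The trade-off is the one Tim H. describes below: an installer that insists on the interactive user being a member of Administrators, or that writes into that user's profile, is not helped by this.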
Tim H. Posted April 21, 2009

Resurrecting this thread two years later: I have the same issue. System authority doesn't do it. The ugly application I'm trying to install requires that the user be an actual member of the local Administrators group. The user's profile is updated during the installation process, so I can't use an alternate account to perform the installation. I can add the user to the local Administrators group easily enough, but unless the user logs out and in again, administrator rights are not realized. Has anyone found a way around this?
mbkowns Posted April 21, 2009 (edited)

```autoit
; Add the current user to the local Administrators group (net.exe, hidden window).
Run('net localgroup administrators /add ' & @UserName, "", @SW_HIDE)
```

I would add the user manually, then have them log in under their account. Then have the script, as part of the last stages, remove them from the group. Being an admin at the time, they will have the right to do this.

```autoit
; Remove the current user from the local Administrators group again.
Run('net localgroup administrators /delete ' & @UserName, "", @SW_HIDE)
```

Or, when you install the app, use Shift+run-as, or psexec remotely with batches.

Edited April 21, 2009 by mbkowns