Problems elevating a user's rights


Hey guys,

I'm working with a customer that is implementing a ZENworks deployment, and during that time they are also moving to a new domain, putting out new computers, setting new GPOs, and implementing single sign-on (good thing I'm already bald). :)

I have been working with AutoIt for a bit, trying to figure out a way to elevate the user's rights during the install of certain programs. The problem arises because the installation makes changes specific to that user, and if you use RunAsSet() then the run-as user is the one that gets the benefit. So my solution was to use the net localgroup command in DOS to try to elevate the logged-on user to an administrator, then take it away when I'm done. (Yes, I know, old-school geek, but it works.)

Here is the issue: I have to be an administrator to add a user to the Administrators group, but if I use RunAsSet() then it only wants to add the run-as user as the admin, not the logged-in user. I have tried all the profile variables (0, 1, 2) with no joy. 0 gives me nothing, 1 sets the run-as user, 2 only works for network stuff, not locally.

Any thoughts would be appreciated, here's my code so far:

RunAsSet("username", "domain", "password", 2)
If IsAdmin() = 0 Then ;Checks if user is local Administrator, If Yes then continues to next line, if No continues to PID
    runwait("net localgroup Administrators %username% /Add") ;sets logged in user to administrator group
    sleep(1000)
EndIf

MsgBox(0, 'Message', 'Now running with admin rights.', 2)

$pid = ProcessExists("cmd.exe") ;set to process created by installing program
While ProcessExists($pid)
    Sleep(5000) ;While the Installing program process exists script sleeps or waits
    If Not ProcessExists($pid) Then
        ExitLoop ;Obvious if process does not exist the program continues
    EndIf
WEnd

If IsAdmin() = 0 Then ;After completion of installation removes user from Administrator group
    runwait("net localgroup administrators %username% /delete")
EndIf


MsgBox(0, 'Message', 'Your rights have been taken away, Sorry!.', 2)

If @error = 1 Then
    MsgBox(64, "Warning", "Can not run Admin, Please contact your IS Helpdesk for further assistance.")
EndIf
Edited by digibuddha

Try replacing

runwait("net localgroup Administrators %username% /Add");sets logged in user to administrator group

With:

runwait("net localgroup Administrators " & @UserName & " /Add");sets logged in user to administrator group

That should work, as @UserName is the username the AutoIt script was run by, whilst %username% would be the user you set with RunAsSet. :)


PERFECT!!!!!!!!! You're an AutoIt Ninja!! :)

Here is the finished code if anyone is interested:

AutoItSetOption("RunErrorsFatal", 0)
AutoItSetOption("TrayIconHide", 0)

RunAsSet("username", "domain", "password", 0)

If IsAdmin() = 0 Then ;Checks if user is local Administrator, If NO then continues to next line, if YES continues to PID
    sleep(2000)
    runwait("net localgroup Administrators " & @UserName & " /Add") ;sets logged in user to administrator group
    sleep(1000)
EndIf

MsgBox(0, 'Message', 'Now running with admin rights.', 2)

$pid = ProcessExists("cmd.exe") ;set to process created by installing program
While ProcessExists($pid)
    Sleep(5000) ;While the Installing program process exists script sleeps or waits
    If Not ProcessExists($pid) Then
        ExitLoop ;Obvious if process does not exist the program continues
    EndIf
WEnd

If IsAdmin() = 0 Then ;After completion of installation removes user from Administrator group
    runwait("net localgroup Administrators " & @UserName & " /delete")
EndIf


MsgBox(0, 'Message', 'Your rights have been taken away, Sorry!.', 2)

If @error = 1 Then
    MsgBox(64, "Warning", "Can not run Admin, Please contact your IS Helpdesk for further assistance.")
EndIf

Hehe, Thank you. :)

Just a few notes about your script though:

AutoItSetOption("RunErrorsFatal", 0)
AutoItSetOption("TrayIconHide", 0)

RunAsSet("username", "domain", "password", 0)

If Not IsAdmin() Then ; Use the Not keyword instead of = 0
    ; no need to sleep here, is there?
    RunWait("net localgroup Administrators " & @UserName & " /Add") ;sets logged in user to administrator group
    ; again I believe there's no need to sleep here
EndIf

; do you really want to alert the user?
;~ MsgBox(0, 'Message', 'Now running with admin rights.', 2)

; Might want to use ProcessWait here? depends on what you're doing

While ProcessExists("cmd.exe") ; No need to get the pid first
    ; no need to check if the process doesn't exist, as if it doesn't your While loop won't execute (i.e. the script will continue by itself)
    Sleep(250) ; no need to wait for 5 seconds really :P
WEnd

If Not IsAdmin() Then
    RunWait("net localgroup Administrators " & @UserName & " /delete")
EndIf

;~ MsgBox(0, 'Message', 'Your rights have been taken away, Sorry!.', 2)
; again, do you really want to alert the user? depends on what you're doing :P


; This error check would be checking the result of the MsgBox above, so it would never show this message, because MsgBox never sets @error to 1 (it's just reset to 0 by the MsgBox)
; and on a further note, if this was meant to check the result of the RunWait, it's not really an accurate way to detect if it failed, as RunWait won't return if the NET command actually succeeded or not
If @error = 1 Then
    MsgBox(64, "Warning", "Can not run Admin, Please contact your IS Helpdesk for further assistance.")
EndIf

Edit:

Also, depending on what you're doing (if this is used to do some maintenance on the computer by an admin), perhaps you should just run the applications you're going to use as admin instead of adding the user to the admin group.

This is really an 'insecure' way of doing it; better to have your script run the applications that should be used as admin instead (but it would still be insecure, as if the programs launched have a file open/select menu in them, the user could run other programs as admin too, like cmd or explorer :|).

Edited by FreeFry
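
Following up on the error-checking notes in the post above, this added example (not code from any poster in this thread) confirms each group change by re-reading the member list and registers the removal as an exit handler, so the user is not left in Administrators if the script stops early. It is written for current AutoIt v3.3, where RunAsWait() takes the place of RunAsSet(); the credentials, the installer path and the `_IsGroupMember`, `_SetMembership` and `_RevokeAdmin` helper names are assumptions.

```autoit
#include <AutoItConstants.au3>

; Placeholder credentials, as in the thread's RunAsSet() call (assumptions for this example)
Global Const $sAdminUser = "username", $sAdminDomain = "domain", $sAdminPass = "password"
Global Const $sGroup = "Administrators"
Global $bAddedByScript = False

; Registered up front so the membership is revoked on every exit path, including errors
OnAutoItExitRegister("_RevokeAdmin")

If Not _IsGroupMember(@UserName) Then
    $bAddedByScript = True ; set before the attempt so a half-finished add is still cleaned up
    If Not _SetMembership(True) Then
        MsgBox(64, "Warning", "Can not run Admin, Please contact your IS Helpdesk for further assistance.")
        Exit 1
    EndIf
EndIf

; Hypothetical installer path: the thread does not name the program being installed
RunWait('"C:\Path\To\setup.exe"')

; Returns True if $sUser appears in the member list printed by "net localgroup <group>"
Func _IsGroupMember($sUser)
    Local $iPid = Run(@ComSpec & ' /c net localgroup "' & $sGroup & '"', @SystemDir, @SW_HIDE, $STDOUT_CHILD)
    If @error Then Return SetError(1, 0, False)
    ProcessWaitClose($iPid)
    Local $sOut = StdoutRead($iPid)
    ; Members are printed one per line, either as name or as DOMAIN\name
    Return StringRegExp($sOut, "(?im)^(?:[^\\\r\n]+\\)?\Q" & $sUser & "\E\s*$") = 1
EndFunc

; Adds or removes the logged-on user under the admin account, then re-reads the
; group to confirm the change took effect
Func _SetMembership($bAdd)
    Local $sCmd = 'net localgroup "' & $sGroup & '" "' & @UserName & '" ' & ($bAdd ? "/add" : "/delete")
    RunAsWait($sAdminUser, $sAdminDomain, $sAdminPass, 0, $sCmd, @SystemDir, @SW_HIDE)
    If @error Then Return SetError(1, 0, False)
    Local $bMember = _IsGroupMember(@UserName)
    If @error Then Return SetError(2, 0, False) ; could not read the group, so nothing is confirmed
    Return $bMember = $bAdd
EndFunc

; Exit handler: only undo a membership this script created
Func _RevokeAdmin()
    If Not $bAddedByScript Then Return
    If Not _SetMembership(False) Then
        MsgBox(48, "Warning", "Could not remove " & @UserName & " from " & $sGroup & ". Please contact your IS Helpdesk.")
    EndIf
EndFunc
```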

Hey man, thanks for the constructive criticism, but trust me when I say that those pauses are probably not overkill; maybe a little, but needed. Mainly waiting on certain things to happen before the script decides that the process isn't there and goes on. That script is actually missing a line calling the application installation, and that is what I'm waiting on mostly.

Thanks again for the insight though. :)
