The attached code segment is used as follows:
1. Calling without the "privileged" flag works well with the current local SYSTEM account.
2. After setting the "privileged" flag I cannot access the local filesystem any longer, although the user for impersonation is a DOMAIN ADMIN account and can log in on the server correctly.
Whenever I run the program directly while logged in to the server it runs correctly. But I need this task to run automatically under the local SYSTEM account.
I tried to use standard impersonation with LogonUser from advapi32.dll (now removed), as well as giving user, password and domain information to Process.StartInfo, and both together. Neither works in "privileged" mode; both work very well in "standard" mode without impersonation.
The intention is to run modifiable VBS scripts from the more complex "main" program and thereby handle future modification requests and enhancements easily. A kind of "framework" using "C:\windows\system32\cscript.exe".
On the server I already changed the local security setting "Replace a process level token" to allow Local System the replacement.
Furthermore I changed the ".NET Configuration / Runtime Security Policy / Permission Set" to allow all code to execute. Nothing has worked up to now.
The server where the program should run is a domain member server running Windows 2003 R2 Enterprise Edition with SP2 installed.
The "privileged" user is a "Domain Administrator" (and therefore has enough rights on the member server).
Where is the problem? What do I have to do to get this task to run?
---- First part: running callProcedure without the "privileged" flag (runs fine):
Function callProcedure (C:\WINDOWS\system32\adm4USD, pwdresetc.vbs, "username"="any user" "password reset"="Y" )
NT AUTHORITY\SYSTEM
proc.StartInfo.Arguments=C:\WINDOWS\system32\adm4USD\pwdresetc.vbs "username"="any user" "password reset"="Y"
start
Procedure pwdresetc.vbs started at 02.07.2010 22:24:42 and exited with 0 at 02.07.2010 22:24:43
callProcedure returns:
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
++++ and output from script
--- Second part: running callProcedure WITH the "privileged" flag:
Function callProcedure (C:\WINDOWS\system32\adm4USD, pwdresetr.vbs, "username"="any user" "password reset"="Y" )
NT AUTHORITY\SYSTEM
proc.StartInfo.Arguments=C:\WINDOWS\system32\adm4USD\pwdresetr.vbs "username"="any user" "password reset"="Y"
impersonation start
admin-account-name domainname
start
Error: Access is denied
callProcedure returns:
Code:
Imports System.Diagnostics
Imports System.IO
Imports System.Security

' Runs path\procedure with params and returns whatever it writes to stdout.
' .vbs files are handed to cscript.exe. With privileged=True the child is
' started under the credentials typed into tADUser/tADPassword (form fields
' of the main program; domainname and dolog are defined there as well).
Private Function callProcedure(ByRef path As String, ByRef procedure As String, ByRef params As String, Optional ByRef privileged As Boolean = False) As String
    dolog(9, "Function callProcedure (" & path & ", " & procedure & ", " & params & ")")
    callProcedure = ""
    Dim proc As Process = New Process()
    proc.StartInfo.UseShellExecute = False            ' required for stdout redirection and for UserName/Password
    proc.StartInfo.RedirectStandardOutput = True
    proc.StartInfo.Arguments = params
    proc.StartInfo.WindowStyle = ProcessWindowStyle.Hidden
    proc.StartInfo.CreateNoWindow = True
    proc.StartInfo.FileName = path & "\" & procedure
    ' set current directory to c:\windows\system32 in order to run scripts correctly - didn't work
    dolog(9, My.User.Name)
    If LCase(Microsoft.VisualBasic.Right(proc.StartInfo.FileName, 3)) = "vbs" Then
        ' The script path becomes the first cscript argument. Quote it (""" & ... & """)
        ' if script paths may ever contain spaces; the paths used here do not.
        proc.StartInfo.Arguments = proc.StartInfo.FileName & " " & params
        proc.StartInfo.FileName = "c:\windows\system32\cscript.exe"
    End If
    dolog(9, "proc.StartInfo.Arguments=" & proc.StartInfo.Arguments)
    If privileged Then
        dolog(9, "impersonation start")
        ' With UserName/Password set, Process.Start creates the child via CreateProcessWithLogonW.
        proc.StartInfo.UserName = tADUser.Text
        proc.StartInfo.Domain = domainname
        proc.StartInfo.Password = New SecureString
        For Each c As Char In tADPassword.Text
            proc.StartInfo.Password.AppendChar(c)
        Next
        proc.StartInfo.FileName = "c:\windows\system32\whoami.exe" ' only to test access to local filesystem
        dolog(9, proc.StartInfo.UserName & " " & proc.StartInfo.Domain)
    End If
    Try
        dolog(9, "start ")
        proc.Start()
        ' Read stdout before waiting: a child that fills the stdout pipe blocks
        ' until someone reads it, so WaitForExit first can deadlock for the whole
        ' timeout. (With ReadToEnd the 10-minute limit only covers the time after
        ' the child closes stdout; BeginOutputReadLine would give a true timeout.)
        callProcedure = proc.StandardOutput.ReadToEnd()
        proc.WaitForExit(600000)
        If Not proc.HasExited Then
            dolog(1, "Procedure " & procedure & " did not exit within 10 min. Process is aborted!")
            proc.Kill()
            proc.WaitForExit()
        End If
        dolog(9, "Procedure " & procedure & " started at " & proc.StartTime & " and exited with " & proc.ExitCode & _
              " at " & proc.ExitTime)
    Catch ex As Exception
        dolog(0, "Error: " & ex.Message)   ' the caught exception, not the legacy Err object
    Finally
        proc.Dispose()
    End Try
    dolog(9, vbCrLf & "callProcedure returns: " & vbCrLf & callProcedure & vbCrLf)
End Function
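The "Access is denied" in the privileged branch matches a documented restriction rather than a missing right. When ProcessStartInfo.UserName/Password are set, Process.Start creates the child with CreateProcessWithLogonW, and the Win32 documentation for that function states that it cannot be called from a process running as LocalSystem, because it relies on the logon SID in the caller's token and the LocalSystem token has none; it points to LogonUser plus CreateProcessAsUser instead. The "Replace a process level token" right the post mentions is SeAssignPrimaryTokenPrivilege, which LocalSystem holds by default anyway. The following is an added example of that alternative route in VB.NET; it is not the poster's code or part of the original post. Assumptions: the module name RunAsFromSystem and the function RunScriptAs are hypothetical; the caller runs as LocalSystem (which has the SeAssignPrimaryTokenPrivilege and SeIncreaseQuotaPrivilege that CreateProcessAsUser needs); and the target account has the "Log on as a batch job" right for LOGON32_LOGON_BATCH (use LOGON32_LOGON_INTERACTIVE = 2 with "Allow log on locally" otherwise). Stdout is not redirected here; that would require an inheritable pipe handle in STARTUPINFO.

```vbnet
Imports System
Imports System.ComponentModel
Imports System.Runtime.InteropServices
Imports System.Text

' Added example, not the original poster's code: start cscript.exe under other
' credentials from a process that already runs as LocalSystem, using
' LogonUser + CreateProcessAsUser instead of ProcessStartInfo.UserName
' (which calls CreateProcessWithLogonW, documented as unusable from LocalSystem).
Public Module RunAsFromSystem   ' module and function names are hypothetical

    Private Const LOGON32_LOGON_BATCH As Integer = 4       ' needs "Log on as a batch job"; 2 = INTERACTIVE
    Private Const LOGON32_PROVIDER_DEFAULT As Integer = 0
    Private Const CREATE_NO_WINDOW As UInteger = &H8000000UI
    Private Const WAIT_TIMEOUT As UInteger = &H102UI

    <StructLayout(LayoutKind.Sequential, CharSet:=CharSet.Unicode)> _
    Private Structure STARTUPINFO
        Public cb As Integer
        Public lpReserved, lpDesktop, lpTitle As String
        Public dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute, dwFlags As Integer
        Public wShowWindow, cbReserved2 As Short
        Public lpReserved2, hStdInput, hStdOutput, hStdError As IntPtr
    End Structure

    <StructLayout(LayoutKind.Sequential)> _
    Private Structure PROCESS_INFORMATION
        Public hProcess, hThread As IntPtr
        Public dwProcessId, dwThreadId As Integer
    End Structure

    <DllImport("advapi32.dll", SetLastError:=True, CharSet:=CharSet.Unicode)> _
    Private Function LogonUser(ByVal lpszUsername As String, ByVal lpszDomain As String, _
        ByVal lpszPassword As String, ByVal dwLogonType As Integer, ByVal dwLogonProvider As Integer, _
        ByRef phToken As IntPtr) As Boolean
    End Function

    <DllImport("advapi32.dll", SetLastError:=True, CharSet:=CharSet.Unicode)> _
    Private Function CreateProcessAsUser(ByVal hToken As IntPtr, ByVal lpApplicationName As String, _
        ByVal lpCommandLine As StringBuilder, ByVal lpProcessAttributes As IntPtr, _
        ByVal lpThreadAttributes As IntPtr, ByVal bInheritHandles As Boolean, _
        ByVal dwCreationFlags As UInteger, ByVal lpEnvironment As IntPtr, _
        ByVal lpCurrentDirectory As String, ByRef lpStartupInfo As STARTUPINFO, _
        ByRef lpProcessInformation As PROCESS_INFORMATION) As Boolean
    End Function

    <DllImport("kernel32.dll", SetLastError:=True)> _
    Private Function WaitForSingleObject(ByVal hHandle As IntPtr, ByVal dwMilliseconds As UInteger) As UInteger
    End Function

    <DllImport("kernel32.dll", SetLastError:=True)> _
    Private Function GetExitCodeProcess(ByVal hProcess As IntPtr, ByRef lpExitCode As Integer) As Boolean
    End Function

    <DllImport("kernel32.dll", SetLastError:=True)> _
    Private Function TerminateProcess(ByVal hProcess As IntPtr, ByVal uExitCode As UInteger) As Boolean
    End Function

    <DllImport("kernel32.dll", SetLastError:=True)> _
    Private Function CloseHandle(ByVal hObject As IntPtr) As Boolean
    End Function

    ' Runs scriptPath through cscript.exe as domain\user, kills it after
    ' timeoutMs milliseconds, and returns the exit code (-1 if it was killed).
    Public Function RunScriptAs(ByVal domain As String, ByVal user As String, ByVal password As String, _
                                ByVal scriptPath As String, ByVal scriptArgs As String, _
                                ByVal timeoutMs As UInteger) As Integer
        Dim token As IntPtr = IntPtr.Zero
        If Not LogonUser(user, domain, password, LOGON32_LOGON_BATCH, LOGON32_PROVIDER_DEFAULT, token) Then
            Throw New Win32Exception(Marshal.GetLastWin32Error(), "LogonUser failed")
        End If
        Try
            Dim si As New STARTUPINFO()
            si.cb = Marshal.SizeOf(GetType(STARTUPINFO))
            Dim pi As New PROCESS_INFORMATION()
            ' Quote both paths: CreateProcessAsUser parses (and may modify) the command-line buffer.
            Dim cmd As New StringBuilder("""" & Environment.SystemDirectory & "\cscript.exe"" //Nologo """ & _
                                         scriptPath & """ " & scriptArgs)
            If Not CreateProcessAsUser(token, Nothing, cmd, IntPtr.Zero, IntPtr.Zero, False, CREATE_NO_WINDOW, _
                                       IntPtr.Zero, Environment.SystemDirectory, si, pi) Then
                Throw New Win32Exception(Marshal.GetLastWin32Error(), "CreateProcessAsUser failed")
            End If
            Try
                If WaitForSingleObject(pi.hProcess, timeoutMs) = WAIT_TIMEOUT Then
                    TerminateProcess(pi.hProcess, 1)
                    Return -1
                End If
                Dim exitCode As Integer
                GetExitCodeProcess(pi.hProcess, exitCode)
                Return exitCode
            Finally
                CloseHandle(pi.hThread)
                CloseHandle(pi.hProcess)
            End Try
        Finally
            CloseHandle(token)   ' the logon token is a handle and must be closed
        End Try
    End Function
End Module
```

In the privileged branch of callProcedure this would be called as RunScriptAs(domainname, tADUser.Text, tADPassword.Text, path & "\" & procedure, params, 600000). Two caveats a deployment like this should weigh: if the child still fails with ERROR_ACCESS_DENIED at start-up, the target account may need access to the service's window station and desktop (lpDesktop is left empty here, so the child inherits the caller's); and keeping a Domain Administrator password inside a service on a member server turns that server into a pivot into the whole domain, so a dedicated account that holds only the rights the scripts need is the safer choice.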