Find out (read) logged in user in a cmd started as a different user

  • Find out (read) logged in user in a cmd started as a different user

    Hi!

    I'm working on a script that gives users temporary membership in the Administrators group. I want to give the logged in user Administrators group membership to run things as administrator, but not to log in with admin privileges.

    The problem is that to be able to add a user to the Administrators group, I need to start cmd.exe as admin or SYSTEM, but this causes the %username% environment variable to change to the user that was used to start cmd.exe and not the logged in user. So I need a way to read the logged in user's username from somewhere to be able to use it in the net localgroup command.

    Any ideas anyone? Let me know if I need to clarify the description.

    Thanks
    Dennis
    Last edited by dennism; 28th December 2010, 14:30. Reason: clarified description a little bit

  • #2
    Re: Find out (read) logged in user in a cmd started as a different user

    Users cannot add themselves to the admin group. Only admins can add users to the admin group. Just create a local admin account on the machine that is separate from their user account. If they need to do something as an admin, Windows 7 will prompt them for credentials. Then they just enter the password for the local admin account. It should be that simple.



    • #3
      Re: Find out (read) logged in user in a cmd started as a different user

      Sorry, I'm not sure what you are trying to achieve, in that I cannot see what it is you want the logged in user to be able to do as admin or system, but here is a suggestion which may help you:

      You may consider something along these lines: Run a script as the logged in user, (before the Administrator script runs). This script says something like:
      Code:
      echo net localgroup Administrators "%username%" /add > C:\wherever\addmetoadmin.cmd
      (or whatever it is you want your net command to say). Because the above was run as the logged in user, the name will be his.

      Last, run that as admin or system (just as you currently are doing). The username embedded in the addmetoadmin.cmd file will be the logged in user.

      Or you can run this as the logged in user to put their name into a file:

      Code:
      echo "%username%" > C:\wherever\loggedinusername.txt
      Note that to be useful, I have placed those files in a fixed folder (C:\wherever) so that the Admin or SYSTEM can find them (otherwise they'd go into the logged in user's home folder).
      Best wishes,
      PaulH.
      MCP:Server 2003; MCITP:Server 2008; MCTS: SBS2008



      • #4
        Re: Find out (read) logged in user in a cmd started as a different user

        Hi Paul!

        Thanks for your answer. This solution does exactly what I was not able to achieve =).

        Just create a local admin account on the machine that is separate from their user account. If they need to do something as an admin, Windows 7 will prompt them for credentials. Then they just enter the password for the local admin account. It should be that simple.
        This was something that I thought about and tried also, but it is not as good as this option because it requires another password to give out to the user. Administratively it is easier (and more secure in a way) to just start the script and let the user know that they have the rights now, without having to provide them with another password.

        Originally posted by PaulH
        Sorry, I'm not sure what you are trying to achieve, in that I cannot see what it is you want the logged in user to be able to do as admin or system, but here is a suggestion which may help you:

        You may consider something along these lines: Run a script as the logged in user, (before the Administrator script runs). This script says something like:
        echo net localgroup Administrators "%username%" /add > C:\wherever\addmetoadmin.cmd
        (or whatever it is you want your net command to say). Because the above was run as the logged in user, the name will be his.

        Last, run that as admin or system (just as you currently are doing). The username embedded in the addmetoadmin.cmd file will be the logged in user.
        This should of course work perfectly (I did also try it locally). Sadly though I now have another problem that prevents me from proceeding with this. Novell ZENworks 10, which I'm using to run this script on the client PCs, reads computername$ from %username%, which is incorrect behaviour, and I'll have to send them a ticket about that.
        So I'll have to wait for that to be fixed before being able to return to this.

        Appreciate your help!
        - Dennis



        • #5
          Re: Find out (read) logged in user in a cmd started as a different user

          I'm curious what the benefits of this are over the separate admin account. Just for my own personal knowledge. I've always used a separate admin account for developers, etc. that require it for configuring and testing purposes. But that's just because it's how it was always done. Is there something I am missing that makes the script a better solution?



          • #6
            Re: Find out (read) logged in user in a cmd started as a different user

            I am not sure what good the script would do the user.
            As far as I am aware, changes to group membership require the user to log off and log on again before they become effective.

            Therefore, this is the easiest solution.
            Just create a local admin account on the machine that is separate from their user account. If they need to do something as an admin, Windows 7 will prompt them for credentials. Then they just enter the password for the local admin account. It should be that simple.
            It does, however, enable the users to just install whatever they want on the machines whenever they want to. From an administrator's point of view this is not desired.



            • #7
              Re: Find out (read) logged in user in a cmd started as a different user

              Hey!

              The purpose of the script is to enable Helpdesk to quickly provide a user temporary admin rights for a specific computer (e.g. in a sudden critical production issue) without having to check that the privileges are removed after the issue has been solved.
              The script works like this:
              - add user to Administrators group
              - wait for a specified amount of time
              - remove user from Administrators group

              The benefits of giving the rights to the logged in user are:
              - no need for an additional password
              - no need to re-login*
              * = yes, I've also always thought this is how it is, but I just found out it isn't exactly =). When the user is in the Administrators group, they can run programs as administrator. This is much better (sunseeker11), specifically from an administrator's point of view, since they won't get administrator privileges in their logon session, but only if they run a process using their user name and password.
              - if the user logs off or powers the PC down causing the script to fail, the Administrators membership is removed during login (by ZENworks Dynamic Local User policy). With a secondary local user, ZENworks DLUP would not reset the rights, because it controls the rights of the user that logs in (of course it requires that the user logs in with his/her own username, but it is very unlikely that they wouldn't).

              Anyway, as I've worked on this "minimal-management-temporary-admin-rights" thingy, I've come to the conclusion that it is more reliable to do it like this.

              I actually found a workaround for the problem I mentioned earlier and now the script is working as planned, yay!

              -Dennis
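              The two halves described in this thread (PaulH's "record %username% from the user's own session" trick in #3 and Dennis's add / wait / remove sequence in #7) combined into one batch file, as an added example that is not code from either poster. The state file path, log path and the 1800-second window are assumptions; `record` is run in the logged-in user's session and `grant` is run elevated (admin or SYSTEM).

```batch
@echo off
rem Added example (not from the thread): temporary local-admin membership.
rem "record" runs as the logged-in user and saves %username% to a fixed path;
rem "grant" runs elevated, reads that name, adds it, waits, then removes it.
rem STATEFILE, LOGFILE and GRANT_SECONDS are assumed values.
setlocal EnableDelayedExpansion
set "STATEFILE=C:\wherever\loggedinusername.txt"
set "LOGFILE=C:\wherever\tempadmin.log"
set "GRANT_SECONDS=1800"

if /i "%~1"=="record" goto :record
if /i "%~1"=="grant"  goto :grant
echo usage: %~nx0 record ^| grant
exit /b 2

:record
rem In the interactive session %username% is the logged-in user, not the
rem elevating account. Write it bare (no quotes) so the elevated side reads a
rem clean token with set /p.
>"%STATEFILE%" echo %username%
exit /b 0

:grant
rem Refuse to do anything if the user-side step never ran.
if not exist "%STATEFILE%" (
    echo %STATEFILE% missing; run "%~nx0 record" as the logged-in user first.
    exit /b 1
)
set /p TARGETUSER=<"%STATEFILE%"
if "!TARGETUSER!"=="" exit /b 1
rem Guard against the computername$ case from post #4: never grant a machine
rem account (names ending in $) membership.
if "!TARGETUSER:~-1!"=="$" exit /b 1
rem Skip accounts that are already members so the later /delete cannot strip
rem a permanent admin.
net localgroup Administrators | findstr /i /x /c:"!TARGETUSER!" >nul && (
    echo !TARGETUSER! is already an administrator; nothing to do.
    exit /b 0
)
echo %date% %time% GRANT !TARGETUSER! >>"%LOGFILE%"
net localgroup Administrators "!TARGETUSER!" /add || exit /b 1
rem timeout /t waits the given seconds; /nobreak ignores keypresses.
timeout /t %GRANT_SECONDS% /nobreak >nul
net localgroup Administrators "!TARGETUSER!" /delete
echo %date% %time% REVOKE !TARGETUSER! >>"%LOGFILE%"
del /q "%STATEFILE%"
exit /b 0
```

              The log lines give the helpdesk a record of who was granted and when the window closed, which matters if the PC is powered off mid-wait and the removal step never runs (the ZENworks DLU reset mentioned in #7 is what covers that case).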
