Run Logon Script as domain admin

  • Run Logon Script as domain admin

    I have a VBScript that moves computer objects through Active Directory, so the logon script should run under domain admin privileges.
    I have 2 problems:
    1. With runas I could not save passwords.
    2. The netlogon share is open for all domain users and I don't want them to read the script, because they will see the password of the domain admin.

    please help,

    Aviv Hassidim

    [email protected]

  • #2
    Re: Run Logon Script as domain admin

    I have a VBScript that moves computer objects through Active Directory, so the logon script should run under domain admin privileges.
    2 problems:
    1. With runas I could not save passwords.
    2. The netlogon share is open for all domain users and I don't want them to read the script, because they will see the password of the domain admin.
    Of course, first you have to ask yourself the question "Is it really that important, even if I must use alternate credentials during user logon for it?", and secondly "How long am I planning to use this script? And during that period, how do I keep the domain as safe as possible?".

    Although I'm answering your question, note that I do not promote the use of these kinds of scripts!

    Two ways to use alternate credentials:
    1. Bind to the DC using alternate credentials
    2. Use tools (command lines) that support alternate credentials
    Forget option 1!
    With option 2 it might not even be necessary for the account to be a member of the group 'Domain Admins', since moving objects in Active Directory is a task that can be delegated.
    Therefore:
    Create a new security group in Active Directory: "Engineering Administrators"
    Create a special user account: Engineer01 (user cannot change password, password never expires)
    Make that account a member of the new group
    Make the group its primary group and delete all the other memberships.
    In ADUC select the desired OUs
    Right-click on them -> 'Delegate control'
    Delegation Wizard - select the new group
    Give the group Full control

    For moving the computer objects you can use DSMOVE.exe. This tool supports alternate credentials.

    The credentials of the special user can be stored in the GPO as 'script parameters' instead of in the script itself.

    Example script (the move is based on site name here):
    Code:
    ' ======================================================================
    '| name  :  DSMoveAs.vbs
    '| author:  Remco Simons [nl] 2007
    '|
    '| ( http://forums.petri.com/showthread.php?t=18003 )
    ' ======================================================================
    '
    ' This script accepts credentials from the command line.
    ' Usage with GPO:
    ' Scripts / LogonScript / scriptName       -> scriptname.vbs
    ' Scripts / LogonScript / ScriptParameters -> /u:"domain\user" /p:"password"
    ' (this user does not necessarily have to be a member of the Domain Admins
    '  group; you can just delegate control over the OUs to it)
    '
    ' This script can move computer objects in Active Directory.
    ' You have to copy 'dsmove.exe' to a central share.

    ' Where this computer currently lives in AD, and which site it is in
    Set objSysInfo = CreateObject("ADSystemInfo")
    strComputerDN  = objSysInfo.ComputerName              ' e.g. CN=PC01,CN=Computers,DC=domain,DC=local
    strComputerRDN = Split(strComputerDN, ",")(0)         ' e.g. CN=PC01
    strCurrentOU   = Replace(strComputerDN, strComputerRDN & ",", "")
    strCurrentSite = UCase(objSysInfo.SiteName)

    ' Tool (copied to a share every client can read)
    pathDSMOVE = "\\domain.local\sysvol\domain.local\scripts\Dsmove.exe"

    ' Alternate credentials, read from the GPO script parameters (/u: and /p:)
    Set Named = WScript.Arguments.Named
    strUser   = Empty
    strSecret = Empty
    If Named.Exists("u") Then strUser   = Named.Item("u")
    If Named.Exists("p") Then strSecret = Named.Item("p")
    ' Passed through to dsmove.exe as its -u / -p command-line options
    altCredentials = " -u """ & strUser & """ -p """ & strSecret & """"

    ' Site names (compared case-insensitively)
    strSiteName1 = UCase("New-York")
    strSiteName2 = UCase("washington")

    ' Conditional run: move only when the computer is not already in the target OU
    If (strCurrentSite = strSiteName1) Then
      strNewOU = "CN=computers,DC=domain,dc=Local"
      If Not UCase(strCurrentOU) = UCase(strNewOU) Then
        Call MoveObject(pathDSMOVE, strComputerDN, strNewOU, altCredentials)
      End If
    ElseIf (strCurrentSite = strSiteName2) Then
      strNewOU = "ou=workstations,DC=domain,dc=Local"
      If Not UCase(strCurrentOU) = UCase(strNewOU) Then
        Call MoveObject(pathDSMOVE, strComputerDN, strNewOU, altCredentials)
      End If
    End If

    ' Runs: dsmove.exe "<computer DN>" -newparent "<target OU>" -u "<user>" -p "<password>"
    ' with a hidden window (style 0) and waits for it to finish (True)
    Sub MoveObject(pathDsmove, strComputerDN, targetOU, credentials)
      With WScript.CreateObject("WScript.Shell")
        strCommand = pathDsmove & " """ & strComputerDN & """ " _
                   & "-newparent """ & targetOU & """ " _
                   & credentials
        .Run "%comspec% /c @call " & strCommand, 0, True
      End With
    End Sub
    Paste this code in your main logon script.
    This script does not use 'Runas', and the script itself does not contain the credentials.
    Other benefits of this method are that it is not necessary to start a separate script from within the logon script, and the special account does not have to be a member of the Domain Admins.

    Change the password of the special user on a regular basis.
    (and then don't forget to change it in the GPO too)


    \Rems


    EDIT -

    Tip: controlling 'delegation of control'.
    In ADUC click 'View' from the menu
    Check 'Advanced features'
    Next, right-click on the OU -> select 'Properties'
    Now you can see there is a new tab 'Security'
    In the list on that tab you can find the new group.
    After the new settings are made, you can disable 'Advanced features' again.
    Last edited by Rems; 28th August 2007, 08:56. Reason: move only to an 'OTHER' ou

    This posting is provided "AS IS" with no warranties, and confers no rights.

    __________________

    ** Remember to give credit where credit's due **
    and leave Reputation Points for meaningful posts



    • #3
      Re: Run Logon Script as domain admin

      In addition to Rems' excellent solution, it is also possible to encrypt scripts which contain credentials so that they cannot be read by unauthorised users; they can only be run. That way you can use "RunAs" within the script, including the credentials, but only the script writer will be able to open the script for reading or editing.


      Tom
      For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

      Anything you say will be misquoted and used against you



      • #4
        Re: Run Logon Script as domain admin

        Thank you all!!

        I saw your script that moves computers based on site name and I want to use it in my domain.
        By default any new computer belongs to the "Computers" folder in AD.
        I have two sites.
        How can I know to which site the computer belongs?



        • #5
          Re: Run Logon Script as domain admin

          A client computer itself determines at startup the site it is in. This is not a property of the computer you can find in Active Directory.
          Originally posted by http://www.windowsitpro.com/Articles/ArticleID/45471/45471.html

          How can a client computer determine which site it belongs to?

          A client computer ascertains which site it currently resides in when the computer starts. As part of the initial startup traffic, clients attempt to locate a domain controller (DC) for their domain. (This search occurs early in the startup process; if you use DHCP, it occurs just after the address is leased or renewed.) If the client currently has no DynamicSiteName registry value--which indicates the site in which the client was located when it was last started--the client performs a generic DNS query for any Lightweight Directory Access Protocol (LDAP) service by using the DNS query format
          _ldap._tcp.dc._msdcs.

          If the client previously resided in a site and therefore has a DynamicSiteName registry value, the DNS query tries to find a DC in that site by using the following query format:
          _ldap._tcp.._sites.dc._msdcs.

          When the client finds a DC, the client issues a UDP LDAP request asking for Netlogon-service information from the DC; the DC returns a SearchResponse (4) message, which lists the DC's local site and the client's site name, according to the client's IP address, if the queried DC isn't from the client's current local site. If the DNS query can't match a client's IP address to a defined site, it doesn't return a recommended site, only the DC's current site. The following sample packets show three types of DNS query responses. The first example shows the results of a client querying a DC that's within the client's IP-calculated site:
          00000020 30 84 00 00 00 8B                                0.....
          00000030 02 01 02 64 84 00 00 00 82 04 00 30 84 00 00 00  ...d.......0....
          00000040 7A 30 84 00 00 00 74 04 08 6E 65 74 6C 6F 67 6F  z0....t..netlogo
          00000050 6E 31 84 00 00 00 64 04 62 17 00 00 00 FD 01 00  n1....d.b.......
          00000060 00 68 CC 80 31 3C AF B7 4F B7 43 EF 17 8D F4 4F  .h..1<..O.C....O
          00000070 99 0A 73 61 76 69 6C 6C 74 65 63 68 03 63 6F 6D  ..savilltech.com
          00000080 00 C0 18 0A 73 61 76 64 61 6C 64 63 30 31 C0 18  ....savdaldc01..
          00000090 0A 53 41 56 49 4C 4C 54 45 43 48 00 0A 53 41 56  .SAVILLTECH..SAV
          000000A0 44 41 4C 44 43 30 31 00 00 06 44 61 6C 6C 61 73  DALDC01...Dallas
          000000B0 00 C0 50 05 00 00 00 FF FF FF FF 30 84 00 00 00  ..P........0....
          000000C0 10 02 01 02 65 84 00 00 00 07 0A 01 00 04 00 04  ....e...........
          000000D0 00


          The next example shows the results of a client querying a DC that isn't local to the client's site:
          00000020 30 84 00 00 00 90                                0.....
          00000030 02 01 02 64 84 00 00 00 87 04 00 30 84 00 00 00  ...d.......0....
          00000040 7F 30 84 00 00 00 79 04 08 6E 65 74 6C 6F 67 6F  0....y..netlogo
          00000050 6E 31 84 00 00 00 69 04 67 17 00 00 00 7D 01 00  n1....i.g....}..
          00000060 00 68 CC 80 31 3C AF B7 4F B7 43 EF 17 8D F4 4F  .h..1<..O.C....O
          00000070 99 0A 73 61 76 69 6C 6C 74 65 63 68 03 63 6F 6D  ..savilltech.com
          00000080 00 C0 18 0A 73 61 76 64 61 6C 64 63 30 31 C0 18  ....savdaldc01..
          00000090 0A 53 41 56 49 4C 4C 54 45 43 48 00 0A 53 41 56  .SAVILLTECH..SAV
          000000A0 44 41 4C 44 43 30 31 00 00 06 44 61 6C 6C 61 73  DALDC01...Dallas
          000000B0 00 05 41 6C 6C 65 6E 00 05 00 00 00 FF FF FF FF  ..Allen.........
          000000C0 30 84 00 00 00 10 02 01 02 65 84 00 00 00 07 0A  0........e......
          000000D0 01 00 04 00 04 00                                ......


          Notice that the query initially returns a site named Dallas, then returns a second site, Allen. In this case, Dallas is the site of the DC (savdaldc01), but the response is telling the client that it should instead find a DC in the Allen site (which it would find via a DNS query specifying the Allen site).

          The final sample packet shows the response when the DNS query can't match the client's IP address with sites defined in the Active Directory (AD):
          00000020 30 84 00 00 00 8A                                0.....
          00000030 02 01 02 64 84 00 00 00 81 04 00 30 84 00 00 00  ...d.......0....
          00000040 79 30 84 00 00 00 73 04 08 6E 65 74 6C 6F 67 6F  y0....s..netlogo
          00000050 6E 31 84 00 00 00 63 04 61 17 00 00 00 7D 01 00  n1....c.a....}..
          00000060 00 68 CC 80 31 3C AF B7 4F B7 43 EF 17 8D F4 4F  .h..1<..O.C....O
          00000070 99 0A 73 61 76 69 6C 6C 74 65 63 68 03 63 6F 6D  ..savilltech.com
          00000080 00 C0 18 0A 73 61 76 64 61 6C 64 63 30 31 C0 18  ....savdaldc01..
          00000090 0A 53 41 56 49 4C 4C 54 45 43 48 00 0A 53 41 56  .SAVILLTECH..SAV
          000000A0 44 41 4C 44 43 30 31 00 00 06 44 61 6C 6C 61 73  DALDC01...Dallas
          000000B0 00 00 05 00 00 00 FF FF FF FF 30 84 00 00 00 10  ..........0.....
          000000C0 02 01 02 65 84 00 00 00 07 0A 01 00 04 00 04 00  ...e............


          Notice in these examples that if the client's IP address matches the queried DC's site, a "P" (preferred) character appears after the site name, as line 19 in the first example shows; if there's no match, the "P" doesn't appear and because the preferred site name is blank, the response means the DNS query found no matching site. Thus the client doesn't reside within the boundary of any known site and will therefore randomly use any existing DC.

          You can also determine a client's site either by running the command
          Code:
          nltest /dsgetsite
          or by using the following code in a script:
          Code:
          Set oSysInfo = CreateObject("ADSystemInfo")
            MsgBox oSysInfo.SiteName
          To reset the client and discover information about the client's site, run the following command:
          Code:
          nltest /sc_reset:domain-name\local-dc
          It's important that client machines don't have IP addresses outside of defined sites. Certain services, such as the Microsoft Exchange System Attendant, won't start if the site's membership can't be discovered.
          The computer already knows the present site name when the logon script (from the previous reply) is processed.

          If you want to find out the site name of a remote computer you can use this script:
          Code:
          ' ======================================================================
          '| name  :  Get SiteName from a Remote Computer.vbs
          '| author:  Remco Simons [nl] 2007
          '|
          '| ( http://forums.petri.com/showthread.php?t=18003 )
          ' ======================================================================

          On Error Resume Next

          sComputer = InputBox(vbNewLine & vbNewLine & vbNewLine _
                      & "Enter Computername:", "~ Get Site-Name ~", ".")

          'Global constants and variables
          Const HKEY_LOCAL_MACHINE = &H80000002

          ' Site the Netlogon service discovered at startup
          sKeyA   = "SYSTEM\CurrentControlSet\Services\Netlogon\Parameters"
          sValueA = "DynamicSiteName"

          ' Fallback: site name recorded during Group Policy processing
          sKeyB   = "SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine"
          sValueB = "Site-Name"

          'Connect with WMI service and StdRegProv class.
          If sComputer = "." Or IsConnectable(sComputer) Then
            Set oRegistry = GetObject("winmgmts:{impersonationLevel=impersonate}//" & _
                            sComputer & "/root/default:StdRegProv")
            sMethod = "GetStringValue"
            Set oMethod  = oRegistry.Methods_(sMethod)
            Set oInParam = oMethod.InParameters.SpawnInstance_()

            ' Try the Netlogon value first, then the Group Policy value
            bFound = ReadStringValue(HKEY_LOCAL_MACHINE, sKeyA, sValueA, sSite)
            If Not bFound Then
              bFound = ReadStringValue(HKEY_LOCAL_MACHINE, sKeyB, sValueB, sSite)
            End If
            If bFound Then
              WScript.Echo "Computer:", sComputer, vbNewLine, "SiteName:", sSite
            Else
              MsgBox sComputer & " is resisting the request"
            End If
          Else
            WScript.Echo "Computer", sComputer, "does not exist or is currently not connected"
          End If

          WScript.Quit(0)


          Function IsConnectable(sComputer)
            'This routine works only for Windows XP and newer.
            'For older versions of Windows: http://groups.google.co.uk/group/microsoft.public.scripting.vbscript/msg/fd925a383d88045d
            IsConnectable = False
            Set colItems = GetObject("winmgmts:{impersonationLevel=impersonate}").ExecQuery _
              ("SELECT StatusCode FROM Win32_PingStatus WHERE Address = '" & sComputer & "'")
            For Each objItem In colItems
              ' StatusCode 0 = ping reply received
              If objItem.StatusCode = 0 Then IsConnectable = True
            Next
          End Function

          ' Reads a REG_SZ value through StdRegProv.GetStringValue.
          ' Returns True and puts the data in sData when the value exists;
          ' returns False when the call fails or the value is missing
          ' (a missing value is reported through ReturnValue, not through Err).
          Function ReadStringValue(hTree, sKey, sValue, sData)
            ReadStringValue = False
            On Error Resume Next
            oInParam.hDefKey     = hTree
            oInParam.sSubKeyName = sKey
            oInParam.sValueName  = sValue
            Set oOutParam = oRegistry.ExecMethod_(sMethod, oInParam)
            If Err = 0 Then
              If oOutParam.ReturnValue = 0 Then
                sData = oOutParam.Properties_("sValue").Value
                ReadStringValue = True
              End If
            Else
              Err.Clear
            End If
          End Function
          \Rems

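          The three packet dumps in the quoted article carry the DC's answer to the Netlogon "LDAP ping" as the value of the netlogon attribute in the SearchResultEntry. The following Python example is added here and is not part of the thread or of the quoted article: it decodes that value (the NETLOGON_SAM_LOGON_RESPONSE_EX layout documented in MS-ADTS: opcode, flags, domain GUID, then the forest, domain, host, NetBIOS, DC-site and client-site names in DNS-style compressed form) and applies the same-site / other-site / no-site rule the article describes. The byte strings are the three netlogon OCTET STRING values transcribed from the dumps above (the bytes following 04 62, 04 67 and 04 61); the function and constant names are the example's own. One thing the decoder makes visible: the "P" the article points at in the ASCII column is the second byte of the C0 50 compression pointer that makes ClientSiteName refer back to DcSiteName ("Dallas"), which is why it only appears when the client is in the DC's own site.

          ```python
          """Decode the 'netlogon' attribute value a DC returns to an LDAP ping.

          Added example. The byte strings are the three netlogon values transcribed
          from the packet dumps in the quoted article; the parser is example code,
          not code from the thread."""
          import struct
          import uuid

          LOGON_SAM_LOGON_RESPONSE_EX = 0x17   # Opcode of this response format

          # DS_FLAG bits of the Flags field (names as in MS-ADTS); only those used here
          DS_FLAGS = {
              0x0001: "PDC", 0x0004: "GC", 0x0008: "LDAP", 0x0010: "DS",
              0x0020: "KDC", 0x0040: "TIMESERV", 0x0080: "CLOSEST", 0x0100: "WRITABLE",
          }

          # Bytes shared by all three dumps: end of the flags, domain GUID, forest /
          # domain / host / NetBIOS names, empty UserName and DcSiteName "Dallas"
          _COMMON = (
              "00 68 CC 80 31 3C AF B7 4F B7 43 EF 17 8D F4 4F "
              "99 0A 73 61 76 69 6C 6C 74 65 63 68 03 63 6F 6D "
              "00 C0 18 0A 73 61 76 64 61 6C 64 63 30 31 C0 18 "
              "0A 53 41 56 49 4C 4C 54 45 43 48 00 0A 53 41 56 "
              "44 41 4C 44 43 30 31 00 00 06 44 61 6C 6C 61 73 ")
          # ClientSiteName is a pointer (C0 50) back to "Dallas": same site as the DC
          SAME_SITE = bytes.fromhex("17 00 00 00 FD 01 00 " + _COMMON + "00 C0 50 05 00 00 00 FF FF FF FF")
          # ClientSiteName is "Allen": the client should look for a DC in that site
          OTHER_SITE = bytes.fromhex("17 00 00 00 7D 01 00 " + _COMMON + "00 05 41 6C 6C 65 6E 00 05 00 00 00 FF FF FF FF")
          # ClientSiteName is empty: the client's IP matches no defined site
          NO_SITE = bytes.fromhex("17 00 00 00 7D 01 00 " + _COMMON + "00 00 05 00 00 00 FF FF FF FF")


          def read_compressed_name(buf, pos):
              """Read one DNS-style compressed name at buf[pos].

              Each label is length-prefixed and a zero byte ends the name; a byte with
              the top two bits set (0xC0) is a 14-bit pointer to an earlier offset in
              the same response (RFC 1035 style) and also ends the name.
              Returns (name, offset of the next field)."""
              labels, resume, hops = [], None, 0
              while True:
                  length = buf[pos]
                  if length & 0xC0 == 0xC0:
                      if resume is None:
                          resume = pos + 2           # the pointer is the end of this field
                      hops += 1
                      if hops > 16:                  # guard against pointer loops
                          raise ValueError("compression pointer loop")
                      pos = ((length & 0x3F) << 8) | buf[pos + 1]
                      continue
                  if length == 0:
                      pos += 1
                      break
                  labels.append(buf[pos + 1:pos + 1 + length].decode("ascii"))
                  pos += 1 + length
              return ".".join(labels), (pos if resume is None else resume)


          NAME_FIELDS = ("DnsForestName", "DnsDomainName", "DnsHostName",
                         "NetbiosDomainName", "NetbiosComputerName", "UserName",
                         "DcSiteName", "ClientSiteName")


          def parse_netlogon_response(blob):
              """Parse a NETLOGON_SAM_LOGON_RESPONSE_EX (NtVersion 5EX, no IP/next-site options)."""
              opcode, _sbz, flags = struct.unpack_from("<HHI", blob, 0)
              if opcode != LOGON_SAM_LOGON_RESPONSE_EX:
                  raise ValueError(f"unexpected opcode 0x{opcode:04x}")
              info = {"Flags": [name for bit, name in DS_FLAGS.items() if flags & bit],
                      "DomainGuid": str(uuid.UUID(bytes_le=blob[8:24]))}
              pos = 24
              for field in NAME_FIELDS:
                  info[field], pos = read_compressed_name(blob, pos)
              info["NtVersion"], info["LmNtToken"], info["Lm20Token"] = struct.unpack_from("<IHH", blob, pos)
              if pos + 8 != len(blob):
                  raise ValueError("unexpected trailing bytes")
              return info


          def site_decision(info):
              """The rule the article describes, applied to a parsed response."""
              client, dc = info["ClientSiteName"], info["DcSiteName"]
              if not client:
                  return ("no-site", "")      # IP matches no site; client will use any DC
              if client == dc:
                  return ("same-site", dc)    # the queried DC is in the client's own site
              return ("redirect", client)     # find a DC in the client's site instead


          if __name__ == "__main__":
              for label, blob in (("same site", SAME_SITE), ("other site", OTHER_SITE), ("no site", NO_SITE)):
                  info = parse_netlogon_response(blob)
                  print(label, "->", info["DcSiteName"], repr(info["ClientSiteName"]),
                        site_decision(info), info["Flags"])
          ```

          Running it stand-alone prints the DC site, the client site and the decision for each of the three dumps; the second dump also lacks the CLOSEST flag (0x80), which is the DC's own way of saying it is not in the client's site.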



          • #6
            Re: Run Logon Script as domain admin

            Thank you a lot...
