Server Solver
The Invisible Administrator
Running an application or a batch file on a user's desktop with a different credential
Zubair: We need to run an application on a user's desktop
that requires administrative privileges. We also need to execute certain
batch files on workstations that require administrative privileges. I'd
like to use the RunAs utility but, unfortunately, it doesn't support passwords
in a script. Our users are using Windows XP Professional and our company
policy dictates that they should not be given administrative rights on
their workstations.
Can you recommend any solution that will accomplish what we want? If
I could use RunAs, that would be great. But, I am also open to other suggestions.
Steve
Steve: You've mentioned the RunAs utility, which can be handy
in a lot of situations. For example, if end users don't have administrative
privileges on their client computers, you can use RunAs to run an application
or a script in the background. However, RunAs doesn't allow you to enter
a password in a script. So, if you use Group Policy to deploy a script
that uses the RunAs command, the user may get prompted for a password,
depending on the script.
Here's a solution that I've come up with to solve your particular situation.
(And, at the end of this column, I do ask for readers to offer other techniques
or a better method to accomplish the results with RunAs; a book will go
to the best one.) This example uses a batch file that includes RunAs,
and enters the local Administrator password on the client workstation,
then executes the script that updates the time. The example only shows
you the capabilities of the script and the type of things that you can
do with this technique. Obviously, you can achieve the result of updating
time in many other ways. I use this example only to demonstrate the point,
since I don't know exactly which batch files you want to run. I've broken
down the solution into three steps:
1. Create a batch file, for example SetTime.bat, which includes
the following commands:
@echo off
cls
REM Map a drive to the computer if it's not in your
REM own domain. To map to a computer called London with
REM an Administrator password of "password", use the
REM following command.
net use z: \\london\c$ /user:administrator password
REM Now update the time on your local computer by
REM providing the domain name for Nwtraders domain
REM where the DC London exists.
net time /DOMAIN:nwtraders /set /y
REM Disconnect the drive that was mapped.
net use z: /d
You only need to map drives if the time server is not in the same domain.
Also, you can use any other program or command instead of updating the time.
The drive mapping and "net time" are only used here for demonstration
purposes.
2. Download the Sanur utility from TechGalaxy
Downloads and install it locally on the client computer. Sanur is
a freeware tool that allows you to "pipe" a password into the
RunAs utility. Make sure that both the Sanur program and the batch file
are on the path, or run it from the appropriate folder where the files
are located.
3. Create a batch file (e.g. Go.bat) that includes the RunAs command.
Make sure the echo is off or else the user will be able to see the Administrator's
password:
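@echo off
cls
REM Run SetTime.bat as the local Administrator of Computer1.
REM Sanur supplies "password" to the RunAs password prompt.
RunAs /user:Computer1\Administrator SetTime.bat | sanur password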
Here's what is happening. When you run the Go.bat file, it executes the
RunAs command using the local administrator's credentials. Go.bat then
executes the SetTime.bat file, which updates the time from a domain controller
in a different domain (or even a different forest). It first maps a drive
to establish a trust and then updates the time. Then it deletes the mapped
drive so only the time is updated and no mapped drives are left for the
user.
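Both batch files keep the Administrator password in clear text, and "@echo off" only keeps it off the console: any account that can read Go.bat or SetTime.bat can read the password. The PowerShell script below is an added example, not part of the original column, that flags such lines when auditing a script share; the function name Find-EmbeddedCredential, the two rules and the sample text (constructed from the batch files above) are assumptions made for illustration.

```powershell
# Constructed sample input: the two batch files from this column, embedded inline.
$samples = @{
    'SetTime.bat' = @'
@echo off
cls
REM Map a drive to the computer if it's not in your own domain.
net use z: \\london\c$ /user:administrator password
net time /DOMAIN:nwtraders /set /y
net use z: /d
'@
    'Go.bat' = @'
@echo off
cls
RunAs /user:Computer1\Administrator SetTime.bat | sanur password
'@
}

# Hypothetical rule set covering the two forms used in the column.
# "net use ... /user:x *" (prompt for the password) is deliberately not flagged.
$rules = @(
    @{ Name  = 'net use with inline password'
       Regex = '(?i)^\s*net\s+use\s+\S+\s+\\\\\S+\s+/user:(?<account>\S+)\s+(?<secret>[^/\s*]\S*)' },
    @{ Name  = 'RunAs password piped through sanur'
       Regex = '(?i)^\s*runas\s+.*?/user:(?<account>\S+).*\|\s*sanur(\.exe)?\s+(?<secret>\S+)' }
)

function Find-EmbeddedCredential {
    param([string]$File, [string]$Text)
    $lineNo = 0
    foreach ($line in $Text -split "`r?`n") {
        $lineNo++
        if ($line -match '^\s*(REM\b|::)') { continue }   # ignore comment lines
        foreach ($rule in $rules) {
            if ($line -match $rule.Regex) {
                [pscustomobject]@{
                    File = $File; Line = $lineNo; Rule = $rule.Name
                    Account = $Matches['account']
                    # Report only the length so the finding does not repeat the secret.
                    SecretLength = $Matches['secret'].Length
                }
            }
        }
    }
}

$samples.GetEnumerator() |
    ForEach-Object { Find-EmbeddedCredential -File $_.Key -Text $_.Value } |
    Sort-Object File, Line | Format-Table -AutoSize
```

To audit real files, pass each file's content to the function, for example with Get-Content -Raw, instead of the embedded samples.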
Let's Hear It
Do you have any other techniques you can share
to accomplish what Steve wants, with or without freeware tools? Please
send me an e-mail at [email protected].
The best solutions will appear in a future column and one submitter will
be sent a book, Protect
Your Windows Network From Perimeter to Data, by Johansson and
Riley (Addison-Wesley).
About the Author
Zubair Alexander, MCSE, MCT, MCSA and Microsoft MVP, is the founder of SeattlePro Enterprises, an IT training and consulting business. His experience covers a wide spectrum of roles: trainer, consultant, systems administrator, security architect, network engineer, author, technical editor, college instructor and public speaker. Zubair holds more than 25 technical certifications and Bachelor of Science degrees in Aeronautics & Astronautics Engineering, Mathematics and Computer Information Systems. His Web site, www.techgalaxy.net, is dedicated to technical resources for IT professionals. Zubair may be reached at [email protected].