Permissions not Granted with wntRunAsUser
Keywords:
Question:
I have a WinBatch application which runs a wntRunAsUser to allow the program to switch to a user which is a domain account operator. The wntRunAsUser executes successfully, but when I try to use the wntMemberDel or wntMemberSet function to add a new user to a group in the domain I receive a WIL Extender Error 530: Access Denied. If I map a drive as the user and run User Manager I can add and delete members from the group without any problems. Any ideas as to what I am doing wrong?

Here's a subset of my code:

    AddExtender("WWWNT34I.DLL")
    Group = "Eroom"
    User = "addtoeroom"
    Pass = "addtoeroom"
    Domain = "janustires01"
    PDC = "\\janustidc01"
    ; list the current members of the group
    Eroom=wntMemberLst2(PDC,Group,@LOCALGROUP)
    :Add
    ans = AskLine("Add User", "What is the domain\user you want to add", "")
    ; switch to the account operator (login type 2, flags 0)
    wntRunAsUser(Domain, User, Pass, 2, 0)
    ; this call fails with Error 530: Access Denied
    rslt = wntMemberSet(PDC, Group, ans, @LOCALGROUP)

Here's the info from wwwbatch.ini:

    [WWWNT34I]
    LastError=5 (NetLocalGroupAddMembers)

Answer:
Two suggestions:
- Does the wntMemberSet work, if the script is actually run by the domain account operator, instead of using wntRunAsUser?
If not, make sure the user you are attempting to 'run as' has the appropriate rights.
- What if you put the wntMemberSet in a separate script, and have the main script execute the wntRunAsUser and then launch (Run) a second script as a new process? Note: you may need to adjust the wntRunAsUser flags to 1, to allow new child processes to inherit security privileges. By starting the new process, the new process inherits a more 'truly' impersonated user.
Article ID: W14271
Filename: wntRunAsUser Function - 3.txt
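
The second suggestion in the answer, laid out as two scripts. This is an added example, not code from the original answer or from the WinBatch documentation. The script path and file names are hypothetical, the flags value 1 is taken from the answer's note, and the password is prompted with AskPassword instead of being stored in the script.

```winbatch
; ---- parent.wbt (hypothetical name): impersonate, then launch the child ----
AddExtender("WWWNT34I.DLL")
Domain = "janustires01"
User   = "addtoeroom"
; hypothetical location of the child script shown below
Child  = "C:\scripts\addmember.wbt"

ans  = AskLine("Add User", "What is the domain\user you want to add", "")
; prompt for the account operator's password rather than embedding it
Pass = AskPassword("Add User", StrCat("Password for ", Domain, "\", User))

; login type 2 as in the question; flags 1 per the answer, so that
; processes started after this call inherit the impersonated credentials
wntRunAsUser(Domain, User, Pass, 2, 1)
Pass = ""

; assumption: this script is run by the WinBatch interpreter, so
; WinExeName("") returns the interpreter's path to start the child with
Run(WinExeName(""), StrCat('"', Child, '" ', ans))
Exit

; ---- addmember.wbt (hypothetical name): runs as the new process ----
AddExtender("WWWNT34I.DLL")
Group = "Eroom"
PDC   = "\\janustidc01"

; param1 is the domain\user passed on the command line by parent.wbt
If param0 < 1
   Message("Add User", "No user name was passed to this script.")
   Exit
EndIf

; trap the extender error so the failure can be reported, not just aborted
ErrorMode(@OFF)
rslt = wntMemberSet(PDC, Group, param1, @LOCALGROUP)
err  = LastError()
ErrorMode(@CANCEL)

If rslt == @TRUE
   Message("Add User", StrCat(param1, " added to ", Group))
Else
   ; 530 is the Access Denied error reported in the question
   Message("Add User", StrCat("wntMemberSet did not add the user. WIL error: ", err))
EndIf
```

If the child still reports error 530, the first suggestion applies: run addmember.wbt while logged on as the account operator to confirm the account has the rights it needs.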