wntRunAsUser Function

Keywords: 	  wntRunAsUser

Question:

I can't seem to get this new function to work properly. I am trying to create a situation where a normal user can make local user database changes which would require administrative privileges. I use wntrunasuser to launch musrmgr as administrator, but I am still limited to the rights of the local user, rather than administrator. According to the docs, the rights of the new user will be maintained while the interpreter is active. Example:
	runner = wntRunAsUser("", "administrator", "password", 2, 0)
	RunWait("musrmgr.exe", "")
Act as operating system is set up correctly, etc., and the script runs without complaint, but the logged in user does not inherit administrator rights. I've tried all of the login options, with the same results.

This command needed the currently-logged-in user to have the following rights, which are

"Act as part of the operating system"
"Increase quotas"
"Replace a process level token"
 
I set these rights in User Manager, and it works fine.

But when I set it in User Manager for Domains, WinBatch 99a can't detect the right that I have set, and thus it pops up an error message box stating (WIL Extender Error: 637: Privilege "Act as part of the operating system' not held).

Any idea?

Answer:

You indicated that you set the User Manager settings, but as a recap for others, let's go over the following:
  1. In order to use this function, the currently-logged-on user must have the "Act as part of the operating system" user right assigned. This can be set from the "Policies" menu in the NT User Manager on the Server (make sure that the "Show Advanced User Rights" checkbox is checked in order for "Act as part of the operating system" to be displayed in the drop-down listbox).

  2. The user running the script, not the user being "RunAs" needs the permissions.

  3. After the permissions are given to the user, they must log off before they take effect.

    Windows 2000: The setting is located in Control Panel, Administrative Tools, Local Security Policy. Under Local Policies, User Rights Assignments.

  4. The currently-logged-on user, e.g. administrator, is the one who needs to have the "Act as Part of OS" permission set (rather than the user specified in the wntRunAsUser function).

  5. In Reskit Suppl. 3 there is a utility called NTRIGHTS.exe which you can use on the Server to change user rights on remote workstations. Handy when you need to change user rights for the users who are going to execute wntRunAsUser.

    Make sure that that right is granted to both Domain Admins and Administrator (listed in the bottom window of that screen).

    Then, after you make the change, make sure to log out and log in at the workstation again for the change to take effect.

    The coding is as simple as this.

    AddExtender("WWWNT34I.DLL")
    USER="DUMMY"
    PASS="PASSWORD"
    wntRunAsUser("", USER, PASS, 3, 0)
    exit
    
    Then on the local machine, add the Domain Admins group to the Local Administrators Group. And add the Domain Users Group to the Local Users Group.

  6. WinBatch simply runs the Windows function and it tells US it does not like the security settings, then we report the information back to you. WinBatch does not check the security settings itself.

  7. If the LOCAL PC User Rights don't include the GLOBAL account, the function will NOT work. If you DO use the NTRIGHTS.EXE from the NT 4 Server Resource Kit (Supplement 2), you will be able to change the rights remotely for any pc on your network.

  8. The rights only need to be set for currently logged in user.

  9. User must log into the domain for this to work; a login to the local machine will not work. In the logon dialog the "Domain" selected must be the domain where the user account is defined.

    On a large network it may take some time for rights assigned on the Domain controller to propagate through the network.

    If the user is logging on with a local account on the machine, then *that* account must have the rights set.

    The user needs to be logged into the domain (not a local login accessing domain computers)!!


Here's a sample script with settings that work:
AddExtender("WWWNT34I.DLL")

curuser=wntGetUser(@DEFAULT)
Message("Current user:",curuser)

;run as new user
domain="TECHTEST" ; TECHTEST is a DOMAIN name not a server
user="billg"
pswd="123bill"


ret = wntRunAsUser( domain, user, pswd, 2, 0)

newuser=wntGetUser(@DEFAULT)
Message("Running as new user:",newuser)
exit
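
The answer above depends on granting "Act as part of the operating system", a right that lets its holder act as any user, so it is worth checking who actually holds it once scripts like this are deployed. The following is an added example, not WinBatch code and not from the original article: a Python sketch that parses a user-rights export of the kind written by `secedit /export /areas USER_RIGHTS /cfg rights.inf` and lists holders of the three rights outside an expected baseline. The sample INF text, its SIDs and the baseline are constructed assumptions.

```python
# Added example; SAMPLE_INF below is constructed sample data, not real output.
import re
# Privilege constants behind the user-right display names quoted on this page.
RIGHTS = {
    "SeTcbPrivilege": "Act as part of the operating system",
    "SeIncreaseQuotaPrivilege": "Increase quotas",
    "SeAssignPrimaryTokenPrivilege": "Replace a process level token",
}
# Assumed baseline of expected holders (well-known SIDs); adjust per OS version.
BASELINE = {
    "SeTcbPrivilege": set(),
    "SeIncreaseQuotaPrivilege": {"S-1-5-19", "S-1-5-20", "S-1-5-32-544"},
    "SeAssignPrimaryTokenPrivilege": {"S-1-5-19", "S-1-5-20"},
}
SAMPLE_INF = """\
[Privilege Rights]
SeTcbPrivilege = *S-1-5-21-1111111111-2222222222-3333333333-1105,TECHTEST\\billg
SeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-545
SeShutdownPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
"""

def parse_privilege_rights(inf_text):
    """Return {privilege: [principals]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).lower()
        elif section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            # Entries are comma-separated; SIDs carry a leading "*".
            rights[name.strip()] = [p.strip().lstrip("*")
                                    for p in value.split(",") if p.strip()]
    return rights

def unexpected_holders(inf_text):
    """Return {privilege: [holders outside BASELINE]} for the three rights."""
    rights = parse_privilege_rights(inf_text)
    extra = {priv: [p for p in rights.get(priv, []) if p not in BASELINE[priv]]
             for priv in RIGHTS}
    return {priv: holders for priv, holders in extra.items() if holders}

if __name__ == "__main__":
    for priv, holders in unexpected_holders(SAMPLE_INF).items():
        print(f"{RIGHTS[priv]} ({priv}): {', '.join(holders)}")
```

A real export is typically written as UTF-16, so read it with `open(path, encoding="utf-16")` before passing the text to `unexpected_holders`.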

Question:

Did I get that right, wntRunAsUser will give the logged in user all "RunAs" privileges while the process is running?

Answer:

No. It gives the script the privileges and, if you set some flags correctly, the programs launched by the script. It does not give the privileges to the user account.

Another wntRunAsUser Question

Question:

Hi,
I have two problems with the function wntRunAsUser.
  1. After using the function with login-type interactive and flag 1 (the 3 NT rights: run as part of the operating system ... are set) FileExist is @false although the file is in the path. Now I open the file *before* using wntRunAsUser but that doesn't really fit my needs. Is there another solution?

  2. After wntRunAsUser("", user, pass, 2, 1) the command Run("rundll.exe", "shell32.dll,SHHelpShortcuts_RunDLL PrintersFolder") only opens folder c:\. Do I have to make the changes directly in the registry?
BTW: Apart from these two problems the function is great :-)

Answer:

  1. ???? What user are you trying to run as? What file are you having FileExist problems with? Perhaps the new user does not have security access to the file?

  2. This gets confusing. What user did you want to change the printer folders for? All users? The runasuser user, or the original user? Are you trying to log on as a normal user and set up the user's account? I'm not sure that part works. The runasuser only gets the security privileges, not the environment.

Question (cont'd):

  1. As administrator I have all rights and the program runs without wntRunAsUser fine. When I add the wntRunAsUser function (user = myself = administrator) the program doesn't find the file any longer (public has all rights).

  2. The currently logged in user (=normal user) should be able to change his own printer settings with the program. The runasuser here has all administrator privileges, too.

  3. >I'm not sure that part
    >works. The runasuser only gets the
    >security privileges, not the
    >environment.
    
    I assumed that. The user has its own environment and I thought with the appropriate security privileges he should be able to make some changes. (e.g. activate the duplexer, change the text of the banner).

Answer:

Sounds like a directory permissions problem.

If you log in normally as that same user, can you access everything okay?

It seems like the user might not have access to some of the directories he uses (like some of the start menu stuff). What file is it failing on?


Article ID:   W13577
Filename:   wntRunAsUser Function - 1.txt
File Created: 2002:12:19:12:50:48
Last Updated: 2002:12:19:12:50:48