Keywords: wntRunAsUser
Feedback on this is greatly appreciated.
Make sure you've got the setting "Act as part of the operating system" set under the User Manager/Policy menu (for the particular user who's logging in with Admin rights). Also note that after you make the above change, you have to log out and log back in for the setting to take effect.
In Reskit Suppl. 3 there is a utility called NTRIGHTS.exe that you can use to change user rights. It is handy when you need to change user rights for the user who is going to execute wntRunAsUser.
You have to grant these advanced user rights to the user who is going to run the script in which you are going to use wntRunAsUser. You have to grant them (using the User Manager) on the machine where they will be needed, OR, to grant this user right, you can write another script (below). After giving a user a right or privilege, the user must log off and then log back on for the right or privilege to become effective. It cannot all be done in one script.
There are two users.
Note that administrator users don't necessarily have all the rights, especially not the advanced user rights. You can easily verify which user rights they retain in User Manager.

"Act as part of the operating system"
"Increase quotas"
"Replace a process level token"

Once you have done this using the User Manager, you log off and log back in. Of course, it's all right to reboot your PC entirely as well.
You log in as Charles once again and now you can try to execute your script with the wntRunAsUser line in it.
; This script is preparing a common user to be able to use the wntRunAsUser function.
; It has to be run as an administrator.
AddExtender("WWWNT34i.DLL")

; Create a new user on the local machine for our little demo
wntUserAddDat("name", "newuser")
wntUserAddDat("password", "xxx")
wntUserAddDat("flags", 1)
wntUserAddDat("acct_expires", "0000:00:00:00:00:00")
wntUserAdd("")

; Let's give it the necessary privileges
wntPrivAdd("","newuser","SeTcbPrivilege")
wntPrivAdd("","newuser","SeIncreaseQuotaPrivilege")
wntPrivAdd("","newuser","SeAssignPrimaryTokenPrivilege")

; We need to relogon as this newuser
Message("Warning",StrCat("This script will log you out of this session",@crlf,"Please relogin as 'newuser'",@crlf,"on the local computer",@crlf,"using the password: 'xxx'"))
IntControl (66, 0, 0, 0, 0)
Exit
;~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
;Script #1 - CONFIGUREIT.WBT - RUN THIS SCRIPT FIRST. IT CONFIGURES
;EVERYTHING AND SETS UP THE REGISTRY TO RUN SCRIPT #2 (RUNASUSER.WBT).
;
;In this script (CONFIGUREIT.WBT):
;
;1. Check username. If currently logged on user is admin, then don't bother writing to the Winlogon
;   section. Just run the test script that *does something* using wntRunAsUser and some other admin
;   type activity.
;
;2. Otherwise, if not Admin user, write admin user info into the Winlogon part of registry for next
;   login session. Then set up the RunOnce key to run the RUNASUSER.WBT script next logon and reboot
;   the machine.
;
;~~~~~~~~~~~~~~~~~~~
;In second script (RUNASUSER.WBT) launched by CONFIGUREIT.WBT:
;
;1. The AutoAdminLogon happens.
;
;2. Do the task that requires admin privileges.
;
;3. Undo the Admin registry stuff since the current user is not the administrator, set AutoLogon to 0,
;   and reboot.

AddExtender("WWWNT34I.DLL")
curuser=wntGetUser(@default)
;Message("Current User is", curuser)
reguser=RegQueryValue(@REGMACHINE,"Software\Microsoft\Windows NT\CurrentVersion\Winlogon[DefaultUserName]")

if strlower(curuser)==strlower("Administrator") ;or customize as necessary to someone with admin privileges
   ;You're an Admin, go ahead and do a RunAsUser without additional settings required
   Group = "Users"
   User = reguser
   Pass = "YkSu1234"
   Domain = "YOURDOMAIN"
   PDC = "\\YOURPDC"
   thegroups=wntMemberLst2(PDC,Group,@LOCALGROUP)
   thegroups=strreplace(thegroups,@tab,@crlf)
   Message("List of Members Before Change", thegroups)
   wntRunAsUser(Domain, User, Pass, 2, 0)
   curuser=wntGetUser(@default)
   ;Message("Current User is", curuser)

   ;Now do the Admin task
   ans = AskLine("Add User", "What is the name of a valid domain\user you want to add to %Group%?", "")
   rslt = wntMemberSet(PDC, Group, ans, @LOCALGROUP)
   thegroups=wntMemberLst2(PDC,Group,@LOCALGROUP)
   thegroups=strreplace(thegroups,@tab,@crlf)
   Message("List of Members After Change", thegroups)
   Message("All", "Done")
   exit
else
   ;currently logged on user is NOT admin user
   desktop=ShortCutDir("Desktop")
   domainname="YOURDOMAIN"
   username="administrator" ;or someone with admin privileges
   password="YkSu1234"

   ;change the necessary settings for Adminautologon at next logon
   ;Note: DefaultPassword is stored in the registry as plain text until script #2 clears it
   RegSetValue(@REGMACHINE,"Software\Microsoft\Windows NT\CurrentVersion\Winlogon[DefaultDomainName]",domainname)
   RegSetValue(@REGMACHINE,"Software\Microsoft\Windows NT\CurrentVersion\Winlogon[DefaultUserName]",username)
   RegSetValue(@REGMACHINE,"Software\Microsoft\Windows NT\CurrentVersion\Winlogon[DefaultPassword]",password)
   RegSetValue(@REGMACHINE,"Software\Microsoft\Windows NT\CurrentVersion\Winlogon[AutoAdminLogon]","1")

   ;First add the Winbatch script that'll do the autoadminlogon into the RunOnce key
   RegSetValue(@REGMACHINE, "Software\Microsoft\Windows\CurrentVersion\RunOnce[wbfile]", "c:\temp\runasuser.exe")
   ;Message("Before", "IntControl")

   ;now do the logout. The machine will log out the current user, autologonadmin, and run the RUNASUSER.EXE script.
   IntControl(66,0,0,0,0)
endif
; This is script #2. It is the script that was loaded into the Runonce part of the
; registry by script #1.
;
; This script will do the wntRunAsUser and demonstrate how you can do an admin-level
; task. One problem is that if this script is cancelled at any point, the admin level
; settings in the registry and Autoadminlogon might still be set in the registry (depending
; upon when it was cancelled), so this is a potential security problem, so I've added the
; Intcontrol(12,8,0,0,0) to prevent user cancellation.
;
IntControl(12,8,0,0,0)
AddExtender("WWWNT34I.DLL")

;Now you should have administrator rights... do a RunAsUser then set Winlogon settings back to NULL
Group = "Users"
User = RegQueryValue(@REGMACHINE,"Software\Microsoft\Windows NT\CurrentVersion\Winlogon[DefaultUserName]")
Pass = RegQueryValue(@REGMACHINE,"Software\Microsoft\Windows NT\CurrentVersion\Winlogon[DefaultPassword]")
Domain = "YOURDOMAIN"
PDC = "\\YOURPDC"
thegroups=wntMemberLst2(PDC,Group,@LOCALGROUP)
thegroups=strreplace(thegroups,@tab,@crlf)
Message("List of Members Before Change", thegroups)
ans = AskLine("Add User", "What is the domain\user you want to add", "")

;Make sure you've got the setting "Act as part of the operating system"
;set under User Manager/Policy menu (for the particular user who's logging in with Admin rights).
;Also note that after you make the above change, you have to log out and log back in for the setting
;to take effect.
;
;In Reskit Suppl. 3 there is a utility called NTRIGHTS.exe
;you can use to change user rights. Handy when you need to change user rights for the
;user who is going to execute wntRunAsUser
wntRunAsUser(Domain, User, Pass, 2, 0)

Errormode(@off)
;now add the new user to the group
rslt = wntMemberSet(PDC, Group, ans, @LOCALGROUP)
Errormode(@cancel)
err=LastError()
if err==562
   Display(1,"Warning", "Your Username was not Valid")
   goto setreg
else
   if err
      Display(1, "Warning", "An error has occurred.")
      goto setreg
   endif
endif

;now list out all the new users
thegroups=wntMemberLst2(PDC,Group,@LOCALGROUP)
thegroups=strreplace(thegroups,@tab,@crlf)
Message("List of Members After Change", thegroups)
Message("All Done", "You've accomplished your chore. Now get ready to relogon...")

;we fall through to here immediately if we get an error on the MemberSet function.
:setreg
;Now change autoadminlogon settings back to NULL.
;The values are written as an empty string and "0"; writing "[]" or "[0]" would
;store the brackets themselves in the registry.
RegSetValue(@REGMACHINE,"Software\Microsoft\Windows NT\CurrentVersion\Winlogon[DefaultDomainName]","")
;RegSetValue(@REGMACHINE,"Software\Microsoft\Windows NT\CurrentVersion\Winlogon[DefaultUserName]","administrator")
RegSetValue(@REGMACHINE,"Software\Microsoft\Windows NT\CurrentVersion\Winlogon[DefaultPassword]","")
RegSetValue(@REGMACHINE,"Software\Microsoft\Windows NT\CurrentVersion\Winlogon[AutoAdminLogon]","0")

;now logout as current admin user
IntControl(66,0,0,0,0)
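The header of script #2 warns that a cancelled run can leave the administrator logon settings in the registry. The check below is an added example, not part of the original article. It assumes the WIL functions RegExistValue and RegDelValue are available in your WinBatch version and that it is run as an administrator. It reports leftover Winlogon auto-logon values without displaying the password, then resets them.

```winbatch
; Added example (not from the original article): audit and clear leftover
; auto-logon settings written by script #1.
winlogon = "Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
autokey  = StrCat(winlogon, "[AutoAdminLogon]")
passkey  = StrCat(winlogon, "[DefaultPassword]")
userkey  = StrCat(winlogon, "[DefaultUserName]")

report = ""
stale  = @FALSE

; AutoAdminLogon = "1" means the next boot logs on without a prompt
if RegExistValue(@REGMACHINE, autokey)
   if RegQueryValue(@REGMACHINE, autokey) == "1"
      report = StrCat(report, "AutoAdminLogon is still 1", @CRLF)
      stale = @TRUE
   endif
endif

; A non-empty DefaultPassword is a plain-text credential; never display it
if RegExistValue(@REGMACHINE, passkey)
   if StrLen(RegQueryValue(@REGMACHINE, passkey)) > 0
      report = StrCat(report, "DefaultPassword holds a value", @CRLF)
      stale = @TRUE
   endif
endif

; Show which account the logon dialog (or auto-logon) would use
if RegExistValue(@REGMACHINE, userkey)
   report = StrCat(report, "DefaultUserName: ", RegQueryValue(@REGMACHINE, userkey), @CRLF)
endif

if stale
   ; Disable auto-logon first, then remove the stored password value
   RegSetValue(@REGMACHINE, autokey, "0")
   if RegExistValue(@REGMACHINE, passkey) then RegDelValue(@REGMACHINE, passkey)
   Message("Winlogon audit - settings reset", report)
else
   Message("Winlogon audit", StrCat("No leftover auto-logon settings.", @CRLF, report))
endif
```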
Article ID: W14383
Filename: wntRunAsUser to AutoAdminLogon after Reboot.txt
File Created: 2001:04:25:16:21:28
Last Updated: 2001:04:25:16:21:28