
wntRunAsUser to AutoAdminLogon after Reboot

Keywords: wntRunAsUser

Question:

Does anyone have experience in setting network controls or Windows policies in Winbatch to automatically log on to a system? Any thoughts? This question may be far-fetched or extremely complex; however, I have setup routines created that reboot the system but require someone to sign on to the network after each install interval. It would be great to have code to automatically log on to Windows and continue the install process.

Feedback on this is greatly appreciated.

Answer:

Here are a couple of scripts that demonstrate how to set up the AutoAdminLogon stuff in the registry and then how to autologon with admin rights and do a wntRunAsUser.

Make sure you've got the setting "Act as part of the operating system" set under User Manager/Policy menu (for the particular user who's logging in with Admin rights). Also note that after you make the above change, you have to logout and relogin for the setting to take effect.

In Reskit Suppl. 3 there is a utility called NTRIGHTS.exe that you can use to change user rights. It is handy when you need to change user rights for the user who is going to execute wntRunAsUser.

You have to grant these advanced user rights to the user who is going to run the script in which you are going to use wntRunAsUser. You have to grant them (using User Manager) on the machine where they will be needed, or you can write another script to grant them (below). After giving a user a right or privilege, the user must log off and then log back on for the right or privilege to become effective. It cannot all be done in one script.

There are two users.

  1. The original logged in user.
  2. The user that you want to "Run As".

Make sure the original user has the "Act as part of OS" right on the local machine for his account. If you use User Manager to give the rights, then the user must log off and then log on BEFORE the rights are effective. The user that you want to "Run As" does not need any special rights, but it is usually an admin account anyway.

Note that the administrator users don't necessarily have all the rights. Especially not the Advanced user rights. You can easily verify which user rights they retain in user manager.

Example:

Let's say you have a user Charles and a user Administrator. You need to grant Charles the following advanced user rights:

  "Act as part of the operating system"
  "Increase quotas"
  "Replace a process level token"

Once you have done this using User Manager, log off and log back in. Of course it's all right to reboot your PC entirely as well.

You log in as Charles once again and now you can try to execute your script with the wntRunAsUser line in it.


SETUPUSER.WBT

; This script prepares a common user to be able to use the wntRunAsUser function.
; It has to be run as an administrator.

AddExtender("WWWNT34i.DLL")

; Create a new user on the local machine for our little demo

wntUserAddDat("name", "newuser")
wntUserAddDat("password", "xxx")
wntUserAddDat("flags", 1)
wntUserAddDat("acct_expires", "0000:00:00:00:00:00")
wntUserAdd("")

; Let's give it the necessary privileges

wntPrivAdd("","newuser","SeTcbPrivilege")
wntPrivAdd("","newuser","SeIncreaseQuotaPrivilege")
wntPrivAdd("","newuser","SeAssignPrimaryTokenPrivilege")

; We need to log out of Windows and log back on as this newuser

Message("Warning",StrCat("This script will log you out of this session",@crlf,"Please relogin as 'newuser'",@crlf,"on the local computer",@crlf,"using the password: 'xxx'"))

IntControl (66, 0, 0, 0, 0)

Exit

CONFIGUREIT.WBT:

;~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
;Script #1  - CONFIGUREIT.WBT - RUN THIS SCRIPT FIRST.  IT CONFIGURES 
;EVERYTHING AND SETS UP THE REGISTRY TO RUN SCRIPT #2 (RUNASUSER.WBT).
;
;In this script (CONFIGUREIT.WBT):
;
;1. Check username.  If currently logged on user is admin, then don't bother writing to the Winlogon 
;   section.   Just run the test script that *does something* using wntRunAsUser and some other admin
;   type activity.
;
;2. Otherwise, if not Admin user, write admin user info into the Winlogon part of registry for next 
;   login session.  Then set up the RunOnce key to run the RUNASUSER.WBT script next logon and reboot 
;   the machine.
;
;~~~~~~~~~~~~~~~~~~~
;In second script (RUNASUSER.WBT) launched by CONFIGUREIT.WBT:
;
;1.  The AutoAdminLogon happens.
;
;2.  Do the task that requires admin privileges.
;
;3.  Undo the Admin registry stuff since the current user is not the administrator, set AutoLogon to 0,
;    and reboot.

AddExtender("WWWNT34I.DLL")

curuser=wntGetUser(@default)
;Message("Current User is", curuser)

reguser=RegQueryValue(@REGMACHINE,"Software\Microsoft\Windows NT\CurrentVersion\Winlogon[DefaultUserName]")

if strlower(curuser)==strlower("Administrator") ;or customize as necessary to someone with admin privileges

  ;You're an Admin, go ahead and do a RunAsUser without additional settings required
  Group = "Users"
  User = reguser
  Pass = "YkSu1234"

  Domain = "YOURDOMAIN"
  PDC = "\\YOURPDC" 
  thegroups=wntMemberLst2(PDC,Group,@LOCALGROUP)
  thegroups=strreplace(thegroups,@tab,@crlf)
  Message("List of Members Before Change", thegroups)

  wntRunAsUser(Domain, User, Pass, 2, 0)

  curuser=wntGetUser(@default)
  ;Message("Current User is", curuser)

  ;Now do the Admin task
  ans = AskLine("Add User", "What is the name of a valid domain\user you want to add to %Group%?", "")
  rslt = wntMemberSet(PDC, Group, ans, @LOCALGROUP)

  thegroups=wntMemberLst2(PDC,Group,@LOCALGROUP)
  thegroups=strreplace(thegroups,@tab,@crlf)
  Message("List of Members After Change", thegroups)

  Message("All", "Done")
  exit
else
  ;currently logged on user is NOT admin user
  desktop=ShortCutDir("Desktop")

  domainname="YOURDOMAIN"
  username="administrator"  ;or someone with admin privileges
  password="YkSu1234"

  ;change the necessary settings for Adminautologon at next logon
  RegSetValue(@REGMACHINE,"Software\Microsoft\Windows NT\CurrentVersion\Winlogon[DefaultDomainName]",domainname)
  RegSetValue(@REGMACHINE,"Software\Microsoft\Windows NT\CurrentVersion\Winlogon[DefaultUserName]",username)
  RegSetValue(@REGMACHINE,"Software\Microsoft\Windows NT\CurrentVersion\Winlogon[DefaultPassword]",password)
  RegSetValue(@REGMACHINE,"Software\Microsoft\Windows NT\CurrentVersion\Winlogon[AutoAdminLogon]","1")

  ;First add the Winbatch script that'll do the autoadminlogon into the RunOnce key
  RegSetValue(@REGMACHINE, "Software\Microsoft\Windows\CurrentVersion\RunOnce[wbfile]", "c:\temp\runasuser.exe")
  ;Message("Before", "IntControl")

  ;now do the logout.  The machine will log out the current user, autologon as the admin user, and run the RUNASUSER.EXE script.
  IntControl(66,0,0,0,0)
endif

RUNASUSER.WBT:

; This is script #2.  It is the script that was loaded into the Runonce part of the 
; registry by script #1.  
;
; This script will do the wntRunAsUser and demonstrate how you can do an admin-level
; task.  One problem is that if this script is cancelled at any point, the admin level
; settings in the registry and Autoadminlogon might still be set in the registry (depending
; upon when it was cancelled), so this is a potential security problem, so I've added the
; Intcontrol(12,8,0,0,0) to prevent user cancellation.
;


IntControl(12,8,0,0,0)
AddExtender("WWWNT34I.DLL")

;Now you should have administrator rights... do a RunAsUser then set Winlogon settings back to NULL
Group = "Users"
User = RegQueryValue(@REGMACHINE,"Software\Microsoft\Windows NT\CurrentVersion\Winlogon[DefaultUserName]")
Pass = RegQueryValue(@REGMACHINE,"Software\Microsoft\Windows NT\CurrentVersion\Winlogon[DefaultPassword]")

Domain = "YOURDOMAIN"
PDC = "\\YOURPDC" 
thegroups=wntMemberLst2(PDC,Group,@LOCALGROUP)
thegroups=strreplace(thegroups,@tab,@crlf)
Message("List of Members Before Change", thegroups)

ans = AskLine("Add User", "What is the domain\user you want to add", "")

;Make sure you've got the setting "Act as part of the operating system"
;set under User Manager/Policy menu (for the particular user who's logging in with Admin rights).
;Also note that after you make the above change, you have to logout and relogin for the setting
;to take effect.
;
;In Reskit Suppl. 3 there is a utility called NTRIGHTS.exe 
;you can use to change user rights. Handy when you need to change user rights for the
;user who is going to execute wntRunAsUser

wntRunAsUser(Domain, User, Pass, 2, 0)

Errormode(@off)
;now add the new user to the group
rslt = wntMemberSet(PDC, Group, ans, @LOCALGROUP)
Errormode(@cancel)
err=LastError()

if err==562 
  Display(1,"Warning", "Your Username was not Valid")
  goto setreg
else
  if err
    Display(1, "Warning", "An error has occurred.")
    goto setreg
  endif
endif

;now list out all the new users
thegroups=wntMemberLst2(PDC,Group,@LOCALGROUP)
thegroups=strreplace(thegroups,@tab,@crlf)
Message("List of Members After Change", thegroups)

Message("All Done", "You've accomplished your chore.  Now get ready to relogon...")

;we fall through to here immediately if we get an error on the MemberSet function.
:setreg
;Now change autoadminlogon settings back to NULL.
;Write an empty string and "0" rather than the literal text "[]" and "[0]", so that no
;placeholder text is left in the logon values and AutoAdminLogon really is set to 0.
  RegSetValue(@REGMACHINE,"Software\Microsoft\Windows NT\CurrentVersion\Winlogon[DefaultDomainName]","")
  ;RegSetValue(@REGMACHINE,"Software\Microsoft\Windows NT\CurrentVersion\Winlogon[DefaultUserName]","administrator")
  RegSetValue(@REGMACHINE,"Software\Microsoft\Windows NT\CurrentVersion\Winlogon[DefaultPassword]","")
  RegSetValue(@REGMACHINE,"Software\Microsoft\Windows NT\CurrentVersion\Winlogon[AutoAdminLogon]","0")

;now logout as current admin user
IntControl(66,0,0,0,0)
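
The header comment of RUNASUSER.WBT notes that a cancelled run can leave the admin autologon settings in the registry. The PowerShell check below is an added example, not part of the original article or of WinBatch; the function name Test-AutoLogonResidue and its -Remediate switch are made up for illustration. It reports leftover AutoAdminLogon, DefaultPassword and RunOnce values under the keys the scripts above write, and can reset the first two.

```powershell
# Added example: audit the autologon state that CONFIGUREIT.WBT creates.
# Run from an elevated prompt on the machine being checked.
function Test-AutoLogonResidue {
    param([switch]$Remediate)   # hypothetical switch: also clear what is found

    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $runOnce  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    $findings = @()

    $wlKey = Get-Item -Path $winlogon

    # AutoAdminLogon is a string value; "1" means the next boot logs on unattended.
    if ($wlKey.GetValue('AutoAdminLogon') -eq '1') {
        $who = '{0}\{1}' -f $wlKey.GetValue('DefaultDomainName'), $wlKey.GetValue('DefaultUserName')
        $findings += "AutoAdminLogon is enabled for $who"
    }

    # DefaultPassword is kept in cleartext. Report that it exists, never its content.
    if ($wlKey.GetValueNames() -contains 'DefaultPassword') {
        $findings += 'DefaultPassword value is present (cleartext credential in the registry)'
    }

    # RunOnce commands execute at the next logon with that user's rights,
    # which is the autologon admin in the scenario above.
    if (Test-Path -Path $runOnce) {
        $roKey = Get-Item -Path $runOnce
        foreach ($name in $roKey.GetValueNames()) {
            $findings += "RunOnce[$name] = $($roKey.GetValue($name))"
        }
    }

    if ($Remediate) {
        # Disable autologon and delete the stored password outright.
        Set-ItemProperty -Path $winlogon -Name 'AutoAdminLogon' -Value '0'
        Remove-ItemProperty -Path $winlogon -Name 'DefaultPassword' -ErrorAction SilentlyContinue
    }

    return $findings
}

# Report only; add -Remediate to clear AutoAdminLogon and DefaultPassword.
Test-AutoLogonResidue | ForEach-Object { Write-Warning $_ }
```

Any RunOnce entry that points at a directory ordinary users can write to, such as the c:\temp path used above, deserves a closer look, because whatever sits at that path runs with the autologon account's rights.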



Article ID:   W14383
Filename:   wntRunAsUser to AutoAdminLogon after Reboot.txt
File Created: 2001:04:25:16:21:28
Last Updated: 2001:04:25:16:21:28