run script remotely as another user

[kansaspcdoc]

I just in the last couple of weeks found AutoIT and am a total newbie.

This is my problem... I have a small closed network and would like to be able to make a script that would allow me to run MS patches with admin rights. I would like to distribute this exe or a shortcut for users to apply that are not admins but are in need of the patches to protect them from themselves.

This is what I have tried so far but it doesn't seem to work for me...

RunAsSet ("user", "domain", "password" , 2)

Opt("RunErrorsFatal", 1)

RunWait("\\fullnetworkpath\Windows2000-KB828028-x86-ENU.EXE /Z /U")

any help would be greatly appreciated.

Edited August 24, 2005 by kansaspcdoc

[seandisanti]

I just in the last couple of weeks found AutoIT and am a total newbie.

This is my problem... I have a small closed network and would like to be able to make a script that would allow me to run MS patches with admin rights. I would like to distribute this exe or a shortcut for users to apply that are not admins but are in need of the patches to protect them from themselves.

This is what I have tried so far but it doesn't seem to work for me...

RunAsSet ("user", "domain", "password" , 2)

Opt("RunErrorsFatal", 1)

RunWait("\\fullnetworkpath\Windows2000-KB828028-x86-ENU.EXE /Z /U")

any help would be greatly appreciated. 

<{POST_SNAPBACK}>

a few things to look at.

1) may want to specify running directory in your runwait

...never a bad idea with Run() or RunWait()

2) may want to use real error trapping.

...rather than having a blind exit (atleast during troubleshooting)

i'd suggest commenting out the 'Opt("RunErrorsFatal", 1)' until your script is running exactly as you want it to. then add code after any operations that could fail. like your RunAsSet(), you could do like:

$ERRORCHECK = RunAsSet ("user", "domain", "password" , 2)
if $errorcheck = 0 then msgbox(0,"Upgrade","OS doesn't support running as another user")

or add checks of @error after functions that set the error macro if they fail. also you should assign function calls to variable so that you can check the return value for debugging purposes like in the $ERRORCHECK example above, especially for functions that don't set @error...

[BigDod]

Instead of using full network path it may be better to use DriveMapAdd to map a drive to the required folder. Once the update was run the drive mapping could be removed with DriveMapDel.

[Gigglestick]

Are you sure the user your using in RunAsSet has permission to the network fileshare? You may need to force Windows to connect to that share using DriveMapAdd first, then DriveMapDel when you're done.

Just so we're clear: The topic subject is "run script remotely as another user". Are you trying to run something on another computer from yours or distributing your script to that computer and running it? ...in a login script for example. If you're trying to make another machine run the MS patch, you're going about it completely wrong. There's nothing "remote" about the script you posted; you're running the script locally on another machine.

Edit: HAHA! BigDod beat me to the punch!

Edited August 24, 2005 by c0deWorm

[BigDod]

Edit: HAHA!  BigDod beat me to the punch!

<{POST_SNAPBACK}>

My typing and reading the help file must be getting faster

[seandisanti]

Instead of using full network path it may be better to use DriveMapAdd to map a drive to the required folder. Once the update was run the drive mapping could be removed with DriveMapDel.

<{POST_SNAPBACK}>

i've had issues with DriveMapAdd that i wasn't able to solve or get help on, so i personally shy away from using it...

my issue with DriveMapAdd

[kansaspcdoc]

Like I said I am a total newbie and titled the thread one way then decieded to explain what I was up too in the post. As I age here I'll learn the right way to pose questions to the group.

It really doesn't matter to me how I achieve this task whether it be local or remote I have no preference as long as it get's done.

I currently have a batch file that will run all the patches that do not require admin rights, I need to create a script that I can run from that batch file that will install the patch with admin rights.

All the users I'm attempting to push this too have this common drive mapped already and all have access to the files. But they need local admin rights to run some of the MS patches.

[seandisanti]

Like I said I am a total newbie and titled the thread one way then decieded to explain what I was up too in the post. As I age here I'll learn the right way to pose questions to the group.

It really doesn't matter to me how I achieve this task whether it be local or remote I have no preference as long as it get's done.

I currently have a batch file that will run all the patches that do not require admin rights, I need to create a script that I can run from that batch file that will install the patch with admin rights.

All the users I'm attempting to push this too have this common drive mapped already and all have access to the files. But they need local admin rights to run some of the MS patches.

<{POST_SNAPBACK}>

did you try either of my suggestions? what were the results?

[Gigglestick]

This post is overkill and is a non-AutoIt solution, but here goes...

I currently have a batch file that will run all the patches that do not require admin rights, I need to create a script that I can run from that batch file that will install the patch with admin rights.

Why not just use this in your batch file:

echo password|runas /netonly /user:domain\username "\\fullnetworkpath\Windows2000-KB828028-x86-ENU.EXE /Z /U"

Runas will wait until the patch completes, similar to RunWait. Of course, this exposes the password to anyone with read access to the batch file, or you could change it to something like:

if "%1"=="" goto :nousername
if "%2"=="" goto :nopassword
echo %2|runas /netonly /user:%1 "\\fullnetworkpath\Windows2000-KB828028-x86-ENU.EXE /Z /U"
goto :end

:nousername
echo You must enter a username!
goto :usage

:nopassword
echo You must enter a password!
goto :usage

:usage
echo Usage: %0 domain\username password
goto :end

:end

or to execute all patches in the \\fullnetworkpath folder, change it to:

if "%1"=="" goto :nousername
if "%2"=="" goto :nopassword
if "%3"=="/runas" goto :installpatches
echo %2|runas /netonly /user:%1 "%0 %1 %2 /runas"
goto :end

:installpatches
rem We've already in RunAs mode, so pushd should work.
pushd \\fullnetworkpath
for /f "tokens=*" %%a in ('dir /a/b Windows2000-KB*.EXE') do start /wait "%%a /Z /U"
popd
rem Unmap the drive that pushd created!
goto :end

:nousername
echo You must enter a username!
goto :usage

:nopassword
echo You must enter a password!
goto :usage

:usage
echo Usage: %0 domain\username password
goto :end

:end

[kansaspcdoc]

expandcollapse popup

$ERRORCHECK = RunAsSet ("user", "domain", "password" , 2)if $errorcheck = 0 then msgbox(0,"Upgrade","OS doesn't support running as another user")This seemed to work but I'm trying to hardcode admin credentials in the compliled script so anyone can run it from a network share. I only listed one patch here but have several to apply. I have a batch file that contains all the patches and command line switches that I run when I deploy a new machine. In an effort to make life easier I am trying to use this script with admin rights run the batch file which would allow a user that is not an admin to run them. All the machines have the same generic local admin account.


            
        

        

        
    

    
    

    

                    
                    
                        
                    
                    
                

                    

                    
                    






    

    

    
        
            
                


    
        
    

                
                
                    
                        

                    
                
            
        
        
            
                


Gigglestick
            
            
                Posted August 24, 2005
                
            
        
    
    
        


Gigglestick
            
        
        
            
                
                    


    
        
    

                    
                    
                        

                    
                
            
            
                Active Members
                
            
            
                
                    
                        
                            
                                
                            
                                 489
                            
                                
                            
                        
                        
                    
                
            
            
                

            
        
    
    
        



    
        
            
                
                    
                    
                    
                    
                    
                
            
            
                
                    
                    
                        
                        
                        
                        
                        
                        
                            
                                
                            
                            
                            
                            
                            
                            
                        
                    
                
                
            
        

        
           
           Posted August 24, 2005
           
            
            
                
                
            
        
    

    

    

    
        
        
            

$ERRORCHECK = RunAsSet ("user", "domain", "password" , 2)

if $errorcheck = 0 then msgbox(0,"Upgrade","OS doesn't support running as another user")

This seemed to work but I'm trying to hardcode admin credentials in the compliled script so anyone can run it from a network share. I only listed one patch here but have several to apply. I have a batch file that contains all the patches and command line switches that I run when I deploy a new machine. In an effort to make life easier I am trying to use this script with admin rights run the batch file which would allow a user that is not an admin to run them. All the machines have the same generic local admin account.

Just out of curiosity, is your batch file hardcoded with specific patch filenames, or do you generally run all patches in the share? If they're hardcoded, you might think about using an INI file for a list of patches to apply and eliminate the batch file. If you're applying all patches in the share, you might think about using FileFindNextFile to have AutoIt cycle through all of them and force a reboot and eliminate the batch file.

Lastly, are you using QCheck before you reboot? WinXP/2003+ don't require it, but Win2K still does to the best of my knowledge.

[kansaspcdoc]

This post is overkill and is a non-AutoIt solution, but here goes...

Are there only certain things that AutoIt is supposed to be used for?? For me it is a very important solution and if this works (however simple it may be to you) it would possibly allow me to introduce it to a company as a solution for improved patch management and other repetative tasks that require admin rights that could be compiled so that admin credentials can be passed securely....

[seandisanti]

$ERRORCHECK = RunAsSet ("user", "domain", "password" , 2)

if $errorcheck = 0 then msgbox(0,"Upgrade","OS doesn't support running as another user")

This seemed to work but I'm trying to hardcode admin credentials in the compliled script so anyone can run it from a network share. I only listed one patch here but have several to apply. I have a batch file that contains all the patches and command line switches that I run when I deploy a new machine. In an effort to make life easier I am trying to use this script with admin rights run the batch file which would allow a user that is not an admin to run them. All the machines have the same generic local admin account.

[post="103140"]<{POST_SNAPBACK}>[/post]

seemed to work meaning that you didn't get to see the message saying that the operating system doesn't support? and i just thought of something also. in order to apply the patch, you have to be using the login info of the local administrator right? few things to check in your RunAsSet()... i dont' think you want to use the 2 flag on the end to check the credentials with local users...maybe a 0? also, maybe try to use "" for the domain, or "MachineName" with machinename obviously being the computer name...

[kansaspcdoc]

Just out of curiosity, is your batch file hardcoded with specific patch filenames, or do you generally run all patches in the share?  If they're hardcoded, you might think about using an INI file for a list of patches to apply and eliminate the batch file.  If you're applying all patches in the share, you might think about using FileFindNextFile to have AutoIt cycle through all of them and force a reboot and eliminate the batch file.

Lastly, are you using QCheck before you reboot?  WinXP/2003+ don't require it, but Win2K still does to the best of my knowledge.

<{POST_SNAPBACK}>

Yes I they are hardcoded in the batch file and I really like the filefindnext... I will try that and yes I am using qchain and it is 2000.

[kansaspcdoc]

seemed to work meaning that you didn't get to see the message saying that the operating system doesn't support?  and i just thought of something also.  in order to apply the patch, you have to be using the login info of the local administrator right?  few things to check in your RunAsSet()... i dont' think you want to use the 2 flag on the end to check the credentials with local users...maybe a 0? also, maybe try to use "" for the domain, or "MachineName" with machinename obviously being the computer name...

<{POST_SNAPBACK}>

with auto it can you pass the machine name "." so that it can be run on anymachine as long as the local credentials are there?

I will change the flag to a 0 as well.

[seandisanti]

with auto it can you pass the machine name "." so that it can be run on anymachine as long as the local credentials are there?

I will change the flag to a 0 as well.

<{POST_SNAPBACK}>

Don't think so, but you can use @ComputerName, but dont' surround it with quotes like a literal string when you use it. it's a macro, you have to treat it like a variable