Solve : Using batch files for temporary user access to the local admin

1.	Solve : Using batch files for temporary user access to the local admin group?
Answer» Users on my office network need to run an application/command (eg: regsvr32 -u "c:\PROGRAM Files\Outlook Add-in\ShinseiOutlookCom.dll") that requires local admin rights. For security purposes, we prefer not to provide users with local admin rights. Would you recommend trying to write a BATCH file to add each user to the local admin group when he or she clicks the program's desktop? This privilege level would only last until the user exits the program...Any body can suggest me on this? Thanks, BijuQuote from: Biju007 on September 13, 2011, 09:46:59 PM Would you recommend trying to write a batch file to add each user to the local admin group when he or she clicks the program's desktop? This privilege level would only last until the user exits the program...Any body can suggest me on this? The problem you run into if you use batch is that in order to write it, it would have to have a hardcoded USERNAME and password. There are some ways to use backdoor options to make it very difficult for the user to obtain the password, but in most cases, when using batch, it is very difficult to make it impossible. The work around that we have used to a great deal of success in my working environment is a batch file that merely starts another batch file located on a network drive as a SPECIFIED user. That user is the only user with access to the .txt file that contains the administrative name and password, and then the file imports those items into the program to run. It's a big end-around process and it would be a lot easier if the network allowed us to run other software other than batch files, but we have what we have and that's how we have worked it. If you would like, I can give you a sample of the two batch files. My SUGGESTION though would be to go with some other programming medium that would alow you to hardcode the username and password but not allow it to be readily available to the user.It is great idea which you offered to me, Thanks for that. I came to know in a batch file we can call VB script in-order to secure the administrative name and password. But right now; if you can share the sample batch files as you told I can try to implement as my requirement. Looking forward from you. Biju B.Batch 1 Code: [Select]net use z: /delete /y net use z: \\networklocation /USER:[emailprotected] -password /persistent:no start z:\batch2.bat /username=joe.schmo /password=password Batch 2 Code: [Select]@echo off net use b: /delete /y net use b: \\anothernetworklocation /persistent:no set /p adminuser=<b:\adminuser.txt set /p adminpass=<b:\adminpass.txt net use b: /delete /y start c:\localprogram.exe /username=%adminuser% /password=%adminpass% Let me know if you run into any issues.

Solve : Using batch files for temporary user access to the local admin group?

Answer»

Users on my office network need to run an application/command (eg: regsvr32 -u "c:\PROGRAM Files\Outlook Add-in\ShinseiOutlookCom.dll") that requires local admin rights. For security purposes, we prefer not to provide users with local admin rights. Would you recommend trying to write a BATCH file to add each user to the local admin group when he or she clicks the program's desktop? This privilege level would only last until the user exits the program...Any body can suggest me on this?

Thanks,

BijuQuote from: Biju007 on September 13, 2011, 09:46:59 PM

Would you recommend trying to write a batch file to add each user to the local admin group when he or she clicks the program's desktop? This privilege level would only last until the user exits the program...Any body can suggest me on this?

The problem you run into if you use batch is that in order to write it, it would have to have a hardcoded USERNAME and password. There are some ways to use backdoor options to make it very difficult for the user to obtain the password, but in most cases, when using batch, it is very difficult to make it impossible. The work around that we have used to a great deal of success in my working environment is a batch file that merely starts another batch file located on a network drive as a SPECIFIED user. That user is the only user with access to the .txt file that contains the administrative name and password, and then the file imports those items into the program to run. It's a big end-around process and it would be a lot easier if the network allowed us to run other software other than batch files, but we have what we have and that's how we have worked it. If you would like, I can give you a sample of the two batch files. My SUGGESTION though would be to go with some other programming medium that would alow you to hardcode the username and password but not allow it to be readily available to the user.It is great idea which you offered to me, Thanks for that. I came to know in a batch file we can call VB script in-order to secure the administrative name and password. But right now; if you can share the sample batch files as you told I can try to implement as my requirement.

Looking forward from you.

Biju B.Batch 1

Code: [Select]net use z: /delete /y
net use z: \\networklocation /USER:[emailprotected] -password /persistent:no

start z:\batch2.bat /username=joe.schmo /password=password

Batch 2

Code: [Select]@echo off
net use b: /delete /y
net use b: \\anothernetworklocation /persistent:no
set /p adminuser=<b:\adminuser.txt
set /p adminpass=<b:\adminpass.txt
net use b: /delete /y

start c:\localprogram.exe /username=%adminuser% /password=%adminpass%

Let me know if you run into any issues.

Solve : Using batch files for temporary user access to the local admin group?

Discussion

No Comment Found

Related InterviewSolutions

Reply to Comment