Privelege Vs Group access check

  • Thread starter Thread starter satv73
  • Start date Start date
S

satv73

Hi,
I wanted to analyze what kind of privelege is need to launch a
specific process on a remote machine which is under the same [using
WMI].

I created a test user and granted all WMI/DCOM side accesses. Now I am
able to perform all the standard WMI calls like remote process lookup
et.c using the test user. But when I tried to launch the specific
process using "Win32_Process" create with the test user, it gives error
[=2]. I kept on adding previleges one by one from the Local security
policy on the client machine for the test user and at some point, I
ended up giving more than what Administrator has [like Part of
operating system], still the same error was occuring. But it works, if
I simply add the test user under "Administrators" group.

This made me to think whether if somewhere, the WMI Win32_Process
security is explictly looking for whether the test user is a part of
"Administrators" group, then this previlege experiment will not help.

Anybody can comment on this?

Thanks in advance
Sathish
 
Create method doesnt check Specifically for administrators group member. It
uses CreateProcessAsUser abse API and so it should work fo any user who has
access.
Can you try doing it through wbemtest or take a workign script from MSDN to
see if your test code has some problem??
Or else if you can share your code??

Thanks,
Manbinder Pal Singh

This posting is provided "AS IS" with no warranties, and confers no rights.
 
Also chekc your remote machines configuration. more details at
http://msdn2.microsoft.com/en-us/library/aa389290.aspx

Thanks,
Manbinder Pal Singh

This posting is provided "AS IS" with no warranties, and confers no rights.


Manbinder Pal Singh said:
Create method doesnt check Specifically for administrators group member.
It uses CreateProcessAsUser abse API and so it should work fo any user who
has access.
Can you try doing it through wbemtest or take a workign script from MSDN
to see if your test code has some problem??
Or else if you can share your code??

Thanks,
Manbinder Pal Singh

This posting is provided "AS IS" with no warranties, and confers no
rights.

Hi,
I wanted to analyze what kind of privelege is need to launch a
specific process on a remote machine which is under the same [using
WMI].

I created a test user and granted all WMI/DCOM side accesses. Now I am
able to perform all the standard WMI calls like remote process lookup
et.c using the test user. But when I tried to launch the specific
process using "Win32_Process" create with the test user, it gives error
[=2]. I kept on adding previleges one by one from the Local security
policy on the client machine for the test user and at some point, I
ended up giving more than what Administrator has [like Part of
operating system], still the same error was occuring. But it works, if
I simply add the test user under "Administrators" group.

This made me to think whether if somewhere, the WMI Win32_Process
security is explictly looking for whether the test user is a part of
"Administrators" group, then this previlege experiment will not help.

Anybody can comment on this?

Thanks in advance
Sathish
Click to expand...
Click to expand...
 
Manbinder,
Sorry about the delay. Here is a sample script that I used.
=========================================================================
strComputer = "SATHISH-VMXP1"
strCommand = "c:\windows\notepad.exe"
Set objLocator = CreateObject("WbemScripting.SWbemLocator")
Set objWMIService =
objLocator.ConnectServer(strComputer,"root\cimv2",
"mydomain\normaluser","Normalpass123")

Set objNewJob = objWMIService.Get("Win32_ScheduledJob")
' Please adjust timings according to current
errJobCreate = objNewJob.Create _
(strCommand , "********151800.000000+330", _
False, 2, ,False, JobId)
If errJobCreate = 0 Then
WScript.Echo "Job created successfully: " & VBNewLine _
& "Notepad.exe scheduled to run repeately at 14.30 (2:30 P.M.)
PST" & VBNewLine _
& "on Mon, Wed, and Fri."
Else
WScript.Echo "Job not created. Error code = " & errJobCreate
End If
========================================================================

Thanks
Sathish
 
Did you go to the links I gave and configured your server machine to which
you are connecting?
Please give DCOM/wmi rights to the user with which you are connecting.

After configuring , try running the script again.


Thanks,
Manbinder Pal Singh

This posting is provided "AS IS" with no warranties, and confers no rights.
 
Back
Top