
impersonated user cannot access local filesystem on W2K3 R2 server

The attached code segment is used:
1. Calling it without "privileged" works well with the current local SYSTEM account.
2. After setting the "privileged" flag I cannot access the local filesystem any longer, although the user for impersonation is a domain admin account and can log in on the server correctly.

Whenever I run the program directly while logged in to the server it runs correctly. But I need to get this task to run automatically with the local SYSTEM account.
I tried to use standard impersonation with LogonUser from advapi32.dll (now removed) as well as giving user, password and domain information to process.StartInfo, and both together. Neither works in "privileged" mode; both work very well in "standard" mode without impersonation.

The intention is to run modifiable VBS scripts from the more complex "main" program and therefore handle future modification requests and enhancements easily: a kind of "framework" using "C:\windows\system32\cscript.exe".

On the server I already changed the local security setting "Replace a process level token" to allow Local System the replacement.
Furthermore I changed ".NET Configuration / Runtime Security Policy / Permission Set" to allow all code to execute. Nothing has worked up to now.

The server where the program should run is a domain member server, Windows 2003 R2 Enterprise Edition with SP2 installed.
The "privileged" user is a "Domain Administrator" (and therefore has enough rights on the member server).

Where is the problem??? What do I have to do to get this task to run?


    ' Imports needed by this function (at the top of the source file):
    '   Imports System.Diagnostics
    '   Imports System.IO
    Private Function callProcedure(ByRef path As String, ByRef procedure As String, ByRef params As String, Optional ByRef privileged As Boolean = False) As String
        dolog(9, "Function callProcedure (" & path & ", " & procedure & ", " & params & ")")
        callProcedure = ""

        Dim proc As Process = New Process()
        proc.StartInfo.UseShellExecute = False          ' required for RedirectStandardOutput and for UserName/Password
        proc.StartInfo.RedirectStandardOutput = True
        proc.StartInfo.Arguments = params
        proc.StartInfo.CreateNoWindow = True
        proc.StartInfo.WindowStyle = ProcessWindowStyle.Hidden
        proc.StartInfo.FileName = path & "\" & procedure
        ' set current directory to c:\windows\system32 in order to run scripts correctly - didn't work
        dolog(9, My.User.Name)
        ' .vbs files are not executables: hand them to cscript.exe with the script path as the first argument
        If LCase(Microsoft.VisualBasic.Right(proc.StartInfo.FileName, 3)) = "vbs" Then
            proc.StartInfo.Arguments = proc.StartInfo.FileName & " " & params
            proc.StartInfo.FileName = "c:\windows\system32\cscript.exe"
        End If
        dolog(9, "proc.Startinfo.Arguments=" & proc.StartInfo.Arguments)
        If privileged Then
            dolog(9, "impersonation start")
            ' credentials for the child process; Process.Start creates it under this account
            proc.StartInfo.UserName = tADUser.Text
            proc.StartInfo.Domain = domainname
            proc.StartInfo.Password = New System.Security.SecureString
            For Each c As Char In tADPassword.Text
                proc.StartInfo.Password.AppendChar(c)
            Next
            proc.StartInfo.FileName = "c:\windows\system32\whoami.exe" ' only to test access to local filesystem
            dolog(9, proc.StartInfo.UserName & " " & proc.StartInfo.Domain)
        End If
        Try
            dolog(9, "start ")
            proc.Start()
            ' output here is small; for chatty scripts read StandardOutput before waiting,
            ' otherwise the redirected pipe can fill up and both processes deadlock
            proc.WaitForExit(600000)
            Dim sOut As StreamReader = proc.StandardOutput
            callProcedure = sOut.ReadToEnd
            If Not proc.HasExited Then
                dolog(1, "Procedure " & procedure & " did not exit within 10 min. Process is aborted!")
                proc.Kill()
            End If
            dolog(9, "Procedure " & procedure & " started at " & proc.StartTime & " and exited with " & proc.ExitCode & _
                  " at " & proc.ExitTime)
        Catch ex As Exception
            ' ex.Message is the exception text; Err.Description is the legacy VB6 error object
            dolog(0, "Error: " & ex.Message)
        End Try

        proc.Close()
        proc = Nothing
        dolog(9, vbCrLf & "callProcedure returns: " & vbCrLf & callProcedure & vbCrLf)
    End Function

---- First part: running callProcedure without the "privileged" flag runs best:
Function callProcedure (C:\WINDOWS\system32\adm4USD, pwdresetc.vbs, "username"="anyuser" "password reset"="Y" )
NT AUTHORITY\SYSTEM
proc.Startinfo.Arguments=C:\WINDOWS\system32\adm4USD\pwdresetc.vbs "username"="anyuser" "password reset"="Y"
start
Procedure pwdresetc.vbs started at 02.07.2010 22:24:42 and exited with 0 at 02.07.2010 22:24:43

callProcedure returns:
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

++++ and output from script


--- Second part: running callProcedure WITH the "privileged" flag:
Function callProcedure (C:\WINDOWS\system32\adm4USD, pwdresetr.vbs, "username"="anyuser" "password reset"="Y" )
NT AUTHORITY\SYSTEM
proc.Startinfo.Arguments=C:\WINDOWS\system32\adm4USD\pwdresetr.vbs "username"="anyuser" "password reset"="Y"
impersonation start
admin-account-name domainname
start
Error: Access is denied

callProcedure returns:
Jul 3 '10 #1
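An added VB.NET diagnostic helper (not from the original post; the names StartAsUser and Describe are hypothetical) that separates "Process.Start refused to create the child" from "the child ran and then failed", reporting the caller identity and the Win32 native error code that the posted Catch block reduces to "Access is denied". Process.Start with UserName/Password set uses CreateProcessWithLogonW, which Microsoft documents as not callable from a process running as LocalSystem and as dependent on the Secondary Logon service, so the caller identity is the first thing to check.

```vbnet
Imports System
Imports System.ComponentModel
Imports System.Diagnostics
Imports System.Security
Imports System.Security.Principal

Module RunAsDiagnostics
    ' Hypothetical helper: starts exe under the given account and returns a verdict line plus
    ' the child's stdout. A Win32Exception means the OS refused to create the child at all;
    ' a non-zero ExitCode means the token was usable and the child failed on its own.
    Public Function StartAsUser(ByVal exe As String, ByVal args As String, _
                                ByVal domain As String, ByVal user As String, _
                                ByVal password As SecureString) As String
        ' Identity of the caller; for a service this is normally NT AUTHORITY\SYSTEM
        Dim caller As String = WindowsIdentity.GetCurrent().Name

        Dim psi As New ProcessStartInfo(exe, args)
        psi.UseShellExecute = False            ' mandatory when UserName/Password are set
        psi.RedirectStandardOutput = True
        psi.CreateNoWindow = True
        psi.Domain = domain
        psi.UserName = user
        psi.Password = password
        psi.LoadUserProfile = True             ' cscript/WSH read per-user settings from HKCU
        psi.WorkingDirectory = Environment.SystemDirectory

        Try
            Using proc As Process = Process.Start(psi)
                ' read the pipe before waiting; waiting first can deadlock once the buffer fills
                Dim stdout As String = proc.StandardOutput.ReadToEnd()
                proc.WaitForExit()
                Return "caller=" & caller & " child-exit=" & proc.ExitCode.ToString() & _
                       Environment.NewLine & stdout
            End Using
        Catch ex As Win32Exception
            Return "caller=" & caller & " Process.Start refused: " & ex.Message & " (native " & _
                   ex.NativeErrorCode.ToString() & ": " & Describe(ex.NativeErrorCode) & ")"
        End Try
    End Function

    ' Well-known winerror.h codes returned by CreateProcessWithLogonW
    Private Function Describe(ByVal code As Integer) As String
        Select Case code
            Case 5 : Return "ERROR_ACCESS_DENIED, the caller's token may not create a process for that user"
            Case 1058, 1062 : Return "Secondary Logon (seclogon) service disabled or not running"
            Case 1314 : Return "ERROR_PRIVILEGE_NOT_HELD, caller lacks a required privilege"
            Case 1326 : Return "ERROR_LOGON_FAILURE, wrong user name, domain or password"
            Case 1385 : Return "ERROR_LOGON_TYPE_NOT_GRANTED, account lacks the interactive logon right"
            Case Else : Return "unlisted, look it up in winerror.h"
        End Select
    End Function
End Module
```

Call it from the same service context as the posted callProcedure and compare the two verdict lines: a "refused" line with the caller shown as NT AUTHORITY\SYSTEM points at process creation, not at filesystem permissions of the target account.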