1. Calling without "privileged" works well with the current local SYSTEM account.
2. After setting the "privileged" flag I cannot access the local filesystem any longer, although the user for impersonation is a DOMAIN-ADMIN account and can log in on the server correctly.
Whenever I try to run the program directly logged in to the server it runs correctly. But I need to get this task to run automatically with the local SYSTEM account.
I tried to use standard impersonation with LogonUser from advapi32.dll (now removed) as well as giving user, password and domain information to process.startinfo, and both together. Neither works in "privileged" mode; both work very well in "standard" mode without impersonation.
The intention is to run modifiable vbs scripts from the more complex "main" program and therefore handle future modification requests and enhancements easily. A kind of "framework" using "C:\windows\system32\cscript.exe".
On the server I already changed the "local security settings/Replace a process level token" properties to allow Local System the replacement.
And furthermore I changed the ".Net Configuration / Runtime security policy / Permission Set" to allow all code to execute. Nothing has worked up to now.
The server where the program should run is a domain member server, Windows 2003 R2 Enterprise Edition with SP2 installed.
The "privileged" user is a "Domain Administrator" (therefore has enough rights on the member server).
Where is the problem? What do I have to do to get this task to run?
Private Function callProcedure(ByRef path As String, ByRef procedure As String, ByRef params As String, Optional ByRef privileged As Boolean = False) As String
    dolog(9, "Function callProcedure (" & path & ", " & procedure & ", " & params & ")")
    callProcedure = ""
    Dim proc As Process = New Process()
    proc.StartInfo.UseShellExecute = False          ' required for output redirection and for UserName/Password
    proc.StartInfo.RedirectStandardOutput = True
    proc.StartInfo.Arguments = params
    proc.StartInfo.WindowStyle = ProcessWindowStyle.Hidden
    proc.StartInfo.CreateNoWindow = True
    proc.StartInfo.FileName = path & "\" & procedure
    ' set current directory to c:\windows\system32 in order to run scripts correctly - didn't work
    dolog(9, My.User.Name)
    ' a .vbs file is not executable itself: hand it to cscript.exe as the first argument
    If LCase(Microsoft.VisualBasic.Right(proc.StartInfo.FileName, 3)) = "vbs" Then
        proc.StartInfo.Arguments = proc.StartInfo.FileName & " " & params
        proc.StartInfo.FileName = "c:\windows\system32\cscript.exe"
    End If
    dolog(9, "proc.Startinfo.Arguments=" & proc.StartInfo.Arguments)
    If privileged Then
        dolog(9, "impersonation start")
        ' start the child under the supplied domain account instead of the caller's own token
        proc.StartInfo.UserName = tADUser.Text
        proc.StartInfo.Domain = domainname
        proc.StartInfo.Password = New System.Security.SecureString
        For Each c As Char In tADPassword.Text
            proc.StartInfo.Password.AppendChar(c)
        Next
        proc.StartInfo.FileName = "c:\windows\system32\whoami.exe" ' only to test access to local filesystem
        dolog(9, proc.StartInfo.UserName & " " & proc.StartInfo.Domain)
    End If
    Try
        dolog(9, "start ")
        proc.Start()
        ' read stdout before waiting: calling ReadToEnd only after WaitForExit deadlocks
        ' as soon as the child fills the redirected pipe buffer
        Dim sOut As StreamReader = proc.StandardOutput
        callProcedure = sOut.ReadToEnd
        proc.WaitForExit(600000)
        If Not proc.HasExited Then
            dolog(1, "Procedure " & procedure & " did not exit within 10 min. Process is aborted!")
            proc.Kill()
            proc.WaitForExit()   ' make sure ExitCode/ExitTime are available after Kill
        End If
        dolog(9, "Procedure " & procedure & " started at " & proc.StartTime & " and exited with " & proc.ExitCode & _
            " at " & proc.ExitTime)
    Catch ex As Exception
        ' log the caught exception itself rather than the VB6-style Err object
        dolog(0, "Error: " & ex.Message)
    End Try
    proc.Dispose()
    proc = Nothing
    dolog(9, vbCrLf & "callProcedure returns: " & vbCrLf & callProcedure & vbCrLf)
End Function
Function callProcedure (C:\WINDOWS\system32\adm4USD, pwdresetc.vbs, "username"="anyuser" "password reset"="Y" )
NT AUTHORITY\SYSTEM
proc.Startinfo.Arguments=C:\WINDOWS\system32\adm4USD\pwdresetc.vbs "username"="anyuser" "password reset"="Y"
start
Procedure pwdresetc.vbs started at 02.07.2010 22:24:42 and exited with 0 at 02.07.2010 22:24:43
callProcedure returns:
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
++++ and output from script
--- second part: run "callProcedure WITH "privileged"-flag:
Function callProcedure (C:\WINDOWS\system32\adm4USD, pwdresetr.vbs, "username"="anyuser" "password reset"="Y" )
NT AUTHORITY\SYSTEM
proc.Startinfo.Arguments=C:\WINDOWS\system32\adm4USD\pwdresetr.vbs "username"="anyuser" "password reset"="Y"
impersonation start
admin-account-name domainname
start
Error: Access is denied
callProcedure returns:
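An added diagnostic example, not code from the original post: it wraps the same credential-based Process.Start in a function that first records whether the caller's own token is LOCAL SYSTEM and then catches Win32Exception so the native error code is logged instead of the bare text "Access is denied". The reason for the first check is documented behaviour: Process.Start with UserName set calls CreateProcessWithLogonW, and that API cannot be called from a process running as LOCAL SYSTEM because the caller's token carries no logon SID (the documented alternative is LogonUser plus CreateProcessAsUser). The names StartResult, ToSecureString and TryStartAs are assumed here, as is the choice to set LoadUserProfile.

```vbnet
Imports System
Imports System.ComponentModel
Imports System.Diagnostics
Imports System.Security
Imports System.Security.Principal

Module PrivilegedStartDiagnostics

    ' Outcome of one start attempt: what the caller's token looked like and what Win32 reported.
    Public Class StartResult
        Public CallerIsLocalSystem As Boolean
        Public Started As Boolean
        Public NativeErrorCode As Integer   ' 0 when started; Win32 code otherwise (5 = ERROR_ACCESS_DENIED)
        Public Message As String
    End Class

    ' Builds the SecureString char by char, as in the post, and marks it read-only afterwards.
    Public Function ToSecureString(ByVal clearText As String) As SecureString
        Dim s As New SecureString()
        For Each c As Char In clearText
            s.AppendChar(c)
        Next
        s.MakeReadOnly()
        Return s
    End Function

    ' Tries to start fileName under the given domain account and records why it failed, if it did.
    Public Function TryStartAs(ByVal fileName As String, ByVal arguments As String, _
                               ByVal userName As String, ByVal domain As String, _
                               ByVal password As SecureString) As StartResult
        Dim result As New StartResult()
        ' IsSystem is true when this process itself runs as NT AUTHORITY\SYSTEM
        result.CallerIsLocalSystem = WindowsIdentity.GetCurrent().IsSystem

        Dim psi As New ProcessStartInfo(fileName, arguments)
        psi.UseShellExecute = False         ' required for credentials and redirection
        psi.RedirectStandardOutput = True
        psi.CreateNoWindow = True
        psi.UserName = userName
        psi.Domain = domain
        psi.Password = password
        psi.LoadUserProfile = True          ' assumption: the script expects HKCU of the target account

        Try
            Using proc As Process = Process.Start(psi)
                ' read before waiting so a chatty child cannot deadlock on a full pipe
                Dim output As String = proc.StandardOutput.ReadToEnd()
                proc.WaitForExit()
                result.Started = True
                result.NativeErrorCode = 0
                result.Message = output
            End Using
        Catch ex As Win32Exception
            ' Win32Exception carries the native code; ex.Message alone only says "Access is denied"
            result.Started = False
            result.NativeErrorCode = ex.NativeErrorCode
            result.Message = String.Format("Win32 error {0}: {1}", ex.NativeErrorCode, ex.Message)
        End Try

        If Not result.Started AndAlso result.CallerIsLocalSystem Then
            result.Message &= " (caller runs as LOCAL SYSTEM: CreateProcessWithLogonW is not usable from this " & _
                              "account; documented alternative is LogonUser + CreateProcessAsUser via P/Invoke, " & _
                              "or running the scheduler under a dedicated service account)"
        End If
        Return result
    End Function

End Module
```

Called from the scheduled task in the post, TryStartAs("c:\windows\system32\whoami.exe", "", tADUser.Text, domainname, ToSecureString(tADPassword.Text)) returns a StartResult whose CallerIsLocalSystem and NativeErrorCode fields separate "the account lacks a right" (a code other than 5, or 5 with CallerIsLocalSystem = False) from "this call path is unavailable to LOCAL SYSTEM at all" (CallerIsLocalSystem = True), which the generic "Access is denied" line in the log above does not.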