Re: how to install services remotely from domain server?

From: sji_tech (shawn_at_nccsc.k12.in.us)
Date: 12/17/04

    Date: 16 Dec 2004 15:39:31 -0800
    
    

    Ahh yes, remotely executing something that requires administrative
    privileges...don't bet on accomplishing that with login scripts.

    Just today I was poised with a similar and critical dilemma. We
    detected a worm that entered our network. Even though it involved just
    one known machine, we decided to take proactive action anyway and
    execute the cleanup tool from Symantec. Much to the software
    administrator's dismay, it required administrative rights on the
    machines, so he could not drop it into a startup/login script and be
    done with it (that is, without exposing the administrator
    password...bad dog, bad, you should never do that!).

    You will probably discover as well that with remote execution of
    whatever involving 3 hosts (i.e. the file to be executed sits on a
    share), you will be unable to execute it even with administrative
    privileges, since doing so will require delegation. At least, that was the case when I
    was working on it with WMI and had to work around it by copying the
    file to the target machine first.

    Here are some hints that may prove helpful:

    Enumerate the target computers in Active Directory or generate a list.

    Copy the executable to the machine by some means from a server logged
    in as administrator using the list.

    Execute it using WMI.

    Of course, doing it this way means that all machines will have to
    already be on as a prerequisite. I suppose that one could use a magic
    packet and use WOL before doing this.

    Here are snippets of code that may help (vbScript):

    Enumerating Computers from Active Directory (adapted from Windows
    Script Center):

    Const ADS_SCOPE_SUBTREE = 2
    ' MAX_PCS, strOU and strDomain must be set before this point (see below).
    ' strOU and strDomain are concatenated as-is, so a non-blank strOU
    ' must end with a comma.
    Set objConnection = CreateObject("ADODB.Connection")
    Set objCommand = CreateObject("ADODB.Command")
    objConnection.Provider = "ADsDSOObject"
    objConnection.Open "Active Directory Provider"
    Set objCommand.ActiveConnection = objConnection
    objCommand.CommandText = _
        "Select Name, Location from 'LDAP://" & strOU & strDomain & "' " _
        & "where objectClass='computer'"
    objCommand.Properties("Page Size") = MAX_PCS
    objCommand.Properties("Timeout") = 30
    objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
    objCommand.Properties("Cache Results") = False
    On Error Resume Next
    Set objRecordSet = objCommand.Execute
    If Err.Number <> 0 Then
        ' put your error handling here
        Err.Clear
        WScript.Quit 1   ' stop the script (VBScript has no End statement)
    End If

    objRecordSet.MoveFirst

    Dim index
    Dim AD_Computer()
    ReDim AD_Computer(MAX_PCS)

    ' Collect every computer name returned by the query
    index = 0
    Do Until objRecordSet.EOF
        AD_Computer(index) = objRecordSet.Fields("Name").Value
        objRecordSet.MoveNext
        index = index + 1
    Loop

    where MAX_PCS is equal to or greater than the number of computers you
    wish to enumerate, strDomain is your domain in LDAP format
    ("DC=some,DC=domain,DC=com" for some.domain.com), strOU is the OU you
    wish to enumerate (leave it blank to enumerate the entire directory,
    and use LDAP convention here too, "OU=some_sub_OU,OU=someOU"), and
    AD_Computer is the array that will hold all of the computer names.

    Copying a file:

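    Set WshShell = CreateObject("WScript.Shell")
    ' Copy the file to the target's C$ administrative share
    Set oExec = WshShell.Exec("cmd /C copy " & strPath & strFile & " \\" & _
        strName & "\C$\" & strPath)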

    where strPath is the path to the file, strFile is the filename, strName is
    the name of the target computer, and strPath is the target destination.

    This assumes that you have administrative shares enabled on the
    machines and that Win2K/XP is installed on C (they are by default).

    Executing it:

    Set objWMIService = GetObject("winmgmts:\\" & strName & _
        "\root\cimv2:Win32_Process")
    On Error Resume Next
    ' Create returns 0 when the process was started on the target
    intReturn = objWMIService.Create(Remote_Command, null, null, intProcessID)
    If Err.Number = 0 And intReturn = 0 Then
        ' Success, do whatever you need to here
    Else
        ' Failure, perhaps logging it would be a good idea
        Err.Clear
    End If

    where Remote_Command is the path and file with commandline options that
    you wish to execute.
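
Added example, not part of the original post: the Wake-on-LAN magic packet the message mentions as a way to power machines on before the copy and WMI steps. The function names and the host-to-MAC inventory are assumptions made here (Active Directory computer names do not carry MAC addresses, so the inventory has to come from elsewhere); the sample entries are constructed.

```python
import re
import socket

_MAC_RE = re.compile(r"^[0-9A-Fa-f]{12}$")


def build_magic_packet(mac: str) -> bytes:
    """Return the 102-byte Wake-on-LAN payload for one MAC address."""
    # Accept 00:11:22:33:44:55, 00-11-22-33-44-55 and 0011.2233.4455 forms.
    digits = re.sub(r"[-:.]", "", mac.strip())
    if not _MAC_RE.match(digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    hw = bytes.fromhex(digits)
    # Six 0xFF synchronisation bytes, then the MAC repeated 16 times.
    return b"\xff" * 6 + hw * 16


def wake(mac: str, broadcast: str = "255.255.255.255", port: int = 9) -> int:
    """Broadcast the magic packet over UDP; returns the number of bytes sent."""
    packet = build_magic_packet(mac)  # validates before any socket is opened
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return sock.sendto(packet, (broadcast, port))


def wake_all(inventory: dict) -> dict:
    """Wake every host in a {name: mac} inventory; bad entries are reported."""
    results = {}
    for name, mac in inventory.items():
        try:
            results[name] = wake(mac)
        except (ValueError, OSError) as exc:
            # One malformed MAC or send failure must not stop the whole run.
            results[name] = f"skipped: {exc}"
    return results


if __name__ == "__main__":
    # Constructed inventory: the second MAC is deliberately one digit short.
    SAMPLE = {"LAB-PC01": "00:11:22:33:44:55", "LAB-PC02": "00-11-22-33-44-5"}
    for host, outcome in wake_all(SAMPLE).items():
        print(host, outcome)
```

The limited broadcast address only reaches the sender's own subnet, and the target's network card and firmware must have Wake-on-LAN enabled for the packet to have any effect.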

