Re: Windows 2000 remote login problems

From: "Torgeir Bakken (MVP)" <Torgeir.Bakken-spam@hydro.com>
Date: Mon, 30 Dec 2002 20:44:32 +0100


Frank wrote:

> I have a problem that we can't seem to figure out. We
> have several users working from their homes using Windows
> 2000. Whenever a user forgets their Windows password we
> only can have them overnight their laptops into our
> headquarters office to have someone reset it for them. We
> don't have the dial in automatically at bootup here at our
> company so whenever a home user forgets their password for
> Windows 2000 the only thing we can think of to do is mail
> their laptop into us because we cannot give out admin
> passwords to our users. Is there anything we can do,
> maybe a reg hack or something that will allow the users
> to log into their machines without sending the machines
> back to us? I guess overnighting a laptop and then us
> overnighting it back to them is a waste of money for a
> simple password reset.....isn't it?

Hi

An off-the-top-of-my-head solution:

Create a limited user account with a known password that never changes (call the
user e.g. Setpassword).

When the user forgets his password, he logs on with the user Setpassword.

What needs to happen now is that a script (vbscript or batch file) is run with
elevated rights, and the script asks for the user name to reset as well as the
new password to set for this user name. The script will of course reject the
user names "Administrator" and "Setpassword". This script must be placed in a
folder where all limited users only have read-only access (also for the
Setpassword user).

Changing password from a script (vbscript as well as command line):
Subject: Re: Changing Local account password
http://groups.google.com/groups?selm=3D812375.F653432%40hydro.com

The tricky part is how to get the script to run with elevated rights. Two ways
that should work come to mind:

A)
Create a service that runs under the system, or with the administrator user
credentials (using e.g. instsrv.exe and srvany.exe)

Subject: Re: Run bat file as service
http://groups.google.com/groups?selm=3D6672FD.D237512A%40hydro.com

Subject: Re: setting a program to run as service
http://groups.google.com/groups?selm=3DC518D3.AB8048CF%40hydro.com

With a vbscript, use the command line "c:\winnt\system32\wscript.exe" to start
the vbscript (adjust the path if necessary).

The service can e.g. be started from a shortcut on the desktop, or from a
script/batch file placed in the startup folder.

To let the limited user account Setpassword be able to start a service:

HOW TO: Grant Users Rights to Manage Services in Windows 2000
http://support.microsoft.com/?kbid=288129

B)
Another option is to use a RunAs-solution that runs the password reset script
with an administrator user.

Below are listed some 3rd party RunAs solutions that "hide" user name/password
(buy solutions).

1)
TqcRunAs for Win2k (NTsu for NT4) from Quimeras
http://www.quimeras.com/

TqcRunas can read its command line that includes
the password from an encrypted file.

2)
NetExec at http://www.netexec.de/
It is a runas/su replacement with many more features. Using the
CustomClient-Creator part you can create your own .exe files that run
a specific command line as another user, while storing the password
encrypted inside the .exe.

3)
RunAs Professional Version 2.x.x
http://www.mast-computer.de

--
torgeir
Microsoft MVP Scripting and WMI
Porsgrunn Norway
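
A sketch of the reset script described in the post above, as an added example that is not part of the original post or the code behind its links. It assumes the script is already started with elevated rights (option A or B) and that the local group is named "Administrators"; beyond the two names the post rejects, it also refuses any account that is a member of that group, since a name check alone misses renamed or additional administrator accounts.

```vbscript
' Added example: hypothetical reset script, not from the original post.
Option Explicit

Const ADMIN_GROUP = "Administrators"  ' assumption: English built-in group name
Dim DENIED : DENIED = Array("administrator", "setpassword")

Sub Fail(msg)
    WScript.Echo msg
    WScript.Quit 1
End Sub

' Accept only plain account names, so nothing else can reach the ADSI path.
Function IsValidName(name)
    Dim re : Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9._-]{1,20}$"
    IsValidName = re.Test(name)
End Function

' Case-insensitive match against the two names the post says to reject.
Function IsDeniedName(name)
    Dim n
    IsDeniedName = False
    For Each n In DENIED
        If LCase(name) = n Then IsDeniedName = True
    Next
End Function

' True if the name appears among the direct members of the local admin group.
Function IsLocalAdmin(computer, name)
    Dim grp, member
    IsLocalAdmin = False
    Set grp = GetObject("WinNT://" & computer & "/" & ADMIN_GROUP & ",group")
    For Each member In grp.Members
        If LCase(member.Name) = LCase(name) Then IsLocalAdmin = True
    Next
End Function

Dim computer, target, newPwd, usr
computer = CreateObject("WScript.Network").ComputerName
target = Trim(InputBox("User name to reset:"))
If Not IsValidName(target) Then Fail "Invalid user name."
If IsDeniedName(target) Then Fail "This account cannot be reset here."
If IsLocalAdmin(computer, target) Then Fail "Administrator accounts cannot be reset here."
newPwd = InputBox("New password:")    ' note: InputBox shows the text as typed
If Len(newPwd) = 0 Then Fail "Empty password rejected."
' No On Error Resume Next: an unknown user makes GetObject fail and the script stop.
Set usr = GetObject("WinNT://" & computer & "/" & target & ",user")
usr.SetPassword newPwd
WScript.Echo "Password reset for " & target
```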

