send local password for another system to runas command
-
Wednesday, August 15, 2012 4:01 AM
Hi !
I would like to send a password to the runas command, and I found this script and it works OK:
Set WshShell = WScript.CreateObject("WScript.Shell")
WshShell.Run "runas /user:domain\user %comspec%" 'Open command prompt
WScript.Sleep 1000
WshShell.SendKeys "password" 'send password
WshShell.SendKeys "{ENTER}"
Set WshShell = Nothing
But here is my problem. Let me give you a brief.
I have a monitoring server, and a server whose W3SVC service crashes too much, and then a web site fails to open.
So here is the mission of the monitoring server: every time that service crashes, restart it.
The monitoring server cannot start a service, but it can run a batch file or a VBScript.
So my script should run some commands on another system (sc \\bad server restart | .... )
So far so good. We can use the script above to send a domain admin password to a vbs file and run it.
But the problem.... that server is not (and should not be) joined to the domain,
and runas does not work with this and says bad user name / logon failure.
Assume the remote server is BADSERVER and a local admin account on it is LOCALADMIN.
I tested it, and unfortunately runas does not work in this context:
"runas /user:LOCALADMIN "My Script" "
or
"runas /user:BADSERVER\LOCALADMIN Myscript"
Is there a way to fix this?
All Replies
-
Wednesday, August 15, 2012 6:42 AM
$service=get-wmiobject win32_service -filter 'Name="w3svc"' -computer badserver -credential badserver/administrator
$service.StartService()
¯\_(ツ)_/¯
-
Wednesday, August 15, 2012 7:49 AM
$service=get-wmiobject win32_service -filter 'Name="w3svc"' -computer badserver -credential badserver/administrator
$service.StartService()
¯\_(ツ)_/¯
Thanks,
but it asks for a password! How can I automate entering the password in this script?
As I said, it should run automatically and the password should be sent to it.
-
Wednesday, August 15, 2012 12:07 PM
This is by design, you should never put a password in plain text.
Have you considered "Trigger a PowerShell Script from a Windows Event"?
Hint: you can use alternate credentials on a scheduled task.
Mike
-
Wednesday, August 15, 2012 5:20 PM
I know that,
but the server is just in my hand,
and there are ways to encrypt it.
A scheduled task cannot do this.
You cannot tell a scheduled task to use a password for the script within it.
-
Wednesday, August 15, 2012 5:52 PM Moderator
Hi,
You can run the scheduled task on the server you're monitoring, not the remote machine you are using to monitor the server.
Bill
-
Thursday, August 16, 2012 5:23 AM
Hi,
You can run the scheduled task on the server you're monitoring, not the remote machine you are using to monitor the server.
Bill
Hi!
What do you mean?
Using psexec or something like that?
-
Thursday, August 16, 2012 2:30 PM Moderator
Hi,
Copy your monitoring script to the remote server, and run it as a scheduled task on that remote server. This is not a scripting question.
Bill
-
Thursday, August 16, 2012 2:34 PM
Hi,
Copy your monitoring script to the remote server, and run it as a scheduled task on that remote server. This is not a scripting question.
Bill
Dear Bill,
Sorry, but I think you did not notice my situation.
This is not a scheduled task.
This is a script which should be run when an alarm is triggered on the monitoring server,
so the monitoring server should stop and start the service on the remote computer.
-
Thursday, August 16, 2012 2:43 PM Moderator
Hi,
Then I'm not sure what you are asking. There's not really sufficient information in your initial question to provide an informed answer. But one thing is for sure: You cannot script the password to the runas command, and this is by design.
Bill
-
Thursday, August 16, 2012 2:56 PM
This is not a scheduled task.
This is a script which should be run when an alarm is triggered on the monitoring server,
so the monitoring server should stop and start the service on the remote computer.
Run the task under domain credentials. Place the user account in the Power Users or Administrators on the remote system.
Use WMI and domain credentials.
In all cases your problem will be security unless you use a domain admin account to run this as a task.
All events in the event log allow for alternate credentials to be used because the event tasks are created as scheduled tasks. They are just scheduled directly by the receipt of an event.
Normally we run these scripts on the server where we want to restart the service. Services can have up to 3 steps, all of which can be a restart or all can be to execute a script or any combination. This can be set up to restart the service forever and send email or any other type of message.
Open the services mmc snap-in and look at the recover tab of the service properties.
These settings can be set remotely using the SC command.
¯\_(ツ)_/¯
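The recovery settings described in the post above can be applied from the command line. The following is an added example, not part of any post in this thread; the reset period and restart delays are illustrative values, and it assumes an elevated PowerShell session on the monitored server:

```powershell
# Added example: configure service recovery for W3SVC on the monitored server.
# In PowerShell, "sc" alone is an alias for Set-Content, so call sc.exe explicitly.
$svc = 'W3SVC'

# Up to three failure actions, written as action/delay-in-milliseconds pairs.
# reset= is the number of seconds without a failure after which the failure
# count goes back to zero. 86400 and 60000 are illustrative values.
sc.exe failure $svc reset= 86400 actions= restart/60000/restart/60000/restart/60000
if ($LASTEXITCODE -ne 0) {
    throw "sc.exe failure returned exit code $LASTEXITCODE"
}

# Read the recovery configuration back to confirm what was stored.
sc.exe qfailure $svc
```

Recovery actions fire only when the service terminates unexpectedly, and because the setting lives on the monitored server, no credential has to be stored on the monitoring server.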
-
Thursday, August 16, 2012 3:02 PM
This is not a scheduled task.
This is a script which should be run when an alarm is triggered on the monitoring server,
so the monitoring server should stop and start the service on the remote computer.
Run the task under domain credentials. Place the user account in the Power Users or Administrators on the remote system.
Use WMI and domain credentials.
In all cases your problem will be security unless you use a domain admin account to run this as a task.
All events in the event log allow for alternate credentials to be used because the event tasks are created as scheduled tasks. They are just scheduled directly by the receipt of an event.
Normally we run these scripts on the server where we want to restart the service. Services can have up to 3 steps, all of which can be a restart or all can be to execute a script or any combination. This can be set up to restart the service forever and send email or any other type of message.
Open the services mmc snap-in and look at the recover tab of the service properties.
These settings can be set remotely using the SC command.
¯\_(ツ)_/¯
Thanks,
but I told you the remote system is not joined to the domain.
-
Thursday, August 16, 2012 3:29 PM Moderator
Hi,
This sounds more like a security question or a question for the vendor of your monitoring software rather than a scripting question.
Bill
-
Thursday, August 16, 2012 3:36 PM
But I told you the remote system is not joined to the domain.
Doesn't matter. Use a proxy account. Use a local account with the same name and password as an admin account on the remote server. This works if both servers are in the same workgroup.
This way you do not need to use credentials on the SC command.
¯\_(ツ)_/¯
-
Thursday, August 16, 2012 4:54 PM
The monitoring server is in the domain,
but the remote server is not, because of security considerations.
Now, with these conditions, do you think a local account with the same name and password on the joined system will do the job on the remote one?
I will test it, but I simply do not think it works, because if this works, remotecomputer\localadmin should work too (which it does not).
- Edited by MohammadG Thursday, August 16, 2012 4:59 PM
-
Thursday, August 16, 2012 5:53 PM Moderator
Hi,
This is not a scripting question. If you have a specific scripting question, please ask. Otherwise we need to mark an answer or move this question to a more appropriate forum.
Bill
-
Friday, August 17, 2012 12:39 AM
The monitoring server is in the domain,
but the remote server is not, because of security considerations.
Now, with these conditions, do you think a local account with the same name and password on the joined system will do the job on the remote one?
I will test it, but I simply do not think it works, because if this works, remotecomputer\localadmin should work too (which it does not).
Make the computer's workgroup name the same as the domain's NetBIOS name. It should work then. It does in 2003 and XP/Win7.
¯\_(ツ)_/¯
-
Friday, August 17, 2012 5:56 AM
Hmm,
sounds interesting.
So tell me if I have understood well:
the monitoring server is in the domain named test.com.
So I go to the workgroup settings of the remote computer and set it to TEST.
Then I will make a user and password as a local admin there, and just the same on the monitoring server,
and then tell the monitoring server to run the script under this user's credentials.
Is that OK?
- Edited by MohammadG Friday, August 17, 2012 6:06 AM
-
Friday, August 17, 2012 9:00 AM
That's the idea. As long as the server being monitored is not a Domain Controller, because DCs can't have local accounts.
Grant Ward, a.k.a. Bigteddy
-
Friday, August 17, 2012 9:26 AM
That's the idea. As long as the server being monitored is not a Domain Controller, because DCs can't have local accounts.
Grant Ward, a.k.a. Bigteddy
As I told you multiple times, the monitoring server is a member of a domain and the monitored one is not even in the domain, and so not a DC.
I will test the mentioned way and put the results here.
-
Friday, August 17, 2012 10:41 AM
A proxy logon works if the two servers are part of a domain or are in the same workgroup or if the workgroup name is the same as the domain name.
To work the two accounts must have the identical name and the exact same password.
If you would just use PowerShell all of your troubles would be over.
¯\_(ツ)_/¯
- Edited by jrv (Microsoft Community Contributor) Friday, August 17, 2012 10:57 AM
-
Friday, August 17, 2012 10:49 AM
A proxy logon works if the two servers are part of a domain or are in the same workgroup or if the workgroup name is the same as the domain name.
To work the two accounts must have the identical name and the exact same password.
If you would just use PowerShell all of your troubles would be over.
¯\_(ツ)_/¯
No problem with PowerShell.
My monitoring server (PRTG) accepts PowerShell scripts!
Do you know any PowerShell script with which I can ease this problem without all those proxy accounts and tricks and ...
-
Friday, August 17, 2012 10:59 AM
No problem with PowerShell.
My monitoring server (PRTG) accepts PowerShell scripts!
Do you know any PowerShell script with which I can ease this problem without all those proxy accounts and tricks and ...
I posted this way back in the beginning. Here it is reformatted so it is easier to see.
$service=get-wmiobject win32_service `
    -filter 'Name="w3svc"' `
    -computer badserver `
    -credential badserver/administrator
$service.StartService()
¯\_(ツ)_/¯
- Edited by jrv (Microsoft Community Contributor) Friday, August 17, 2012 10:59 AM
-
Friday, August 17, 2012 11:01 AM
No problem with PowerShell.
My monitoring server (PRTG) accepts PowerShell scripts!
Do you know any PowerShell script with which I can ease this problem without all those proxy accounts and tricks and ...
I posted this way back in the beginning. Here it is reformatted so it is easier to see.
$service=get-wmiobject win32_service `
    -filter 'Name="w3svc"' `
    -computer badserver `
    -credential badserver/administrator
$service.StartService()
¯\_(ツ)_/¯
Thanks,
but as I told you below your post (you can scroll up and see), it asks for a password and needs user intervention (a box pops up and tells you to enter the password).
I copy my reply to you again:
""""
Thanks,
but it asks for a password! How can I automate entering the password in this script?
As I said, it should run automatically and the password should be sent to it.
"""""""""""
- Edited by MohammadG Friday, August 17, 2012 11:03 AM
-
Friday, August 17, 2012 1:24 PM
You cannot have it both ways. Either you have a trusted account or you have to supply credentials. You can use a local account as long as it is a proxy account. If you use a proxy account you do not need to supply credentials.
I do not know how to be more clear.
¯\_(ツ)_/¯
-
Friday, August 17, 2012 1:29 PM
Create the password file as follows:
(get-credential).password|convertFrom-SecureString|set-content c:\scripts\password.txt
Use the password file as follows:
$user = 'grant-pc\grant'
$cred = New-Object System.Management.Automation.PsCredential $user,(Get-Content c:\scripts\password.txt | ConvertTo-SecureString)
Now, remember, I've got my bullet-proof vest on!
Grant Ward, a.k.a. Bigteddy
-
Friday, August 17, 2012 1:34 PM
Create the password file as follows:
(get-credential).password|convertFrom-SecureString|set-content c:\scripts\password.txt
Use the password file as follows:
$user = 'grant-pc\grant'
$cred = New-Object System.Management.Automation.PsCredential $user,(Get-Content c:\scripts\password.txt | ConvertTo-SecureString)
Now, remember, I've got my bullet-proof vest on!
Grant Ward, a.k.a. Bigteddy
Thanks,
this is what I am looking for.
OK! Assuming I entered my password in a text file and made the $cred using that,
now can you tell me how I can tell the script Mr. JRV wrote above to use this $cred as the password it needs and not ask for a password?
Should I add another parameter to the script or ...
-
Friday, August 17, 2012 1:40 PM
$service=get-wmiobject win32_service `
    -filter 'Name="w3svc"' `
    -computer badserver `
    -credential $cred
$service.StartService()
Grant Ward, a.k.a. Bigteddy
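The password-file steps and the WMI call from the posts above, combined into one script; this is an added example, not code from any poster in this thread. BADSERVER\LOCALADMIN comes from the original question, while the -Setup switch and the file path are hypothetical:

```powershell
# Added example; the -Setup switch and $credFile path are hypothetical names.
param([switch]$Setup)

$user     = 'BADSERVER\LOCALADMIN'
$credFile = 'C:\scripts\badserver-localadmin.txt'

if ($Setup) {
    # Run once, interactively, logged on as the account the monitoring software
    # uses to launch scripts. Without -Key, ConvertFrom-SecureString encrypts with
    # DPAPI, so only that account on this computer can decrypt the file later.
    (Get-Credential -Credential $user).Password |
        ConvertFrom-SecureString |
        Set-Content -Path $credFile
    return
}

if (-not (Test-Path $credFile)) {
    Write-Error "No credential file at $credFile; run this script once with -Setup."
    exit 2
}

# Unattended path: rebuild the credential object without prompting.
$secure = Get-Content -Path $credFile | ConvertTo-SecureString
$cred   = New-Object System.Management.Automation.PSCredential($user, $secure)

$service = Get-WmiObject Win32_Service -Filter 'Name="w3svc"' `
    -ComputerName BADSERVER -Credential $cred -ErrorAction Stop
if (-not $service) {
    Write-Error 'Service w3svc was not found on BADSERVER.'
    exit 1
}

if ($service.State -ne 'Running') {
    $result = $service.StartService()
    # Win32_Service.StartService: 0 = success, 10 = service already running
    if (@(0, 10) -notcontains $result.ReturnValue) {
        Write-Error "StartService returned $($result.ReturnValue)"
        exit 1
    }
}
exit 0
```

The file is only as protected as the account that created it: anything running as that account on the monitoring server can decrypt it, so restrict the NTFS permissions on the file and run the monitoring scripts under a dedicated account.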
-
Friday, August 17, 2012 1:59 PM
Thank you so much.
Currently I cannot access the servers because I am on holidays.
I will test it ASAP and give you feedback.
Thanks to all
-
Friday, August 17, 2012 2:03 PM
I have tested it in a domain environment, and it works there. Can't guarantee it'll work from domain to workgroup.
Grant Ward, a.k.a. Bigteddy
-
Friday, August 17, 2012 2:06 PM
This is the point: from domain to workgroup,
because from domain to domain, the vbs script above works.
Anyway, thanks so much BigTeddy, Jrv and all you guys there.
I will tell you the results. Hope it works.
-
Friday, August 17, 2012 2:39 PM
If you name your workgroup the same as the netbios name of your domain, as jrv advised, you should be ok.
Grant Ward, a.k.a. Bigteddy
-
Friday, August 17, 2012 10:42 PM
Hello,
You can test with CPAU Tool.
CPAU -u %COMPUTERNAME%\administrator -p Pa$$word01 -ex "cscript.exe C:\Script.vbs" -nowarn
And read this article:
Why doesn't the RunAs program accept a password on the command line?
Regards
- Marked As Answer by MohammadG Tuesday, August 21, 2012 1:08 PM
-
Tuesday, August 21, 2012 1:11 PM
Hello,
You can test with CPAU Tool.
CPAU -u %COMPUTERNAME%\administrator -p Pa$$word01 -ex "cscript.exe C:\Script.vbs" -nowarn
And read this article:
Why doesn't the RunAs program accept a password on the command line?
Regards
Great answer and greater tool!
Very, very good.
It made the job very easy.
Just ran this:
cpau -u myworkgroupcomputer\local user -p password -ex "sc \\myworkgroupcomputer start w3svc" -nowarn
and it was all done
Thanks to all!
-
Monday, August 27, 2012 2:43 PM Moderator
Just ran this:
cpau -u myworkgroupcomputer\local user -p password -ex "sc \\myworkgroupcomputer start w3svc" -nowarn
and it was all done
Of course, this is egregiously insecure as you've embedded administrative credentials in plain-text in a script. Not recommended.
Bill

