none
How To Run A VBScript As The LocalSystem Account

    Question

  • Hi,
    Does anyone know how to run a vbscript as the localsystem account?  I need to be able to do this on demand, not as a scheduled task or to call the script from a service that is already running as the localsystem account.  The RUNAS command does not work for this.

    Any help woudl be greatly appreciated.
    Wednesday, July 29, 2009 5:51 PM

Answers

  • Hi Bill,

    A local admin works only if it is a domain account that has been added to the local admins, which only domain admins is there after a domain join.  We need to automate/script this and don't want to use a domain admin account.  The built-in admin account doesn't work because it's not part of the domain, but for some reason the localsystem account does.

    Thanks.
    Hi YabetT,

    I logged onto a domain-member machine using the local built-in 'administrator' account, and I ran the following command:

    net localgroup administrators domain\username

    The command added 'domain\username' (I picked a non-admin test account on my domain) to the Administrators group.

    Bill
    • Marked as answer by YabetT Thursday, July 30, 2009 11:52 PM
    Thursday, July 30, 2009 6:28 PM
    Moderator

All replies

  • Hi YabetT,

    Why?

    Bill
    Wednesday, July 29, 2009 7:08 PM
    Moderator
  • Hi Bill,

    It's not for nefarious purposes.  Background:

    We use Altiris to deploy physical systems.  Part of the Altiris job is to add the server to an AD domain when finished.  Altiris uses a local client which runs under the localsystem account, and launches a VB script which adds a domain group to the local admins.

    We need to do the same when deploying VM's (not using Altiris).  However since they have no agent running under the localsystem account, I need to reproduce this functionality.

    Hopefully this helps.
    Wednesday, July 29, 2009 8:01 PM
  • Hi YabetT,

    But you don't need to run as LocalSystem in order to add to the local Administrators group...? Running the script in the context of an account that's a member of Administrators should work, shouldn't it?

    Bill
    Wednesday, July 29, 2009 9:04 PM
    Moderator
  • Hi Bill,

    A local admin works only if it is a domain account that has been added to the local admins, which only domain admins is there after a domain join.  We need to automate/script this and don't want to use a domain admin account.  The built-in admin account doesn't work because it's not part of the domain, but for some reason the localsystem account does.

    Thanks.
    Thursday, July 30, 2009 11:29 AM
  • why you say RUNAS command doesnt work for local account?
    Thursday, July 30, 2009 2:58 PM
  • The RUNAS command does not work for the LocalSystem account.
    Thursday, July 30, 2009 5:25 PM
  • It works.

    Try runas /user:<<local computer name>>\<<local user name>> <<command to run>>
    Amol
    Thursday, July 30, 2009 5:49 PM
  • Hi Bill,

    A local admin works only if it is a domain account that has been added to the local admins, which only domain admins is there after a domain join.  We need to automate/script this and don't want to use a domain admin account.  The built-in admin account doesn't work because it's not part of the domain, but for some reason the localsystem account does.

    Thanks.
    Hi YabetT,

    I logged onto a domain-member machine using the local built-in 'administrator' account, and I ran the following command:

    net localgroup administrators domain\username

    The command added 'domain\username' (I picked a non-admin test account on my domain) to the Administrators group.

    Bill
    • Marked as answer by YabetT Thursday, July 30, 2009 11:52 PM
    Thursday, July 30, 2009 6:28 PM
    Moderator
  • That works - thanks!
    Thursday, July 30, 2009 11:52 PM