I am an enterprise admin (Sr. Network Engineer), but my team does not manage Active Directory, so I am a little unfamiliar with policies and what is required to do what I am trying to achieve, and even the AD admins are failing me when it comes to my predicament.
I have a command that I am trying to turn into a script that is giving me some really weird behavior, and I need help sorting it out.
First things first:
- From my local workstation, I can open a command window by Shift-clicking and running as my domain admin user, and the command works just fine.
- From my local workstation, if I put this command in a script, and Shift-click to run the script as my domain admin user, the script/command works fine (as long as I give my domain admin account permissions).
- On the target machine where I want this script to run, I have confirmed that another domain admin can successfully execute the command.
- If I launch a command prompt on this target machine when logged in with my domain admin account, the command fails (and also as a script).
Before you suggest something I've already tried or will not benefit me:
- runas is not an option, because this script should not be interactive and prompted for a password.
- The /savecred parameter for runas is not an option because of password/security/audit policies.
I have achieved the basic functionality, but it's messy:
The basic command is something like this:
\\server\share\unlock.exe . username
The only way I can successfully execute this command without any Shift-clicking or runas nonsense is by putting this command in C:\Users\Username\Desktop\unlock.bat and then from my local machine creating a separate batch file that includes the following:
psexec \\targetmachine -u domainadmin -p domainpassword "C:\Users\Username\Desktop\unlock.bat"
Questions and possible theories:
- If I double-click this batch file on the target machine, should it not run as the username of the domain admin account that I'm logged into?
- Is it possible that since my domain admin is an admin on the target machine that when I run this command, it is trying to run as local Administrator?
- Every time I open a command prompt on this machine, it's automatically an Administrative prompt. Is it possible that what I need is an un-elevated prompt, and if so, how do I get one when it automatically launches an Administrator prompt?
Other details:
- This is a terminal server running Windows 2008 R2 with a few different users accessing it, so I don't want to modify the behavior of how cmd.exe launches every time or anything.
- I realize I could specify a user if I run this as a scheduled task, but right now, I just want to run it from this server as a standalone script or command without any Shift-clicking.
My main goal is to be able to logon to this server and simply double-click the batch file (and also be able to execute from a command prompt), while logged in as my domain admin account, which should be able to do this.
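As an added diagnostic, not code from the original post, the following PowerShell snippet can be run on the target server from the same prompt in which the command fails; it prints the exact account the shell is running as, whether its token is elevated, and whether the share path is reachable, which is enough to confirm or rule out the three theories listed above. The share path is the placeholder from the question and should be replaced with the real one.

```powershell
# Added diagnostic (not from the original post). Run it on the target server
# from the prompt where unlock.exe fails, so the result reflects that exact
# token. Written for PowerShell 2.0, which is what Windows 2008 R2 ships with.

# Identity of the current token: this is the account any command launched
# from this prompt will run as. If it shows the domain admin account, the
# "running as local Administrator" theory is ruled out.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)

# True when the token is an elevated (full) administrator token under UAC.
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# Placeholder share path copied from the question; replace with the real path.
$sharePath = '\\server\share\unlock.exe'

'{0,-22}: {1}' -f 'Running as',          $identity.Name
'{0,-22}: {1}' -f 'Authentication type', $identity.AuthenticationType
'{0,-22}: {1}' -f 'Token elevated',      $elevated
'{0,-22}: {1}' -f 'Share reachable',     (Test-Path -LiteralPath $sharePath)
'{0,-22}: {1}' -f 'Computer',            $env:COMPUTERNAME
'{0,-22}: {1}' -f 'Session',             $env:SESSIONNAME

# Group and integrity-level view of the same token. "High Mandatory Level"
# means an elevated prompt; "Medium Mandatory Level" means un-elevated.
# Run this block once from the default (elevated) prompt and once from a
# prompt started without elevation, and compare the two outputs.
whoami /groups | Select-String -Pattern 'Mandatory Level|Domain Admins|Administrators'
```

Comparing the two runs shows directly whether elevation changes the identity or only the integrity level, and whether the share is visible from the failing token. Separately, the psexec line in the question carries the domain admin password in clear text inside a batch file and on the command line, where it is readable in process listings; that is worth weighing against the audit policies already mentioned.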