samba - Mar 2005 - Administrator-privileged logon scripts under limited mode on XP?

At our organization, we're currently gradually migrating the 
workstations from Windows 98 to Windows XP, while retaining the use of 
our samba server as a PDC. For those who may remember my previous post, 
our upgrade to Samba 3.0.11 from an ancient version (2.2.3) I inherited 
went extremely well, and I was thoroughly impressed how little I had to 
change to get everything running.

Anyways, I want the Windows XP users to mostly be in a limited user mode 
when on the domain, so they can't randomly install silly little games 
chock-full of spyware and other such things, unlike in Windows 98 where 
they always have Administrator access to their machine, even when logged 
in on the network.

However, clever use of the login.bat, as bad as it was to do it, was 
used to run things with administrator level privileges under Windows 98, 
such as installing certain updates or programs automatically, removing 
certain common spyware programs, copying useful utilities such as putty, 
gnugrep and vncviewer to a system directory for purposes of running from 
the $PATH, regedit'ing registry keys, etc. The login.bat under Windows 
XP, however, runs with user level privileges, which is in limited mode, 
meaning there's only so much I can do with it.

So, the question is, is there any way to run a logon script that has 
local Administrator privileges while running on a Windows XP machine 
joined to the samba domain in limited mode?

I've googled for some time and I hope I haven't missed anything, but I 
have yet to find anything that allows a logon script with anything but 
user-level (limited mode under XP) privileges, though I have heard some 
remote mentioning of it. It would be quite a nice thing to have, 
especially with the growth of our organization, so I could do more to 
each machine by remote without having to go through the ordeal of 
running a Windows Server, which is mostly out of the question as far as 
I'm concerned. Any suggestions for solutions would be much appreciated.

Thanks!

> -----Original Message-----
> From: samba-bounces+mitch=webcob.com@lists.samba.org [mailto:samba-
> bounces+mitch=webcob.com@lists.samba.org] On Behalf Of Hunter Rognstad
> Sent: March 2, 2005 10:38 AM
> To: samba@lists.samba.org
> Subject: [Samba] Administrator-privileged logon scripts under limited
> modeon XP?
> 
> However, clever use of the login.bat, as bad as it was to do it, was
> used to run things with administrator level privileges under Windows 98,
> such as installing certain updates or programs automatically, removing
> certain common spyware programs, copying useful utilities such as putty,
> gnugrep and vncviewer to a system directory for purposes of running from
> the $PATH, regedit'ing registry keys, etc. The login.bat under Windows
> XP, however, runs with user level privileges, which is in limited mode,
> meaning there's only so much I can do with it.
> 
[Mitch says:] I think your users can be local admin's while being on the
domain login, but it requires enabling that on each workstation - if that's
what you want to do - as for elevating privileges of a login script, I think
it's impossible - I looked into scripting the runas tool and was told it was
intentionally impossible.

A work around I am playing with is writing a service running locally as
"admin" to accept certain commands and options from non-admin users
and
execute them, returning results over a pipe...

Sort of off topic, but I share your grief ;-)

m/

Hunter Rognstad wrote:
> 
> So, the question is, is there any way to run a logon script that has 
> local Administrator privileges while running on a Windows XP machine 
> joined to the samba domain in limited mode?
Many alternatives, such as sanur. I'm using it when need to install 
antivirus to W2k clients.

http://www.commandline.co.uk/sanur/


-- 

--beast