Tomasz Chmielewski
2005-May-20 17:05 UTC
[Samba] run a script with "administrator" credentials?
I saw Active Directory a bit today and was impressed with the ease one can manage many Windows workstations with that.

Especially I liked the software installation (too bad it can install MSI packages only) and the ability to run custom scripts on the workstations (when they boot up etc.).

Is it possible to run a custom script for a given machine when it boots up (that is already joined to the domain), with administrator credentials (for example, to install software)?

For now it seems to me that it's only possible to run a "machine script - %m" or a "user script - %u" with the credentials of a user.

--
Tomek
Tony Earnshaw
2005-May-21 08:40 UTC
[Samba] run a script with "administrator" credentials?
Fri, 20.05.2005 at 19.05, Tomasz Chmielewski wrote:

> I saw Active Directory a bit today and was impressed with the ease one
> can manage many Windows workstations with that.
>
> Especially I liked the software installation (too bad it can install MSI
> packages only) and the ability to run custom scripts on the workstations
> (when they boot up etc.).
>
> Is it possible to run a custom script for a given machine when it boots
> up (that is already joined to the domain), with administrator
> credentials (for example, to install software)?

I don't know about running scripts as a *machine* at logon/boot time, but I've discovered that Windows 2000 and later have an executable called runas, which can run .msi installation programs (using msiexec) with elevated privileges at *user* logon.

However, this method introduces so many security risks (password in scripts on the netlogon share, etc.) that it probably isn't worth the hassle. I've gone off it, anyway (even though there are doubtful workarounds such as commercial/paid encryptedrunas).

I don't have any details to hand right now, but google for msiexec and runas and look in the Microsoft knowledge base.

There have been those on this list who've written that they're no Windows experts. Well, I've hated Windows and pushed its tecchie details from me for years, but as soon as one begins with Samba, one bloody well has to become a Windows expert, like it or not. I could rant on, but nuff said.

> For now it seems to me that it's only possible to run a "machine script
> - %m" or a "user script - %u" with the credentials of a user.

No, you can run at elevated privileges. But for me it ain't worth the extra hassle with my machine and user park (respectively 80 and 1150+ at a single site).

--Tonni

--
Nothing sucksseeds like a pigeon without a beak ...
mail: tonye@billy.demon.nl
http://www.billy.demon.nl
They'll love us, won't they? They feed us, don't they? ...
Jean-Jacques Moulis
2005-May-21 16:48 UTC
[Samba] run a script with "administrator" credentials?
On Fri, 20 May 2005 19:05:42 +0200 Tomasz Chmielewski <mangoo@mch.one.pl> wrote:

TC> Is it possible to run a custom script for a given machine when it boots up
TC> (that is already joined to the domain), with administrator
TC> credentials (for example, to install software)?

A machine script can be run at bootup. It runs with Administrative privileges and can be used to install software (we do!).

Use gpedit.msc on the client to define the startup script:

    -->Local Computer policy
    -->Computer Configuration
    -->Windows Settings
    --> Scripts (Startup Shutdown)

The script may reside on a samba share.

We are using an imaging system to deploy machines and all new machines have the script defined. You could perhaps copy the file

    %SystemRoot%\system32\Group Policy\Machine\Scripts\scripts.ini

to already deployed machines, but I don't know if it's sufficient.

ex of a scripts.ini:

    [Startup]
    0CmdLine=\\Sambaserver\Publicshare\Startup.cmd
    0Parameters=

--
Jean-Jacques Moulis      Tel: (013) 281684
ISY                      Fax: (013) 139282
Linköping University     E-mail: jj@isy.liu.se
581 83 Linköping
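
An added example, not from the thread: because a startup script runs with administrative privileges, whoever can write to the share that holds it decides what every client runs at boot. The sketch below parses a scripts.ini like the one quoted above, picks out UNC startup scripts, and checks the matching smb.conf share section for write or guest access; the sample smb.conf and all function names are constructed, and only per-share settings are examined (not [global] defaults, `write list`, or file permissions).

```python
import configparser
import re

# Constructed sample inputs (assumptions, not taken from a real system).
SCRIPTS_INI = r"""[Startup]
0CmdLine=\\Sambaserver\Publicshare\Startup.cmd
0Parameters=
"""
SMB_CONF = """[Publicshare]
    read only = no
    guest ok = yes
"""

def startup_cmdlines(ini_text):
    """Return the NCmdLine values of the [Startup] section, ordered by N."""
    found, section = [], None
    for line in ini_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "startup":
            m = re.match(r"(\d+)CmdLine=(.+)", line, re.I)
            if m:
                found.append((int(m.group(1)), m.group(2).strip()))
    return [cmd for _, cmd in sorted(found)]

def _yes(value):
    return value.strip().lower() in ("yes", "true", "1")

def share_findings(smb_conf_text, share):
    """List risky per-share settings for the share hosting a startup script."""
    # smb.conf lines are usually indented; strip so configparser does not
    # treat them as continuation lines.
    text = "\n".join(l.strip() for l in smb_conf_text.splitlines())
    cp = configparser.RawConfigParser(strict=False)
    cp.read_string(text)
    sect = next((s for s in cp.sections() if s.lower() == share.lower()), None)
    if sect is None:
        return ["share not defined in smb.conf"]
    opts = dict(cp.items(sect))
    writable = (any(_yes(opts.get(k, "no")) for k in ("writable", "writeable", "write ok"))
                or not _yes(opts.get("read only", "yes")))  # Samba default: read only = yes
    guest = any(_yes(opts.get(k, "no")) for k in ("guest ok", "public"))
    checks = ((writable, "share is writable"), (guest, "guest access allowed"))
    return [msg for flag, msg in checks if flag]

def audit(ini_text, smb_conf_text):
    """Map each UNC startup script to the findings for its share."""
    unc = re.compile(r"\\\\[^\\]+\\([^\\]+)\\")
    hits = ((c, unc.match(c)) for c in startup_cmdlines(ini_text))
    return {c: share_findings(smb_conf_text, m.group(1)) for c, m in hits if m}
```

An empty findings list for every script means the share section itself grants neither write nor guest access; Unix permissions on the script file still need a separate check.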