Granting Temporary Administrative Rights to Users
Novell Cool Solutions: Tip
By Paul de Yturralde
Posted: 20 Aug 2003
Running NAL applications as "Secure System User" or "Unsecure System User" can sometimes fail if the application involves scripting where one application executes another application. I have come up with a workaround to grant temporary Administrative rights to users in order to install these applications, or you could use portions of this solution to simply add a user to the Administrators group.
The process involves running the following types of NAL applications in the order given. (Tested with ZFD 3.2)
NAL Application 1: Add logged-in user to Administrators group by issuing a "net localgroup administrators /add %USERNAME%", as Unsecure System User, and run once. Note: You can replace %USERNAME% with INTERACTIVE in order to grant any future logged-in user Administrative privileges.
NAL Application 2: Remove logged-in user from Administrators group by issuing a "net localgroup administrators /delete %USERNAME%", as Unsecure System User, run once, and with a dependency on Application 4 being already run. The dependency can be made by ensuring that a file distributed by NAL Application 4 be present before NAL Application 2 can be run, or by some other dependency.
NAL Application 3: Run the application that requires Administrative privileges as run once, and with a dependency on Application 4 being already run.
NAL Application 4: Copy Logoff.exe (available in the Windows Resource Kit; I also found a similar program by searching on Google) to somewhere on the local hard drive as Unsecure System User, and run once.
NAL Application 5: Execute "Logoff.exe /N /F", as Unsecure System User, and run once.
What will happen?
- User logs in; Applications 1, 4, & 5 launch (2 & 3 cannot launch until 4 has been run), and the user is logged off without a prompt.
- User logs in again; Applications 2 & 3 launch, which removes the user from the Administrators group and runs the installation program.
The reason a user must be logged off the workstation is that a group membership change for the currently logged-in user requires a logoff or a restart. You could force a restart in NAL Application 1 and avoid using Logoff.exe, but a logoff would be faster.
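An added check, not part of the original tip: the user remains in the Administrators group until NAL Application 2 has run, and the INTERACTIVE variant grants rights to any future logged-in user, so it is worth auditing the group afterwards. The PowerShell below flags unexpected members; the helper name Get-UnexpectedAdmin, the host name WS042, the allowlist and the sample members are all constructed for illustration.

```powershell
# Added example: audit the local Administrators group after the temporary grant.
# Allowlist and sample members are constructed; adjust for your environment.
$InteractiveSid = 'S-1-5-4'   # well-known SID of NT AUTHORITY\INTERACTIVE

function Get-UnexpectedAdmin {
    param(
        [Parameter(Mandatory)] [object[]] $Members,  # objects with Name and SID
        [Parameter(Mandatory)] [string[]] $Allowed   # names permitted to remain
    )
    foreach ($m in $Members) {
        $sid = [string]$m.SID   # works for SID strings and SecurityIdentifier objects
        if ($sid -eq $InteractiveSid) {
            $reason = 'INTERACTIVE gives admin rights to every logged-in user'
        } elseif ($Allowed -notcontains $m.Name) {   # case-insensitive comparison
            $reason = 'not on allowlist; the removal step may not have run'
        } else {
            continue
        }
        [pscustomobject]@{ Name = $m.Name; SID = $sid; Reason = $reason }
    }
}

# Constructed sample standing in for live group membership.
$sample = @(
    [pscustomobject]@{ Name = 'WS042\Administrator'
                       SID  = 'S-1-5-21-1111111111-2222222222-3333333333-500' }
    [pscustomobject]@{ Name = 'WS042\jsmith'
                       SID  = 'S-1-5-21-1111111111-2222222222-3333333333-1001' }
    [pscustomobject]@{ Name = 'NT AUTHORITY\INTERACTIVE'
                       SID  = 'S-1-5-4' }
)
$allowed = @('WS042\Administrator')

# Expect two findings: WS042\jsmith and NT AUTHORITY\INTERACTIVE.
$findings = @(Get-UnexpectedAdmin -Members $sample -Allowed $allowed)
$findings | Format-Table -AutoSize

# On a real workstation, replace $sample with the live membership:
#   Get-LocalGroupMember -SID 'S-1-5-32-544'   # built-in Administrators group
```

Running it on a schedule, or as a later NAL application, shows whether the removal in NAL Application 2 actually took effect on each workstation.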
If you have any questions you may contact Paul at firstname.lastname@example.org
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com