I wish to open and process a text file on a remote Windows server using PowerShell.
We have something (roughly) like the following:
$path = "\\server1\c$\Users\gavin\Desktop\mylogfile.log"
Get-Content $path
Apparently, I can only get this to work when I have Admin rights to server1.
For security reasons, I cannot have unlimited access to all the servers I wish to access.
Is there a way of getting around this, given that I can only have less than full Admin rights?
I am thinking in terms of getting IT to alter my group privileges etc. on the remote machine(s).
\\server1\C$ is a so-called administrative share. They're hidden shares for administrator access to remote computers' filesystems. Accessing these requires admin privileges for security reasons.
Ask an administrator to create a dedicated share that allows you access, or (better yet) have the servers create the logs in a central location to which you have access.
Related
Is there a Windows C++ API to execute a command as a different user ? I am trying to mount a CIFS share from a service which is running as sys admin and I am currently logged in as a Kiosk user so when I try to mount the share using "net use .." I get access denied.
With CreateProcessWithLogin, you can execute a command with an arbitrary user provided you have valid credentials. Alternatively, can can use a combination of LogonUser and CreateProcessAsUser / CreateProcessWithToken.
Rather than requiring credentials including a password stored as plaintext (not recommended from a security POV), you could also grant required permissions to the kiosk user so that the current user context is sufficient for accessing the data and/or mapping the network drive.
If that is not an option, your application could have a manually configured persistent network drive as a prerequisite. The credentials would then be managed by Windows.
Currently we require Domain Administrator access to transfer a domain account between computers using Windows Easy Transfer.
Is it possible to grant a user access to the Transfer without granting them full Domain rights?
Thanks.
I am trying to use named pipes on Windows XP SP2+. The pipe server will be a service, running as some kind of administrator / system level account. The pipe client could be any user, possibly a guest, possibly an admin. In my case, I am fine with having a guest account successfully communicate with my service running as administrator.
Before I start using the pipe in my client code, I want to validate that the other side of the pipe is really owned by an administrator / the system.
I have discovered the GetSecurityInfo function, and I think I should be able to use that as part of the solution. However, I don't know how to get from a SID to an "is admin" check.
The default owner for all objects created by an administrative account (including the system account) is the well-known Administrators group, and you can't assign ownership of an object you create to someone else without administrative privilege.
So you can check as follows:
Use GetSecurityInfo to fetch the SID of the owner of the pipe object.
Use CreateWellKnownSid with the WinBuiltinAdministratorsSid option to create a SID for the Administrators group.
Use EqualSid to compare the two SIDs.
Make sure that when you open the pipe (using CreateFile) you pass the SECURITY_IDENTIFICATION flag to ensure that the potentially malicious server cannot impersonate you.
I have a script written in Visual Basic that starts a process (given to the script as an argument) on a remote system (again, given as an argument) using WMI. This script works fine when using an Administrator account on the remote system, but when using a non-administrator account, I get the following error:
ConnectServer Failed w/ (-2147024891) Access is denied.
I'd like to be able to run processes on remote systems as a non-administrator user with this script, and I'm pretty sure the problem is due to security settings on the remote system, but I've not been able to reset the right ones.
It sounds like you need to configure launch and activation permissions for this user, on the target machine, via DCOMCNFG. By default non-admin users do not have remote launch and activiation permissions.
Alternatively, depending on the operating system you are connecting to, there may be a "Distributed COM Users" group to which you can add your user. This group already has the appropriate permissions. The Distributed COM Users group was first included in Windows Server 2003 Service Pack 1 (DCOM Security Enhancements).
You can read more about WMI and DCOM permissions here. More detailed steps on how to configure WMI and DCOM are included in the serverfault thread Which permissions/rights does a user need to have WMI access on remote machines?.
I'm going to write a script to disable/enable network access for applications in windows. My idea was to write a script that runs a windows shell command that do this.
The scripting is the easy path, but i don't know how to do the "denying" part. Any ideas?
This sounds like a task better suited to letting Windows user / group security handle.
For example, assuming you're on Active Directory and have administration privileges, you could create a user account with the very specific access your app needs, and configure your app to authenticate with the network using that user's credentials.
Then your app through AD would access the network within the constraints of that user account's privileges, and if necessary deny them access to specific network resources.