How to enable a low privilege user to run an administrative script ?

Hello
I have a problem which seems to come from the lack of "sudo" in Windows.
I want standard low privileges users to be enable to run a script that will give them a result (i-e DB status on Exchange). I don't want to give them any right, so the only solutions i think about are
 - to make a scheduled task on a server, and give them only the right to launch the task (but i'd prefer them not to be able to log on the server, so i don't like it)
 - To create a webpage (ASP.NET, i guess) that runs the script when they click a button. I'm not a dev, i won't be able to do it easily but i think i will have to.
Do you have better ideas please ?

Signed scripts could include authorizations to be ran from some chosen users...
This is not possible in Windows because an process that can escalate inside of a user process allows the user process namespace to access the processes security context. This makes it possible for the process to see the credentials of the script. The password
also has to beencoded in a way that he user can decode so it is almost the same as giving out the admin password.
UAC is designed to protect an admin.  Bypassing authentication or merging it with a users context defeats the security.
The closes we can come is to delegate the authority carefully or to provide a proxy service that is secure.
Access to read the Exchange DB status can be delegated without giving admin access to Exchange.  Post in Exchange forum to learn how to set up Exchange read-only operators.
I recommend that this should be done as a set of reports exposed through a web site.  The reports can be generated daily or more frequently.  This would be more consistent with other management scenarios.
¯\_(ツ)_/¯

Similar Messages

  • How to backup files from other user logged in as administrator

    RE: How to backup files from other user logged in as administrator AND/OR how to repair drive with "Invalid catalog PEOF"
    Hello,
    My MacBook Pro computer’s hard drive is not booting.
    I booted with the base operating system and ran Disk utilities and I got the following messages:
        Invalid catalog PEOF
        The volume could not be verified completely.
        This disk needs to be repaired.
        Disk utility can’t repair this disk. Backup as many files as possible, reformat the disk,
        and restore your backed-up files.
    The problem is that I have a couple of USERS set up on this computer, and it won’t let me backup the files of the second user.  The folders are locked and I can’t access them, even though I am logged in as the administrator.
    I made a boot disk on my other computer ( a MacPro Early 2008 ) desktop computer with the DiskWarrior 4.4 updater,
    but it won’t boot on my MacBook Pro.
    How can I backup these user files so that I can copy them back once I fix the drive?
    or better yet,  How can I repair the Invalid catalog PEOF on this drive?
    Thank you in advance for your time! 
    Bill
    THIS IS THE COMPUTER
    ================
    17” MacBook Pro 2.8GHZ 4GB Ram (purchased in 2009).
    Model: A1297
    Running Mac OSX 10.9.5

    Try using Disk Utility/Restore to copy the backup to a new location. Please note that this will reformat the destination partition which will erase all data.
    Do a backup. Boot to the Recovery Volume (command - R on a restart or hold down the option/alt key during a restart and select Recovery Volume). Run Disk Utility Verify/Repair and Repair Permissions until you get no errors.  Reformat the drive using Disk Utility/Erase Mac OS Extended (Journaled), then click the Option button and select GUID. Then re-install the OS.
    OS X Recovery
    OS X Recovery (2)
    When you reboot, use Setup Assistant to restore your data.

  • How to Enable Authentication to Selected Users

    1. How to enable SAP and AD authentication only for selected users in infoview login page ?
    2. How to disable(remove) enterprise options in down arrow selection in infoview login page for some users?
    We have to make some changes in web.xml?
    Can anyone help me out.
    Thanks!
    Milton

    You have to enable authentication for your application.
    However, for the public pages, you disable this by setting the page's security attribute Authentication to "Page is public".

  • How to find what transaction an user was running for a given period

    hi
    could anybody tel me
    how to find what transaction a particular user was running for a given period
    in the past.............

    Hi,
    U need to findout the list of Tcode excuted by SAP user
    1) Tcode: ST03N
    2) Select Expert Mode option
               (there u find  Server Host name & Today)
       If u select Host name u find DAY/WEEK/Month (same thing will in Today option)
    3)Now u need to select the option of DAY,WEEK etc.
    Now u can find in two ways
    1) Transaction profile (Standard / EarlyWatch)
    2) User (user profile)
    If u select the Transaction profile
    Under these u find the option of Aggregation----application/package/tranasation etc.
    I hope these will help u to findout.
    Regards
    ASR

  • How to enable the printer option in print priview screen in script

    Hi All,
    Please tell me how to enable the printer option in script print priview screen.
    Thanks & Regards
    Murali

    hi
    the print option TDNOPRINT has to be intial  (' ').  NOT 'X'
    TDNOPRINT  CHAR  1  0  No printing from print preview
    this will do.
    Gr., Frank

  • How to restrict the EBS end users to run only two same reports at a time?

    Hi,
    We are using EBS 12.0.6 and database 10.2.0.3.
    Is it possible to restrict the end business users to run only two reports at a time?
    OR
    Is it possible to restrict the end business users to run only two same reports at a time?
    Thanks.

    Is it possible to restrict the end business users to run only two same reports at a time?It is not possible.
    You can either make the report "incompatible" to itself (this means only one user in your company can run it at a time)
    Or not make it incompatible. (That means any user can run it any number of times)
    Incompatibility is a way of specifying which requests cannot be run under which circumstances.
    See http://download.oracle.com/docs/cd/A60725_05/html/comnls/us/fnd/incomp.htm
    You can use Hussain's suggestion to use Concurrent: Active Request Limit profile. You can set this profile value at each user level. But if you decide to set it at global level, remember to keep it a higher value for sysadmin kind of users that run scheduled jobs.
    Hope this helps,
    Sandeep Gandhi

  • How can I setup a scheduled task to run a Powershell Script delivered as a Group Policy Preference

    I have a Powershell script I want to run only once when a user logs onto their system. This script would move all the PST files from the Local drive and the Home drive to a folder location within the users profile. I wanted to run this as a Windows 7 Scheduled Task using Group Policy Preferences. How can I get this to happen short of a logon script? I have updated all the machines to WMF 4.0 so could I use a Scheduled Job instead? I wanted to run the script as the logon user but elevated.#Start Outlook and Disconnect attached PST files.
    $Outlook = New-Object -ComObject Outlook.Application
    $namespace = $outlook.getnamespace("MAPI")
    $folder = $namespace.GetDefaultFolder("olFolderInbox")
    $explorer = $folder.GetExplorer()
    $explorer.Display()
    $myArray= @()
    $outlook.Session.Stores | where{ ($_.FilePath -like'*.PST') } | foreach{[array]$myArray+= $_.FilePath}
    for
    ($x=0;$x-le$myArray.length-1;$x++)
    $PSTPath= $myArray[$x]
    $PST= $namespace.Stores | ?{$_.FilePath -like$PSTPath}
    $PSTRoot= $PST.GetRootFolder() #Get Root Folder name of PST
    $PSTFolder= $Namespace.Folders.Item($PSTRoot.Name) #Bind to PST for disconnection
    $Namespace.GetType().InvokeMember('RemoveStore',[System.Reflection.BindingFlags]::InvokeMethod,$null,$Namespace,($PSTFolder)) #Disconnect .PST
    #Move All PST files to the default location while deleting the PST files from their original location.
    $SourceList = ("$env:SystemDrive", "$env:HOMEDRIVE")
    $Destination = ("$env:USERPROFILE\MyOutlookFiles")
    (Get-ChildItem -Path $SourceList -Recurse -Filter *.PST) | Move-Item -Destination $Destination
    #Attach all PST files from the default location.
    Add-type -assembly "Microsoft.Office.Interop.Outlook" | out-null
    $outlook = new-object -comobject outlook.application
    $namespace = $outlook.GetNameSpace("MAPI")
    dir “$env:USERPROFILE\MyOutlookFiles\*.pst” | % { $namespace.AddStore($_.FullName) }

    Mike,
    I do not understand what appears to be a regular expression above. I did add the PowerShell script to the HKCU RunOnce Key as suggested.
    Windows Registry Editor Version 5.00
    C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -noprofile -sta -WindowStyle Hidden -ExecutionPolicy RemoteSigned -File "C:\scripts\Windows PowerShell\Move-PST.ps1"
     I'm delivering this using Group Policy Preferences. It seems to fail or time out when run because the behavior is different if I run the script from within the PowerShell IDE. I added the parameters to the script and will try it again in the morning.

  • How do you configure a VM image to run a custom script ONCE on startup?

    Hello,
    I am creating a Windows image that will be deployed to the VM depot:
    https://vmdepot.msopentech.com/List/Index
    When the image is run for the first time, I'd like to run a custom script.  However, I only want this script to run the first time the VM is run (and never again).
    How would I do this?
    Thanks!
    Matt

    Hi,
    Please see SetupComplete.cmd at
    http://technet.microsoft.com/en-us/library/dd744268(v=ws.10).aspx
    Anders Bengtsson | Microsoft PFE | blog at http://www.contoso.se

  • How to enable mail notification to user in selfservice form.

    Hi All,
    i am using ebs r12 12.0.6 OS: OUL5x64
    i would like to enable the notification preference for a user using self service form but do not know where.
    i did search in system profile for a particular user but could not find it.
    here is the error
    The notification with the ID of 66182 experienced problems when attempting to dispatch an email notification to the role USER_NAME. Subsequently the notification preference for the following users has been set to DISABLED. Please correct the issue and re-enable their notification preference.
    i know that i can update using sqlplus but prefer the method using self service form.
    please advise.
    Regards,
    Tom

    Tom,
    here is the error
    The notification with the ID of 66182 experienced problems when attempting to dispatch an email notification to the role USER_NAME. Subsequently the notification preference for the following users has been set to DISABLED. Please correct the issue and re-enable their notification preference. See (Note: 412709.1 - Oracle Workflow Documentation Updates for 11i.ATG_PF.H.delta.5 (RUP 5)).
    Regards,
    Hussein

  • How to enable sound card for users(Solved)

    I can start alsa by root bu other users.
    It said not sound card found.

    It's ok now.
    Thank you for your help.

  • How do I get the full user name acceptable for administration approval?

    I migrated my account from my older macbook pro with the same OSX.
    I initially setup the account with my full username and account name the same as on the old machine - but soon discovered that the Migration Assistant wouldn't allow migration this way (the most obvious scenario).
    So I was instructed by Apple Support to create a new different Administrator Account, then remove the old account and perform the Migration. This seemed to work
    After completing the migration I can now log in with my former full Account Name and password (this account has "allow user to administer Computer set") however I now cannot use the Full Account name to authorize changes - it seems not to recognize the password - however I can authorize changes with the short account name and password.
    How can I configure the system so it will recognize the full account name for authorizations?

    Since you failed to do the migration on first boot, the full system name only applies to the original account you set up. All other accounts use the short username. Although you thought you did it the most obvious way, you didn't. The simplest way to get the new machine to act like the old one is to erase the new one, reinstall the software as described in the user manual, and on first boot DON'T create any user account, but use the setup assistant to migrate everything from the old MB. That will solve all of your issues. Afterwards, reinstall any other software that's on the discs that shipped with the machine, run Software Update to get everything up to date, repair permissions, and restart.

  • How to enable live audio streaming in FF running Windows 7

    I am unable to listen to live audio streams, please help !

    Which plugin is used for those streams?
    Your More system details list shows the WMP plugin and the Flash plugin as commonly used plugins to play streams.
    Start Firefox in [[Safe Mode]] to check if one of your add-ons is causing your problem (switch to the DEFAULT theme: Tools > Add-ons > Themes).
    * Don't make any changes on the Safe mode start window.
    See [[Troubleshooting extensions and themes]] and [[Troubleshooting plugins]]

  • Privilege error while running Create Table Script inside Stored Procedure.

    Hello All,
    I have Oracle 10G server and SQL Developer Client,
    I have One User with Appropriate Rights, Login with that user from SQL Developer(client),
    Within my Procedure, Dynamic SQL script is like If I pass in a TABLE NAME as parameter, It Creates that table, but now problem is It throws an error for Privilege.
    Where as if I Execute Create table script outside the procedure(as Normal SQL), it executes Ok, but why it throws Privilege error within procedure ?
    Whether any extra Rights needed for this user to execute such Create Table Dynamic SQL?
    Please Help.
    Thanks,
    j@y

    Elic
    Thanks a lot dude...
    It works now,
    regards,
    j@y

  • Sharing iTunes library/playlist, only one user can run iTunes

    Greetings everyone
    Just got a new aluminum iMac, setting it up for the wife and kids. From the descriptions here, I have set up several accounts to share a single iTunes library, by creating aliases in each user's iTunes folder that point to the shared library. It seems to work great: I only have to import music ONCE (instead of once for each user), and if one user creates or changes a new playlist, everyone sees it, which is exactly what I wanted.
    However, I have run into a small problem, and it is this. Under this setup, with everyone sharing the same library, *only one person can be running iTunes at a time.* If user A is running iTunes and doesn't quit the app when the computer is switched to User B or C, they get the message
    ----- +"The iTunes Library is locked, on a locked disk, or you do not have write permission for this file."+
    ----- Switch back to User A, quit iTunes, and then the others can launch iTunes fine (though again, just ONE of them). Same behavior regardless of whether the user is admin or not.
    So, is there any way to enable more than one user to run iTunes at once under this shared scenario? I'm thinking iTunes may not allow multiple users to access the library file at once, so it may be necessary to have users quit iTunes or log out before switching accounts. Let me know if there is a workaround or if anyone has gotten this to work....
    Thanks in advance!
    sno-man

    Hi, I just read your post here - I'd like to do exactly what you were able to do, that is, sharing one iTunes library with multiple user accounts on my iMac so that we can both use/add to the same library (I also want to do this with iPhoto, so I'm assuming it's the same process); would you mind quickly telling me how you were able to do this? I've been checking around and can't find a reliable answer. I'd appreciate it - thanks!

  • View RSOP data for logged on user that is not administrator

    When troubleshooting group policies I use GPResult and RSOP.msc a LOT!  Since we started deploying Windows 7 I've been having the worst time trying to use these utilities.
    Normally when a user is not getting policies I can just run rsop.msc and see if there is any error information as well as which policies have and have not applied.  In Windows 7 I am prompted for an Admin password when I run rsop.  Well that would
    be fine but now RSOP attempts to gather data for the administrator; I need to see the data for the logged on user.  The only way I've been able to work around this so far is to add the user to the local admin group then I can run rsop and gpresult.  When
    I'm done I have to remove them from the admin group.
    This seems silly to me.  Can anyone tell me how to see RSOP and GPResult data as the USER instead of the Admin.
    Also please do not chime in telling me to run rsop in planning mode as that only tells me what is supposed to happen, not what is actually happening on the system.

    Hi,
    Base on my test and research, there’s impossible to use RSOP.msc with user, and run as administrator when you login with user still doesn’t work.
    That’s necessary to login with administrator and run rsop.msc. It’s a by design feature.
    Thank you for your understanding.
    Regards,
    Leo  
    Huang
    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Maybe you are looking for