Make a DSC Script resource execute with elevated privileges

Hello Everyone,
Is there a built-in way in DSC to make it execute certain resources as administrator with elevated privileges on Windows 8.1?
What I'm trying to achieve, for example, is to install SQL Express 2012 in a Script DSC resource, but it keeps telling me that I'm not admin and fails. If I run the same command from a command prompt ("As administrator") it succeeds.
C:\downloads\SQLEXPR_x64_ENU.exe /Action=Install /qs /IAcceptSQLServerLicenseTerms /InstanceName=sqlexpress /ROLE=AllFeatures_WithDefaults /SQLSYSADMINACCOUNTS="BUILTIN\Administrators"
A similar situation is when I want to disable Windows Firewall in a WindowsProcess resource:
powershell.exe "netsh firewall set opmode disable"
That would also blow up because I'm not admin.
I've tried to give the admin credentials to the DSC resources, but it seems that on Windows 8.1 it's different from "Run as Administrator".
So far I've managed to achieve some of this by running it from a PSExec session to the same machine which I'm currently configuring, but this seems like a hack to me.
Please let me know if there is a way around this.
Thanks in advance!
Ivan Kosharov

Any update on this?

Similar Messages

  • How to execute power shell script file inside DSC script resource

    Hi,
    How to execute/call a PowerShell script file inside a DSC Script resource, something like below, and capture the status of execution?
    Node $AllNodes.NodeName
    {
        Script ExecuteSQLDeploy
        {
            #SetScript = {powershell.exe .\SQLDeploy.ps1  "param1" "param2" "param3" "param4" "param5" }
            #TestScript= {powershell.exe .\SQLDeploy.ps1  "param1" "param2" "param3" "param4" "param5" }
            #GetScript= { return $true;}
        }
    }
    Basawaraj

    Thanks for the reply.
    Now I am able to execute the PowerShell script with DSC. I am getting no error when I run it, but the script logic written inside (deploying SQL incremental changes) is not working. I am using SQLCMD in the PowerShell script to deploy the SQL changes. Can you please elaborate on "script is compatible with DSC"? The script should not contain the Write-Host cmdlet, etc., something like that.
    Copying recursively from ****************************** to ************************** succeeded.
    Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = SendConfigurationApply,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' = root/Microsoft/Windows/DesiredStateConfiguration'.
    An LCM method call arrived from computer ************ with user sid **********************************************
    [V-BAKANT]: LCM:  [ Start  Set      ]
    [V-BAKANT]: LCM:  [ Start  Resource ]  [[Script]ExecuteSQLDeploy]
    [V-BAKANT]: LCM:  [ Start  Test     ]  [[Script]ExecuteSQLDeploy]
    [V-BAKANT]: LCM:  [ End    Test     ]  [[Script]ExecuteSQLDeploy]  in 0.1110 seconds.
    [V-BAKANT]: LCM:  [ Start  Set      ]  [[Script]ExecuteSQLDeploy]
    [V-BAKANT]: LCM:  [ End    Set      ]  [[Script]ExecuteSQLDeploy]  in 0.3010 seconds.
    [V-BAKANT]: LCM:  [ End    Resource ]  [[Script]ExecuteSQLDeploy]
    [V-BAKANT]: LCM:  [ End    Set      ]
    [V-BAKANT]: LCM:  [ End    Set      ]    in  0.8810 seconds.
    Operation 'Invoke CimMethod' complete.
    Time taken for configuration job to complete is 0.923 seconds
    Basawaraj

  • Adopmnctl.sh script is executing with status 2

    while starting oracle EBS 12R the script adopmnctl.sh is executing with status 2

    Hi,
    What is the OS?
    Was this working before? Any changes have been done recently?
    Please post the complete error message from the startup script log file.
    Also, please run AutoConfig and see if it completes successfully or not.
    Thanks,
    Hussein

  • Xp_cmdshell with elevated privilege

    Hi,
    I am facing an issue with xp_cmdshell after upgrading the OS from Windows 2003 to 2008. There was one scheduled job in SQL Server which runs a WMI command to fetch disk space details from all the servers in our environment. The command I used for this is
    wmic  /node:Myservername LOGICALDISK get Systemname,Caption,VolumeName,Description,FileSystem,Freespace,Size /format:csv.xsl   1>>c:\test1.txt 2>>c:\testerror.txt
    It was configured in SQL Agent Jobs and it runs through one proxy account which has local admin access to all the servers.
    There was no issue running the jobs until 2003; the job ran successfully on a daily basis. But the problem started after upgrading Windows to 2008. I am able to identify why this job is failing now, but I am not getting any option to resolve this.
    Actually, from 2008 there is the term UAC (User Access Control), which means there are certain tasks which you cannot run even if you have Administrator privilege until you run the application with "Run as Administrator".
    When I ran the above command by just clicking cmd.exe, it failed with the error 'Access Denied', but if we run the same command after clicking 'Run as Administrator', it shows the output.
    This is the reason my job is also failing with the error 'Access Denied', but I am not sure how I can implement 'Run as Administrator' for elevated privilege for xp_cmdshell.
    Google suggests running the 'runas' command to open the command prompt with Administrator access, but I don't think it will work in this case. This actually runs cmd for a particular user, but it also does not give elevated privilege so that I can run my WMIC command.
    Any suggestion appreciated
    Rgds
    Debasish Bhattacharya

    You can create proxy account for doing this
    http://www.mssqltips.com/sqlservertip/2143/creating-a-sql-server-proxy-account-to-run-xpcmdshell/
    Visakh

  • Run with user privileges but write to restricted folder

    In Windows Server 2008 R2 (and in an Active Directory domain), the login and logoff scripts are run with user privileges.
    Suppose that I run script1.ps1 when user1 logs in; I need script1.ps1 to be associated with user1, because it will write some information about that user: it modifies a log file in a folder. Anyway, script1.ps1 will be run with user1 privileges.
    I obviously made that file and that folder accessible (readable/writable) to user1, but I actually don't want the user to modify that log file. I would like only the script to be able to do it.
    Is there a way to work around this problem? Maybe should I run script1.ps1 in a different way?

    Henry.  You can add a subscription to a server that subscribes to event log entries on user computers.  Subscribe to the logon/logoff events. Now you have a central repository of logon and logoff events.
    There is no way to accomplish what you are asking to do.  Any file that can be written to in a logon script or during a user session can be changed by the user.
    Bil is suggesting a "startup" script that runs when the user logs on and not when the computer starts.  A user startup script runs as the user and not system.
    Another method is to schedule a script that runs at logon.  This can run as system and write to a file that the user cannot change.
    ¯\_(ツ)_/¯

  • Execute Calc script in Maxl with compained all script

    Hi,
    I have nearly 20 Calc script in one of the application. I need to run all the script once I change the calc script.
    Execute calculation default 'databasename.application-name' ;
    Is there any command in MaxL directly use to run all the calc script?
    Kindly let me know.

    I'm not sure why anyone would want to run 20 scripts. If I wanted to do that I would combine them into one or two. If your heart is set on running ALL the scripts in your database, You could do something like create a generic MaxL script like:
    Execute calculation sample.basic.$1
    then in your batch script have a statement that selects all of the files that end in .csc for the directory and pass them to the script essmsh mymaxl.mxl Filename
    I'll assume either the scripts are named in the order you want them to run or you could rename them with a numeric prefix to indicate the run order.

  • How to write a shell script to execute a procedure with out parameter

    Hi,
    How to write a shell script to execute a procedure with out parameter.
    here is my procedure
    PROCEDURE sample(invar1 VARCHAR2,
    invar2 VARCHAR2,
    invar3 VARCHAR2,
    invar4 VARCHAR2,
    ecode out number);
    Any example would be really helpful
    Thanks in advance

    Or if we're passing values in, maybe something like:
    Test procedure:
    CREATE OR REPLACE PROCEDURE p (myin IN VARCHAR2, myout OUT VARCHAR2)
    AS
    BEGIN
        myout :=
            CASE myin
                WHEN 'A' THEN 'APPLE'
                WHEN 'B' THEN 'BANANA'
                ELSE 'STARFRUIT'
            END;
    END;
    /
    Shell script:
    #!/bin/bash
    my_shell_variable=$1
    unset ORACLE_PATH
    sqlplus -s un/pw@db <<-EOF
    set feedback off pause off
    set pagesize 0
    set autoprint off
    VAR out varchar2(30)
    VAR myin varchar2(30)
    exec :myin := '${my_shell_variable}'
    BEGIN
      p(:myin, :out);
    END;
    /
    print out
    exit
    EOF
    Test:
    /Users/williamr: xx A
    APPLE
    /Users/williamr: xx B
    BANANA
    /Users/williamr: xx
    STARFRUIT
    Obviously in a real script you would not hardcode the password or let it show in a "ps" listing.
    Message was edited by:
    William Robertson
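
An added example (not part of William Robertson's post) of one way to act on the closing caveat above: the connect string is sent on standard input to `sqlplus -s /nolog` so it never appears in a `ps` listing, and the argument is checked before it is placed inside the quoted literal. The names `DB_USER`, `DB_PASS`, `DB_TNS`, `validate_arg`, `build_sqlplus_input` and `call_p` are assumptions made for this example.

```shell
#!/bin/bash
# Added example, not from the original post. Assumed names: DB_USER, DB_PASS,
# DB_TNS (set by the caller, e.g. read from a file only the job owner can
# read), validate_arg, build_sqlplus_input, call_p.

# Allow only what the test procedure needs: at most 30 characters (the size of
# the bind variable) from [A-Za-z0-9_]. An empty value is allowed, as in the
# original test run. Anything else could close the quoted literal or start a
# new SQL*Plus command, so it is rejected.
validate_arg() {
    local LC_ALL=C
    case "$1" in
        *[!A-Za-z0-9_]*) return 1 ;;
    esac
    [ "${#1}" -le 30 ]
}

# Print the text that will be fed to sqlplus on standard input.
# The credentials are part of this text, not of any command line.
build_sqlplus_input() {
    validate_arg "$1" || return 1
    cat <<EOF
connect ${DB_USER}/${DB_PASS}@${DB_TNS}
whenever sqlerror exit failure
set feedback off pause off
set pagesize 0
set autoprint off
VAR out varchar2(30)
VAR myin varchar2(30)
exec :myin := '$1'
BEGIN
  p(:myin, :out);
END;
/
print out
exit
EOF
}

# Run procedure p with one validated argument.
# printf is a shell builtin, so no process is started with the password
# in its argument list; sqlplus itself is started with /nolog only.
call_p() {
    local input
    input=$(build_sqlplus_input "$1") || {
        echo "argument rejected: only A-Z, a-z, 0-9 and _ are accepted" >&2
        return 2
    }
    unset ORACLE_PATH
    printf '%s\n' "$input" | sqlplus -s /nolog
}

# Usage (after sourcing this file with DB_USER, DB_PASS, DB_TNS set):
#   call_p A
```
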

  • How to make "visa find resource" working with Agilent device

    I am trying to use Agilent 82357B GPIB device with LabVIEW for instrument control.
    I have checked:
    1.       NI-VISA (ver 5.1.1) is the primary visa by checking visa.dll properties under windows\system32 folder
    2.       Enable NIVISATulip.dll in NI Max Explorer
    3.       Enable the Agilent libraries to work with NI 488.2 in Agilent IO library (ver 16).
    I am able to communicate with the instrument in Max Explorer and talk to the instrument in LabVIEW with VISA write for almost all commands.
    But I can NOT make one particular visa function (Visa find resource) working with Agilent 82357B GPIB.
    With NI USB GPIB device, the same code above can find attached instruments as below, where GPIB1 is the Agilent device and GPIB0 is the NI device.
    I have no clue on how to make “visa find resource” working with Agilent device.
    Please help.

    Quick question.  Did you also enable 488 support in Agilent? 
    If that doesn't work, try this, and we'll see if you found a bug
    Jeff

  • How can you run a command with elevated rights on a remote server with invoke-command ?

    I am trying to run a script on a remote server with invoke-command.  The script is starting and is running fine, but the problem is that it should be running with elevated rights on the remote server.  On the server where I start the invoke-command, my account has the necessary rights.
    The server where I launch the invoke-command is a W2K8 R2.  The remote box is a W2K3 with powershell v2.0 installed.
    When I launch the script on the remote-box from the command line, I don't get the access denied's.
    Is there a way to do this ?
    Thanks in advance

    The script that I want to run is to install the windows updates.  I get an access denied on the download of the updates.
    When I execute the script on an W2K8 box, (not remotely) and I run it with non-elevated rights, I get the same error.
    The script is running fine when it is launched on W2K3 box locally with a domain account that has local admin rights, or on a W2K8 R2 server with a domain account that has local admin rights, but with elevated rights.
    Thanks in advance for your help.
    #=== start script ====
    param($installOption="TESTINSTALL",$rebootOption="NOREBOOT")
    Function Show-Help
    {
        Write-Host ""
        Write-Host "SCRIPT: $scriptName <installOption> <RebootOption>"
        Write-Host ""
        Write-Host "DESCRIPTION: Installatie van WSUS updates op de lokale server"
        Write-Host ""
        Write-Host "PARAMETERS"
        Write-Host " -installOption <[INSTALL|TESTINSTALL]>"
        Write-Host " -rebootOption <[REBOOT|NOREBOOT|REBOOT_IF_UPDATED]>"
        Write-Host ""
        Write-Host "EXAMPLE:"
        Write-Host "$ScriptName -installOption INSTALL -rebootOption REBOOT_IF_UPDATED"
        Write-Host "$ScriptNAme INSTALL NOREBOOT"
        Write-Host ""
        Write-Host "Indien beide parameter weggelaten worden zijn de defaultwaarden :"
        Write-Host " installOption=TESTINSTALL "
        Write-Host " RebootOption=NOREBOOT"
        Write-Host ""
        Exit
    }
    # Include all global variables
    $CEIF_WIN_PATH = (get-content env:CEIF_WIN_PATH)
    $includeFile=$CEIF_WIN_PATH + "\Scripts\include_win.ps1"
    . $includeFile
    # Initialise the error count
    $errcnt=0
    $scriptName=$MyInvocation.MyCommand.Name
    # Check the arguments
    $arrInstallOption= "TESTINSTALL", "INSTALL" # Mandatory variable with predefined values
    If (!($arrInstallOption -contains $installOption)){ Show-Help }
    $arrRebootOption = "REBOOT", "NOREBOOT","REBOOT_IF_UPDATED" # Mandatory variable with predefined values
    If (!($arrRebootOption -contains $rebootOption)){ Show-Help }
    # Build the log file name
    $logfile = get-logfileName($MyInvocation.MyCommand.Name)
    Log-scriptStart $MyInvocation.MyCommand.Name $logfile
    function Get-WIAStatusValue($value)
    {
        switch -exact ($value)
        {
            0 {"NotStarted"}
            1 {"InProgress"}
            2 {"Succeeded"}
            3 {"SucceededWithErrors"}
            4 {"Failed"}
            5 {"Aborted"}
        }
    }
    function boot-server()
    {
        if ($installOption -eq "TESTINSTALL")
        {
            logger "TESTINSTALL : - Reboot local Server" $logfile
        }
        else
        {
            logger " - Reboot local Server" $logfile
            $thisServer = gwmi win32_operatingsystem
            $thisServer.psbase.Scope.Options.EnablePrivileges = $true
            $thisServer.Reboot()
        }
    }
    $logmsg="Install option = " + $installOption + ", RebootOption = $rebootOption"
    logger "$logmsg" $logfile
    logger "" $logfile
    logger " - Creating WU COM object" $logfile
    $UpdateSession = New-Object -ComObject Microsoft.Update.Session
    $UpdateSearcher = $UpdateSession.CreateUpdateSearcher()
    logger " - Searching for Updates" $logfile
    $SearchResult = $UpdateSearcher.Search("IsAssigned=1 and IsHidden=0 and IsInstalled=0")
    logger " - Found [$($SearchResult.Updates.count)] Updates to Download and install" $logfile
    $Updates=$($SearchResult.Updates.count)
    logger "" $logfile
    foreach($Update in $SearchResult.Updates)
    {
        if ($Update.EulaAccepted -eq 0)
        {
            $Update.AcceptEula()
        }
        # Add Update to Collection
        $UpdatesCollection = New-Object -ComObject Microsoft.Update.UpdateColl
        $UpdatesCollection.Add($Update) | out-null
        if ($installOption -eq "TESTINSTALL")
        {
        }
        else
        {
            # Download
            logger " + Downloading Update $($Update.Title)" $logfile
            $UpdatesDownloader = $UpdateSession.CreateUpdateDownloader()
            $UpdatesDownloader.Updates = $UpdatesCollection
            $DownloadResult = $UpdatesDownloader.Download()
            $Message = " - Download {0}" -f (Get-WIAStatusValue $DownloadResult.ResultCode)
            if ($DownloadResult.ResultCode -eq 4 )
            { $errcnt = 1 }
            logger $message $logfile
            # Install
            logger " - Installing Update" $logfile
            $UpdatesInstaller = $UpdateSession.CreateUpdateInstaller()
            $UpdatesInstaller.Updates = $UpdatesCollection
            $InstallResult = $UpdatesInstaller.Install()
            $Message = " - Install {0}" -f (Get-WIAStatusValue $InstallResult.ResultCode)
            if ($InstallResult.ResultCode -eq 4 )
            { $errcnt = 1 }
            logger $message $logfile
            logger "" $logfile
        }
    }
    # If an error occurred during download/installation -> send mail to the Windows team
    if ( $errcnt -gt 0 )
    {
        logger " - Fout tijdens de uitvoering van script -> send mail" $logfile
        $mailSubject=$MyInvocation.MyCommand.Name
        $msg = new-object Net.Mail.MailMessage
        $att = new-object Net.Mail.Attachment($logfile)
        $smtp = new-object Net.Mail.SmtpClient($smtpServer)
        $msg.From = $mailFrom
        $msg.To.Add($mailTo)
        $msg.Subject = $mailSubject
        $msg.Body = "Meer details in attachement"
        $msg.Attachments.Add($att)
        $smtp.Send($msg)
    }
    # Does the server need to be restarted?
    if ($rebootOption -eq "REBOOT_IF_UPDATED" )
    {
        if ($Updates -gt 0)
        {
            #Reboot the server when updates are installed
            boot-server
        }
    }
    elseif ($rebootOption -eq "REBOOT")
    {
        #reboot the server always
        boot-server
    }
    else
    {
        #Do not reboot the server
        logger "Do not reboot the server" $logfile
    }
    Log-scriptEnd $MyInvocation.MyCommand.Name $logfile
    exit 0

  • Unix scripts to interact with Windows NT

    Hi,
    I would like to know whether I'll be able to create a program using Korn shell scripting that can ftp a file from one Unix machine to an NT machine, and then it has to run a Java program in the Windows environment, and in the end it needs to be ftp-ed back to the Unix machine.
    Is this possible?
    What would be the exact commands to ftp a file from a unix server to a directory on a Windows NT server?
    Also to run the JAVA program in Windows ?
    Are there any tools to make it easier in the market?
    Any idea or solutions are welcome.

    Sounds like you're working in a mixed O/S environment.
    From my experience it is probably easier for you to set the job running from NT and have your NT box ftp to your Solaris box, get the JAVA file, run the JAVA file and have the NT box ftp the results back to the Solaris box. This is very easy to configure:
    Create a simple text file called ftp.txt in c:\ on your NT box. Add the following lines:
    ftpaccount
    P4s5W0rD
    lcd c:\where\you\want\the\JAVA\file\to\run\from
    hash
    bin
    cd /dir/with/JAVA/file/in/it
    get JAVAfile
    close
    bye
    Save this text file.
    The first line is the UNIX account you will be logging into on the Solaris box;
    The second line is the password for the UNIX account;
    The third line switches to the local directory on your NT box where you want the JAVA file to sit;
    The fourth line tells ftp to turn on hash marking; the fifth line tells ftp to transfer files in binary mode;
    The sixth line changes to the directory in which your JAVA file is held;
    The seventh line gets the JAVA file (replace JAVAfile with the name of the file)
    The eighth line closes the connection to the Solaris box;
    The ninth line ends the ftp utility on NT.
    Create a second txt file called ftp2.txt and add the following commands:
    ftpaccount
    P4s5W0rD
    lcd c:\where\the\results\file\sits
    hash
    bin
    cd /dir/where/results/file/needs/to/be/put
    put resultfilename
    close
    bye
    The first line is the UNIX account you will be logging into on the Solaris box;
    The second line is the password for the UNIX account;
    The third line switches to the local directory on your NT box where the JAVA result file sits;
    The fourth line tells ftp to turn on hash marking; the fifth line tells ftp to transfer files in binary mode;
    The sixth line changes to the directory on the Solaris box in which you want your results file to sit;
    The seventh line puts the results file on the Solaris box;
    The eighth line closes the connection to the Solaris box;
    The ninth line ends the ftp utility on NT.
    Now create a bat file to run the ftp-scripts and execute the JAVA file ie ftp.bat. Add the following lines:
    ftp -i -s:"c:\ftp.txt" 10.1.18.208:
    <next line needs to be the DOS command to run the java file on NT ie c:\Temp\DMS0104\jinit11819.exe -s -m>
    ftp -i -s:"c:\ftp2.txt" 10.1.18.208:
    where 10.1.18.208 is the IP address of the Solaris box.
    Whenever you need to run the script, run c:\ftp.bat at the command prompt, or you can schedule it to run using the "at" command.
    If I haven't explained this very clearly, look in BigAdmin scripts or search the net, as there are hundreds of examples of ftp scripts.

  • How to engage Shell Script resource action in an Active Sync workflow.

    A little background, at my organization I have IDM set up simply to recognize changes in LDAP and transmit those changes, via active sync, to AD. We don't yet use the IDM interface to make any changes to users, instead we use external interfaces that we have written to make changes to LDAP which then get picked up via Active Sync and synchronized to AD. However, in addition to AD, there are several other resources that we would like to gradually wrap into this active sync workflow via native and custom resource adapters. Currently I am working on a simple Shell Script resource to manage Linux home directories. I have written all the necessary code and created the resource itself within IDM. This all seems to work, I can create, delete, disable, etc.. users in our Linux environment from the IDM interface.
    Here is the problem, I would like to integrate the creation, deletion, enabling, disabling, etc.. of users into the same Active Sync workflow that engages whenever a change is made to LDAP. This way, whenever a user is created in LDAP (and consequently AD), that user will be granted a home directory in Linux. Unfortunately it seems that Shell Script Resources are not enabled for Active Sync. Any ideas on how one might accomplish this?
    Thanks in advance.

    Thank you for the prompt reply. Funny thing is that I have been banging my head on this problem for a couple weeks now (this is my first attempt at real customization ... ). I finally got desperate and decided to reach out for help. After I posted this message I came to a realization that ended up solving the problem for me, go figure.
    For anyone in my place I can relate what I ended up doing, simple as it was. Keep in mind, of course, that this is a highly customized environment that I am working in, so the specifics probably won't apply. What I basically did is I found an LDAPCreateUserProcess form that gets invoked when Active Sync is run. For all I could tell, this simply processed the new attributes that came through Active Sync and related them to their lighthouse / AD counterparts. But I noticed a line like this:
    <Field name="waveset.resources">
    <Expansion>
    <filterdup>
    <appendAll>
    <ref>waveset.resources</ref>
    <s>AD</s>
    </appendAll>
    </filterdup>
    </Expansion>
    </Field>
    and simply added the name of my shell script resource under the <s>AD</s> line. That was it.
    Anyway, thanks bobm53, I can now get on with my life :-)

  • Shell Script Resource-Timeout error

    Hi!!
    I have an issue with the Shell Script Resource, the problem is as follows:
    When I create a user in this resource, an error message appears:
    com.waveset.util.WavesetException: An error occurred adding user 'user01' to resource 'Shell Script'. com.waveset.util.WavesetException: Script failed waiting for "_,)#+(:" in response "" com.waveset.util.WavesetException: Script processor timed out with nothing to read and the following unprocessed text: "".
    I added the timeout property = 300 000 in my shell script is as follows:
    <ResTypeAction restype='Shell Script' timeout='300000'>
    but it doesn't work.
    I had IDM 8 with patch 4, but the problem began when I upgraded from patch 4 to 6.
    Does anyone know what could be the problem?
    Thanks in advance!

    Hello!
    That isn't the problem; the test connection works fine, but when I try provisioning a user the shell script executes some instructions. In the shell script I need to set the timeout property in order to give it more time to finish executing the instructions before the script executes the following command.
    I tested the timeout property in the shell script and it worked fine for IDM 8 patch 4; I upgraded to patch 10 and it stopped working.
    Does anyone know what could be the right way to set the timeout property in a resource action for a Shell Script resource?
    Thanks...

  • How to launch an application with elevated administrator account privilege from windows service even if the account has not yet logon

    Here is the case:
    OS environment: Windows 7
    There are two user accounts in my system, standard user "S" and administrator account "A", and there is a Windows service running with "Local System" privilege.
    Now I logged in with account "S", and I want to launch an application with elevated administrator account "A" from that service program, so here is the code snippet:
    int LaunchAppWithElevatedPrivilege (
        LPTSTR lpszUsername, // client to log on
        LPTSTR lpszDomain, // domain of client's account
        LPTSTR lpszPassword, // client's password
        LPTSTR lpCommandLine // command line to execute e.g. L"C:\\windows\\regedit.exe"
    )
    {
        DWORD dwExitCode = 0;
        HANDLE hToken = NULL;
        HANDLE hFullToken = NULL;
        HANDLE hPrimaryFullToken = NULL;
        HANDLE lsa = NULL;
        BOOL bResult = FALSE;
        LUID luid;
        MSV1_0_INTERACTIVE_PROFILE* profile = NULL;
        DWORD err;
        PTOKEN_GROUPS LocalGroups = NULL;
        DWORD dwLength = 0;
        DWORD dwSessionId = 0;
        LPVOID pEnv = NULL;
        DWORD dwCreationFlags = 0;
        PROCESS_INFORMATION pi = {0};
        STARTUPINFO si = {0};
        __try
        {
            if (!LogonUser( lpszUsername,
                            lpszDomain,
                            lpszPassword,
                            LOGON32_LOGON_INTERACTIVE,
                            LOGON32_PROVIDER_DEFAULT,
                            &hToken))
            {
                LOG_FAILED(L"LogonUser failed!");
                __leave;
            }
            // Information class 19 is TokenLinkedToken
            if( !GetTokenInformation(hToken, (TOKEN_INFORMATION_CLASS)19, (VOID*)&hFullToken,
                                     sizeof(HANDLE), &dwLength))
            {
                LOG_FAILED(L"GetTokenInformation failed!");
                __leave;
            }
            if(!DuplicateTokenEx(hFullToken, MAXIMUM_ALLOWED, NULL,
                                 SecurityIdentification, TokenPrimary, &hPrimaryFullToken))
            {
                LOG_FAILED(L"DuplicateTokenEx failed!");
                __leave;
            }
            DWORD dwSessionId = 0;
            WTS_SESSION_INFO* sessionInfo = NULL;
            DWORD ndSessionInfoCount;
            bResult = WTSEnumerateSessions(WTS_CURRENT_SERVER_HANDLE, 0, 1, &sessionInfo, &ndSessionInfoCount);
            if (!bResult)
            {
                dwSessionId = WTSGetActiveConsoleSessionId();
            }
            else
            {
                for(unsigned int i=0; i<ndSessionInfoCount; i++)
                {
                    if( sessionInfo[i].State == WTSActive )
                    {
                        dwSessionId = sessionInfo[i].SessionId;
                    }
                }
            }
            if(0 == dwSessionId)
            {
                LOG_FAILED(L"Get active session id failed!");
                __leave;
            }
            if(!SetTokenInformation(hPrimaryFullToken, TokenSessionId, &dwSessionId, sizeof(DWORD)))
            {
                LOG_FAILED(L"SetTokenInformation failed!");
                __leave;
            }
            if(CreateEnvironmentBlock(&pEnv, hPrimaryFullToken, FALSE))
            {
                dwCreationFlags |= CREATE_UNICODE_ENVIRONMENT;
            }
            else
            {
                pEnv=NULL;
            }
            if (! ImpersonateLoggedOnUser(hPrimaryFullToken) )
            {
                LOG_FAILED(L"ImpersonateLoggedOnUser failed!");
                __leave;
            }
            si.cb= sizeof(STARTUPINFO);
            si.lpDesktop = L"winsta0\\default";
            bResult = CreateProcessAsUser(
                hPrimaryFullToken, // client's access token
                NULL, // file to execute
                lpCommandLine, // command line
                NULL, // pointer to process SECURITY_ATTRIBUTES
                NULL, // pointer to thread SECURITY_ATTRIBUTES
                FALSE, // handles are not inheritable
                dwCreationFlags, // creation flags
                pEnv, // pointer to new environment block
                NULL, // name of current directory
                &si, // pointer to STARTUPINFO structure
                &pi // receives information about new process
            );
            RevertToSelf();
            if (bResult && pi.hProcess != INVALID_HANDLE_VALUE)
            {
                WaitForSingleObject(pi.hProcess, INFINITE);
                GetExitCodeProcess(pi.hProcess, &dwExitCode);
            }
            else
            {
                LOG_FAILED(L"CreateProcessAsUser failed!");
            }
        }
        __finally
        {
            if (pi.hProcess != INVALID_HANDLE_VALUE)
                CloseHandle(pi.hProcess);
            if (pi.hThread != INVALID_HANDLE_VALUE)
                CloseHandle(pi.hThread);
            if(LocalGroups)
                LocalFree(LocalGroups);
            if(pEnv)
                DestroyEnvironmentBlock(pEnv);
            if(hToken)
                CloseHandle(hToken);
            if(hFullToken)
                CloseHandle(hFullToken);
            if(hPrimaryFullToken)
                CloseHandle(hPrimaryFullToken);
        }
        return dwExitCode;
    }
    I passed in the username and password of account "A" to the method "LaunchAppWithElevatedPrivilege", and also the application I want to launch, e.g. "C:\windows\regedit.exe", but when I run the service program, I found it does launch "regedit.exe" with elevated account "A", but the content of regedit.exe is pure black. Screenshot as below:
    Can anyone help me on this?

    Your code is not dealing with the DACL access to Winsta0\Default.  Only the LocalSystem account and the interactively logged on user will have full access, which is why regedit is not displaying properly.  You'll need to grant access to your user.
    You also need to deal with UAC since that code is going to give you a non-elevated token via LogonUser().  You need to get the full token via a call to GetTokenInformation() + TokenLinkedToken.
    thanks
    Frank K [MSFT]
    Follow us on Twitter, www.twitter.com/WindowsSDK.

  • How to make a calc script on a dense dimension ?

    Dears,
    I want to make a calculation script on a dense dimension where :
    - I want to get an input from a member, then make a mathematical calculation , then populate the result in another member at the same dimension .
    For More Clarification :
    I have the following fix
    CALC ALL ;
    FIX ("SAR","Working.V01","Budget2012","FY12","G_10","NM_CAT01","Employee General","BegBalance")
    "Internal Transportation" = "Monthly Transportation"*30 ;
    ENDFIX
    -Internal transportation and monthly transportation are 2 members on FB_account dimension (dense dimension) .
    Waiting for your response, Thanks in advance.

    Dear ,
    I appreciate your feedback . But, My problem is that after executing the calc script , No calculation happens .
    by another means ,
    -If I wrote "Internal transportation" = 500 ; --> It put 500 in it
    -If I wrote "Internal transportation" = "Internal transportation" * 100 ; --> No calculation happened but it executed successfully
    -if I wrote "Internal transportation" = "Monthly transportation" = 500; --> No calculation happened but it executed successfully
    I don't know Why ???

  • My 'run with administrative privileges' script no longer works - help

    Hey all. I have an applescript that shuts down the computer that I made a while back. I pulled it out today to use it and it no longer works. Here's part of the code I'm having trouble with:
    do shell script ¬
    "sudo shutdown -h now" password "myadminpassword" with administrator privileges
    On old machines this worked great, I would just put the admin password where myadminpassword is and it would work perfectly. Now though, I run it on my machine and I get the prompt to enter my admin username and password before it will shutdown.
    Now this is going on a remote install so I need it to work. Any ideas? The machine is running snow leopard, but it seems to still work on an old leopard macbook pro.

    Well, for one, do not use sudo in do shell script.
    The whole 'with administrator privileges' part takes care of elevating your privileges. sudo has no place in do shell script.
    Don't know if that's your issue, but it's the first thing I'd fix.
    If that doesn't help, are you running the script as your admin user?
    Nowhere in your script are you defining the username to run the command as, therefore it will attempt to run as the current user who may not be the same as your admin user, nor have the same password. You might need to include the username:
    do shell script "shutdown -h now" user name "admin" password "myadminpassword" with administrator privileges
