Dwarfsoft [GPA]

SYSTEM Account Permissions

Posted May 25, 2010, under Novell, Scripting, Tweet, Work



Recently I have been working on some rather complicated projects preparing our SOE (Standard Operating Environment) to move from Novell eDirectory to an Active Directory environment. One of the packages I built was required to run periodically, so I set up a Scheduled Task to accomplish this. Rather than introduce a security risk by creating a new Administrator account, I created the scheduled task to run as the local SYSTEM account. It turns out that the SYSTEM account did not have as much access as I required, especially when managing user registry hives.

After quite some time looking into how to achieve my goal I came up with a rather simple, yet ultimately hacky, solution: give the SYSTEM account Administrative privileges.

It turns out that the SYSTEM account, despite not having Administrator-level permissions, does have permission to modify local group memberships. As such I came up with two functions so the script can manage this membership for itself:

'*****************************************************************
' Elevates the System Account to a Member of the Administrators Group.
' Uses the ADSI WinNT provider: "." is the local machine, and the member
' is addressed by its WinNT ADsPath (by name, not by SID).
Function ElevateSystem
  Dim strSystemUser, objGroup
  strSystemUser = "WinNT://NT AUTHORITY/SYSTEM"
  Set objGroup = GetObject("WinNT://./Administrators,group")
  ' IADsGroup.Add raises an error if the account is already a member,
  ' so check first.
  If Not objGroup.IsMember(strSystemUser) Then
    objGroup.Add strSystemUser
  End If
End Function

'*****************************************************************
' Removes the System Account from the Administrators Group.
Function RelegateSystem
  Dim strSystemUser, objGroup
  strSystemUser = "WinNT://NT AUTHORITY/SYSTEM"
  Set objGroup = GetObject("WinNT://./Administrators,group")
  ' Likewise, Remove fails for a non-member, so only remove when present.
  If objGroup.IsMember(strSystemUser) Then
    objGroup.Remove strSystemUser
  End If
End Function

I just run ElevateSystem at the start of the script and RelegateSystem at the end, and I have no issues with permissions anymore. Bear in mind that nothing undoes the change automatically: if the script aborts before RelegateSystem runs, SYSTEM stays in the Administrators group until the next successful run.

Elegant, yet hacky. I hope somebody finds this useful, because it sure beats creating (and then managing) a new Administrator user on thousands of workstations.

N.B. If you are installing a script that uses this kind of workaround onto workstations, make sure you set restrictive permissions on the script file (and on the folder it lives in, since a writable folder lets the file be replaced): only Administrators and SYSTEM should be able to write to it. The last thing you need is somebody hijacking your script to do whatever they want with Administrative privileges.
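Two things the post leaves to the reader are what happens if the script dies between ElevateSystem and RelegateSystem, and how to actually check the file permissions the N.B. warns about. The following is an added example written for this page, not code from the original post: it wraps the work in a try/finally so the membership is always removed, and refuses to run if anyone other than SYSTEM and Administrators can modify the script file. It assumes Windows PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts cmdlets (Windows 10 / Server 2016 and newer; the 2010 post predates them), and all the function names are my own.

```powershell
# Added example, not code from the original post. Assumes Windows PowerShell
# 5.1+ with the Microsoft.PowerShell.LocalAccounts module; function names are
# my own. Intended to run from the scheduled task that executes as SYSTEM.

$SystemSid = 'S-1-5-18'       # well-known SID of NT AUTHORITY\SYSTEM
$AdminsSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

function Test-SystemIsAdmin {
    # Compare by SID: display names vary by locale, and the WinNT path the
    # original script uses is name-based.
    $member = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
        Where-Object { $_.SID.Value -eq $SystemSid }
    return [bool]$member
}

function Enter-SystemElevation {
    # Returns $true only if this call changed the group, so the caller
    # removes SYSTEM again only when it was the one that added it.
    if (Test-SystemIsAdmin) { return $false }
    Add-LocalGroupMember -Group 'Administrators' -Member $SystemSid -ErrorAction Stop
    return $true
}

function Exit-SystemElevation {
    if (Test-SystemIsAdmin) {
        Remove-LocalGroupMember -Group 'Administrators' -Member $SystemSid -ErrorAction Stop
    }
}

function Invoke-ElevatedWork {
    param([Parameter(Mandatory)][scriptblock]$Work)
    $changed = Enter-SystemElevation
    try {
        & $Work
    }
    finally {
        # finally runs after success, after a terminating error and on Ctrl-C,
        # so an aborted run does not leave SYSTEM sitting in Administrators.
        if ($changed) { Exit-SystemElevation }
    }
}

function Test-ScriptAcl {
    # Returns the identities, other than SYSTEM and Administrators, that can
    # change or replace the given file. An empty result means it is safe.
    param([string]$Path = $PSCommandPath)

    $fsr = [System.Security.AccessControl.FileSystemRights]
    # Any of these lets a principal alter the script or swap it for another.
    $dangerous = [int]($fsr::Write -bor $fsr::Delete -bor $fsr::ChangePermissions -bor $fsr::TakeOwnership)
    $genericWriteAll = 0x40000000 -bor 0x10000000   # GENERIC_WRITE | GENERIC_ALL (unmapped ACEs)

    $offenders = @()
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = [int]$ace.FileSystemRights
        if ((($rights -band $dangerous) -eq 0) -and (($rights -band $genericWriteAll) -eq 0)) { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            $sid = $ace.IdentityReference.Value   # unresolvable account: report it as-is
        }
        if ($sid -ne $SystemSid -and $sid -ne $AdminsSid) {
            $offenders += $ace.IdentityReference.Value
        }
    }
    return $offenders | Sort-Object -Unique
}

# Usage from the scheduled task:
# $writable = Test-ScriptAcl
# if ($writable) { throw "Refusing to run: script is writable by $($writable -join ', ')" }
# Invoke-ElevatedWork { <# load and edit the user hives here #> }
```

The ACL check matters more than it looks: on a default Windows install the root of C: carries an inherit-only ACE giving Authenticated Users Modify on subfolders and files, so a script dropped into a freshly created C:\Scripts is writable by every logged-on user until inheritance is broken on that folder. One caveat on the cmdlets: Get-LocalGroupMember fails if the group contains a member whose SID can no longer be resolved (typically a deleted domain account); on such machines the ADSI calls from the original script are the fallback.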

Cheers, Chris.

