
I am an enterprise admin (Sr. Network Engineer), but my team does not manage Active Directory, so I am a little unfamiliar with policies and what is required to do what I am trying to achieve, and even the AD admins are failing me when it comes to my predicament.

I have a command that I am trying to turn into a script that is giving me some really weird behavior, and I need help sorting it out.

First things first:

  • From my local workstation, I can open a command window by Shift-clicking and running as my domain admin user, and the command works just fine.
  • From my local workstation, if I put this command in a script, and Shift-click to run the script as my domain admin user, the script/command works fine (as long as I give my domain admin account permissions).
  • On the target machine where I want this script to run, I have confirmed that another domain admin can successfully execute the command.
  • If I launch a command prompt on this target machine when logged in with my domain admin account, the command fails (and also as a script).

Before you suggest something I've already tried or will not benefit me:

  • runas is not an option, because this script should not be interactive and prompted for a password.
  • The /savecred parameter for runas is not an option because of password/security/audit policies.

I have achieved the basic functionality, but it's messy:

The basic command is something like this:

\\server\share\unlock.exe . username

The only way I can successfully execute this command without any Shift-clicking or runas nonsense is by putting this command in C:\Users\Username\Desktop\unlock.bat and then from my local machine creating a separate batch file that includes the following:

psexec \\targetmachine -u domainadmin -p domainpassword "C:\Users\Username\Desktop\unlock.bat"

Questions and possible theories:

  • If I double-click this batch file on the target machine, should it not run as the username of the domain admin account that I'm logged into?
  • Is it possible that since my domain admin is an admin on the target machine that when I run this command, it is trying to run as local Administrator?
  • Every time I open a command prompt on this machine, it's automatically an Administrative prompt. Is it possible that what I need is an un-elevated prompt, and if so, how do I get one when it automatically launches an Administrator prompt?

Other details:

  • This is a terminal server running Windows 2008 R2 with a few different users accessing it, so I don't want to modify the behavior of how cmd.exe launches every time or anything.
  • I realize I could specify a user if I run this as a scheduled task, but right now, I just want to run it from this server as a standalone script or command without any Shift-clicking.

My main goal is to be able to log on to this server and simply double-click the batch file (and also be able to execute it from a command prompt), while logged in as my domain admin account, which should be able to do this.

rubynorails
  • @PJMahoney - it is the same domain admin account that I am using to run cmd.exe as a different user on my local machine as the one that I am logging in with on the TS. I have all necessary permissions to this location. I also tried to state earlier that my domain admin account *IS* a local admin on the TS. Also, I *DID* confirm visually that the other admin got this to work on this specific server. There is no UAC prompt or DEP, that is not the issue. – rubynorails Nov 13 '15 at 23:19
  • @PJMahoney - also, the issue with typing the password is that I want to be able to distribute this batch file to other domain admins on this TS without having to modify it so that they can run it as-is when logged into their domain admin accounts and have it execute as intended. I just don't understand why I can't double-click the file and have it work. I have also visually confirmed in AD Users and Groups that the command/script actually works in the scenarios that I listed. If I can PsExec to the box and run the script, then I should be able to log on to the box and run it, plain and simple. – rubynorails Nov 13 '15 at 23:23
  • @PJMahoney - Correct, from my local Windows 10 machine that is joined to the domain, I am logged in with a local account. I can Shift-click cmd.exe and run as my domain admin account, where this command works with no issues whatsoever. By "domain admin" I do mean, as you said, a member of the AD admin security group. When I run from my local machine as a different user, the domain admin account is the one I am referring to. – rubynorails Nov 14 '15 at 02:33
  • @PJMahoney - I will try to post an error message later tonight or possibly later this weekend. I just got off of a brutal on-call week, and don't have any intentions of firing up the VPN at the moment, but I can tell that the program DOES execute, it just does not unlock the user or display the status of the user. The specific error is an `LDAP_bind` error (or something of that sort). The other domain admin had me check the `%LOGONSERVER%` environment variable, and even when I set it the same as his, the program failed to unlock or show the status of the user, at which point he gave up. – rubynorails Nov 14 '15 at 02:36
  • @PJMahoney - That is exactly the unlock.exe that I am referring to, and I have seen it firsthand work flawlessly with Windows 2008 R2. Some of our admins use it all the time on that OS, and like I said, I witnessed a guy Shift-click > Run as his domain admin account, and it worked, and also, like I said, I can PsExec to this remote Windows 2008 R2 box from my local Windows 10 box and execute the batch file located on the 2008 R2 box just fine. – rubynorails Nov 14 '15 at 02:40
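The three theories in the question (which account the double-clicked script runs as, whether it is silently running as a different administrator, and whether the prompt is elevated) can be measured instead of guessed. The following PowerShell script is an added diagnostic example; it is not from the original post or any answer, and `Get-RunContext` and the `run-context.log` file name are names chosen here. Run it from the same three paths the question describes (double-clicked while logged on to the terminal server, from the "Administrator" prompt, and pushed through PsExec from the workstation) and compare the reports: the user name, the token integrity level (High means an elevated token, Medium a filtered non-elevated one), the authentication type, and `%LOGONSERVER%` are the fields most likely to differ between a path that works and one that fails.

```powershell
# Added diagnostic example (not part of the original question or any answer).
# Reports the identity, token state and logon environment of the process that
# runs it, so the working and failing invocation paths can be compared.

function Get-RunContext {
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    # True only if the Administrators group is active in THIS token; a domain
    # admin running under a filtered (non-elevated) token gets False here.
    $isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # Integrity label from the token: "High" = elevated, "Medium" = non-elevated,
    # "System" = running as LocalSystem (e.g. PsExec with -s).
    $labelLine = (whoami /groups) | Where-Object { $_ -match 'Mandatory Level' } | Select-Object -First 1
    $label = if ($labelLine -match '(Low|Medium|High|System) Mandatory Level') { $Matches[1] } else { 'unknown' }

    [pscustomobject]@{
        User           = $id.Name                      # DOMAIN\user the process actually runs as
        AuthType       = $id.AuthenticationType        # Kerberos, NTLM, ... (relevant to an LDAP bind)
        IsSystem       = $id.IsSystem
        AdminInToken   = $isAdmin
        IntegrityLevel = $label
        LogonServer    = $env:LOGONSERVER              # DC this logon session authenticated against
        UserDomain     = $env:USERDOMAIN
        Interactive    = [Environment]::UserInteractive
        SessionId      = (Get-Process -Id $PID).SessionId
    }
}

# Write the report next to the script (or the current directory when run from a
# console) so it survives the window closing right after a double-click.
$dir = if ($PSScriptRoot) { $PSScriptRoot } else { $PWD.Path }
$log = Join-Path $dir 'run-context.log'
"==== $(Get-Date -Format s) ====" | Out-File -FilePath $log -Append
Get-RunContext | Format-List | Out-String | Tee-Object -FilePath $log -Append
```

Save it as a .ps1 beside the batch file and call it from the batch file with `powershell -ExecutionPolicy Bypass -File` so it runs under exactly the same token the batch file gets. Because it only reads its own token and environment, it needs no credentials of its own, which keeps it distributable to the other admins in the same way as the batch file.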

1 Answer


I knew all of this was too weird to be true.

  • I just now logged in as normal to the Terminal Server using my domain admin account.
  • I double-clicked the script.
  • It worked flawlessly.

This does not answer the question of the troubles I was having yesterday and the issues that I was seeing; however, I have accomplished my main goal of double-clicking the script normally and having it execute as expected with the intended results.

I made no changes, whatsoever, between yesterday and today.

My guess is that it was "just one of those things..."

rubynorails
  • My suggestion is that you need a service account, which is a special way to run commands anywhere and keep the password protected. Maybe an option. Remember to accept an answer if it is solved already. – djdomi Oct 24 '21 at 20:17