While not super secure, you can use a compiled AutoIt script to elevate
a process. You can also look into PowerShell's credential cache stuff, I
think.
James Pulver
CLASSE Computer Group
Cornell University
On 10/19/2016 11:24 AM, James Rankin wrote:
Task Scheduler can run stuff with admin rights, and the triggers are pretty
granular...
-----Original Message-----
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On
Behalf Of Melvin Backus
Sent: 19 October 2016 16:08
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] RE: CMAK profiles without admin rights
OK, so let's try running this around the defensive ends. :)
Instead of letting the CMAK profile update the route table with its normal
cmroute.dll method, I can manually update the routes with post-connect tasks,
etc. The logic is straightforward enough to do it and remove it at disconnect.
I even have scripted a user creation process during the profile installation
to build an admin level user on the machine to use for the purpose. All well
and good. I was planning on doing a runas to call the required scripts so
they'll work, but gee, I can't pass the password, it prompts for it.
Any words of wisdom on silently running an admin level task? Since I'm
assuming BYOD units will have admin level access anyway this is really only for
our portable users to prevent having to give them admin rights to actually run
the VPN.
--
There are 10 kinds of people in the world...
those who understand binary and those who don't.
-----Original Message-----
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On
Behalf Of Kurt Buff
Sent: Tuesday, October 18, 2016 3:56 PM
To: ntsysadm <ntsysadm@lists.myitforum.com>
Subject: Re: [NTSysADM] RE: CMAK profiles without admin rights
I'm afraid not.
We use the 2012R2 DirectAccess, and it's a champ (with one caveat - I've had a
fair amount of problems with Win10 1607, it loses connections with regularity,
and I don't know if there's an update for either client or server that helps.)
For a backup (and those without company laptops to take home) we use an
Aventail/Dell EX6000 for SSL VPN, and it Just Works.
Kurt
On Tue, Oct 18, 2016 at 10:55 AM, Melvin Backus <melvin.bac...@byers.com> wrote:
My apologies if I stepped too closely to those extremities. :)
I'd really love to get this in place as it would solve more than one nagging
problem. Any words of wisdom to ease that journey?
-----Original Message-----
From: listsad...@lists.myitforum.com
[mailto:listsad...@lists.myitforum.com] On Behalf Of Kurt Buff
Sent: Tuesday, October 18, 2016 1:20 PM
To: ntsysadm <ntsysadm@lists.myitforum.com>
Subject: Re: [NTSysADM] RE: CMAK profiles without admin rights
Ah. I first configured DirectAccess with 2008R2 and UAG 2010, and have since
migrated to 2012 R2. That name change didn't catch up with me...
And I resemble that remark - We're no more than 10 miles from the campus of the
Evil Empire, on the border between Redmond and Kirkland...
Kurt
On Tue, Oct 18, 2016 at 9:24 AM, Melvin Backus <melvin.bac...@byers.com> wrote:
URA = Universal Remote Access = DirectAccess 2012
You know how our friends in the great NW like to rename things. :)
-----Original Message-----
From: listsad...@lists.myitforum.com
[mailto:listsad...@lists.myitforum.com] On Behalf Of Kurt Buff
Sent: Thursday, October 13, 2016 7:00 PM
To: ntsysadm <ntsysadm@lists.myitforum.com>
Subject: Re: [NTSysADM] RE: CMAK profiles without admin rights
URA? I do not know this term.
However, it looks like it might be related to DirectAccess, and I was going to
make a snarky comment about you needing to implement that.
It's so beautifully transparent, and just works.
Kurt
On Thu, Oct 13, 2016 at 12:00 PM, Melvin Backus <melvin.bac...@byers.com> wrote:
I just confirmed that this doesn't work, at least on my W10 box. UAC is off;
when you try to run either a route add to manually add a route, or when
cmroute.dll runs to automatically update the routes, you're prompted for
elevation, and since the user isn't in the administrator group they can't
elevate.
I've been working on getting URA in place anyway. Maybe this will
finally be the push to make it happen. :)
-----Original Message-----
From: listsad...@lists.myitforum.com
[mailto:listsad...@lists.myitforum.com] On Behalf Of James M. Pulver
Sent: Thursday, October 13, 2016 9:00 AM
To: ntsysadm@lists.myitforum.com
Subject: Re: [NTSysADM] RE: CMAK profiles without admin rights
If the problem is the routes don't get published, you can put Users in Network
Configurator Operators group, and turn off UAC, and then normal users can
update their route maps.
James Pulver
CLASSE Computer Group
Cornell University
On 10/13/2016 07:46 AM, Melvin Backus wrote:
Budget for this is nil but I'll have a look and see. The
installation of the connectoid isn't the issue, it's all runtime
when the user tries to connect to the VPN.
*From:* listsad...@lists.myitforum.com
[mailto:listsad...@lists.myitforum.com] *On Behalf Of *James Rankin
*Sent:* Thursday, October 13, 2016 7:15 AM
*To:* ntsysadm@lists.myitforum.com
*Subject:* [NTSysADM] RE: CMAK profiles without admin rights
You can use privilege management tools like AppSense Application
Manager, RES, Scense and the like to configure specific files that
can run with elevated rights.
There are also tools like CPAU from JoeWare which can run scripts
with elevated privileges so that you can get the profile build to complete
maybe?
*From:* listsad...@lists.myitforum.com
[mailto:listsad...@lists.myitforum.com] *On Behalf Of *Melvin Backus
*Sent:* 13 October 2016 12:05
*To:* ntsysadm@lists.myitforum.com
*Subject:* [NTSysADM] CMAK profiles without admin rights
Hello folks,
We've been working on removing admin rights for users in our
environment. One snag we've run into is related to our RAS VPN
connections and CMAK profiles. In order to make everything work
we're using CMAK to build the profile which includes routing, etc.
We can't seem to find a way to get those to work without admin
rights because cmroute.dll won't run without elevation. Any
recommendations on how to get around this or possibly push the
routes once during initial install and not have to run them at connect time?
Thanks
--------------------
Melvin Backus | Sr. Systems Engineer | Byers Engineering Company |
404.497.1565
Service Desk | 404-497-1599 | https://servicedesk.byers.com
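The Task Scheduler suggestion made earlier in this thread, sketched as an added example (not code from any poster): a task that runs a route script as SYSTEM when the VPN connects, so no admin password is stored or prompted for. The folder, script name, task name, and the use of RasClient event ID 20225 in the Application log as the connect trigger are assumptions.

```powershell
# Added example. Run once, elevated, at profile deployment time.
# Hypothetical names (not from the thread): folder, script, task name.
$scriptDir  = 'C:\ProgramData\VpnRoutes'
$scriptPath = Join-Path $scriptDir 'add-routes.cmd'   # holds the "route add" lines
$taskName   = 'VPN-AddRoutes'

# The task runs as SYSTEM, so the script must not be writable by standard users.
# Drop inherited ACEs and grant full control to SYSTEM and Administrators only
# (well-known SIDs are used so this works on non-English Windows).
New-Item -ItemType Directory -Path $scriptDir -Force | Out-Null
icacls $scriptDir /inheritance:r `
    /grant:r '*S-1-5-18:(OI)(CI)F' '*S-1-5-32-544:(OI)(CI)F' | Out-Null

# Event trigger: New-ScheduledTaskTrigger has no "on event" option, so build
# the trigger from its CIM class and attach an event-log subscription.
# Assumption: RasClient logs event 20225 to Application when a connection
# is established.
$class   = Get-CimClass -ClassName MSFT_TaskEventTrigger `
               -Namespace Root/Microsoft/Windows/TaskScheduler
$trigger = New-CimInstance -CimClass $class -ClientOnly
$trigger.Enabled      = $true
$trigger.Subscription = @"
<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">
      *[System[Provider[@Name='RasClient'] and EventID=20225]]
    </Select>
  </Query>
</QueryList>
"@

# Fixed command line; nothing user-supplied is passed to the elevated process.
$action = New-ScheduledTaskAction -Execute 'cmd.exe' `
              -Argument "/c `"$scriptPath`""

# SYSTEM principal: no stored password, no runas prompt.
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' `
                 -LogonType ServiceAccount -RunLevel Highest

Register-ScheduledTask -TaskName $taskName -Action $action `
    -Trigger $trigger -Principal $principal -Force | Out-Null

# Check what was registered and who can touch the script folder.
Get-ScheduledTask -TaskName $taskName | Select-Object TaskName, State
icacls $scriptDir
```

Anyone who can write to the script file can run code as SYSTEM, which is why the folder ACL is restricted before the task is registered. The trigger fires for any RasClient connection, so the script itself should confirm the VPN interface is up before adding routes.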