That was my thought; I'd prefer not to have IUSR running that type of executable. Any 
pointers towards how we could run it in another account context? I thought about 
RunAs, but didn't want to pass pwds in an asp script...
Thanks!

**********************
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**********************
 

> -----Original Message-----
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> [EMAIL PROTECTED]
> Sent: Wednesday, November 03, 2004 12:25 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Scripting question - Net Send command
> 
> It's an ugly hole. My option would be to have the tool run in the
> context of another account (like a service account).
>  
>  
> Sincerely,
> 
> Déjì Akómöláfé, MCSE+M MCSA+M MCP+I
> Microsoft MVP - Directory Services
> www.readymaids.com - we know IT
> www.akomolafe.com
> Do you now realize that Today is the Tomorrow you were worried about
> Yesterday?  -anon
> 
> ________________________________
> 
> From: [EMAIL PROTECTED] on behalf of Charlie Kaiser
> Sent: Wed 11/3/2004 11:42 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Scripting question - Net Send command
> 
> 
> 
> Yeah; that's kinda what I ran into. Two things...
> One, if we provide access to net.exe to the IUSR account, how ugly is
> that hole? If they can run net send, they can run net anything, right?
> Not sure I like that, but I'm not sure how ugly it really is. Two, how
> do we provide the perms on net.exe? I tried copying it to another
> directory and applying read and execute perms to that directory, but it
> didn't change anything. Is there a how-to anywhere for us non-IIS gurus?
> Thanks!
> 
> **********************
> Charlie Kaiser
> MCSE, CCNA
> Systems Engineer
> Essex Credit / Brickwalk
> 510 595 5083
> **********************
> 
> 
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
> > Sent: Wednesday, November 03, 2004 11:12 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] Scripting question - Net Send command
> >
> > As a security feature on w2k3, the IUSR_ user id has no permissions to
> > any files (including net.exe).
> >
> > Either give the IUSR_ account permissions to net.exe, or configure the
> > web site to run under a user id that has permission.
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of
> > Charlie Kaiser
> > Sent: Wednesday, November 03, 2004 12:42 PM
> > To: [EMAIL PROTECTED]
> > Subject: [ActiveDir] Scripting question - Net Send command
> >
> >
> > We're porting our old intranet (NT4/IIS4) to a new server (W2K3/IIS6)
> > and have run into an authentication issue that I need some help with.
> > There's a legacy code chunk that does a net send command to create a
> > popup on a user's PC to tell them a new request has come in that they
> > need to deal with. I'd prefer that they used email for this, but
> > apparently checking email regularly is too much trouble for them. They
> > want a pop-up. :-) The problem is that we can't get Net Send to launch
> > properly. Here's the distilled code:
> > <%
> >   dim oWSH
> >   Set oWSH = CreateObject("WScript.Shell")
> >   oWSH.Run "NET SEND " & "test4" & " testing."
> > %>
> > That is embedded into an ASP file, which is run by a user connecting to
> > a webpage stored on the new IIS server. The rest of the script includes
> > some authentication procedures that identify the logged on user and
> > allow or deny page access based on AD Group membership.
> >
> > If I run it from my workstation, with my admin credentials, it runs
> > fine. If I run it from a PC logged in as a standard user, we get
> > "Microsoft VBScript runtime error '800a0046' Permission denied
> > /CNK/ww2.asp, line 4".
> >
> > Is there a way to:
> > 1. Force the net send command to securely run as a different user
> >    without exposing elevated credentials?
> > 2. Use a different method to create the popup window?
> >
> > Thanks for any help...
> >
> >
> >
> > **********************
> > Charlie Kaiser
> > MCSE, CCNA
> > Systems Engineer
> > Essex Credit / Brickwalk
> > 510 595 5083
> > **********************
> > List info   : http://www.activedir.org/mail_list.htm
> > List FAQ    : http://www.activedir.org/list_faq.htm
> > List archive:
> > http://www.mail-archive.com/activedir%40mail.activedir.org/
> 
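
One way to run the command in another account's context with no password in the ASP page, as an added example that is not code from anyone in the thread: the page only drops a request file into a queue folder, and a worker script, run by a scheduled task under a dedicated low-privilege service account, validates each request and issues the fixed `net send`. The queue path, the `.req` file layout and the scheduled-task setup are assumptions made for this sketch.

```vbscript
' notify_worker.vbs - added example, not code from the thread.
' Assumed setup: started by a scheduled task that runs as a dedicated
' low-privilege service account. IUSR gets create-file rights on QUEUE_DIR
' only and never needs permissions on net.exe.
' Assumed request format: line 1 = recipient, line 2 = message text.
Option Explicit

Const QUEUE_DIR = "D:\NotifyQueue"   ' hypothetical path
Const ForReading = 1

Dim fso, shell, reName, reMsg, file, ts, recipient, message
Set fso = CreateObject("Scripting.FileSystemObject")
Set shell = CreateObject("WScript.Shell")

' Allow-lists: the web tier's input is restricted to a small character set,
' so it cannot add switches, quotes or shell metacharacters to the command.
Set reName = New RegExp
reName.Pattern = "^[A-Za-z0-9_-]{1,20}$"
Set reMsg = New RegExp
reMsg.Pattern = "^[A-Za-z0-9 .,:#-]{1,120}$"

For Each file In fso.GetFolder(QUEUE_DIR).Files
    If LCase(fso.GetExtensionName(file.Name)) = "req" Then
        recipient = ""
        message = ""
        Set ts = fso.OpenTextFile(file.Path, ForReading)
        If Not ts.AtEndOfStream Then recipient = Trim(ts.ReadLine)
        If Not ts.AtEndOfStream Then message = Trim(ts.ReadLine)
        ts.Close

        If reName.Test(recipient) And reMsg.Test(message) Then
            ' The verb is fixed here: the queue can only ever produce
            ' "net send", not any other net.exe subcommand.
            shell.Run "%SystemRoot%\system32\net.exe send " & _
                      recipient & " " & message, 0, True
        Else
            WScript.Echo "Rejected request file " & file.Name
        End If
        ' Remove the request whether it was sent or rejected.
        fso.DeleteFile file.Path, True
    End If
Next
```

The account's password is entered once when the scheduled task is created, so it never appears in the ASP source or on a command line.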