I had tried that but wasn't successful in getting the page to load; I kept getting a 
service unavailable error and the application pool would crash. Finally figured it 
out. When I added the account that the executable would run under to the IIS_WPG 
group, everything fell into place.
I'm still not convinced it's secure. I don't like users being able to execute net.exe 
on a server from a web page. I would bet that there's a lot of havoc that can be 
wreaked with that command. I intend to pursue alternatives, but at least we don't 
remove current functionality with our migration.
Thanks!

**********************
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**********************
 

> -----Original Message-----
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
> Sent: Wednesday, November 03, 2004 1:22 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Scripting question - Net Send command
> 
> Create a virtual directory for the web page, and configure it 
> to run as the local or domain user of your choice.
> 
> -----Original Message-----
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Charlie Kaiser
> Sent: Wednesday, November 03, 2004 4:16 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Scripting question - Net Send command
> 
> 
> That was my thought; I'd prefer not to have IUSR running that 
> type of executable. Any pointers towards how we could run it 
> in another account context? I thought about RunAs, but didn't 
> want to pass pwds in an asp script... Thanks!
> 
> **********************
> Charlie Kaiser
> MCSE, CCNA
> Systems Engineer
> Essex Credit / Brickwalk
> 510 595 5083
> **********************
>  
> 
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of 
> > [EMAIL PROTECTED]
> > Sent: Wednesday, November 03, 2004 12:25 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] Scripting question - Net Send command
> > 
> > It's an ugly hole. My option would be to have the tool run in
> > the context of
> > another account (like a service account).
> >  
> >  
> > Sincerely,
> > 
> > Deji Akomolafe, MCSE+M MCSA+M MCP+I
> > Microsoft MVP - Directory Services
> > www.readymaids.com - we know IT
> > www.akomolafe.com
> > Do you now realize that Today is the Tomorrow you were worried about
> > Yesterday?  -anon
> > 
> > ________________________________
> > 
> > From: [EMAIL PROTECTED] on behalf of Charlie Kaiser
> > Sent: Wed 11/3/2004 11:42 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] Scripting question - Net Send command
> > 
> > 
> > 
> > Yeah; that's kinda what I ran into. Two things...
> > One, if we provide access to net.exe to the IUSR account, how ugly is
> > that hole? If they can run net send, they can run net anything, right?
> > Not sure I like that, but I'm not sure how ugly it really is. Two, how
> > do we provide the perms on net.exe? I tried copying it to another
> > directory and applying read and execute perms to that directory, but
> > it didn't change anything. Is there a how-to anywhere for us
> > non-IIS gurus?
> > Thanks!
> > 
> > **********************
> > Charlie Kaiser
> > MCSE, CCNA
> > Systems Engineer
> > Essex Credit / Brickwalk
> > 510 595 5083
> > **********************
> > 
> > 
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
> > > Sent: Wednesday, November 03, 2004 11:12 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: [ActiveDir] Scripting question - Net Send command
> > >
> > > As a security feature on w2k3, the IUSR_ user id has no permissions to
> > > any files (including net.exe).
> > >
> > > Either give the IUSR_ account permissions to net.exe, or configure the
> > > web site to run under a user id that has permission.
> > >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Charlie 
> > > Kaiser
> > > Sent: Wednesday, November 03, 2004 12:42 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: [ActiveDir] Scripting question - Net Send command
> > >
> > >
> > > We're porting our old intranet (NT4/IIS4) to a new server (W2K3/IIS6)
> > > and have run into an authentication issue that I need some help with.
> > > There's a legacy code chunk that does a net send command to create a
> > > popup on a user's PC to tell them a new request has come in that they
> > > need to deal with. I'd prefer that they used email for this, but
> > > apparently checking email regularly is too much trouble for them. They
> > > want a pop-up. :-) The problem is that we can't get Net Send to launch
> > > properly. Here's the distilled code:
> > > <%
> > >   dim oWSH
> > >   Set oWSH = CreateObject("WScript.Shell")
> > >   oWSH.Run "NET SEND " & "test4" & " testing."
> > > %>
> > > That is embedded into an ASP file, which is run by a user connecting
> > > to a webpage stored on the new IIS server. The rest of the script
> > > includes some authentication procedures that identify the logged on
> > > user and allow or deny page access based on AD Group membership.
> > >
> > > If I run it from my workstation, with my admin credentials, it runs
> > > fine. If I run it from a PC logged in as a standard user, we get
> > > "Microsoft VBScript runtime error '800a0046' Permission denied
> > > /CNK/ww2.asp, line 4".
> > >
> > > Is there a way to:
> > > 1. Force the net send command to securely run as a different user
> > >    without exposing elevated credentials?
> > > 2. Use a different method to create the popup window?
> > >
> > > Thanks for any help...
> > >
> > >
> > >
> > > **********************
> > > Charlie Kaiser
> > > MCSE, CCNA
> > > Systems Engineer
> > > Essex Credit / Brickwalk
> > > 510 595 5083
> > > **********************
List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
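
Added example, not part of the original thread or any poster's code: one way to narrow the "net anything" exposure discussed above is to route every call through a wrapper that only ever runs `net.exe send`, by full path, to allowlisted recipients with a restricted message. The function names, the form fields `to` and `msg`, and the recipient `helpdesk1` are hypothetical; the account the page runs under is still whatever was configured as described in the thread.

```vbscript
<%
Option Explicit

' Constructed allowlist of pop-up recipients (hypothetical account names).
Function AllowedRecipients()
    Dim d
    Set d = Server.CreateObject("Scripting.Dictionary")
    d.CompareMode = vbTextCompare   ' must be set before any Add
    d.Add "test4", True
    d.Add "helpdesk1", True
    Set AllowedRecipients = d
End Function

' Message text: short, and free of quotes, %, &, |, <, > and ^.
Function IsSafeMessage(msg)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9 .,:#()-]{1,128}$"
    IsSafeMessage = re.Test(msg)
End Function

' Runs "net.exe send" only; True when net.exe exits with code 0.
Function SendPopup(recipient, msg)
    Dim allowed, oWSH, cmd
    SendPopup = False
    Set allowed = AllowedRecipients()
    ' Rejects "*", "/domain", "/users" and anything else not listed.
    If Not allowed.Exists(recipient) Then Exit Function
    If Not IsSafeMessage(msg) Then Exit Function
    Set oWSH = Server.CreateObject("WScript.Shell")
    ' Full path, so a net.exe copied elsewhere on the search path is never used.
    cmd = """%SystemRoot%\System32\net.exe"" send " & recipient & " """ & msg & """"
    SendPopup = (oWSH.Run(cmd, 0, True) = 0)
End Function

' "to" and "msg" are hypothetical form field names.
If Not SendPopup(CStr(Request.Form("to")), CStr(Request.Form("msg"))) Then
    Response.Status = "400 Bad Request"
End If
%>
```

The wrapper limits what the page itself can ask net.exe to do; it does not change what the configured account could do with net.exe if other code ran under it.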
