Hi Glenn

You could have a batch file that creates a scheduled task and then
launches that task 5 minutes later. The task can run with different
credentials. The batch will need the password coded into it, though.

--Create it--
schtasks /create /s Comp_Name /tn "Job_Name" /tr "c:\script_torun" /sc once /st 23:55:00 /RU domain\username /rp password

--Run it ahead of schedule --
schtasks /run /s Comp_Name /tn "Job_Name"

--Delete it --
schtasks /delete /s Comp_Name /tn "Job_Name" /F

Regards;

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]


"Glenn Corbett" <[EMAIL PROTECTED]au>
Sent by: [EMAIL PROTECTED]tivedir.org
To: <[email protected]>
cc: (bcc: James Day/Contractor/NPS)
Subject: [ActiveDir] OT: Delegating managment rights over data drives
07/07/2005 06:26 PM ZE10
Please respond to ActiveDir

All,

As per the subject, we are attempting to delegate management of home
directories to another management area, but have a couple of restrictions
in that these users should actually not have access to the drives once they
are created.

We have looked at a number of options, and the current one is to launch a
process as a user with higher privileges that does the actual setting of
the permissions to the drive, locking out the user running the application.

Question I have then, is the RunAs command doesn't allow passing in of a
user name and password on the command line (only a user name). The person
running this script / application won't know the password of the account
used to make these changes. Is there a way via script or batch file to
launch a process as another user that sets these permissions? I've been
hunting around, and I've found the Win32 API call I need, but looks like a
large amount of overkill.

Alternatively, can the NTFS permissions be set in such a way that a person
has the ability to create subdirectories and files, change permissions, and
then not have access to the directory structure they just created? (I'm
presuming by removing themselves from the permissions list, but what if
inheritance is turned on?)

Thanks

Glenn
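
Added example, not part of the original thread: a PowerShell script that the scheduled task described above could run under the privileged account, so that the operator who triggers the task never holds rights on the new folder. It handles the inheritance question by protecting the folder's ACL before granting access. The domain `EXAMPLE`, the root `D:\Home`, the parameter names and the name pattern are assumptions.

```powershell
# Added example: runs as the privileged task account, not as the operator.
# Assumed placeholders (not from the thread): EXAMPLE, D:\Home, parameter names.
param(
    [Parameter(Mandatory)][string]$UserName,   # account that owns the home directory
    [string]$Domain    = 'EXAMPLE',
    [string]$ShareRoot = 'D:\Home'
)
$ErrorActionPreference = 'Stop'

# Accept only a plain account name so the value cannot escape $ShareRoot
# (for example "..\..\Windows") when it is joined into a path.
if ($UserName -notmatch '^[A-Za-z0-9._-]{1,20}$' -or $UserName -match '^\.+$') {
    throw "Invalid user name: $UserName"
}

$path = Join-Path $ShareRoot $UserName
if (-not (Test-Path -LiteralPath $path)) {
    New-Item -ItemType Directory -Path $path | Out-Null
}

$acl = Get-Acl -LiteralPath $path

# Protect the ACL: stop inheriting from $ShareRoot and do not keep copies of
# the parent's ACEs, so a grant on the parent no longer reaches this folder.
$acl.SetAccessRuleProtection($true, $false)

# Drop any explicit ACEs already present (e.g. one for the creating account).
$acl.Access | Where-Object { -not $_.IsInherited } |
    ForEach-Object { [void]$acl.RemoveAccessRule($_) }

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$none    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

$grants = @(
    @{ Id = "$Domain\$UserName";      Rights = 'Modify' },
    @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' },
    @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' }
)
foreach ($g in $grants) {
    $rights = [System.Security.AccessControl.FileSystemRights]$g.Rights
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $g.Id, $rights, $inherit, $none, $allow)
    $acl.AddAccessRule($rule)
}

Set-Acl -LiteralPath $path -AclObject $acl
```

The operator is absent from the grant list, so after `Set-Acl` they have no access unless they are also a member of one of the listed groups.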


