Re: Perl-Win32-Admin digest, Vol 1 #757 - 4 msgs

Sat, 22 Jun 2002 05:28:08 -0700 

I've found that the problem is authenticating on network shares via remote
WMI. psexec has the same problem ,according to its documentation - it only
uses "impersonate" level DCOM security. So, the problem is setting up
delegation I think - here's the problem, reformulated:

I'm having trouble with getting a WMI-started remote process to run from a
share. Since I'm running from a share, I need to use delegation but I can't
get this to work at all - the WMI initial call fails if I specify "delegate"
level impersonation. I'm using Perl and this is the line:

$WMIProc=Win32::OLE->GetObject("winmgmts:{impersonationLevel=delegate,author
ity=kerberos:DOMAIN\\server}!\\\\$machine\\root\\cimv2:Win32_Process"

Facts:

* It works with "impersonate" set for impersonationLevel (but won't run
network share programs because there is no delegation).
* I'm running this from the DC (Win2k sp2) onto a WinXP box, both in same AD
domain.
* I'm running it as a domain admin account that is trusted for delegation
* The machine I'm connecting to via WMI is Trusted for Delegation
* I tried running this as the builtin domain Admin account but the "Trusted
for Delegation" box is greyed out for this user (any idea why, apart from it
being a security risk?)
* The DCOM error reported is "security related error" so it must be
delegation problems.


Any clues appreciated. Anyone who has sucessfully opened a "delegate"
impersonationLevel connection in perl, please let me know what you had to
do!

PK


----- Original Message -----
From: "Tom McIntyre" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, June 21, 2002 9:01 PM
Subject: RE: Perl-Win32-Admin digest, Vol 1 #757 - 4 msgs


> > I'm trying to write some scripts to update a load of XP workstations
> > centrally - they need to run a program on a server share but I can't get
> > this to work:
> >
> > $handle->Create("\\\\server\\share\\program.exe",\\\\server\\share);
>
> If you're willing to cheat, you could try this:
>
> http://www.sysinternals.com/ntw2k/freeware/psexec.shtml
>
>
>
> _______________________________________________
> Perl-Win32-Admin mailing list
> [EMAIL PROTECTED]
> To unsubscribe: http://listserv.ActiveState.com/mailman/mysubs
>


_______________________________________________
Perl-Win32-Admin mailing list
[EMAIL PROTECTED]
To unsubscribe: http://listserv.ActiveState.com/mailman/mysubs

Reply via email to