Monday, June 07, 2004

Delegation, Active Directory and WMI

Note: Do not start "researching" anything on Friday afternoon.

I can explain. I have this project where I'm on Computer A, and I need to run an executable on Computer B. (This executable is one of them command line utilities with no UI.) The problem really is that this little executable is on Computer C...and A, B and C are all on my little network here.

Since everyone was running Windows 2000, I assumed we could use WMI to connect from A to B as an Administrative user. Then, I could run this executable from C by creating a "Win32_Process" on B (with \\C\something.exe as the executable filename). Not that simple, it turned out.

The problem is that when you run code on Computer A which connects to Computer B using WMI, you need to pass a set of credentials, usually a domain admin username/password. When you request B to access a third computer (C), the code runs in the context of the "LocalSystem" user on B, NOT the username/password you supplied! And LocalSystem, by default, does not get access to network resources.

So what do you do? One of two things:
1) This URL explains the architecture of Delegation. Basically you allow Computer B, a domain computer, access to all network resources. The caveats? Computer B needs to be in the same domain, and needs to be registered in Active Directory. Also, your friendly neighbourhood Network Administrator is going to kill you.

2) You can "copy" the executable file to the remote computer and then execute it. (the LocalSystem has access to Local System resources. "Duh" - Ed.) I found another URL at Microsoft that shows you how to do all of this. Concept? Map a drive, z:, onto the remote computer (B) with the domain admin username/password, and then use the CopyFile function to copy from "\\C\somefolder\myexe.exe" to "z:\temp\myexe.exe", for example. You might wonder, what if nothing's shared on the remote computer - well, there's always an "ADMIN$" share or "C$" share that you can use. Or so I think.

Coming back to the note above. I had to stay late figuring all of this out, because I hate coming in on Saturdays. So, once again, DO NOT start something new, at work, on Friday afternoon.
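
The copy-then-execute workaround in option 2 leaves a recognisable trace on Computer B: an executable written over an administrative share, then started through WMI. As an added example (not code from the original post), this Python code correlates the two. It assumes a current Windows with file-share and process-creation auditing enabled; the record fields, host, address and paths are constructed for illustration.

```python
import ntpath
from datetime import datetime, timedelta

# Assumption: the administrative shares map to their default local paths.
SHARE_ROOTS = {"admin$": r"C:\Windows", "c$": "C:\\"}
WMI_HOST = "wmiprvse.exe"  # parent of processes started via Win32_Process.Create

# Constructed sample records, not real logs. Field names are simplified
# stand-ins for Security events 5145 (share file access) and 4688 (process
# creation); host, address and paths are made up.
EVENTS = [
    {"id": 5145, "time": "2024-06-07T10:00:10", "host": "B", "src": "10.0.0.11",
     "share": r"\\*\ADMIN$", "rel_path": r"temp\myexe.exe", "access": "WriteData"},
    {"id": 4688, "time": "2024-06-07T10:00:14", "host": "B",
     "image": r"C:\Windows\temp\myexe.exe",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"id": 4688, "time": "2024-06-07T10:01:00", "host": "B",
     "image": r"C:\Windows\System32\notepad.exe", "parent": r"C:\Windows\explorer.exe"},
    {"id": 5145, "time": "2024-06-07T10:05:00", "host": "B", "src": "10.0.0.11",
     "share": r"\\*\C$", "rel_path": r"tools\other.exe", "access": "WriteData"},
    {"id": 4688, "time": "2024-06-07T10:30:00", "host": "B",
     "image": r"C:\tools\other.exe",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
]

def local_path(share, rel_path):
    """Map a share name plus relative path to the local path on the host."""
    root = SHARE_ROOTS.get(share.rsplit("\\", 1)[-1].lower())
    return ntpath.normcase(ntpath.join(root, rel_path)) if root else None

def find_copy_then_wmi_exec(events, window=timedelta(minutes=5)):
    """Return (host, src, image) for each .exe written over an admin share and
    then started by the WMI provider host on that machine within `window`."""
    writes, findings = [], []
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        if ev["id"] == 5145 and "Write" in ev["access"]:
            path = local_path(ev["share"], ev["rel_path"])
            if path and path.endswith(".exe"):
                writes.append((ev["host"], path, when, ev["src"]))
        elif ev["id"] == 4688 and ntpath.basename(ev["parent"]).lower() == WMI_HOST:
            image = ntpath.normcase(ev["image"])
            findings += [(host, src, ev["image"])
                         for host, path, written, src in writes
                         if host == ev["host"] and path == image
                         and when - written <= window]
    return findings

if __name__ == "__main__":
    for finding in find_copy_then_wmi_exec(EVENTS):
        print(finding)
```

Only the first copy is reported with the default five-minute window; the second executable starts 25 minutes after it was written, so a wider window is needed to catch slower runs.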

2 Comments:

Anonymous said...

Use Russinovich's PSExec: http://www.sysinternals.com/ntw2k/freeware/psexec.shtml

--gabr

1:31 AM  
Deepak Shenoy said...

Had seen that, thanks! But they don't give you the source code to it, unfortunately. And I can't redistribute these EXEs either, so it won't really work for me...

2:09 AM  
