I'm a new Kbox owner so maybe I'm missing something. It seems to me that the way you write a script to "Run As" someone other than the system account leaves a giant security hole. Looking at the instructions in the Kace KB (posted below) it appears that you are putting a privileged account un/pw in clear text then copying it to a user's PC. Am I missing something here? How can I run a script as a specific user without putting the pw out for anyone to see?


KB Article

The KBOX client by default runs everything as the Local System account. This account normally does not have access to network shares, or other access rights that a local administrator account would normally have. You can work around this by embedding this in your script/managed install with a batch file:

schtasks /create /ru <username> /rp <password> /st 00:00:00 /sc ONCE /tn kacescript /tr '<msi file you want installed with command line triggers>'
schtasks /run /tn kacescript

That should execute as the <username>


If you don't want the credentials displayed in plain text, then I'd suggest you write a compiled application to perform the RunAs for you. I use AutoIt to write installation wrappers with embedded credentials. You're still susceptible to reverse engineering, but with the credentials embedded in a compiled exe, they are much safer than plain text.

You aren't dealing with a security hole in the KBOX, rather a security hole in trying to embed credentials in a batch file. You are correct; if you follow the suggested KACE solution, your credentials will reside in the local KBOX Agent cache inside a batch file in plain text.
Answered 01/23/2010 by: airwolf
Tenth Degree Black Belt
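
The plaintext exposure described above can be audited for. This is an added example, not part of the original thread or the KACE KB: a Python scan of a script folder for schtasks calls that pass a literal password. The function names and the sample lines are constructed for illustration, and the folder to scan is supplied by the caller.

```python
import re
import shlex
from pathlib import Path

# schtasks switches that carry a password: /rp (run-as user) and /p (remote connection).
PASSWORD_SWITCHES = {"/rp", "/p"}
SCRIPT_SUFFIXES = {".bat", ".cmd"}

def find_embedded_passwords(text):
    """Return (line_no, switch, run_as_user) for each schtasks call with a literal password."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if stripped.lower().startswith(("rem ", "::")):
            continue  # commented-out batch line
        if not re.search(r"\bschtasks(\.exe)?\b", stripped, re.IGNORECASE):
            continue
        try:
            tokens = shlex.split(stripped, posix=False)  # keeps quoted /tr arguments whole
        except ValueError:
            tokens = stripped.split()  # unbalanced quotes: fall back to whitespace split
        lowered = [t.lower() for t in tokens]
        user = tokens[lowered.index("/ru") + 1] if "/ru" in lowered[:-1] else None
        for i, tok in enumerate(lowered):
            if tok not in PASSWORD_SWITCHES:
                continue
            value = tokens[i + 1] if i + 1 < len(tokens) else ""
            # "*" or a missing value makes schtasks prompt instead of reading a literal.
            if value and value != "*" and not value.startswith("/"):
                findings.append((line_no, tok, user))
    return findings

def scan_tree(root):
    """Scan every .bat/.cmd under root; the password itself is never returned."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in SCRIPT_SUFFIXES:
            hits = find_embedded_passwords(path.read_text(errors="replace"))
            if hits:
                report[str(path)] = hits
    return report

# Constructed sample in the shape of the KB snippet (all values are made up).
SAMPLE = '''@echo off
rem schtasks /create /ru OLD\\svc /rp oldpass /tn x /tr notepad
schtasks /create /ru CORP\\svc_install /rp "Example-Pw-1" /st 00:00:00 /sc ONCE /tn kacescript /tr "msiexec /i app.msi /qn"
schtasks /create /ru CORP\\svc_install /rp * /sc ONCE /st 00:00:00 /tn prompt /tr notepad
schtasks /run /tn kacescript
'''
```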

I just grant the share read only access for computer objects, that allows the local system account to access shares. Usually I don't want something to install as a specific user, so installing as local system is fine. In the event I need some registry keys created for the specific user, I use the activestate registry keys.
Answered 01/25/2010 by: lindsamw
Orange Senior Belt

"I'd suggest you write a compiled application to perform the RunAs for you"

I'll 2nd that.
Answered 01/28/2010 by: dtuttle
Purple Belt
