
Any way to have Local System Account Impersonate Domain Admin Account?

We use a Bomgar Remote Support Appliance, which has the nifty feature of having a back end command shell that can be used from the SysAdmin/HelpDesk side and not show up on the User's desktop.

The problem with this is that it runs as the Local System Account.

What I need to do is give our SysAdmin/HelpDesk the ability to run commands such as Net Use to temporarily map drives using Admin credentials to access shares that contain IT files/folders/docs etc. that the normal user credentials would not have access to.

Is there a way to run a script that would basically have the Local System Account impersonate an Admin Account to run the needed commands?

This might not be a great explanation of what I'm trying to accomplish, but maybe it's a start.


Answers (2)

Posted by: bourskov 12 years ago
Senior Yellow Belt
0
Hi...

Don't know your support app, but maybe you could use PsExec from PsTools?! It is more or less the same, but I believe you can RunAs any account in this tool, but I'm not sure.

http://technet.microsoft.com/en-us/sysinternals/bb896649

Cheers
Bo Urskov

Posted by: Teitan 12 years ago
Senior Purple Belt
0
I came across a similar problem a few days ago and this was my solution:
On the server which has the folder shared we've created a new user account which has the needed permissions to the share.
In my script I've connected the network share with the net use /user:useraccount@servername PASSWORD
It wouldn't be a good idea to have those account data in clear text in a script so I've created a vb.net exe which runs the net use command. This .exe is then called in the script.

I hope it is relatively clear what I mean.
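
An added example, not part of the original thread: string literals compiled into a .NET executable are stored as UTF-16LE text, so an audit of helper tools for inline net use credentials has to cover binaries as well as scripts. The server, account and password below are constructed sample values, and the function names are hypothetical.

```python
import re

ASCII_RUN = re.compile(rb'[\x20-\x7e]{8,}')
UTF16_RUN = re.compile(rb'(?:[\x20-\x7e]\x00){8,}')  # .NET string literals are UTF-16LE
NET_USE = re.compile(r'\bnet(?:\.exe)?\s+use\s+(.*)', re.IGNORECASE)
DEVICE = re.compile(r'^(?:[A-Za-z]:|lpt\d:|\\\\\S+)$', re.IGNORECASE)

def printable_strings(data):
    """Yield printable runs from a file image, in both ASCII and UTF-16LE."""
    for m in ASCII_RUN.finditer(data):
        yield m.group().decode('ascii')
    for m in UTF16_RUN.finditer(data):
        yield m.group().decode('utf-16-le')

def find_inline_credentials(data):
    """Return one finding per 'net use' line that carries an inline password."""
    findings = []
    for text in printable_strings(data):
        m = NET_USE.search(text)
        if not m:
            continue
        user, secrets = None, []
        for tok in m.group(1).split():
            if tok.lower().startswith('/user:'):
                user = tok[6:]
            elif tok.startswith('/') or tok == '*' or DEVICE.match(tok):
                continue             # switch, password prompt, or drive/UNC target
            else:
                secrets.append(tok)  # anything left is a literal password
        if user and secrets:
            # Report the length only, so the audit output does not leak the secret again.
            findings.append({'user': user, 'password_len': len(secrets[0])})
    return findings

# Constructed samples: a script, a stand-in for a compiled helper, and a prompting form.
CMD = 'net use \\\\fileserver01\\itshare /user:svc_share@fileserver01 Example-Passw0rd'
SCRIPT = b'@echo off\r\n' + CMD.encode('ascii') + b'\r\n'
HELPER = b'MZ\x90\x00\x03' + CMD.encode('utf-16-le') + b'\x00\x01'
PROMPT = b'net use Z: \\\\fileserver01\\itshare /user:svc_share@fileserver01 *\r\n'

if __name__ == '__main__':
    for name, blob in (('script', SCRIPT), ('helper exe', HELPER), ('prompting', PROMPT)):
        print(name, find_inline_credentials(blob))
```

The script and the compiled helper produce the same finding, while the form that passes * (prompt for the password at run time) produces none.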