Re: How to redirect output of shell command using WMI
From: Stivie S. (stefan.suesser_at_computacenter.com)
Date: 04/29/04
- Previous message: Stivie S.: "RE: Help with a logon script"
- In reply to: Jagdish S. Khedekar: "Re: How to redirect output of shell command using WMI"
- Next in thread: Jagdish S. Khedekar: "Re: How to redirect output of shell command using WMI"
- Reply: Jagdish S. Khedekar: "Re: How to redirect output of shell command using WMI"
Date: Thu, 29 Apr 2004 01:41:04 -0700
Hi Jagdish,
you encounter a strange problem that is indeed security related, but "by design". When you have a WMI script that needs access to the network, the script will run fine when you run it under your credentials from a command prompt. It will not work when you run it remotely! In short, this problem arises because WMI scripts can only make one network "hop", meaning that a script run from your local machine can make a connection to the network without any problem. But, when running remotely, you already have two hops: your machine connects to the remote machine to run the script, and the remote machine wants to access the network - this is not supported by default. If your machines are members of an Active Directory domain, you can work around this problem by using delegation, meaning that you trust the computer account of the remote machine for delegation, a configuration that is set on the computer object in AD.
There is a nice article about this behaviour, which you can access here:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wmisdk/wmi/connecting_to_a_3rd_computer-delegation.asp
----- Jagdish S. Khedekar wrote: -----
Hi Al,
Thanks for your elaborate response.
But the script given will not work for me,
as the "File and Printer Sharing for Microsoft Networks" service is disabled
on the remote machine.
Because of this, I cannot use shares like "d$" for the remote machine.
But I can very well use the share on my machine from the remote machine.
Also one more point I would mention here is that, when I run the command
actually from the remote machine's command prompt,
it's working fine and I could get the output on my machine's share.
Please let me know if anybody has any inputs on this.
Thanks and best regards,
Jagdish.
"Al Dunbar [MS-MVP]" <alan-no-drub-spam@hotmail.com> wrote in message
news:#My#qDVLEHA.2624@TK2MSFTNGP09.phx.gbl...
>
> "Jagdish S. Khedekar" <jagdish@jopasana.com> wrote in message
> news:eowrTtTLEHA.2400@tk2msftngp13.phx.gbl...
>> Hi Group,
>>
>> I want to redirect the output of command executed on remote machine.
>> When I redirect the output on the share on same remote machine, it's working
>> with the code given below.
>> But it's not working for the share on my machine.
>> It should not be security credentials problem, because I am 'local admin' on
>> the remote machine.
>>
>> Please help me out in this problem.
>
> I am not positive on this, and have not tried this kind of thing just yet,
> but I suspect that it may be a permissions/credentials problem.
>
> When you use "{impersonationLevel=impersonate}!", I do not believe that a
> process actually runs on the remote system under your credentials. Rather, I
> think that whatever service is running on the remote machine runs under the
> context of the local admin account, which, by definition, has no privs
> outside of that one machine. It uses your credentials only to determine if
> your account has the permissions required to run WMI script on its local
> machine from a remote machine.
>
> However things work under the hood, I suspect that this restriction is
> either by design for security purposes, or that it is impossible to do
> otherwise. Note that it is one thing for your local wmi script to tell the
> remote computer who you are, but quite another to enable it to access
> resources that it has no access to, without passing more than just some kind
> of token of your identity. Note that this is how NTFS security works: the
> file system can provide access to NTFS folders and files based on your group
> membership without its having to know your password.
>
> You could try using runas explicitly in your script, however, this would
> open up a number of potential security issues that could be difficult to get
> a good handle on.
>
> Conversely, you could revert back to the version that writes the output to a
> file on the target computer, and later run a script to pull this file back
> to your computer.
>
> Perhaps even simpler would be to run a script like this on your computer:
>
> @echo off
> rem Write the remote directory listing to a local file named after the computer
> set remotecomputer=%1
> set remotepath=D$\oracle\ora92\bin
> >C:\remotedirs\%1.txt dir \\%remotecomputer%\%remotepath%
>
> and then type commands such as:
>
> remlist jupiter
> remlist saturn
>
> or put this in a batch file with the list of computer names in another:
>
> @echo off
> for /f %%F in (complist.txt) do call remlist %%F
>
> /Al
>
>> Thanks and best regards,
>> Jagdish.
>>
>> Code Snippet :
>> ------------------------------------------------------------
>> ' Command line run on the remote machine; output is redirected to a share
>> strCompleteCommand = "cmd.exe /c " & """" & "dir" & " > " & _
>>     "\\compname\sharename\out.txt" & """"
>>
>> Set objProcess = GetObject("winmgmts:" _
>>     & "{impersonationLevel=impersonate}!\\" & RemoteComputer & _
>>     "\root\cimv2:Win32_Process")
>>
>> Set objWMIService = GetObject("winmgmts:" _
>>     & "{impersonationLevel=impersonate}!\\" & StrComputer & "\root\cimv2")
>>
>> ' Startup configuration: run the process with a hidden window
>> Set objStartup = objWMIService.Get("Win32_ProcessStartup")
>>
>> Set objConfig = objStartup.SpawnInstance_
>> objConfig.ShowWindow = HIDDEN_WINDOW
>>
>> intError = objProcess.Create(strCompleteCommand, "D:\oracle\ora92\bin", _
>>     objConfig, intProcessId)
>> ------------------------------------------------------------
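
The delegation workaround described in the reply at the top of this message, as an added VBScript example that is not code from the thread or from the linked article: it connects with impersonationLevel=delegate and an explicit Kerberos authority so the remote machine may make the second hop to the share. EXAMPLEDOM, SERVER-B and \\WORKSTATION-A\wmiout are placeholder names; it assumes the SERVER-B computer account is trusted for delegation in AD and the caller's account is not marked as sensitive and non-delegable.

```vbscript
Option Explicit

' Added example; every name below is a placeholder, not a value from the thread.
Const HIDDEN_WINDOW = 12
Const strDomain   = "EXAMPLEDOM"                      ' hypothetical AD domain
Const strComputer = "SERVER-B"                        ' machine that runs the command
Const strOutFile  = "\\WORKSTATION-A\wmiout\dir.txt"  ' share on a third machine
Const strWorkDir  = "D:\oracle\ora92\bin"

Dim strMoniker, objWMIService, objStartup, objConfig, objProcess
Dim strCommand, intProcessId, intError

' "delegate" lets SERVER-B reuse the caller's identity for a second network hop.
' Delegation needs Kerberos, so the authority is named explicitly.
strMoniker = "winmgmts:{impersonationLevel=delegate," & _
             "authority=kerberos:" & strDomain & "\" & strComputer & "}!\\" & _
             strComputer & "\root\cimv2"

On Error Resume Next
Set objWMIService = GetObject(strMoniker)
If Err.Number <> 0 Then
    ' Typical causes: computer account not trusted for delegation, no Kerberos
    WScript.Echo "Connect failed: 0x" & Hex(Err.Number) & " " & Err.Description
    WScript.Quit 1
End If
On Error GoTo 0

' Run the process with a hidden window, as in the original snippet
Set objStartup = objWMIService.Get("Win32_ProcessStartup")
Set objConfig = objStartup.SpawnInstance_
objConfig.ShowWindow = HIDDEN_WINDOW

' Resulting command line: cmd.exe /c "dir > \\WORKSTATION-A\wmiout\dir.txt"
strCommand = "cmd.exe /c ""dir > " & strOutFile & """"

Set objProcess = objWMIService.Get("Win32_Process")
intError = objProcess.Create(strCommand, strWorkDir, objConfig, intProcessId)

If intError = 0 Then
    WScript.Echo "Started PID " & intProcessId & " on " & strComputer
Else
    ' 2 = access denied, 3 = insufficient privilege, 9 = path not found
    WScript.Echo "Win32_Process.Create returned " & intError
    WScript.Quit 1
End If
```

A return value of 0 only means cmd.exe was started; if the second hop is still refused, the redirect fails inside the remote process, so confirm that the output file actually appears on the share.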