Legacy Article - Information may be dated.

The Power of Zen 2.0 hidden in Zen 1.1

One of the "Zenest" features of Zenworks 2.0 is the ability to allow NAL applications to be defined to use "system impersonation."  When this option is selected, the program will execute using the authority of the OS's internal system account.  This will allow programs that require "admin" privileges to be run by users who are not administrators.

Through a little creative work, Zenworks can allow users on a "secure" NT station the ability to install any software, install selected software, start/stop services, add device drivers, or execute software that will not even run without administrative privileges.

Zenworks 1.1 does not allow a user to interactively exercise these authorities as they can in Zen 2.0.  Events can be scheduled using the "NetWare Scheduler" to run with "system impersonation", but the drawback is that a user does not have the ability to request these privileges.  The event simply happens either at login or at a pre-specified time.  This is quite a limitation and one of the reasons I find Zen20 so compelling.

Needing this ability prior to the release of Zen20, however, I created a workaround which actually gave the users the ability to request these privileges on the fly!


Feature Solution

  1. Create a scheduled action in either a "User Policy" or "Workstation Policy".
     
  2. Set this action to run as  "unsecure system user".
     
  3. Set this action to execute at "user login".
     
  4. This action should execute a batch file called "go.bat" from the server.

    GO.BAT
    start "ADMIN PC" /min cmd.exe /c F:\PUBLIC\install.bat

  5. Go.bat will execute the batch file "INSTALL.BAT" so that it runs minimized on the task bar with the title "ADMIN PC".  The batch file is running with "system authority" and anything called from the batch file will also run with "system authority."  For that reason, go.bat, INSTALL.BAT and everything they call should be writable only by administrators.  If the batch file is ever terminated, the command session that is open with "system authority" will close and thus prevent unauthorized access to a command prompt.
     

    INSTALL.BAT
    @echo off
    :top
    cls
    @echo 1) Install Printer
    @echo 2) Install/Remove Programs
    @echo 3) Modify Services
    rem choice sets errorlevel to the position of the key pressed; test highest first
    choice /c:123 "Please Select 1,2, or 3?"
    if errorlevel 3 goto services
    if errorlevel 2 goto programs
    if errorlevel 1 goto printers
    goto top
    :services
    rem services.lnk is a shortcut to the Services icon in Control Panel
    start f:\public\services.lnk
    goto top
    :programs
    rem calls Add/Remove Programs
    control appwiz.cpl
    pause
    goto top
    :printers
    rem calls the add/remove printers program
    control printers
    pause
    goto top

  6. The "INSTALL.BAT" uses the choice command, which accepts 1, 2, or 3 to select the action to take.  This batch file can be expanded to accept far more than 3 choices.  Also, the three actions here are only a sampling of what can be done with this method.  (Note: the DOS 6.22 version of choice.com works fine with NT 4.0 or Win95/98.)
  7. After each action is executed, the batch file returns to the top and allows the user to request another action or minimize for later use.
  8. Before any action defined with system impersonation can be executed from a network drive, the workstation must be properly registered and assigned rights to the network.   Please see the "Workstation Manager" section for more details.
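
A review aid for the batch files above, added here and not part of the original article: because everything INSTALL.BAT calls inherits system authority, this Python example lists each external program a menu script launches and whether it is named by a full path. cmd.exe resolves bare names such as choice or control through the current directory and then PATH, so those are the entries to pin down or protect. The function name launch_targets and the SAMPLE text (the article's INSTALL.BAT, one statement per line) are constructed for this example.

```python
import re

# cmd.exe built-ins used by menu scripts; "if" is assumed to only guard a goto.
INTERNAL = {"echo", "cls", "goto", "if", "pause", "rem", "set", "exit"}

# Constructed sample: the article's INSTALL.BAT, one statement per line.
SAMPLE = r"""@echo off
:top
cls
choice /c:123 "Please Select 1,2, or 3?"
if errorlevel 3 goto services
if errorlevel 2 goto programs
if errorlevel 1 goto printers
goto top
:services
start f:\public\services.lnk
goto top
:programs
control appwiz.cpl
pause
goto top
:printers
control printers
pause
goto top
"""

def launch_targets(batch_text):
    """Return (line_no, target, fully_qualified) for each external launch."""
    found = []
    for no, raw in enumerate(batch_text.splitlines(), 1):
        line = raw.strip().lstrip("@")
        if not line or line.startswith(":"):
            continue  # blank line or label
        tokens = re.findall(r'"[^"]*"|\S+', line)
        if tokens[0].lower() in INTERNAL:
            continue
        if tokens[0].lower() == "start":
            # Skip the optional quoted title and /switches to reach the target;
            # a bare "start" opens a new cmd.exe window.
            rest = [t for t in tokens[1:] if not t.startswith(("/", '"'))]
            target = (rest or ["cmd.exe"])[0]
        else:
            target = tokens[0]
        # Drive-letter or UNC paths are fixed; bare names are found by search
        # (current directory first, then PATH).
        qualified = bool(re.match(r"(?i)^([a-z]:\\|\\\\)", target))
        found.append((no, target, qualified))
    return found
```

Any entry reported with fully_qualified False is a candidate for an explicit path in the batch file.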
     

Below is a link to my solution which was published on Novell's CoolSolutions website.

http://www.novell.com/coolsolutions/zenworks/trenches/tr_nt_admin_authority_zw.html