# run .vbs against remote computer



## hqnet (Nov 14, 2009)

Hi,

I am trying to put together a .vbs that would allow someone with no "user accounts" administration skills or privileges to activate or disable a specific account in a remote computer.

The goal is to let her grant or deny access to the tech support staff of a particular application running on two Win 2000 computers in the LAN.

So far I got the vbs working against my test machine, but I can't get it to run against a remote machine. I fiddled with the user accounts existing in both machines but still couldn't get it right.
My guess is that I am not presenting proper credentials to the target.

I am attaching the full source, but I think this is the key snippet:

```
' "." binds to the local computer
strComputer = "."
strUsername = "Usuario"
' strTarget is only shown to the user as information
strTarget = "PRINCIPAL"

Set objUser = GetObject("WinNT://" & strComputer & "/" & strUsername & "")
```
That is the basic code. When I replace the "." in strComputer, the script seems unable to locate the target machine; after some tinkering I managed to get a permissions error, but I am not sure how I did it.
The strTarget is only used (at least so far) to show as information to the user.

The user's system has XP; the targets where accounts should be affected run Windows 2000 Pro.

Any help will be appreciated.
HQ


----------



## hqnet (Nov 14, 2009)

I forgot to mention there is no Domain/AD in this network.


----------



## TheOutcaste (Aug 8, 2007)

I believe the *GetObject("WinNT://"...* will only connect to a domain, or local computer, not a Remote computer. You have to use WMI for that.
Here's a starting point:
Connecting to WMI on a Remote Computer

You have to connect with an account that has Admin privileges, so either the user needs to have an Admin account, or the credentials need to be stored in the script.

If you don't want to give them Admin rights, you can run a script/Scheduled Task on each Win2K PC under an Admin account that checks a shared folder for a file every minute or so. If the file is present, the account is enabled. If not present, the account is disabled.

Then all the user has to do is save or delete a file in the shared folder, which can be done with a script.


----------
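
The shared-folder approach TheOutcaste describes above, as an added example that is not part of any post in this thread. It is meant to run on each Windows 2000 target as a Scheduled Task under a local administrator account; the flag file path and the 24-hour limit are assumptions, and "Usuario" is the account name from the original post.

```vbscript
' Added example, not from the thread. Runs ON each Windows 2000 target as a
' Scheduled Task under a local administrator account, every minute or so.
' Assumed values: FLAG_FILE path and MAX_HOURS. "Usuario" is the thread's account.
Option Explicit

Const FLAG_FILE = "C:\SupportAccess\enable.flag" ' file inside the shared folder (assumed path)
Const USER_NAME = "Usuario"
Const MAX_HOURS = 24                             ' assumed access window
Const EVT_INFORMATION = 4                        ' WshShell.LogEvent type

Dim fso, shell, net, user, wantEnabled, ageMinutes

Set fso   = CreateObject("Scripting.FileSystemObject")
Set shell = CreateObject("WScript.Shell")
Set net   = CreateObject("WScript.Network")

' The account should be enabled only while a fresh flag file exists.
wantEnabled = False
If fso.FileExists(FLAG_FILE) Then
    ageMinutes = DateDiff("n", fso.GetFile(FLAG_FILE).DateLastModified, Now)
    If ageMinutes < MAX_HOURS * 60 Then
        wantEnabled = True
    Else
        ' Stale request: remove it so access does not stay open indefinitely.
        fso.DeleteFile FLAG_FILE, True
    End If
End If

' Local bind, so no credentials are stored in the script or sent over the LAN.
Set user = GetObject("WinNT://" & net.ComputerName & "/" & USER_NAME & ",user")

' Write only on a state change, and record each change in the Application log.
If user.AccountDisabled = wantEnabled Then
    user.AccountDisabled = Not wantEnabled
    user.SetInfo
    If wantEnabled Then
        shell.LogEvent EVT_INFORMATION, "Support account " & USER_NAME & " enabled (flag file present)."
    Else
        shell.LogEvent EVT_INFORMATION, "Support account " & USER_NAME & " disabled (flag file absent or older than " & MAX_HOURS & " hours)."
    End If
End If
```

Give write access on the shared folder only to the user who is allowed to grant access, because anyone who can create the flag file can enable the account.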



## hqnet (Nov 14, 2009)

Thank you for the thorough reply.

I can't figure this out though....

this has to do with what you mentioned, and I am also trying to use these
http://blogs.technet.com/b/heyscrip...run-a-script-under-alternate-credentials.aspx
http://www.leastprivilege.com/ConnectingToWMIAndSecurity.aspx

But everything I find seems to resort to "WinNT:" or "LDAP:" (AD?) and my standalone machine can't be reached by those protocols...

At best, I think I might have authenticated but then the "objUser" part remains broken and fails.

I'm sort of stuck in a loop.


----------



## Squashman (Apr 4, 2003)

Can you tell me what your intended result is? I am not much of a VB guy but TheOutcaste asked me to peek in here. There may be a better way to implement what you are trying to do.


----------



## hqnet (Nov 14, 2009)

Hi, 
thank you for your help!!

The goal is that a standard user will be able to activate a specific account in a PC in the LAN from her desktop. That way, when the tech support of this app needs to log in via RDP to the system hosting a particular app, she can grant them access for a specific amount of time.

For that, my script currently lets the user set an expiration date for the account, so if today I set the expiration to tomorrow, the app support will have 24 hours of access and nothing more.
This is because the company does not want to leave an account open to a third party active 24/7 for privacy reasons.
Also, using the expiration would avoid issues with them having to deal with changing the password, since they (the third party) are very messy (hence the concerns)...

Best regards.


----------



## Squashman (Apr 4, 2003)

Well, you need to somehow elevate the standard user's privileges to run something only an Administrator can do. So if you have a script that can set the account expiration, you could wrap it up in an encrypted run as program that will run the script with a user that has admin privileges.


----------



## hqnet (Nov 14, 2009)

Squashman said:


> Well, you need to somehow elevate the standard user's privileges to run something only an Administrator can do. So if you have a script that can set the account expiration, you could wrap it up in an encrypted run as program that will run the script with a user that has admin privileges.


The problem is that AFAIK the local privileges are useless against the remote system when using a vbs, so I still need to validate against it, and that is what's proven unnecessarily difficult so far. So I ended up using a dull batch script combined with psexec to get it going. Not pretty really, but it does the work. Thanks anyways, Cheers!


----------

