I created a managed service account for my service.
I need to add SeImpersonatePrivilege to this account.
It's Windows 2008 R2.
How could I do it?
"Impersonate a client after authentication" in the
Local Security Policy under Local Policies -> User Rights Assignment
Also NTRights with SeImpersonatePrivilege:
ntrights.exe +r SeImpersonatePrivilege -u domain\managedserviceaccount$
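Added example, not part of the original answer: a PowerShell check, run elevated on the server, that lists who holds SeImpersonatePrivilege after the change and confirms the managed service account is among them. The account name is a placeholder; the script relies on secedit's user-rights export.

```powershell
# Placeholder account name; replace with the managed service account.
$account = 'DOMAIN\managedserviceaccount$'
$right   = 'SeImpersonatePrivilege'

# Resolve the account to its SID; secedit lists most principals as *SID.
$sid = ([System.Security.Principal.NTAccount]$account).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# Export only the user-rights section of the local policy (needs elevation).
$cfg = Join-Path $env:TEMP 'user_rights.inf'
secedit /export /areas USER_RIGHTS /cfg $cfg | Out-Null

try {
    $line = Get-Content $cfg | Where-Object { $_ -match "^$right\s*=" } |
            Select-Object -First 1
    if (-not $line) { throw "$right is not assigned to anyone in the exported policy." }

    # Entry format: SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,...
    $holders = ($line -split '=', 2)[1].Split(',') |
               ForEach-Object { $_.Trim().TrimStart('*') }

    foreach ($h in $holders) {
        # Translate SIDs back to names where possible, for review.
        $name = $h
        if ($h -like 'S-1-*') {
            try {
                $name = (New-Object System.Security.Principal.SecurityIdentifier $h).Translate(
                            [System.Security.Principal.NTAccount]).Value
            } catch { }   # unresolvable SID: keep the raw value
        }
        '{0,-45} {1}' -f $name, $h
    }

    if ($holders -contains $sid -or $holders -contains $account) {
        "OK: $account holds $right"
    } else {
        "MISSING: $account does not hold $right directly (group membership is not expanded here)"
    }
}
finally {
    Remove-Item $cfg -ErrorAction SilentlyContinue
}
```

The listing is also a quick way to review every other principal that holds this right on the machine.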
Need inputs to create a PowerShell script to run on a remote machine to check whether a local admin account exists on that machine.
If yes, report it to ManageEngine Desktop Central or send an email.
Any ideas would be appreciated, thanks in advance.
I would like to stop a Topshelf service using a cmd task in an Azure DevOps release pipeline.
What I do is create a CommandLineTask with the following script:
ServiceName.exe stop
As an output I see
v3.1.4 2020-06-05T10:14:20.1312163Z The ServiceName service can only
be stopped by an administrator
My question is whether there is a way to run this CommandLineTask as an administrator?
P.S. I use an agent on my virtual machine, where the service itself exists.
Since you are using a self-hosted agent, you could try to use the administrator account (local system admin) to create and run the agent.
For an interactive mode self-hosted agent:
You could use the following command to create an agent with the admin account.
.\config.cmd --unattended --url https://myaccount.visualstudio.com --auth pat --token myToken --pool default --agent myAgent --runAsAutoLogon --windowsLogonAccount myDomain\adminaccount --windowsLogonPassword Password
For a service mode self-hosted agent:
On one hand, you could create an agent with the admin account (similar to interactive mode).
.\config.cmd --unattended --url https://myaccount.visualstudio.com --auth pat --token myToken --pool default --agent myAgent --runAsService --windowsLogonAccount myDomain\adminaccount --windowsLogonPassword Password
On the other hand, you could navigate to local system -> Service and find the running agent service.
Then you could change the logon account to the admin account.
Here is a doc about creating an agent.
I'm able to connect to a remote WAS 8.5.5 deployment manager profile after supplying the user/pass from my local WAS 8.5 install. Given below is a typical wsadmin command...
./wsadmin.sh \
-lang jython \
-conntype SOAP -host myRemoteWASHost -port 12345 \
-user wasAdminUser -password wasPassword
How can I connect to the remote without a password, using the UserId and (xor) Password already populated in the remote WAS Profile soap.client.props file?
Put that userid and password into soap.client.props in the profile from where you start the wsadmin tool. You may need to create a new dummy local profile so as not to clash with your local profile, if the profile from where you run wsadmin has a different username/password.
How can I generate a report that represents all the files in a hierarchical manner using SourceGear Vault?
I know VSS and TFS have this functionality, and I am hoping that Vault does as well.
You should be able to use the command line:
vault LISTFOLDER top_of_your_repository > status_report.txt
From the command line help:
LISTFOLDER usage: vault.exe LISTFOLDER [options] repositoryfolder
LISTFOLDER will display the contents of the folder specified by
repositoryfolder, including the status of any working folders.
Server and authentication information is specified by:
-host host Hostname of the server to connect to. Can also use "-server".
-ssl Enables SSL for server connection.
-user username Username to use when connecting to server.
-password password Password to use when connecting to server.
-repository repositoryname Repository to connect to. This is a list of possible options:
-norecursive Do not act recursively on folders.
I read this from a posting in the Windows SysInternals forum.
The HKCU - hive key current user - will point to that user's hive key who authenticated on the remote machine with the help of psexec. It will not point to the user's hive key who has logged on interactively to the machine's desktop, unless both accounts happen to be identical.
I am facing the same problem with trying to push the signer and cert associated with a self signed certificate to the HKEY_CURRENT_USER/Software/Microsoft/SystemCertificates/Root/Certificates folder in the Windows registry for the user signed onto the remote machine.
If the userid and password used with PsExec are the same as the user currently logged onto the remote machine everything works fine. The HKCU registry entries get added as expected.
Since we can't ask each end-user for their AD password I am trying to sort out how I can get this to work when both accounts aren't identical. I have a Windows service account that has admin rights on all the PCs in the domain I am trying to push the cert and signer out to. If I use that account with psexec the registry entries do not get added for the user logged onto the remote PC.
Is there any way I can write to HKEY_CURRENT_USER using psexec when both accounts aren't identical? That is, when the account used with the psexec command is not the account that is currently logged onto the remote PC.
Example:
User remoteuser is logged onto the remote PC on which we want to install the cert entry into the HKCU hive but we use a different user/account with psexec. We do this because we don't know the AD passwords for all the remote users we want to update the HKCU hive for.
That would be a serious security issue.
In this example we use the psexecuser account to start the psexec service on the remote PC that the AD user remoteuser is logged onto.
C:\psexec @C:\remoteUserPCList.txt -u ourdomain\psexecuser -p psececuserpassword -d -c -f C:\InstallSSLCertinHKCU.bat
The HKCU registry entries do not get added for the remoteuser account on the remote PC.
Any fixes that would work with psexec would be a great help. I suspect we could use AD GPO but I am hopeful that there is some trick out there that can be used with PsExec.
Regards
psexec can't impersonate the logged-on user. But you don't need to push a self-signed certificate to the user's profile on the remote machine, you can push it to the computer account instead, and you can even do that with group policy.
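Added example, not part of the original answer: one way to do the machine-store install the answer describes, run elevated on the target computer, with a check that the certificate landed under HKLM rather than any user's HKCU hive. The certificate path is a placeholder.

```powershell
# Placeholder path to the certificate file; not a value from the thread.
$cerPath = 'C:\certs\internal-root.cer'
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath

# Show what is about to be trusted so it can be reviewed before it is added.
'{0}  thumbprint={1}  expires={2:yyyy-MM-dd}' -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter

# LocalMachine\Root is read by every user on the computer, so no per-user
# HKCU write (and no user password) is needed.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$store.Open('ReadWrite')
try {
    $present = $store.Certificates | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    if (-not $present) { $store.Add($cert) }
}
finally {
    $store.Close()
}

# Verify: locally added machine roots are stored under this HKLM key.
$regKey = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\' + $cert.Thumbprint
if (Test-Path $regKey) {
    "Present in machine store: $regKey"
} else {
    throw "Certificate $($cert.Thumbprint) was not found in the machine Root store."
}
```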