Run tasks with extended permissions

Tasks is programs that you have access to directly from Operators Console. It is basic commands like ping but also more advanced commands for Active Directory troubleshooting. After you import more management packs you will get more tasks. You can also create your own tasks in Administrator console, management packs and tasks.

 When you run a task from Operators console it runs only the current user permissions. Often the operator have very restricted permissions. But there is always a more trusted group of operators with a little bit more permissions, they use to have a “admin” account too, to do some basic administered tasks.  Unfortunately you cannot use the non-admin account to run operators console and the “little-admin” account to run tasks, at least not with basic MOM functions.

If your operators have one regular account named Kalle and one named kalle-admin you can change the command line for tasks to this

cmd /C "runas.exe /noprofile /user:%username%-admin@domain.com "mmc compmgmt.msc -s /computer:"$TargetComputer$""

Then the problem will be run as a user named kalle-admin (if you are login as kalle) and you will then be prompt to input password.

But if you need to change both login and password it is a little more complicated. You then will need a script that first ask for username and password, and then it starts the software with those credentials. This script will do that for you

strUserName = InputBox(“Please input your administration username?”, “UserName”)
strComputer = Wscript.Arguments(0)
dim OShell
Set objShell = Wscript.CreateObject(“WScript.Shell”)
objshell.run “runas.exe /noprofile /user:” & strUserName & ” ” & Chr(34) & “mmc compmgmt.msc /s /computer:” &strComputer & ” ” & Chr(34)
 


To run this you will have to change the command line to scriptname.vbs $Computer Name$

About

Microsoft

One thought on “Run tasks with extended permissions

Comments are closed.