How can I run a process as "NT Authority\NetworkService"?


Solution 1

You can use devxexec: http://blog.developex.com/?p=1053

For example:

devxexec.exe /user:NETWORK_SERVICE cmd

Solution 2

"The scripting guy" has already answered this question here: http://www.microsoft.com/technet/scriptcenter/resources/qanda/apr05/hey0429.mspx

You'll just need to include the WMI call to grab the machine model number...

My implementation went like this:

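' Bind to the logged-on user and the local computer object in AD
Set objSysInfo  = CreateObject("ADSystemInfo")
Set objUser     = GetObject("LDAP://" & objSysInfo.UserName)
Set objComputer = GetObject("LDAP://" & objSysInfo.ComputerName)

' "=" does not expand wildcards in VBScript, so test for the substring instead
If InStr(1, objComputer.operatingSystem, "Server", vbTextCompare) > 0 Then
    ' Leave server objects untouched
    WScript.Quit
Else
    strMessage = objUser.CN & " logged on to " & objComputer.CN & " " & Day(Date) & "/" & Month(Date) & "/" & Year(Date) & " " & Time & "."

    ' Write the logon note to the computer object's description attribute
    objComputer.Description = strMessage
    objComputer.SetInfo
End If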

Call the above script from a GPO, using: User Config -> Windows Settings -> Scripts -> Logon

Then just update the permissions on the OU, so that users can modify the computer object descriptions, like this: screencap
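The OU permission change in Solution 2 is only safe if it stays limited to the description attribute of computer objects. The following is an added example, not part of either answer: a check over the OU's SDDL string that reports allow ACEs giving ordinary users wider write access than that. The function name `audit_ou_dacl` and the sample SDDL are constructed for illustration; the two GUIDs are the standard AD schema GUIDs for the description attribute and the computer class.

```python
import re

# Schema GUIDs (standard AD schema): the description attribute and the computer class.
DESCRIPTION_ATTR = "bf967950-0de6-11d0-a285-00aa003049e2"
COMPUTER_CLASS = "bf967a86-0de6-11d0-a285-00aa003049e2"
# SDDL aliases for trustees that include ordinary users.
BROAD = {"WD": "Everyone", "AU": "Authenticated Users",
         "DU": "Domain Users", "BU": "Builtin Users"}
WRITE_RIGHTS = {"WP", "GW", "GA", "WD", "WO"}  # write property, generic write/all, write DACL/owner


def audit_ou_dacl(sddl):
    """Return (trustee, rights, reason) for each allow ACE that gives a broad
    trustee more than 'write description on computer objects'."""
    findings = []
    for ace in re.findall(r"\(([^()]*)\)", sddl):
        fields = ace.split(";")
        if len(fields) < 6 or fields[0] not in ("A", "OA"):
            continue  # deny, audit and malformed entries are out of scope here
        ace_type, _flags, rights, obj, inherit_obj, trustee = fields[:6]
        if trustee not in BROAD and not re.fullmatch(r"S-1-5-21-[\d-]+-513", trustee):
            continue  # not Everyone/Authenticated Users/Users/Domain Users
        if rights.startswith("0x"):
            findings.append((trustee, rights, "numeric rights mask, review by hand"))
            continue
        tokens = set(re.findall("..", rights))  # rights are two-letter codes
        if not tokens & WRITE_RIGHTS:
            continue  # read-only ACE
        scoped = (ace_type == "OA" and tokens <= {"RP", "WP"}
                  and obj.lower() == DESCRIPTION_ATTR
                  and inherit_obj.lower() == COMPUTER_CLASS)
        if not scoped:
            findings.append((trustee, rights, "write access wider than description on computer objects"))
    return findings


# Constructed SDDL for a hypothetical workstation OU (not taken from a real domain).
SAMPLE_SDDL = (
    "O:DAG:DAD:"
    "(OA;CIIO;WP;bf967950-0de6-11d0-a285-00aa003049e2;bf967a86-0de6-11d0-a285-00aa003049e2;DU)"
    "(OA;CIIO;RPWP;;bf967a86-0de6-11d0-a285-00aa003049e2;AU)"
    "(A;CI;GA;;;DA)(A;CI;LCRPRC;;;AU)"
)

if __name__ == "__main__":
    for trustee, rights, reason in audit_ou_dacl(SAMPLE_SDDL):
        print(f"{BROAD.get(trustee, trustee)}: {rights}: {reason}")
```

In the sample, the first ACE is the narrowly scoped delegation and passes; the second has an empty object GUID, so it lets Authenticated Users write every attribute of computer objects, and it is reported.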


Author: bshacklett

Updated on September 17, 2022

Comments

  • bshacklett almost 2 years

    I'm toying with an idea for a script that would update a computer's details in Active Directory with its make and model information. Ideally, I'd like this script to access AD via its computer account, which means I'd need to have the script run as "NT Authority\NetworkService". Is this something that's possible? Alternatively, could I impersonate NetworkService in the script/executable?

    • hurfdurf over 13 years
      Depending upon your end goal, you might want to look into SpiceWorks. It harvests much of this information automagically without tweaking AD.
  • bshacklett over 13 years
    The problem with running psexec to query remote machines is that it's more complicated to deal with machines that are unavailable. If I configure a login script or an agent via GPO, I can sit back and wait for the computers to check in on their own rather than running query after query to catch every machine. As I think about it, though, it may be better to write this as an agent with a service that can easily run as NetworkService anyway.
  • bshacklett over 13 years
    And then the ridiculousness of installing a service just to push make/model info to AD hits me.
  • boyonwheels over 13 years
    That's a fair criticism/annoyance. Sticking with the same theme you could push out the scheduled task to all of the client machines using a GPO.
  • boyonwheels over 13 years
    That way you get the benefit of both: scheduled tasks permission escalation and the "one time check-in" by running it on the client side.
  • bshacklett over 13 years
    After trying it and doing some research, it appears that the Network Service account does not have rights to run as a batch job.
  • aseques about 5 years
    Sadly, this doesn't seem to work on Windows 2008 R2 or newer; it throws error 0x000142.
  • AntoineL over 3 years
    @aseques: Read the (archived) manual, it explicitly explains why this error occurs, and how to solve it.