How can I run a process as "NT Authority\NetworkService"?
Solution 1
You can use devxexec: http://blog.developex.com/?p=1053
For example:
devxexec.exe /user:NETWORK_SERVICE cmd
Solution 2
"The scripting guy" has already answered this question here: http://www.microsoft.com/technet/scriptcenter/resources/qanda/apr05/hey0429.mspx
You'll just need to include the WMI call to grab the machine model number...
My implementation went like this:
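' Bind to the current user's and computer's objects in Active Directory
Set objSysInfo = CreateObject("ADSystemInfo")
Set objUser = GetObject("LDAP://" & objSysInfo.UserName)
Set objComputer = GetObject("LDAP://" & objSysInfo.ComputerName)
' Skip servers. "=" does not expand wildcards in VBScript, so test for "Server" with InStr.
If InStr(1, objComputer.operatingSystem, "Server", vbTextCompare) > 0 Then
    WScript.Quit
Else
    ' Record who logged on, and when, in the computer object's description
    strMessage = objUser.CN & " logged on to " & objComputer.CN & " " & Day(Date) & "/" & Month(Date) & "/" & Year(Date) & " " & Time & "."
    objComputer.Description = strMessage
    objComputer.SetInfo
End If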
Call the above script from a GPO, using: User Config -> Windows Settings -> Scripts -> Logon
Then just update the permissions on the OU, so that users can modify the computer object descriptions, like this:
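The WMI call mentioned at the start of Solution 2, combined with that answer's ADSI write, as an added example (not code from the original answer): it reads make and model from Win32_ComputerSystem and stores them on the computer object. Writing to the description attribute is an assumption carried over from the script above, and it replaces the logon message that script stores there; GetMakeModel is a hypothetical helper name.

```vbscript
Option Explicit

' Hypothetical helper: returns "<manufacturer> <model>" for the local machine
' via WMI, or an empty string if the query returns no rows.
Function GetMakeModel()
    Dim objWMI, colSystems, objSystem
    GetMakeModel = ""
    Set objWMI = GetObject("winmgmts:\\.\root\cimv2")
    Set colSystems = objWMI.ExecQuery("SELECT Manufacturer, Model FROM Win32_ComputerSystem")
    For Each objSystem In colSystems
        ' & "" turns a Null property into an empty string before Trim
        GetMakeModel = Trim(Trim(objSystem.Manufacturer & "") & " " & Trim(objSystem.Model & ""))
    Next
End Function

Dim objSysInfo, objComputer, strMakeModel
Set objSysInfo = CreateObject("ADSystemInfo")
Set objComputer = GetObject("LDAP://" & objSysInfo.ComputerName)

' Same rule as the logon script above: leave server objects untouched.
If InStr(1, objComputer.operatingSystem, "Server", vbTextCompare) > 0 Then
    WScript.Quit 0
End If

strMakeModel = GetMakeModel()
If strMakeModel = "" Then
    WScript.Echo "WMI returned no make/model; nothing written."
    WScript.Quit 1
End If

' The write succeeds only if the account running the script has been granted
' write access to this attribute, so report a failure instead of hiding it.
On Error Resume Next
objComputer.Put "description", strMakeModel
objComputer.SetInfo
If Err.Number <> 0 Then
    WScript.Echo "Update failed (0x" & Hex(Err.Number) & "): check write access to the description attribute."
    WScript.Quit 1
End If
On Error GoTo 0
```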
bshacklett
Updated on September 17, 2022
Comments
-
bshacklett almost 2 years
I'm toying with an idea for a script that would update a computer's details in Active Directory with its make and model information. Ideally, I'd like this script to access AD via its computer account, which means I'd need to have the script run as "NT Authority\NetworkService". Is this something that's possible? Alternatively, could I impersonate NetworkService in the script/executable?
-
hurfdurf over 13 years
Depending upon your end goal, you might want to look into SpiceWorks. It harvests much of this information automagically without tweaking AD.
-
-
bshacklett over 13 years
The problem with running psexec to query remote machines is that it's more complicated to deal with machines that are unavailable. If I configure a login script or an agent via GPO, I can sit back and wait for the computers to check in on their own rather than running query after query to catch every machine. As I think about it, though, it may be better to write this as an agent with a service that can easily run as NetworkService anyway.
-
bshacklett over 13 years
And then the ridiculousness of installing a service just to push make/model info to AD hits me.
-
boyonwheels over 13 years
That's a fair criticism/annoyance. Sticking with the same theme you could push out the scheduled task to all of the client machines using a GPO.
-
boyonwheels over 13 years
That way you get the benefit of both: schedule tasks permission escalation and the "one time check-in" by running it on the client side.
-
bshacklett over 13 years
After trying it and doing some research, it appears that the Network Service account does not have rights to run as a batch job.
-
aseques about 5 years
Sadly, this doesn't seem to work on Windows 2008 R2 or newer, it throws error 0x000142
-
AntoineL over 3 years
@aseques: Read the (archived) manual, it explicitly explains why this error occurs, and how to solve it.