
Runas batch including password

community.spiceworks.com/topic/368007-runas-batch-including-password

My plan is to run this batch file one night with a temp domain account that I previously added
to the local admin group of all PCs an hour before running this, and then I disable that account in
the morning.

My issue is I keep getting prompted for a password, which is not gonna do what I need.

runas /user:MYDOMAIN\USER "C:\Program Files\Internet Explorer\iexplore.exe" http:\\223.100.200.78


38 Replies

Thai Pepper

Matt9169 Aug 8, 2013 at 1:37 PM


PDQ Deploy, the Pro version allows you to schedule tasks, and choose the user to
run the command as. This way you can run it as an existing domain admin, and
not have to ever store creds locally on users' machines.

http://www.adminarsenal.com/pdq-deploy/main

Thai Pepper

Matt9169 Aug 8, 2013 at 1:40 PM


The page doesn't show it, but you can use PDQ Deploy to run .bat files, or just
straight command line.

It also gives you a report on whether the command was successful, so if any machines are
offline or unresponsive.

Habanero

Best Answer

Lauren7060 Aug 8, 2013 at 1:42 PM


If you use psexec it might be easier

psexec \\computername -u domain\user -p password "C:\Program Files\Internet Explorer\iexplore.exe" http:\\223.100.200.78

Datil

SnifferSir Aug 8, 2013 at 1:45 PM

Lauren7060 wrote:

If you use psexec it might be easier

psexec \\computername -u domain\user -p password "C:\Program Files\Internet Explorer\iexplore.exe" http:\\223.100.200.78

Yup. Used PsExec several times when I needed to pass credentials for a process/command.

Thai Pepper

Matt9169 Aug 8, 2013 at 1:46 PM

SnifferSir wrote:

Yup.


For live stuff I would use this, but I usually get mixed results when I run on large numbers of
PCs...

Chipotle

Meganerd Aug 8, 2013 at 1:59 PM


/savecred is the flag you are looking for. You will need to run this once with that
flag to save credentials.

Otherwise when setting up the scheduled task there is a radio button for running regardless
of the user being currently logged in. You can toggle the saved credentials here as well. Of
course if you don't need that level of access check that box that does not save credentials
(only local resources will be available).

If this is a system with UAC (and at this point it really should be) you may need to check off
the "Run with Highest Privileges" checkbox.

Datil

OP

IRJ Aug 8, 2013 at 2:00 PM

Matt9169 wrote:

PDQ Deploy, The pro version allows you to schedule tasks, and choose the user to run the
command as. This way you can run it as an existing domain admin, and not have to ever store
creds locally on users machines.

http://www.adminarsenal.com/pdq-deploy/main

I have PDQ Deploy Pro and use it every day. I am trying to write a script from there so I can run it
in the foreground.

http://community.spiceworks.com/topic/367973-pdq-deploy-launch-a-webpage-and-download-software-automatically

Datil

OP

IRJ Aug 8, 2013 at 2:01 PM

Lauren7060 wrote:

If you use psexec it might be easier

psexec \\computername -u domain\user -p password "C:\Program Files\Internet Explorer\iexplore.exe" http:\\223.100.200.78

Does computer name mean I have to specify a computer name for this to run? Because I can't do
that. This is going to be a mass deployment.


Datil

OP

IRJ Aug 8, 2013 at 2:02 PM

Meganerd wrote:

/savecred is the flag you are looking for. You will need to run this once with that flag to save
credentials.

Otherwise when setting up the scheduled task there is a radio button for running regardless of
the user being currently logged in. You can toggle the saved credentials here as well. Of course
if you don't need that level of access check that box that does not save credentials (only local
resources will be available).

If this is a system with UAC (and at this point it really should be) you may need to check off the
"Run with Highest Privileges" checkbox.

I just need this thing to run once. Deploying it isn't the issue, it's just getting it to run with the
password saved in it.

How exactly does /savecred work?


Tabasco

Nick_NSM Aug 8, 2013 at 2:03 PM


You could use PowerShell remoting.

Powershell

$user = "username"
# Plaintext password in the script, converted to a SecureString for PSCredential
$pass = "password" | convertto-securestring -asplaintext -force
$cred = new-object -typename System.Management.Automation.PSCredential -argumentlist $user, $pass

Then you could have the script remote in to each computer using the Credential $cred.
Doing this with several machines, you would want to use a foreach statement and pull the list
of computers from a text file.

Something along the lines of:

$list = get-content C:\list.txt

foreach($item in $list){
    # open a remote session to each computer with the credential built above
    $session = new-pssession $item -Credential $cred
    invoke-command -Session $session {desired thing here}
}


Habanero

Lauren7060 Aug 8, 2013 at 2:09 PM

Indian River Joel wrote:

Does computer name mean I have specify a computer name for this to run? because I cant do
that. This is going to be a mass deployment.


BASH

FOR /F %%G IN (Computers.txt) DO (
    psexec \\%%G -u domain\user -p password "C:\Program Files\Internet Explorer\iexplore.exe" http:\\223.100.200.78
)

Make a file called Computers.txt and place all your computer names in there, one per line.

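The psexec -p, runas /savecred and ConvertTo-SecureString -AsPlainText approaches suggested in this thread all leave a usable password in or beside a script file. The following added example (not code from any poster) finds such lines in a script folder so they can be cleaned up after a job; the rule names, regexes, file extensions and demo file are assumptions constructed for illustration.

```powershell
# Rules for the three ways this thread puts a password within reach of a script.
$patterns = [ordered]@{
    'psexec -p on command line' = '(?i)\bpsexec(\.exe)?\b.*\s-p\s+\S+'
    'runas /savecred'           = '(?i)\brunas\b.*\s/savecred\b'
    'plaintext to SecureString' = '(?i)ConvertTo-SecureString\b.*-AsPlainText\b'
}

function Find-EmbeddedCredential {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -Recurse -File -Include *.bat, *.cmd, *.ps1 |
        ForEach-Object {
            $file = $_
            foreach ($rule in $patterns.Keys) {
                Select-String -Path $file.FullName -Pattern $patterns[$rule] |
                    ForEach-Object {
                        # Report rule, file and line number only; never echo the matched secret.
                        [pscustomobject]@{
                            Rule = $rule
                            File = $file.FullName
                            Line = $_.LineNumber
                        }
                    }
            }
        }
}

# Constructed sample input so the scan can be tried without real deployment scripts.
$demo = Join-Path ([IO.Path]::GetTempPath()) 'credscan-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
@'
FOR /F %%G IN (Computers.txt) DO (
    psexec \\%%G -u domain\user -p password "C:\Program Files\Internet Explorer\iexplore.exe"
)
runas /savecred /user:MYDOMAIN\USER notepad.exe
'@ | Set-Content -Path (Join-Path $demo 'deploy.bat')
@'
$pass = "password" | convertto-securestring -asplaintext -force
'@ | Set-Content -Path (Join-Path $demo 'remote.ps1')

Find-EmbeddedCredential -Path $demo | Format-Table -AutoSize
Remove-Item -Path $demo -Recurse -Force
```

Point it at the share or deployment package folder that held the batch file once the job has finished; any hit means the account's password should be treated as exposed.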

Thai Pepper

Matt9169 Aug 8, 2013 at 2:11 PM

How I would do this.

Create the .bat using the run as and credentials.

Assuming you have PDQ 2.3, use the run as logged on user. (Or is this what you tried after the
first post? And if so, what was the result?)


Datil

OP

IRJ Aug 8, 2013 at 2:18 PM

Matt9169 wrote:

How I would do this.

Create the .bat using the run as and credentials.

Assuming you have PDQ 2.3, use the run as logged on user. (Or is this what you tried after the
first post? And if so, what was the result?)

I tried running it silently with no success. I think I have to run as the logged on user, but our
users aren't admins and that is required to download the modules. So that is where I am
stuck.

Thanks Lauren and Nick. I am testing both methods now.


Thai Pepper

Matt9169 Aug 8, 2013 at 2:41 PM


You will laugh at how stupid this is.

So we had an instance recently just like this. A program needed opened with admin, then the
user selected the updates, which were downloaded, and each of those had to be run as admin,
from different scripts that changed with each download.

So we created "Domain admin for all" day. We told all staff that they would have to reboot
their computers at a certain time, run the update, and then we removed domain admin and
told them to reboot again.

Wasn't my idea, but it worked for all but a few users who failed to listen.

EDIT: I in no way endorse this approach as a respectable solution to anyone's problems


Habanero

Lauren7060 Aug 8, 2013 at 2:45 PM

Matt9169 wrote:

You will laugh at how stupid this is.

So we had an instance recently just like this. A program needed opened with admin, then the
user selected the updates, which were downloaded, and each of those had to be run as admin,
from different scripts that changed with each download.

So we created "Domain admin for all day". We told all staff that they would have to reboot
their computers at a certain time, run the update, and then we removed domain admin and told
them to reboot again.

Wasn't my idea, but it worked for all but a few users who failed to listen.

Easy solution, but it looks like Joel works for a CU... and that just won't fly in terms of an
audit. At least it wouldn't in banking.

Datil

OP

IRJ Aug 8, 2013 at 2:55 PM

Matt9169 wrote:

You will laugh at how stupid this is.

So we had an instance recently just like this. A program needed opened with admin, then the
user selected the updates, which were downloaded, and each of those had to be run as admin,
from different scripts that changed with each download.

So we created "Domain admin for all" day. We told all staff that they would have to reboot
their computers at a certain time, run the update, and then we removed domain admin and told
them to reboot again.

Wasn't my idea, but it worked for all but a few users who failed to listen.

EDIT: I in no way endorse this approach as a respectable solution to anyone's problems

I'd probably lose my job doing that lol.

My approach is to make a regular domain user, deny local logon and then with Group Policy
push that user out to the local admin group. Schedule the job at night, enable the account just
before I leave and then disable it in the morning. If for some reason there is a breach, the
attacker would only be able to run as an admin on local PCs. I will probably end up logging
in to check on the job and disable the account before the morning, though.
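One way to make the overnight window described above close on its own even if nobody disables the account by hand, as an added example that is not part of the original post. It assumes the ActiveDirectory (RSAT) PowerShell module; the account name svc-deploy-temp and the 10-hour window are hypothetical.

```powershell
# Added example; requires the ActiveDirectory (RSAT) module.
Import-Module ActiveDirectory

function Open-DeployWindow {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [timespan]$Window = (New-TimeSpan -Hours 10)   # hypothetical default
    )
    $expires = (Get-Date).Add($Window)
    # Set the expiry before enabling, so the account is never enabled without an end time.
    Set-ADAccountExpiration -Identity $Identity -DateTime $expires
    Enable-ADAccount -Identity $Identity
    Get-ADUser -Identity $Identity -Properties AccountExpirationDate |
        Select-Object SamAccountName, Enabled, AccountExpirationDate
}

function Close-DeployWindow {
    param([Parameter(Mandatory)][string]$Identity)
    Disable-ADAccount -Identity $Identity
    # The old password sat in a batch file or on a command line during the job,
    # so replace it with a random value that is never displayed or stored.
    $bytes = New-Object byte[] 32
    $rng = [Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($bytes)
    $rng.Dispose()
    $newPass = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    Set-ADAccountPassword -Identity $Identity -Reset -NewPassword $newPass
    # LastLogonDate shows whether the account was used during the window.
    Get-ADUser -Identity $Identity -Properties AccountExpirationDate, LastLogonDate |
        Select-Object SamAccountName, Enabled, AccountExpirationDate, LastLogonDate
}

# Evening, before leaving (hypothetical account name):
#   Open-DeployWindow -Identity 'svc-deploy-temp'
# Morning, after checking the job:
#   Close-DeployWindow -Identity 'svc-deploy-temp'
```

Account expiry blocks new logons after the set time, so the manual disable in the morning is still worth doing to confirm the state and rotate the password.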

Datil

OP

IRJ Aug 8, 2013 at 2:56 PM

Lauren7060 wrote:

Easy solution, but it looks like Joel works for a CU... and that just won't fly in terms of an
audit. At least it wouldn't in banking.


Yes and Waitsian from PDQ recommend your approach, Lauren.

http://community.spiceworks.com/topic/367973-pdq-deploy-launch-a-webpage-and-download-software-automatically?page=1#entry-2426964

Datil

OP


IRJ Aug 8, 2013 at 4:23 PM


Ok I need to step away from the PC for a minute from all this scripting and
testing...ugh

Lauren and Waitsian from PDQ both recommended using PsExec.exe and that's what I ended
up using. However, there was much more to automating this than meets the eye. This is what
I had to do.

1 - reboot

2 - enable autologon (domain user account with no rights)

3 - reboot

4 - run the reference command (http://community.spiceworks.com/topic/367973-pdq-deploy-launch-a-webpage-and-download-software-automatically)

5 - disable auto logon

6 - reboot

Datil

Krizz Aug 8, 2013 at 4:41 PM


Can you tell what's under http:\\223.100.200.78 so it requires admin to open it in
IE?

Datil

OP

IRJ Aug 9, 2013 at 11:08 AM

Krizz wrote:

Can you tell what's under http:\\223.100.200.78 so it requires admin to open it in IE?

I am not sure I understand your question. If you are asking what the application is, it's a
banking application that requires different installs for a teller, loan person, member service
person, etc.

Datil

Krizz Aug 9, 2013 at 11:17 AM

I understand you're trying to install software which requires running with
admin privileges (for which psexec is a perfect tool), but why do you connect to
http:\\223.100.200.78 in Internet Explorer in order to do so? I mean, why don't
you put the software on a networked share and start it with psexec, or use the GPO
deployment feature if it's an MSI installer?

This topic has been locked by an administrator and is no longer open for commenting.
