|
Posted by =?Utf-8?B?QmFib29u?= on December 16, 2007, 8:40 pm
If you were Registered and logged in, you could reply and use other advanced thread options
machine to do the work for you. For example, a scheduled task of a batch
file that simply uses the copy command to copy the batch file to the local
machine, running as System.
Thanks for pointing that out.
"Roger Abell [MVP]" wrote:
> If I am aware that the script exists then I can simply start up
> cmd running in the local system context and then net use to
> map sysvol and get a copy of your batch file. Anyone with
> admin or power user login at any domain joined machine
> would be able to do that.
>
> Roger
>
> > Hello -
> >
> > I have a batch file that runs a dsmove command that needs authentication
> > of
> > a user that has control of 2 very small OUs. I happen to be that user, so
> > the batch file contains my password. I want to run this as a machine
> > startup
> > script. For testing, I temporarily put this in the respective subfolder
> > of
> > Sysvol and I removed my password after every testing session. However, I
> > also changed the permissions to the batch file to:
> > System - Full
> > Me - Full
> > Domain Computers - Full
> > Enterprise Domain Controllers - Full
> >
> > I realize a Domain Admin would be able to him/herself access if they
> > wanted
> > to. Other than that, is there any risk with the above permissions? I
> > don't
> > see how there could be, but I may be missing something.
> >
> > By the way, before putting this into production, I will delegate control
> > of
> > the OUs to a service account and use those credentials in the batch file
> > instead of mine.
> >
> > Thanks.
>
>
>
| 
XML site map